2010447.1 05/22/2017

INSURANCE CYBERSECURITY WORKSHOP SERIES

Cybersecurity in the Insurance Marketplace
Tuesday, May 23, 2017
Philadelphia, PA




AGENDA

8:00 a.m. Registration, Breakfast & Networking
8:30 a.m. Welcome and Overview of Selected Cyber Losses – Jim Gkonos, Special Counsel, Saul Ewing LLP
9:00 a.m. CGL Coverage Issues – Joel Hopkins, Partner, Saul Ewing LLP
9:50 a.m. Break
10:05 a.m. Cyber Insurance Coverage Issues – Robert Goodman, Partner, Saul Ewing LLP
10:50 a.m. Cyber Insurance Marketplace Explained – Featured Speaker: Emily Lowe, Vice President, Willis Towers Watson
12:00 p.m. Audience Question & Answer
12:15 p.m. Networking Lunch
1:00 p.m. Program Adjourned


Cybersecurity in the Marketplace

May 23, 2017

Saul Ewing LLP – Philadelphia Office

Philadelphia, Pennsylvania


Cyber Insurance – Setting the Stage

By: James S. Gkonos


WELL KNOWN RECENT CYBERATTACKS


WELL KNOWN RECENT CYBERATTACKS (cont’d)


Japan Public Pension


2016 Cyber Attacks


• Cybercrime damage has been projected to reach $6 trillion annually by 2021

• According to the FBI, ransomware attacks occurred 4,000 times a day in 2016

• According to Kaspersky, ransomware attacks on businesses occurred every 40 seconds in 2016

• In Q3 2016 alone, 18 million new malware samples were captured (average 200,000 per day)

• Cybersecurity spending is expected to exceed $1 trillion for the next five years (2017-2021). Current cybersecurity spending is estimated to be over 35 times the level of spending 13 years ago.


• 1 in 4 Chief Legal Officers (CLO) experienced a data breach in the last 2 years.

• Only 1 in 3 reporting companies carries data breach protection insurance.

• 2015 Association of Corporate Counsel Study

Cyber Insurance Coverage – still primarily manuscripted

● Recent Cambridge Business School report found coverage can come from

▪ Stand-alone Cyber cover

▪ Affirmative Cyber endorsements

▪ Gaps in explicit Cyber exclusions

▪ Silent Cyber exposure

● The Cambridge report found 35 insurers offering 26 different insurance products that collectively cover 19 types of losses, but…

▪ Only 81% covered incident response costs

▪ Only 69% covered business interruption

▪ Only 62% offered regulatory and defense coverage

▪ Only 13% offered officer and director liability coverage


Cost of Cyber Hacks


Home Depot

• $292 million in total cost as of 1/1/17

• $100 million in insurance coverage ($10 million deductible)

• $134.5 million to credit card cos.

• $25 million to banks

• $19.5 million to consumers (class action)

• No executive job loss


Target

• As of 12/31/16, $291 million in cost

• $100 million in insurance coverage, $10 million deductible

• CEO and STO resigned

• 2014 – $191 million – $46 million insurance

• 2013 – $61 million – $44 million insurance


Yahoo

• No specific information on actual costs, but Verizon reduced the purchase price of the acquisition by $350 million

• CEO lost $2 million bonus plus equity

• GC resigned without severance


Anthem

• $260 million in improvements and remedial action

• $2.5 million – consultants

• $115 million – security improvements

• $31 million initial notice

• $112 million credit protection

• $415,000 in regulatory fines


Office of Personnel Mgt.

• Director, CIO resigned

• $130 million in identity theft protection


Sony – PlayStation Hack

• $171 million – identity theft insurance, improvements to network security, free content, customer support and investigation costs

• $17.5 million settlement of consumer class action

• $400,000 UK fine


Sony Films Hack

• $35 million improving financial/IT system

• $15 million – investigations/remedial cost


TJ Maxx

• 2007 – Company estimated loss at $25 million

• 2017 – loss to date – $256 million

• 2007 – $118 million – mostly notification cost

• 2008 – $107 million

• 2009 – $21 million

• Ultimately settled lawsuit with VISA for $41 million


Potential Costs

• System improvements/repair

• Notification costs

• Credit protection

• Investigation/consultants

• Lawsuits – banks, consumers

• Regulatory fines

• Loss of acquisition value


James S. Gkonos
Special Counsel
Philadelphia Office
Centre Square West
Philadelphia, Pennsylvania 19102-2186
Phone: (215) 972-8667
Fax: (215) 972-1833
Email: [email protected]

Jim Gkonos focuses his practice on insurance and reinsurance regulatory matters, contract and treaty interpretation and reinsurance disputes. He is a certified reinsurance arbitrator. As a former division general counsel of a large domestic property and casualty carrier, Jim has significant experience with and knowledge of the regulatory issues facing domestic carriers. He was responsible for the drafting and interpretation of the reinsurance treaties placed annually by the division and has been involved in the commutation of hundreds of reinsurance treaties.

Jim assists clients on issues relating to financial guarantees, surety bonds and the intersection between insurance and the capital markets. He frequently represents clients that have problems and issues with insurance companies in runoff and liquidation. He has structured securitized international financial transactions backed by insurance guarantees and has substantial international experience in the restructure of financially impaired, insolvent or bankrupt entities. Jim also conducted, managed and supervised substantial litigation in the United Kingdom, Japan, China, Argentina, Brazil and the Virgin Islands and brings more than 25 years of domestic litigation experience to the Insurance Practice.

Jim also previously served for nine years as senior counsel advising the Rehabilitator of one of the largest insurance insolvencies in the United States – Mutual Fire Marine and Inland Insurance Company, In Rehabilitation. In that position, Jim was responsible for interpretation of insurance insolvency laws, negotiation and commutation of reinsurance treaties, documentation of more than 13,000 claim settlements and managing reinsurance arbitrations and the litigation against the insolvent company’s MGAs and accountants.

As the complex regulations governing insurance and reinsurance continue to evolve, Jim has become a frequent speaker and author on numerous insurance topics, including the impact of the subprime defaults on the insurance and capital markets, changes in state and federal regulatory environments and how the challenging economic climate impacts the insurance and financial markets.

Practices: Appellate; Corporate Governance; Business and Finance; Commercial Litigation; Litigation; Insurance

Education: J.D., Penn State The Dickinson School of Law, 1979; B.A., University of Delaware, 1976, with honors

Bar Admissions: Pennsylvania

Clerkships: Chief Justice Daniel Herrmann, Supreme Court of Delaware, 1979-1980


He is admitted to practice before the U.S. Court of Appeals for the Third Circuit, the U.S. Court of Appeals for the Federal Circuit, the U.S. District Court for the Eastern District of Pennsylvania, the U.S. Court of International Trade and the Supreme Court of Pennsylvania.

Honors and Awards

• Named to “Who’s Who Legal” list for Insurance and Reinsurance, 2016

Memberships and Affiliations

• Member, Federation of Regulatory Counsel

• Member, ABA Litigation Section

• Member, ABA International Law Section

• Member, ABA Accountants' Liability Subcommittee of the Professional Liability Committee, Litigation Section


Cyber Insurance: Coverage Under the “Standard” Policies


Directors & Officers / Errors & Omissions

First Party Property

Crime Coverage

Commercial General Liability

Others


• Directors & Officers / Errors & Omissions

Breach of fiduciary duties by directors & officers

Waste of corporate assets

Derivative actions for mismanagement

Claims against the company where entity (“side c”) coverage exists

Breach of professional responsibilities leading to a breach

Don’t forget tag-on cyber liability coverage


Property policies

Data loss as “direct physical loss or damage to covered property”

Business interruption / extra expense – See NMS Services, Inc. v. Hartford, 62 Fed. Appx. 511 (4th Cir. 2003) (employee hacking and erasure of files)

Contingent business interruption coverage

ISO endorsement BP 05 95 – limited coverage for direct damage to data due to insured’s negligence


Crime / Fidelity policies

● See Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (predicting Ohio law).

▪ Theft of credit card and checking account information

▪ Policy covered “loss” directly resulting from the theft of any insured property


• Commercial General Liability

Coverage A – covers “bodily injury” and “property damage”

● Courts have often held that a loss of electronic data is not “property damage.”

● Definition of property damage often requires the property to be tangible, which electronic data is not.

● Many policies include an “electronic data” exclusion, precluding coverage for losses arising from:

▪ Loss of data

▪ Loss of use of data

▪ Damage to or corruption of data

▪ Inability to access or manipulate data


• Commercial General Liability

Coverage B – covers amounts the insured “becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”

Personal and advertising injury defined to include “publication . . . of material that violates a person’s right of privacy.”

Issues – is there publication, is there a violation of privacy rights?


• Commercial General Liability

Netscape Communications Corp. v. Federal Ins. Co., 343 Fed. App’x 271 (9th Cir. 2009) (coverage for putative class action lawsuits based on software that violated users’ privacy rights)

Recall Total Information Mgmt., Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014) (publication required to trigger CGL coverage for data breach), aff’d, 317 Conn. 46.

Zurich American Ins. Co. v. Sony Corp. of Am., (N.Y., case no. 651982) (hacking constitutes publication, but not by the hacked party) (case settled while appeal was pending)


• Commercial General Liability

Hartford Cas. Ins. Co. v. Corcino & Assoc., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013) (hacking is publication by hacked party; statutory damages covered)

Travelers Indemnity v. Portal Healthcare Solutions, 2016 WL 1399517 (4th Cir. 2016) (coverage for unintentional patient data breach where records were not viewed by a 3rd party)

● Policy included Part B coverage for “electronic publication of material that . . . gives unreasonable publicity [or] discloses information about a person’s private life.”

● Unintentional publication is still publication

● Publication doesn’t require third-party access


ISO has introduced several endorsements to address cyber risks under the CGL:

CG 24 13 04 13 – Endorsement deleting coverage for the invasion of privacy offense

CG 21 06 05 14 – Excludes all coverage for injury or damage, except bodily injury, arising from access to or disclosure of confidential or personal information

CG 21 07 05 14 – Similar to above form, but also excludes bodily injury


ISO endorsements:

CG 21 08 05 14 – Same exclusion, but only for Coverage B

CG 04 37 12 04 – Buy back liability coverage; property damage includes “loss of electronic data.”

CG 00 65 12 04 – Claims-made coverage for loss caused by an “electronic data incident.”

▪ No need for “physical injury to tangible property”

Questions/Discussion

Joel C. Hopkins
Partner
Harrisburg Office
Penn National Insurance Plaza
Harrisburg, Pennsylvania 17101-1619
Phone: (717) 257-7525
Fax: (717) 257-7590
Email: [email protected]

Joel Hopkins focuses his practice on representing insurers, self insureds, risk retention groups, captives, producers and insurance industry service providers in regulatory, business, claims, coverage and solvency issues. Joel represents regulated insurance entities in matters before the Pennsylvania Insurance Department, including product advocacy, market conduct, enforcement and licensure actions and review hearings. He has litigated numerous coverage and bad faith actions in state and federal courts, and has represented insurers and producers in a wide variety of matters before state insurance departments.

Joel counsels business clients on a wide variety of insurance and risk transfer matters, including complicated coverage and program issues relating to mergers and acquisitions. He counsels clients on insurance product development, compliance and evaluation, and creates and improves claims, coverage and regulatory policies, procedures and manuals. Joel serves as claims and coverage counsel to insurers, risk retention groups, group captives and self-insureds.

Past and current insurance representations include:

• Counseling clients on insurance regulatory compliance

• Representing insurers, producers and others in market conduct examinations, enforcement actions, organizational and program issues

• Evaluating and drafting claims policies, procedures and manuals

• Drafting coverage forms and endorsements

• Serving as claims and coverage counsel to insurers, risk retention groups and captives, including preparing/updating claims manuals, policies and procedures; providing counsel to insurers with respect to large and complex claims handling matters; claim audits; and bad faith avoidance

• Conducting internal audits of claims operations/procedures/files and recommending changes to avoid litigation and assure regulatory compliance

Practices: Business and Finance; Commercial Litigation; Corporate Governance; Litigation; Energy Transmission / Pipelines; Insurance

Education: J.D., Widener University School of Law, magna cum laude; B.A., Shippensburg University

Bar Admissions: New Jersey, Pennsylvania


• Serving as administrator and counsel to workers' compensation self-insurance groups

• Counseling corporate clients on alternative risk transfer programs including the use of captives, RRGs, self-insurance, and non-insurance contractual risk transfer

• Litigating complex coverage and bad faith matters in state and federal court

• Litigating statutory accounting issues; surplus lines tax disputes with Departments of Insurance and Revenue

• Representing insurers and insureds in disputes with the Pennsylvania Mcare Fund; agency and policyholder termination cases; licensure actions; consumer and competitor complaints; UIPA violations; surplus lines violations; producer licensing actions; and actions brought by the Department as liquidator/rehabilitator

• Counseling businesses on insurance issues in operations and transactions such as mergers, acquisitions and sales

• Advising clients on regulatory issues associated with new and evolving insurance products, including rate and form filings

• Working with new and established insurers and alternative risk entities in navigating the Pennsylvania regulatory environment and obtaining necessary licenses, registrations, appointments and approvals

• Providing analysis of coverage, claims and bad faith issues

• Preparing, advising and negotiating a variety of contracts between insurers and third parties including producers, TPAs, MGAs, reinsurers, among others, and litigating disputes arising under such agreements

Prior to joining Saul Ewing, Joel worked for nearly 10 years as a claims professional with two major insurance companies. During that time, he earned his Associate in Risk Management and Associate in Claims designations from the Insurance Institute of America.

Honors and Awards

• Selected to the Rising Stars list, Pennsylvania Super Lawyers, 2005 to present

Memberships and Affiliations

• American Bar Association

• Pennsylvania Defense Institute

• Pennsylvania Bar Association

• Phi Kappa Phi National Honor Society

• Risk and Insurance Management Society

• Association of Insurance Compliance Professionals

• Advisory Board Member, Family Support of Central Pennsylvania

• President, Board of the Central Pennsylvania Food Bank


Coverage Issues Under Cyber Insurance Policies

Robert Goodman, Saul Ewing LLP

May 23, 2017

Introduction

• Market for cyber-specific products grew in response to uncertainty of coverage under CGL Policies

• Cyber insurance protects against data loss and exposure of personally identifiable information

▪ Both first-party and third-party coverage

• No standardized cyber policies

• Very little case law


Coverage issues arising under:

• Policy provisions and endorsements specific to “computer fraud”

• Stand-alone cyber policies


Snapshot of Early Case Law

Cases Interpreting Policy Endorsements or Provisions Providing for Computer Fraud Coverage


Key Issue

• Was the loss “the direct result of the use of a computer?”

• One subcategory: Hacking vs. Phishing

“Direct Loss” Cases

InComm Holdings Inc. et al. v. Great American Insurance Co., 2017 WL 1021749 (N.D. Ga. Mar. 16, 2017)

Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 2014 WL 3844627 (C.D. Cal. July 17, 2014), aff'd in part, vacated in part, 656 Fed. Appx. 332 (9th Cir. 2016)

Pinnacle Processing Group, Inc. v. Hartford Casualty Ins., 2011 WL 5299557 (W.D. Wash. Nov. 4, 2011)

Brightpoint, Inc. v. Zurich American Insurance Co., 2006 WL 693377 (S.D. Ind. Mar. 10, 2006)


Hacking vs. Phishing

Hacking: An outside company breaking into a company’s data

Phishing: Fraudulently inducing a company insider to expose data or transfer funds


Hacking Cases

State Bank of Bellingham v. BancInsure, 2014 WL 4829184 (D. Minn. Sept. 29, 2014), aff’d, 823 F.3d 456 (8th Cir. 2016)

Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America, 2016 WL 3655265 (W.D. Wash. July 8, 2016)


Phishing Cases

Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 25 N.Y.3d 675, 37 N.E.3d 78 (N.Y. June 25, 2015)

Apache Corp. v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), rev’d, 2016 WL 6090901 (5th Cir. Oct. 18, 2016)

Principle Solutions Group v. Ironshore Indemnity, 2016 WL 4618761 (N.D. Ga. Aug. 30, 2016)

Other Issues

Coverage for claims under Telephone Consumer Protection Act

Doctors Direct Insurance, Inc. v. Bochenek, 2015 IL App (1st) 142919 (Ill. App. Aug. 3, 2015)


Cases Interpreting Stand-Alone Cyber Liability Policies

• No standardized stand-alone cyber policies

• Very little judicial interpretation so far


Stand-Alone Cyber Policy Cases

P.F. Chang's China Bistro, Inc. v. Federal Insurance Co., 2016 WL 3055111 (D. Ariz. May 31, 2016)

Travelers Property Casualty Co. v. Federal Recovery Services, Inc., 103 F. Supp. 3d 1297 (D. Utah 2015)

Columbia Casualty Company v. Cottage Health System, 2015 WL 4497730 (C.D. Cal. July 17, 2015)


Cyber Coverage: Moving Forward

• The ISO recommends standardization in policy terminology

• Evolution of cybercrimes = Evolution of cyberpolicies and judicial interpretation


QUESTIONS?


Robert D. Goodman
Partner
Newark Office: One Riverfront Plaza, Newark, New Jersey 07102-5426
New York Office: 555 Fifth Avenue, New York, New York 10017
Phone: (212) 980-7212
Fax: (973) 286-6813
Email: [email protected]

Robert Goodman focuses his practice on insurance coverage disputes and counseling, products liability litigation and other mass torts, as well as complex commercial litigations and arbitrations. He has represented a wide variety of clients, including both insurers and defendants in the underlying litigations, in matters involving the full range of personal injury and mass tort matters, including over 25 years of experience in asbestos-related litigation. Robert currently represents a leading property casualty insurer in connection with a major asbestos bankruptcy, as well as related state court coverage matters. Other current and recent matters include representations of a number of insurance clients in connection with coverage disputes arising out of asbestos, environmental and products liability exposures, as well as efforts to enact federal asbestos reform legislation.

Robert’s practice has involved class actions, consolidations and federal multidistrict proceedings. He has handled litigation matters in a number of well-known “high-risk” jurisdictions, including state courts in New York, Illinois, Mississippi, Texas and West Virginia.

Experience

• Lead counsel representing a major insurance company in connection with the multibillion- dollar Pittsburgh Corning asbestos bankruptcy, playing a leading role in negotiation of Pittsburgh Corning bankruptcy plan and related insurance coverage settlements, as well as the defense of the insurer in related state court coverage litigation. This included defending depositions of company witnesses, taking depositions of policyholder witnesses, and briefing and argument of major substantive and discovery issues.

Practices: Bankruptcy Litigation; Commercial Litigation; Corporate Governance; Intellectual Property Litigation; Litigation; Insurance

Education: J.D., Rutgers School of Law – Newark, 1988; B.A., Rutgers University, 1981

Bar Admissions: New Jersey, New York


• Representation of several major property and casualty insurers in connection with coverage disputes arising out of asbestos, pollution, and product liability exposures, involving wide range of coverage issues and bad faith allegations.

• Counsel for issuer of lender-placed homeowners’ hazard insurance in purported class action involving unjust enrichment claims due to “back-dating” of policies.

• Represented leading insurance company in connection with efforts to enact federal asbestos reform legislation, working closely with key legislative staff and representatives of other insurers and reinsurers, major manufacturers, and asbestos defendants.

• Lead counsel for property casualty insurer in litigation concerning effectiveness of corporate reorganization separating active and run-off operations, including briefing and argument of dispositive motions, preparation and defense of Rule 30(b)(6) witnesses, development of expert witness addressing critical issues in litigation, and supervision of related document discovery.

• Represented major life and health insurer in arbitration arising from stop-loss reinsurance dispute.

Honors and Awards

• Named to the “America’s Leading Lawyers in Insurance Dispute Resolution” list by Chambers USA, 2006-2016

• Named to the “National Litigation Star” list by Benchmark Litigation, 2015

Memberships and Affiliations

• Chair, Board of Directors, Manhattan Legal Services

• Ex Officio Board Member, Legal Services NYC

• Editorial Board, Insurance Coverage Law Bulletin


willistowerswatson.com

© 2017 Willis Towers Watson. All rights reserved.

Overview of the Cyber Insurance Market 2017 – Q2


Cyber Insurance - Core Coverages


Privacy Liability

Liability associated with your inability to protect personally identifiable information or corporate confidential information of third parties. The information can be in any format and breached intentionally or negligently by any person, including third party service providers to which you have outsourced information. Third party service providers include, but are not limited to, information holders.

Network Security Liability

Liability costs associated with your inability to prevent a computer attack against your computer network.

Media Liability

Tort liability associated with content you create or distribute, or that is created and distributed on your behalf, including social media content.

Cyber insurance policies are modular and allow the policyholder to choose the specific coverages they feel best address their exposure. The most comprehensive programs will include all of the following coverages.


Cyber Insurance - Core Coverage


Direct (First Party) Coverage

Income Loss/Extra Expense

Income Loss/Extra Expense associated with your inability to prevent a disruption to your computer network caused by a computer attack or programming or software failure either:

1. on your network, or

2. at your IT Service Provider hosting your application.

Data Reconstruction

Your costs to recreate, recollect data lost, stolen or corrupted due to your inability to prevent a computer attack against your computer network.

Extortion Costs Your costs expended to comply with a cyber extortion demand.

Regulatory Fines Fines assessed by a regulatory body due to your data breach.


Current Cyber Insurance Market

• According to PwC report on Insurance in 2020 and beyond, an estimated $2.5B in cyber insurance premium was purchased by US companies.

• Cyber insurance is generally available by US, UK (including Lloyd’s) and Bermuda based insurers.

• Coverage can be written on a stand-alone or package basis, or via endorsement.

• Other insurance policies may provide some cyber-related coverages (Managed Care E&O, Property, K&R)


Global spending on Cyber is expected to grow from $96 billion in 2016 to $148 billion by 2021, a CAGR of 9%

Source: Gartner Forecast Analysis: Information Security, Worldwide 1Q16 Update; Markets&Markets: Cyber Forecast 2016 – 2021; PwC: Insurance 2020 & beyond

[Chart: Global Cyber spend, 2016 – 2021, $b, by segment: IT Security, Incident Response, L&D, Strategy & Assessments, Insurance (+9% CAGR)]


Although IT accounts for the largest portion of all spend, other segments represent a sizeable market in dollar terms (~$34b by 2021)

[Chart: Global Cyber spend, 2016 & 2021, $b, by segment: Strategy & Assessments, Learning & Development, Insurance, IT Security, Incident Response]

Measure

• Accounts for ~8% of the overall market

• Expected to grow at a CAGR of 5%

• Growth factors include regulation that will come into effect in 2018

Protect

• Accounts for 85% of the overall market. Within Protect:

▪ Insurance accounts for 6%, with commissions accounting for <1%

▪ Learning & Development accounts for ~2%

▪ Information Technology accounts for the majority at 77%

• Expected to grow at a CAGR of 10%

▪ Insurance slated to be the fastest-growing segment at a 25% CAGR

▪ Learning & Development to grow at an 11% CAGR

▪ Information Technology to grow at a 9% CAGR

• Growth factors include (i) growing recognition of the importance of cyber insurance, (ii) the large number of breaches caused by human error, and (iii) the rise in adoption of monitoring tools & capabilities

Recover

• Accounts for ~8% of the overall market

• Expected to grow at a CAGR of 8%

• Growth factors include the forecasted rise in successful security incidents

Source: Gartner Forecast Analysis: Information Security, Worldwide 1Q16 Update, Markets&Markets: Cyber Forecast 2016 – 2021, PwC: Insurance 2020 & beyond

Global Cyber spend, 2016 & 2021, $b


Cyber Insurance Purchasing Trends

2016 Information Security and Cyber Risk Management Survey - Advisen

• Uptake rate varies among industries, but early adopters include Healthcare and Financial Services companies. 80% of respondents to the RIMS Cyber Survey purchase a stand-alone cyber policy


State of the Cyber Insurance Market 2017


Capacity – Plentiful

• With over 60 markets offering some form of cyber coverage, there is over $600M of capacity available in the marketplace

• Over the coming year, we expect additional carriers to develop primary forms and compete for business

• Many carriers have released updates to their existing primary forms and others are in the process of developing new revisions to their forms

• Primary and excess capacity are available domestically and in London markets. Excess capacity over $50M is available in Bermuda

• New capital and capacity will continue to flow into the excess marketplace, providing insurance buyers with more options

Coverage – Expanding

• Cyber product offerings vary widely; there is no uniform set of coverage terms, exclusions, definitions, or conditions

• Insuring agreements need to be manuscripted to specific industries and client exposures

• The scope of coverage continues to expand to include traditional property coverages such as business interruption and systems failure, but there is great variation with regard to waiting periods and coverage triggers

• Coverage for bodily injury and property damage is now being contemplated with the expansion of the Internet of Things (IoT) in the healthcare, critical infrastructure, utilities, energy and manufacturing industries

• Traditional crime coverage for social engineering and theft of money is expanding

Claims & Losses – Rising

• Ransomware/extortion claims dominated 2016; the FBI reported a 300% increase in attacks since 2015

• Over 66% of claims emanate from human behavior

• Insurers are starting to see at least 2-3 business interruption claims a year with losses exceeding the waiting period

• Underwriting concerns over business interruption and property damage losses stemming from cyber incidents will continue to heighten as claims develop

• The costs associated with managing cyber and privacy claims, including forensic investigations and defending regulatory actions and associated fines, are on the rise

Premiums & Retentions – Normalizing

• Retentions at all levels are available but can vary greatly based on industry class, size of organization and particular exposures

• Insurers have tightened pricing and retention guidelines for companies that have not addressed vulnerabilities

• Depending on loss history and claims experience, pricing is beginning to stabilize

• First-time buyers are enjoying competitive market conditions

• Renewal pricing ranges from flat to 15% increases depending on the security controls and privacy protections in place

Markets – Unaligned

• The marketplace remains unaligned on pricing, retentions and sub-limits

• Markets continue to insert InfoSec professionals into the underwriting process and are getting more granular with submission questions

• Standard applications are becoming obsolete for large organizations with mature risk management programs

• Insurers continue to innovate and build out their pre-breach and post-breach response services

• There is considerable uncertainty surrounding expanding global regulation such as GDPR as well as the NYS DFS regulation, and the potential for increased regulatory action claims and associated non-compliance fines/penalties

• Underwriters are exploring alternative channels like big data analytics to obtain an insured’s security score to underwrite SMBs where specialization is limited


Considerations on purchasing Cyber Insurance


• What is driving the purchase?
  - Contract, Media, Senior Executive, Regulatory concerns
• What is the Risk Management approach at your organization?
  - Flexibility, Cost, relationship with carriers
• What is the underwriting process?
• What roles does the broker play in regards to the placement?
  - Provide education and advisory on threats and exposures of interest to underwriters
  - Interaction with any other insurance purchases
  - Claims advocacy
  - Recommendations on other related insurance coverages

RIMS Executive Report

The Risk Perspective

2016 RIMS CYBER SURVEY

Concern about cybersecurity is ubiquitous in today’s corporate world. Our second annual RIMS Cyber Survey highlights the measures that an increasing number of organizations are relying on, while also showing that opinions are far from aligned on reporting requirements.

As far as handling cyber exposure, this year’s survey saw a leap in the number of organizations that are transferring the risk. Nearly 70% reported some form of transfer, an increase of 10% over 2015. Stand-alone cyber insurance policies seem to be the preferred route: a resounding 80% of survey respondents reported purchasing this type of cover, an increase of 29% compared to the 2015 collection.

Many organizations are being pushed in this direction by multiple forces. For example, a quarter of respondents said that they are required to buy cyber insurance as a result of contractual obligations, a leap of 17% from 2015. Here we can see evidence of organizations with large supply chains pressuring their vendors to increase their cybersecurity.

Premium paid for coverage varies widely. That said, nearly a quarter of respondents said they are paying more than $500,000 for their policies.

Regulators and legislators in many countries have been debating whether or not to mandate and standardize cyber breach reporting. Among our U.S. respondents, opinions of this approach are split: 48% think that the federal government should mandate reporting, while the rest are opposed or unsure. Meanwhile, there seems to be a lack of familiarity among risk managers about information sharing and analysis organizations (ISAO) that were created by federal legislation in 2015. Only 20% could confirm that their organizations were participating, and 40% confirmed that their companies were not.

The world of cybersecurity is, of course, rapidly evolving. That is also true for the insurance and risk management components. Please visit RIMS resources such as Risk Management Magazine, Risk Knowledge database, courses and webcasts to stay in the loop.

METHODOLOGY

This year’s survey had 272 respondents; 2015 had 284. Demographics such as industry sector, organization revenue and number of employees held close to 2015 results. The survey was distributed to RIMS membership via an internet link, and was in field between August 8 and September 9, 2016. If you have additional questions about data collection, please contact RIMS at [email protected].

As the preeminent organization dedicated to educating, engaging and advocating for the global risk community, RIMS, the risk management society™, is a not-for-profit organization representing more than 3,500 corporate, industrial, service, nonprofit, charitable and government entities throughout the world. RIMS has a membership of approximately 11,000 risk practitioners who are located in more than 60 countries. For more information about the Society’s world-leading risk management content, networking, professional development and certification opportunities, visit www.RIMS.org.


SURVEY AT A GLANCE

• Organizations transferring the risk of cyber exposure to a third party: 59% (2015), 69% (2016), up 10% from 2015 to 2016
• Organizations with a stand-alone cyber insurance policy: 51% (2015), 80% (2016), up 29% from 2015 to 2016
• Organizations purchasing cyber insurance as a result of contractual obligations: 8% (2015), 25% (2016), up 17% from 2015 to 2016
• Nearly a quarter of respondents are spending over $500,000 on cyber premiums.
• Fewer than 50% of risk managers think the government should mandate cyber breach reporting.
• Only 20% of respondents say their organizations are part of ISAOs.


QUESTION 1. What are your organization’s potential first-party cyber exposures?

Business interruption and extra expense as a result of network outage: 76%
Business interruption and extra expenses for loss of data: 75%
Cyber extortion: 63%
Theft of trade secrets or IP: 42%
Reputational harm: 82%
Regulator investigations, fines, penalties: 65%
Costs related to notification, response, etc.: 76%

QUESTION 2. What are your organization’s potential third-party cyber exposures?

Disclosure of personal identifiable information (employees or customers/suppliers): 85%
Media liability: 38%
Business interruption: 57%
Economic harm to customers as the result of a network outage: 51%
Regulator investigations, fines, penalties: 60%
Costs related to notification, response, etc.: 69%


QUESTION 3. Does your organization transfer the risk of cyber exposure to a third party?

Yes: 69% (up 10% from 2015)
No: 24%
Not sure: 7%

QUESTION 4. Is your organization considering a purchase of cyber coverage within the next 12-24 months?

Yes: 67%
No: 14%
Not sure: 19%

QUESTION 5. Does your company have a stand-alone cyber insurance policy?

Yes: 80% (up 29% from 2015)
No: 19.5%
Not sure: 0.5%


QUESTION 6. Does your organization purchase cyber insurance as a result of contractual obligations?

Yes: 25% (up 17% from 2015)
No: 74%
Not sure: 1%

QUESTION 7. What is the range of limit purchased?

Less than $5 million: 20.5%
$5 million-$20 million: 38.5%
$20 million-$50 million: 13.5%
$50 million-$100 million: 15.5%
$100 million-$200 million: 8%
More than $200 million: 3.5%


QUESTION 8. What premium are you paying for your cyber coverage?

Less than $50,000: 24%
$50,000-$75,000: 12.5%
$75,000-$100,000: 10.5%
$100,000-$200,000: 13.5%
$200,000-$500,000: 16%
More than $500,000: 23%

QUESTION 9. Which of the following is included in your cyber insurance policy?

Professional liability: 50%
Network/business interruption: 76%
Cyber extortion: 78%
Fines and penalties: 63%
Breach notification costs: 91%
Reputational harm: 42%
Theft of trade secrets: 27%
Data recovery: 80%


QUESTION 10. Does your organization’s cyber insurance coverage extend to data stored in cloud servers?

Yes: 69%
No: 9%
Not sure: 22%

QUESTION 11. Does your organization have a response plan in place in the event of a cyber crisis?

Yes: 81%
No: 7%
Not sure: 12%


QUESTION 12. Who is involved in that response procedure?

Public relations: 75%
Information technology: 94%
Legal: 85%
Risk management: 84%
Information security: 82%
Compliance: 52%
Privacy officer: 47%

QUESTION 13. Has your organization identified cyberrisk using any of the following methods or tools?

Enterprise risk management (ERM): 49%
Strategic risk management (SRM): 22%
Software: 28%
Consultants: 53%
Not sure: 19%


QUESTION 14. Which of the following has primary responsibility for cybersecurity within your organization?

Risk management: 5%
Information security: 42%
Information technology: 47%
Privacy: 2%
Compliance: 3%

QUESTION 15. Which individual within your company has primary accountability for cybersecurity?

Risk manager: 5%
Chief information security officer: 84%
Chief risk officer: 2%
Chief privacy officer: 3%
Chief compliance officer: 3%
Attorney: 4%


QUESTION 16. Which of the following methods does your company use to evaluate cybersecurity?

In-house committee: 62%
Third party vendor: 61%
Risk assessments: 73%
Audit: 56%

QUESTION 17. How much will your company spend to protect cybersecurity exposures in 2016?

Less than $100,000: 23%
$100,000-$250,000: 19%
$250,000-$500,000: 18%
$500,000-$750,000: 9%
$750,000-$1 million: 7%
More than $1 million: 24%


QUESTION 18. What will be your top cyberrisk spending categories in 2016?

Employee education: 46%
Incident response: 27%
Scanning tools: 47%
Smart phone encryption software: 15%
Active monitoring and analysis of information security: 75%
Cyber insurance: 55%
Unauthorized use of access monitoring tools: 31%
Other: 9%

QUESTION 19. Which aspect of cyberrisk is most relevant to your company?

Privacy issues: 26% (up 10% from 2015)
Loss of business: 3%
Reputational issues: 23%
Business interruption: 23%
Legal liability, fines, penalties: 14%
Information security requirements: 10%
Other: 1%


QUESTION 20. Do you think the federal government should mandate the reporting of cyber breaches? (U.S. respondents only)

Yes: 48%
No: 27%
Not sure: 25%

QUESTION 21. Does your organization belong to an information sharing and analysis organization (ISAO) as created by the U.S. Cybersecurity Information Sharing Act of 2015?

Yes: 20%
No: 40%
Not sure: 40%


QUESTION 22. What is your industry sector?

Retail: 4%
Hospitality: 4%
Health care: 8.5%
Financial services: 14%
Professional services: 5.5%
Utilities: 4%
Energy: 4.5%
Government or non-profit: 10.5%
Information technology: 3%
Telecommunications: 1.5%
Education: 5%
Manufacturing: 10.5%
Industrial: 0.5%
Transportation: 3.5%
Other: 21%


QUESTION 23. What is your organization’s estimated annual revenue? (USD)

$0 to $1 million: 1.5%
$1 million to $10 million: 2%
$10 million to $50 million: 5%
$50 million to $100 million: 6.5%
$100 million to $500 million: 18%
$500 million to $1 billion: 10.5%
$1 billion+: 56.5%

QUESTION 24. How many total employees are in your organization?

0 to 100: 3%
100 to 250: 5%
250 to 500: 5.5%
500 to 1,000: 8%
1,000 to 5,000: 29.5%
5,000 to 10,000: 12%
10,000 to 15,000: 8%
15,000 to 25,000: 7%
25,000 or more: 22.5%

INFORMATION SECURITY AND CYBER RISK MANAGEMENT

THE SIXTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER RISK MANAGEMENT

October 2016

Sponsored by

TABLE OF CONTENTS

3 EXECUTIVE SUMMARY
3 KEY FINDINGS
4 ANALYSIS AND CONCLUSIONS
5 PERCEPTION OF CYBER RISK
8 CYBER RISK MANAGEMENT: PREPARATION AND RESPONSE
11 SECURITY & PRIVACY INSURANCE
13 ABOUT THE SURVEY RESPONDENTS

3 www.advisenltd.com

EXECUTIVE SUMMARY

The cyber threat landscape continues to rapidly change and businesses of all sizes and across all industries are increasingly exposed. A recent announcement of a breach of 500 million records by a major multinational technology company, for example, serves as yet another unfortunate reminder that no business is immune to the threat of an information security incident.1

Sophisticated cybercriminals are defeating traditional approaches to cybersecurity, leaving organizations vulnerable to the costly and disruptive consequences of a data breach or other cybersecurity failure. Preparation and awareness at all levels of an organization are essential to helping reduce the likelihood of a breach and minimize its impact.

But how truly concerned are businesses? And how are they responding to these evolving threats?

With these questions in mind, Advisen and Zurich North America came together for a sixth consecutive year to study how business attitudes and strategies continue to evolve in information security and cyber risk management. The study represents a sustained commitment by both organizations to stay current with these evolving risks and the impact they have on businesses across the United States.

One theme that is constant throughout is a heightened need by businesses to become resilient against information security threats. As businesses work towards this resiliency goal, the insurance industry can play an important role in identifying emerging risks and responding to their needs.

KEY FINDINGS

• Eighty-seven percent of respondents believe a technology interruption would have a moderate-to-significant impact on their business. Still, 13 percent do not see technology interruption as even a moderate risk.
• Growth in the purchase of network security & privacy “cyber” insurance appears to be slowing, indicating the market is maturing. While the overall upward trend of organizations purchasing cyber insurance continued in 2016, it was up only seven percent from 2015.
• Over the last six years, the proportion of companies buying security & privacy cyber insurance has increased by 85%, from 35% in 2011 to 65% in 2016.
• For the first time in the six years of this study, general counsel has surpassed information technology (IT) as the department most frequently responsible for assuring compliance with all applicable federal, state or local privacy laws, including state breach notification laws.
• Most companies surveyed (97 percent) clearly recognize the importance of collaboration between their risk management and information technology (IT) departments on issues related to cyber security.
• Industries with substantial personally identifiable information (PII), personal health information (PHI) and/or personal financial information (PFI), in general, consider data security and privacy to be a more significant risk. As a result, they also are more likely to purchase security & privacy insurance and engage in risk management activities.
• Costs related to a breach of customer/personal information are the leading reason for purchasing “cyber” insurance.
• The majority of businesses are working to create a mindset of resilience by engaging in risk mitigation assessment and response plans.

1 Mike Snider and Elizabeth Weise, USA Today, “500 million Yahoo accounts breached,” (September 22, 2016), http://www.usatoday.com/story/tech/2016/09/22/report-yahoo-may-confirm-massive-data-breach/90824934/


ANALYSIS AND CONCLUSIONS

A lot has changed in information security and cyber risk management since 2011, the first year of this study. Hardly a week has passed without a report of a high-profile data breach, and just about every sector of the U.S. economy has been a target.

Over the past six years, this study has documented a marked shift in the attitude of risk professionals, executives and board members around cyber risk. Data breaches were once considered an unlikely event but are now expected to occur.

These changing views of risk professionals, executives, and boards are evident through a shifting approach to information security and cyber risk management. In the past, cyber risk was often considered as exclusively an IT issue. Now, it increasingly receives a multi-departmental risk management focus that requires participation from the mailroom to the boardroom, as well as input from external resources.

But the level of cyber risk concern is subject to a variety of factors and brings to light two different profiles within the business community: industries that collect substantial personal data (such as healthcare, communications, financial and banking, and retail) and those that do not.

These personal data-driven industries often have a higher degree of regulatory oversight and are further along in their understanding of cyber-related risk. The results of this study show that, in general, these industries view cyber risk more seriously, have more robust cybersecurity and risk management strategies, and are more likely to purchase a security and privacy insurance policy.

For example, 37 percent of the survey’s respondents come from personal data-driven industries, of which 76 percent view cyber risk as a significant threat. In comparison, of the 63 percent of respondents from all other industries, only 55 percent view cyber risk as a serious threat.

Likewise, 78 percent of respondents from personal data-driven industries purchase a security & privacy insurance policy, compared with only 59 percent from all other industries.

Over the six years of this study, the cyber risk awareness of businesses outside the personal data-driven industries has grown, but there are still some who believe their exposure is minimal. For example, the top reason respondents do not purchase a security & privacy insurance policy is they believe their organization is not susceptible to a cyber-related loss.

But these businesses are in the minority. As the level of awareness and concern grows, many businesses outside of personal data-driven enterprises believe they are exposed to a cyber-related loss. They want to become more resilient and take steps to ensure their organizations are able to prevent, detect, respond to and recover from information security incidents as quickly as possible. Preparedness is a key aspect to this resiliency and, according to the study, most have implemented at least some pre-breach risk management activities, many provided through internal resources.

The personal data-driven industries, however, are more likely to look for assistance outside the organization, particularly for pre-breach services. For example, overall the pre-breach service most commonly provided by external resources is a cyber risk management program assessment. Fifty-five percent of respondents from the personal data-driven segments look externally for this service, compared with 42 percent from all other industries. Most of the other pre-breach services, such as assessing procedures for protecting sensitive data, evaluating the company’s ability to detect and respond to indicators of data compromise, and employee training have similar findings.



Also, since cyber risk is more frequently viewed as an enterprise-wide issue, departments such as general counsel and risk management are now taking on larger roles. The study revealed that approximately 60 percent of pre-breach services are provided by internal resources such as IT, risk management, human resources (HR) and legal.

In recent years, cybercriminals have focused on the “human element” through social engineering tactics, such as phishing and spear phishing email. The survey respondents appear to recognize this threat, indicating the issue of greatest concern is employees unintentionally infecting the network with malware.

Managing risk from inside the organization through employee education is vital to help prevent and respond to social engineering campaigns. But according to the study, about 21 percent of respondents report they still do not have an employee education program.

Taken as a whole, there remains a great need for guidance in developing information security and cyber risk management programs and improving cyber risk resiliency. This is an opportunity for the insurance industry to bring value by helping to develop strategic cyber prevention and response initiatives, and demonstrating the benefits of security & privacy insurance policies.

PERCEPTION OF CYBER RISK

RISK PROFESSIONALS

Risk professionals continue to view cyber as a serious threat. When asked to what extent an internet, cloud or technology disruption would impact their daily business operations, 87 percent said it would have a moderate-to-significant impact (see Exhibit 1).

EXHIBIT 1: To what extent would an internet, cloud or technology disruption impact your daily business operations?

Industry, however, can influence this perception. Industries with substantial PII, PHI and/or PFI consider cyber risk in general to be a more significant threat. For example, 76 percent of respondents in the communications, healthcare, finance and banking, and retail industries viewed cyber risk as a significant threat compared to only 55 percent of all the other industries (see Exhibit 2).

Significant impact: 62%
Moderate impact: 25%
Slight impact: 6%
Minimal impact: 2%
Not sure: 5%



EXHIBIT 2: Would an internet, cloud or technology disruption have a significant impact on your daily business operations?

BOARDS AND EXECUTIVE MANAGEMENT

Boards and executive management also continue to view cyber risks more seriously and the gap in risk perception between the two continues to close. In response to the question, “In your experience, are cyber risks viewed as a significant threat by your organization’s leadership?” 83 percent said “yes” for Board of Directors. That is a substantial 15 percentage points higher than in 2015 and 38 percentage points higher than the first survey in 2011.

Eighty-five percent said “yes” for C-suite executives, 10 percentage points higher than 2015 and 27 points higher than the first survey in 2011 (see Exhibit 3).

EXHIBIT 3: In your experience, are cyber risks viewed as a significant threat by your organization’s leadership?

[Exhibit 2 chart: percentage answering “Yes”, communications, healthcare, finance and banking, retail vs. all other industries]

[Exhibit 3 chart: percentage of “yes” responses by year, 2011 to 2016, for Board of Directors and C-suite Executives]


Industry also influences the cyber risk perception of boards and executive management. When again looking at the communications, finance and banking, healthcare, and retail industries, 93 percent of boards and 95 percent of C-suite executives view cyber risk as a significant threat. Conversely, 79 percent of boards and 80 percent of C-suite executives from all the other industries view cyber risk as a significant threat (see Exhibit 4).

EXHIBIT 4: Are cyber risks viewed as a significant threat? (PII-, PHI- and PFI-driven segments vs. all other industries)

EXPOSURES

Respondents were asked to rate 12 cyber exposures on a five-point scale, ranging from extremely low risk to extremely high risk. According to all respondents, “employees unintentionally infecting the company’s network with malware” is the top concern with 50 percent rating it a high or extremely high risk. “Reputation damage due to privacy violation/loss of customer records” came in a close second, with 49 percent rating it a high or extremely high risk and “business interruption due to cyber disruptions” rounded out the top three with 47 percent (see Exhibit 5).

EXHIBIT 5: From the perspective of your organization, please rate each of the following risks.

[Exhibit 4 chart: percentage of “yes” responses for Boards and C-suite, communications, healthcare, finance and banking, retail vs. all other industries]

Exhibit 5: percentage of respondents who rated the exposure as high or extremely high risk

Employees unintentionally infecting the company’s network with malware: 50%
Reputation damage due to privacy violation/loss of customer records: 49%
Business interruption due to cyber disruptions: 47%
Privacy violation/data breach of customer records: 46%
A cyber attack via malware: 44%
Access to systems via interconnected devices or industrial control devices: 37%
Employees bringing their own devices or mobile device security: 36%
Vulnerability of operations and/or data outsourced to contractors: 33%
Vulnerability/risk associated with cloud computing or cloud data storage: 32%
Business interruption due to supplier cyber disruptions: 30%
Theft/loss of your organization’s assets/intellectual property due to a cyber attack: 30%
Holding your network hostage for extortion: 24%


Industry again has a significant influence on this perspective. Respondents from the four industries identified as having substantial PII, PHI, and/or PFI (communications, healthcare, finance and banking, retail) said “reputation damage due to privacy violation/loss of customer records” is their top concern, with 69 percent rating it a high or extremely high concern. This is compared to 38 percent rating it a high or extremely high concern from all the other industries.

Other top concerns of these personal data driven segments include “privacy violation/data breach of customer records” at 68 percent and “business interruption due to cyber disruptions” at 64 percent.

CYBER RISK MANAGEMENT: PREPARATION AND RESPONSE

The consequence of an information security incident can be severe. From the cost associated with responding to the event, to an interruption of business operations, to a tarnished reputation, it can impact both the short- and long-term health of the business.

With more risk professionals and senior leaders viewing cyber risk as a significant threat, a greater focus has been put on preparation. When a breach occurs, a number of things must happen quickly and in a coordinated fashion or it can rapidly become a crisis that spirals out of control. Companies that are prepared and take an enterprise approach to cyber risk management can be in a much better position to effectively respond when a breach is discovered.

With this in mind, respondents were asked what kind of pre-breach services they utilized and how they were provided. Assessing procedures for protecting sensitive data is the service most commonly provided by internal resources; evaluating the company’s ability to detect and respond to indicators of data compromise is the service most commonly provided by external resources; and assessment of cyber risk management programs is the service most commonly provided by insurance industry carriers and brokers (see Exhibit 6).

EXHIBIT 6: What kind of pre-breach services does your company use and who provides these services?


Exhibit 6 (share of respondents for each pre-breach service: provided externally (IT, Legal, PR, Consultants, Insurance broker or carrier) / provided internally (IT, Legal, HR, Communications) / not utilizing or conducting):

Assessment of your cyber risk management program: externally 46%, internally 51%, not utilizing 3%
Annual assessment of your exposure to cyber risk based on the current threat environment: externally 38%, internally 57%, not utilizing 5%
Assessment of your procedures for protecting sensitive data: externally 33%, internally 65%, not utilizing 2%
Evaluation of your company’s ability to detect and respond to indicators of data compromise: externally 38%, internally 57%, not utilizing 5%
Assessment of your data breach response plan and related capabilities: externally 38%, internally 56%, not utilizing 6%
Real-time updates on cyber threats specific to your company and industry: externally 34%, internally 57%, not utilizing 9%
Cyber workshops and training for employees: externally 30%, internally 49%, not utilizing 21%
Executive education on cyber risk: externally 23%, internally 61%, not utilizing 16%


Developing a robust response capability well in advance of a breach decreases the pressure on the business, lowers costs and reduces errors. This capability requires a high level of expertise. The study revealed that many businesses still primarily manage pre-breach planning, such as providing education for executives on cyber risk and assessing procedures for protecting sensitive data, from inside the company. Doing this effectively requires substantial resources typically only available to the largest organizations. As a result, the likelihood is high that many are not adequately prepared for a smooth and effective response.

External resources, however, are relied upon more frequently than internal resources in post-breach situations. Respondents who had experienced a breach resulting in economic loss were asked which, if any, services they engaged to respond to the breach. Crisis management is the post-breach service where internal resources are most commonly utilized (68 percent) and call center operations (80 percent) is the service where external resources are most commonly utilized (see Exhibit 7).

EXHIBIT 7: Please indicate which, if any, services you engaged to respond to the breach.

A smooth breach response also requires compliance with all applicable federal, state or local privacy laws. Cybersecurity had long been viewed as a function of IT, so it was not surprising that in previous years IT was the department most frequently responsible for maintaining compliance. But as cyber risk has increasingly become an executive- and board-level concern, as well as an enterprise-wide focus, this is changing.

For the first time, general counsel is the department most frequently responsible for assuring compliance with all applicable federal, state or local privacy laws, including state breach notification laws (see Exhibit 8). Additionally, 55 percent of risk management teams regularly work with their colleagues in IT on cyber security issues (see Exhibit 9). The importance of compliance is represented in the increased role of general counsel and demonstrates the influence of regulation and heightened awareness of the legal issues that result from a data breach.

[Exhibit 7 chart: horizontal bar chart (0% to 100%) comparing, for each service, the share of respondents who utilized external resources (e.g. IT, legal, PR, consultants) with the share who utilized internal resources (e.g. IT, legal, HR, communications). Services shown: breach coaching, credit monitoring, forensic investigation, call center operations, crisis management, legal services. Only the two values cited in the text are recoverable: crisis management, 68 percent internal; call center operations, 80 percent external.]


10 www.advisenltd.com

EXHIBIT 8: In the event of a data breach, which department in your organization is primarily responsible for assuring compliance with all applicable federal, state or local privacy laws, including breach notification laws?

General Counsel: 24%
Information Technology: 23%
Chief Information Security Officer/Chief Privacy Officer: 17%
Risk Management/Insurance: 14%
Compliance: 11%
Other: 11%

EXHIBIT 9: In your organization, how closely do members of the risk management team work with their colleagues in IT?

Regularly: 55%
Infrequently: 25%
Consider IT as part of the risk management team: 17%
Not at all: 3%


SECURITY & PRIVACY INSURANCE

Security & privacy insurance continues to play a growing role in corporate cyber risk management programs. Participants were asked, “Has your company purchased security & privacy insurance?” Sixty-six percent responded “yes,” 23 percent said “no,” and 11 percent said they did not know (see Exhibit 10).

When looking only at the industries identified as having significant personal data exposures (communications, healthcare, financial and retail), 78 percent purchased security & privacy insurance compared with 59 percent from all other industries.

Overall, the percentage of respondents who purchase security & privacy insurance has increased by 31 percentage points since 2011. The percentage of large companies (defined as having revenues in excess of $1 billion) has increased 35 percentage points over that period (from 35 percent in 2011 to 65 percent in 2015), while the percentage of small companies (defined as having revenues of $1 billion or less) has increased 26 percentage points.

EXHIBIT 10: Has your company purchased security & privacy insurance?

Of the respondents who purchase security & privacy insurance, the primary driver behind the insurance purchasing decision is expenses/fines related to a breach of customer/personal information at 36 percent. This was followed by liability costs at 20 percent. Interestingly, business interruption was the primary driver of the insurance purchasing decision of just 12 percent of respondents, yet it was rated a top three risk overall (see Exhibit 11).


Year:  2011  2012  2013  2014  2015  2016
Yes:   35%   44%   52%   52%   61%   65%
No:    60%   50%   38%   35%   26%   23%


EXHIBIT 11: What was the primary reason for purchasing security and privacy insurance?

Expenses/fines related to breach of customer/personal information: 36%
Liability costs: 20%
Company reputation (legal costs, public relations costs): 15%
Business interruption: 12%
Other (please specify): 9%
Theft/loss of intellectual property/proprietary processes: 6%
Property loss or damage: 2%

Continued growth in the “cyber” insurance market seems likely since 60 percent of respondents who do not currently purchase the coverage have considered purchasing it at some point. While 45 percent of respondents do not purchase security & privacy insurance because they think their risk does not warrant risk transfer, the remaining 55 percent currently do not because of market and product limitations. These are limitations that very well could change in the future (see Exhibit 12).

EXHIBIT 12: Why did your company choose not to purchase security and privacy insurance?

My risk does not warrant risk transfer: 46%
Prices too high for level of risk: 30%
Did not cover my risks: 21%
Limits too high: 3%


ABOUT THE SURVEY RESPONDENTS

For a sixth consecutive year, Advisen and Zurich North America collaborated on a survey designed to gain insight into the current state and ongoing trends in information security and cyber risk management. Invitations to participate in the survey were distributed via email to risk managers, insurance buyers and other risk professionals.

The survey was completed at least in part by 345 respondents. The majority of respondents classified themselves as either Chief Risk Manager/Head of Risk Management Department (37 percent) or Member of Risk Management Department (37 percent).

Many industries are represented. Healthcare has the highest representation at 16 percent of the total; followed by finance, banking and insurance at 12 percent; manufacturing at 11 percent; other at nine percent; public administration, education, energy and mining, and technology all at six percent; services at five percent; retail trade, real estate and construction all at four percent; government and transportation both at three percent; hospitality at two percent; automotive and communications both at one percent; and wholesale trade at 0.3 percent.

Businesses of all sizes responded to the survey. Overall, the survey is slightly weighted towards smaller companies, with 53 percent of respondent companies having revenues of $1 billion or less. In terms of number of employees, 24 percent of respondent companies have between 1,001 and 5,000, 22 percent have more than 15,000, 18 percent have between 5,001 and 15,000, another 18 percent have fewer than 250, 10 percent have between 501 and 1,000, and seven percent have between 251 and 500.

More information on cyber-related risks and solutions is available at http://www.zurichna.com/cyber.

The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.

©2016 Zurich American Insurance Company

EMILY LOWE

POSITION Vice President

PROFESSIONAL EXPERIENCE Emily joined Willis in 2014 and is a specialist within Willis Towers Watson's Boston FINEX Team. She provides risk management solutions in the privacy/network security, professional liability, media, and technology disciplines. Her responsibilities include research, analysis, placement and client service for the group's largest clients.

Prior to joining Willis, Emily was an Executive Underwriter in the Professional Liability group at ACE USA for over 5 years. Emily focused on sourcing, underwriting and closing technology, network security, privacy, media and professional liability risks produced in the New England Region. She also has experience in educational finance and financial consulting.

CREDENTIALS Emily has a BS in Finance from the University of Delaware and an MBA from Babson College. She is a member of the Steering Committee of the New England Chapter of the Professional Liability Underwriting Society. She recently completed the Beazley Broker Academy at Lloyd's in London.