CAPTIVE AND CYBER A MATCH MADE IN PARADISE · 2016-10-19
Liz Limjuco, Vice President, Marsh
Grace M. Crickette, CGEIT, CCEP, ARM, & AVP Business Operations - SFSU
Tina Summers, Senior Vice President, Marsh
October 19, 2016
Agenda
Cyber Insurance Market Update
Liz Limjuco, Vice President - Marsh
In her role as an Advisory Specialist at Marsh,
Liz engages with clients throughout the West
Zone to advise them on their Cyber, E&O,
media and intellectual property programs.
Liz joined Marsh in 2016. Previously she
worked at AIG as the Cyber Vendor Services
Leader managing the extensive cyber
vendors’ network and coordinating cyber
partnership opportunities for clients. Prior to
this, Liz was a Regional Underwriting
Manager for the Professional Liability Division
at AIG.
• B.S. Business focusing on Market Research -
University of Dayton.
My Cyber Story
Grace M. Crickette, CGEIT, CCEP, ARM, & AVP Business Operations – SFSU
Grace is passionate about creating innovative programs
that elevate the reputation of the organization, provide a
positive employee experience, and result in lasting change
and sustainable savings. She is an accomplished
Administrator and Financial Executive, CRO, CCO, and
Captive Insurance Officer, with an exceptional record of
success in leading institutional strategic business planning,
finance and budgeting, administration and operations
management, investment and business growth, large
scale information technology implementations, and
governance and risk management for a variety of
industries.
• 2011 Business Insurance's Women to Watch.
• Business Insurance - 2011 Risk Management Honor Roll.
• 2011 - Treasury and Risk magazine named Grace as one of the “100 Most Influential People in Finance”.
• Grace is an alum of the University of Redlands and Harvard Business School.
Cyber + Captives
Tina Summers, Senior Vice President – Marsh
Tina is a Consultant in Marsh’s Captive Solutions
Practice. In this role, her responsibilities include
providing consulting services in the captive and
alternative risk finance area by: assessing captive
opportunities; performing comprehensive feasibility
studies; and working with captive management on
captive formations. Tina also performs strategic
reviews for existing captives providing opportunities
for the captive to add more value to the client’s
organization.
Prior to joining Captive Solutions, Tina was an associate
client executive (ACE) in Marsh’s San Francisco Global
Risk Management Department.
• BA, University of California San Diego (UCSD)
• MBA, Haas School of Business, University of California Berkeley – Class of 2017
Cyber Insurance Market Update
Liz Limjuco, VP, Marsh
Cyber Insurance
Cyber Attacks: A Growing Global Risk
• Costs businesses $400B+ per year
• The world is becoming more dependent on the internet - with the quantity of data in circulation apparently doubling each year and estimates that there will be 50 billion connected devices in the world by 2020 – 6.5 devices for every person on the planet. [1]
[1] Marsh & McLennan Companies CYBER RISK HANDBOOK 2015
Source: Trustwave 2015
Variables:
• Credit Card Information
• 64% of retail breaches were e-Commerce
• 27% were Point of Sale
Cyber Insurance
Who is at risk?
Source: Trustwave 2015
Are you under attack?:
• 19% Self Detection
Cyber Insurance
You Know You are Under Attack When…
Cyber Insurance
Main Costs and Loss Items
Government Regulators
TYPES OF POLICIES
• GENERAL LIABILITY
• PROPERTY
• ERRORS AND OMISSIONS
• FIDELITY AND CRIME
• D&O
Cyber Insurance
Understanding the Gaps in Coverage
Cyber Insurance
How Does a Cyber Policy Fill Gaps in Traditional P&C Policies
For clients that DO NOT purchase a stand alone Cyber policy, these are likely exposures they are self-insuring.
Legend: Not typically covered | Covered in some cases | Typically covered
Trends & Developments
Standalone Cyber Insurance
Increasing Limits
Larger Losses
Abundant Capacity
Pricing Pressures
Business Interruption / Property Damage
Cyber Extortion
Social Engineering
Cyber Insurance
What’s happening in the insurance market today?
• Growing Market
– Gross written premiums expected to increase from $2.5B in 2014 to $7.5B in 2020.
– Capacity remains steady at approximately $500M.
– New area of opportunity in otherwise soft Property and Casualty markets.
– Traditional or “legacy” Cyber insurers threatened by naïve capacity.
• Opportunity Riddled With Uncertainty
– Where else (which policies) are insurers exposed to Cyber claims?
– Uncertainty in some industries is driving conservative pricing.
– Aggregation and concentration continue to be a major concern.
Cyber Insurance
Current State of Underwriting
My Cyber Story
Grace M. Crickette, CGEIT, CCEP, ARM & AVP Business Operations – San Francisco State University
• Tell my story: captive experience and cyber experience
DISRUPTIVE INNOVATION:
Emerging technologies will be the dominant driver of disruptive
innovation, bringing significant opportunities and threats.
DISRUPTIVE INNOVATION:
How can your Captive be a dominant driver in providing cyber insurance
and address the information technology opportunities and threats
facing your organization?
Cyber + Captive =
CAPTIVE CAPABILITY
• Help manage volatility in retained risk positions between siloed infrastructure
• Provide coverage to stakeholders who don’t fit in self-insured trust mechanisms
• Support development of revenue generating insurance activities
• Support enterprise risk management efforts by building mutually beneficial insurance infrastructures for various stakeholders
• Capitalize on enterprise risk management expertise
CISO’S PAIN
• The Insurance Program is not aligned with the improvements that need to be made
• The Insurance Program coverage is limiting
• The Business Partners that will bring innovation to our IT Architecture don’t meet our insuring requirements, impeding progress
• Vendor Management capabilities are insufficient
• Difficulty communicating the Risk Environment and ROI on security measures to Leadership and the Board
What Information Technology Operational or Strategic Challenges are you able to solve leveraging the Captive?
A Match Made in Paradise?
• Leverage your Captive to provide insurance coverage that provides a holistic cover for Information Technology
• Leverage your Captive to address issues associated with Information Technology Partners
• Leverage your Captive to drive the Governance of Enterprise Information Technology
How to Find Cyber Insurance for the Uninsurable
When the University of California sought cyber liability insurance, it found no one
wanted to write the coverage. Chief Risk Officer Grace Crickette shares how her two
years of persistence paid off in finding a Lloyd’s syndicate that reverse underwrote the
coverage — paying claims only as long as they meet certain standards.
http://www.insurancejournal.tv/videos/5186/
(handout to be provided)
Opportunity: Your Computer on Wheels
Here are some things connected cars can do now—or will be able to do in a few years
Outside the Firewall
IT Risk Mitigation
• Frameworks (risk assessments)
• Vulnerability analysis
• Penetration and Controls testing
• Internal corporate processes and culture:
o IT Risk committee
o Training and awareness
o Contractual risk transfer
o Financial risk transfer
o Incident response plan
o Claims process
o IT and Security protection (encryption, device tracking)
SERMP
Appetite and Tolerance
Develop Risk Appetite & Tolerance Statements
• Technology
• Appetite Statement: We have a low risk appetite for continuing with outdated and legacy systems; we have a high tolerance for moving forward with new systems even with some element of risk in execution and performance.
• Tolerance: We evaluate new systems for potential “bugs” and disruption and we will not tolerate launching a system that is known to cause disruption for more than 4% of our Customers.
• Action: On systems where the review indicates a known disruption of more than 4% of Customers, we will delay deployment.
Appetite and Tolerance
• Safeguarding Information
• Appetite Statement: We have a very low Risk Appetite for privacy or security breach of Protected Information, balanced with a need to have timely and accurate Customer information in order to better serve our Customers.
• Tolerance: We will ensure over the next year that all of our systems and processes (cyber or non-cyber) and 3rd Party providers have the appropriate safeguards in place.
• Action: Compliance reports will be monitored by the Executive Team and progress will be reported to the Board.
Metric | Target | Actual
PCI Compliance (% of Compliance) | 100% | 86.9%
Security Risk Management Program (% of Completion) | 100% | 40%
ISO Compliance (% of compliance with ISO 27001 / 27002) | 95% | Not Available
Score: 63%
Data / Systems Security: Ability to safeguard data and critical operational data.
Management Mitigation Plan: The execution of a 27-point plan to lock down intrusion detection and protection is underway; the Security Risk Management Framework is underway and will be updated quarterly; assess systems against ISO 27001/27002.
Accountable Executive: CIO
Sample Board Report
Data / Systems Security
Monitoring & Reporting
Where to Learn More
• http://www.microsoft.com/atwork/security/
• http://www.insurancejournal.tv/videos/8466/
• http://privacyguidance.com/myblog.html The Privacy Professor Blog
• http://www.ponemon.org/ Ponemon Institute
• http://www.wileyrein.com/professionals.cfm?sp=bio&id=145#pub Kirk Nahra
Cyber + Captive
Tina Summers, Senior Vice President
Marsh Captive Solutions
Cyber Insurance
How Can a Client Use a Captive for Cyber Risk?
[Diagram labels: Retention/Deductible; 1st and 3rd Party Cyber Liability Insurance Risk Transfer Program; Excess CAT Limits; Uninsurable Risks; Self Insured Risk Transfer; Ventilated Layer Limit; Fronted Program with Commercial Carrier; 1st Party OR 3rd Party Exposure Self-insured]
1. Captive
• Reimbursement Policy for SIR/Deductible
2. Captive
• Policy for exposures insurer will not cover
• Possible access to reinsurance markets
3. Captive
• Policy for Excess Limits
• Possible access to reinsurance capacity
4. Captive
• Quota Share or Limit for layer within risk transfer program
5. Captive
• Quota Share or Limit for layer within risk transfer program
6. Captive
• Reinsures front
BENEFITS OF USING CAPTIVE FOR CYBER
• Market pricing is cost prohibitive and company feels retaining risk is a more efficient use of capital
• Smooths the volatility of retained losses and dampens balance sheet impact by segregating funds in the form of premiums to pay potential losses
• Captive captures and quantifies all loss costs versus expenses within the retention being siloed among the various claim stakeholders (i.e. IT, legal, PR, risk, finance, customer service, etc.)
• Access reinsurance for potentially broader coverage
• Write coverage for gaps in risk transfer policy (some risks are uninsurable in the current marketplace)
• Utilize captive surplus for Cyber Business Interruption Quantification (CBIQ) analysis
• Solve operational issues: coverage for 3rd party providers & align insurance underwriting with IT Governance and Strategy