Cyber insurance: The next frontier

2017-03-30


Table of contents

Summary
The Market Need
  Cyber Risk: A Growing Concern
  Rising Cost of Cyber Crime
  Impact by Industry
Cyber Risk and Insurance
  Cyber Risk under Traditional Insurance Cover
  Standalone Cyber Cover
  Recent Development in Australia
Considerations when Developing Cyber Insurance
  Challenges for Insurers
    Lack of Historic Data
    Understanding Risk Appetite and Risk Aggregation
  Recommendations
    Solving the Data Challenge
    Risk Management
    Data Pools
    Holistic Risk Solution
Conclusion
References


The market need

Cyber risk has emerged as one of the top challenges faced by companies worldwide. A string of high-profile data breaches have populated news headlines across the globe, including those involving Target in 2013, Sony Pictures Entertainment in 2014, and the Ashley Madison website in 2015. In Australia, David Jones and Kmart both suffered data breaches in October 2015. Statistics from the Australian Cyber Security Centre (ACSC) show that, during 2014, authorities responded to 11,733 reported cases of cyber incidents affecting Australian businesses.

In the current cyber landscape, cyber attacks on businesses now appear to be inevitable. For businesses, being attacked is no longer a matter of ‘if’ but ‘when’. Companies are now more conscious of cyber risk, with a 2015 survey of major Australian businesses conducted by the ACSC showing that 77 per cent of respondents have a cyber security incident response plan in place.

The issue of cyber risk has extended beyond the realms of IT and has become a strategic business issue. Company boards and C-level executives are becoming actively involved in cyber risk management decisions.

The increased awareness of cyber risk has also generated increased interest in cyber insurance as a mechanism for risk transfer. The UK government has actively encouraged the role of insurance in managing and mitigating cyber risk.

According to Fitch Ratings, cyber cover represents a key growth opportunity for the insurance industry, and many insurers have sought to take advantage of this by offering cyber risk insurance products. While the cyber insurance market is still relatively small, it is experiencing exponential growth with PwC estimating that the global cyber insurance market will triple in size from US$2.5 billion in 2014 to US$7.5 billion by 2020. A large Australian insurance broker estimates that its gross written premium for cyber policies will increase from AU$15 million in 2015 to AU$25 million in 2016.

Since its inception, insurance has always served to manage risk. In the 17th century, a fire could destroy a shop front, records, and an entire business. Fire insurance served as a means of managing this risk both financially and actively, as insurers owned fire brigades.

In the 21st century, cyber risk can equally destroy a business by destroying its records and its reputation. Beyond providing insurance, the standards and guidelines developed by the industry have the potential to define best practices and act as pseudo-regulations. Organisations need a means to manage cyber risk outside of their risk appetite; the insurance industry can fulfil this need.

Whilst cyber insurance fulfils a market need, it is also an opportunity for growth for insurance providers. Market saturation in the insurance industry has meant that insurers have found organic growth difficult to attain. Insurers that can identify emerging areas and successfully navigate these trends will be better placed for growth. Insurers looking to capitalise on the growing cyber insurance market, and develop it into a profitable and sustainable line of business, must come to terms with the complexity of cyber risk.

Summary

Estimated size of global cyber insurance market:

  PwC           US$2.5bn in 2014 to US$7.5bn in 2020
  ABI Research  US$10bn in 2020
  Lloyds        US$85bn

Some commentators have raised concerns that insurers potentially face an aggregated risk from catastrophic cyber attacks that have a systemic impact. Insurers will need to find a balance between providing cyber policies that address their client’s needs and finding an acceptable level of exposure to their cyber insurance portfolio. In order to do this, insurers will need to gain a better understanding of the cyber risk landscape.

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

John Chambers, Executive Chairman and former CEO of Cisco


Cyber risk: A growing concern

According to the Allianz Risk Barometer 2016, a survey based on the responses of more than 800 risk experts from over 40 countries, cyber risk is now a top-three global business risk and the top long-term risk. This concern is not limited to a specific industry; cyber risk achieved a top-five ranking in the financial services, manufacturing, power, and transportation industries.

This increased concern regarding cyber risk is not unfounded. A 2015 UK survey of 664 organisations, conducted by PwC, found that 90 per cent of large organisations and 74 per cent of small businesses suffered a security breach. Closer to home, a 2015 survey of 149 major Australian businesses across 12 industry sectors found that 50 per cent of respondents had suffered a breach.

Companies are responding to this growing threat by spending more on information security. The 2015 ACSC survey found that 56 per cent of respondents reported an increased expenditure on cyber security. This represents a significant increase from the 2013 survey result of 27 per cent. In a separate estimate in 2015, Gartner predicted that annual information security spend for Australian companies will grow by 7.4 per cent, which is well above the 4.7 per cent worldwide growth average.

[Figure: Top 10 global business risks for 2016, percentage of respondents listing each as a top risk (values between 11% and 38%). Risks shown: Business Interruption; Market Developments; Cyber Incidents; Natural Catastrophes; Fire, Explosion; Theft, Fraud and Corruption; Political Risks; Loss of Reputation or Brand Value; Macroeconomic Developments; Changes in Legislation and Regulation. Source: Allianz]


Rising cost of cyber crime

The ‘2015 Cost of Cyber Crime Study: Australia’ is the fourth annual study of Australian companies conducted by the Ponemon Institute. It found that the average annualised cost of cyber crime in Australia rose 13 per cent from AU$4.27 million in 2014 to AU$4.9 million in 2015. The 2015 study used a sample of 28 Australian-based organisations with an annualised cost of cyber crime ranging from AU$0.79 million to AU$18 million.

Other key findings of the 2015 Cost of Cyber Crime Study included:

Cyber crime costs vary by organisational size, with a positive relationship between organisational size and annualised cost. However, the per capita cost for small organisations was significantly higher than for larger organisations ($1,919 versus $372).

Cyber crimes are taking longer to resolve, with the average time to resolve a cyber attack now 31 days, up from 23 days in 2014. The average cost incurred over this period has also increased significantly, by 47 per cent to AU$419,542.

Cyber crime affects all industries, but to different degrees. Organisations in the energy and utilities, financial services, and technology industries experienced substantially higher cyber crime costs than organisations in media, consumer products, and retail.


Impact by industry

The diagram below summarises the different impacts that cyber attacks have on different industries. When developing policies, insurers need to recognise that the risk and potential claims from some industries can be substantially greater than for others.

Case Study: Target Breach 2013

In 2013, Target Corporation suffered a data breach of 40 million payment card information records and 70 million personally-identifiable information records. As of December 2015, Target has estimated that it had accrued US$290 million in expenses as a result of the breach. Just US$90 million will be covered by insurance.

The total amount includes a US$67 million settlement of class action lawsuits brought by Visa Inc. on behalf of banks, and other issuers of credit and debit cards, a US$10 million settlement with shoppers, and a US$39 million settlement with MasterCard and other issuing banks not covered by other class actions.

Target was reported to have been insured across a number of providers. It was self-insured for US$10 million of cyber coverage and held policies of US$15 million with Ace Ltd, US$10 million with American International Group Ltd, US$10 million with Axis Capital Holdings Ltd, and US$40 million among four unidentified insurers.

Target was also reported to have US$60 million of directors’ and officers’ liability (D&O) insurance, of which US$10 million was self-insured, US$25 million with American International Group Ltd, US$15 million with Ace Ltd, and US$15 million with The Travelers Companies Inc.

Source: Centre for Internet Safety


Cyber risk and insurance

Since its inception, insurance has existed to mitigate the consequences of an adverse event by transferring the risk to a third party, i.e. the insurer. Cyber risk insurance is no different; it aims to transfer the adverse consequences of a cyber incident from the policyholder to the underwriter of the insurance policy.

Interestingly, 52 per cent of CEOs and CIOs of large UK-based organisations thought that their organisation had insurance that would cover them in the event of a cyber breach. However, the percentage of firms with cyber cover (under standalone cover or implicit in other policies) was only 10 per cent. Furthermore, the actual penetration of standalone cyber insurance products for UK large businesses was closer to 2 per cent.

These results reflect the inadequacy of traditional insurance policies at protecting against cyber risk, and a need for insurers to provide policyholders with a clearer picture of what is covered under existing policies. A better understanding of coverage will let policyholders make informed decisions about the role of insurance in their broader cyber risk-mitigation strategy.

It is also important for insurers to examine their existing exposure to cyber risk under their traditional policies and include it when examining their appetite for cyber risk. This is the case even if the insurer has no intention to provide standalone cyber insurance cover.

Cyber risk under traditional insurance cover

Traditional insurance cover was not designed to protect against cyber risk and many underwriters have introduced specific exclusions for losses incurred as a result of a cyber incident. The following section examines the treatment of cyber claims under traditional insurance policies.

Property: Damage to software and data as a result of a cyber attack is usually not covered as they are deemed to be intangible forms of property. Some policies also have specific exclusions removing cyber attack triggers for physical asset damage (e.g. the perils exclusion under s7(a)(ii) of the Mark IV Industrial Special Risks policies that form the basis of many property insurance policies for large businesses).

Business interruption: Cover is for lost revenue and additional costs incurred. Most traditional policies are not triggered by cyber attacks that do not cause physical damage.

General liability: This covers third-party liabilities for physical property damage, bodily injury, and advertising injury. However, most general liability policies have introduced an exclusion of coverage for claims arising from unauthorised access to, or disclosure of, personal information.

Errors and omissions/professional indemnity: This cover is for third-party liabilities arising from the performance of professional services. Cover may be restricted to liability claims from customers and not affected employees.

Terrorism reinsurance scheme: Under the terrorism reinsurance scheme, reinsurance is available to primary insurers for commercial property and associated business interruption loss associated with a declared terrorist incident. However, loss arising from a computer crime is specifically excluded in Schedule 1 of the regulations. Therefore, losses arising from cyber incidents are unlikely to be covered under the terrorism reinsurance scheme.


Standalone cyber cover

Outside of traditional insurance policies, many insurers now offer extensions to traditional policies and standalone products to cover the following loss categories. Some of the loss categories below are often bundled together under a cyber policy while others are optional extras. Some of these losses are completely insurable while others are subject to sub-limits. When underwriting policies, insurers will need to determine the appropriate mix of these loss categories to cover.

Loss category: cover

Data and software loss: The cost of reconstituting data and/or software that has been corrupted or deleted.

Business interruption: The loss of revenue or additional expenses incurred due to the unavailability of IT systems or data as a result of cyber attacks or other non-malicious IT failures.

Cyber extortion: The cost of expert handling for extortion and the ransom payment.

Cyber crime: The direct financial loss arising from the use of computers to commit fraud or theft of money, securities, or other property.

Breach of privacy: The cost to investigate and respond to privacy breaches, notification costs, fines from regulators, and third-party liability claims arising from the incident.

Network failure liabilities: Third-party liabilities arising from a failure of security that causes network systems to be unavailable to third parties.

Brand damage: The loss of revenue arising from an increase in customer churn or reduced transaction volumes that are directly attributable to the publication of a security breach event.

Physical asset damage: First-party loss due to destruction of physical property resulting from cyber attacks.

Death and bodily injury: Third-party liability for death or bodily injury resulting from cyber attacks.

Intellectual property theft: The loss of value of an IP asset.

Forensic and response costs: The cost incurred to investigate and resolve the cyber incident and minimise post-incident losses.

Legal costs: The legal cost of defence or settlement of third-party claims.

Recent development in Australia

A recent development in the Australian regulatory landscape that is likely to impact the adoption of cyber insurance products is the mandatory notification requirement proposed under the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. Under the proposed scheme, organisations with annual turnover of AU$3 million or more will need to notify affected individuals of a ‘serious data breach.’

The bill defines a ‘serious data breach’ as one where there is a ‘real risk of serious harm’ to any of the individuals whose information has been the subject of the breach. Should this Bill be passed, organisations that are subject to a data breach will face increased costs and reputational damage, which could give organisations more reason to take up cyber insurance cover as part of their risk mitigation strategy.

Under the current legislation, corporations are liable to fines of up to AU$1.8 million for breaches of the Privacy Act. Mandatory notification will bring Australia in line with other jurisdictions such as Canada, the European Union, and certain states in the United States.


Considerations when developing cyber insurance

Given the complexity of cyber risks, there are a number of issues that insurers will need to consider when developing their cyber insurance policies. A quick analysis of the existing products has shown that most insurers offer policies that have a similar set of covered items and exclusions. The variance between the policies is in whether sub-limits have been applied to certain loss categories.

Individual insurers and the insurance industry as a whole will need to determine what role they wish to play in the risk management process. By adopting standard terms and conditions that dictate the security standards policyholders need to comply with (e.g. firewalls, hosting locations, etc.), insurers have the potential to assume a pseudo-regulatory role that shapes how businesses manage their cyber risk.

Furthermore, by packaging their insurance product with incident-response services that mitigate the costs of a breach, insurers can provide a holistic risk solution to their clients.

Challenges for insurers

Lack of historic data

A commonly-raised issue regarding the underwriting of cyber insurance policies is the lack of historic data on cyber risk. While many surveys regarding the cost of cyber crime have been conducted, these surveys sample a selected number of organisations. As a result, the findings are descriptive rather than normative, and cannot be used as a statistical basis for actuarial analysis. This lack of data makes it difficult for insurers to accurately price cyber insurance policies, so many insurers have tended to take a conservative approach.

Analysing the pricing of cyber insurance cover has shown that the rate on line (premium divided by limit of indemnity purchased) for the primary layer for cyber insurance (part of the policy that pays first in case of a loss) is three times higher than for general liability cover and six times higher than property. The pricing for cyber insurance across firms is also much flatter than that of general liability and property insurance. Together, these have a negative impact on cyber insurance, with a higher price likely to discourage take-up and the lack of price differentiation reducing the incentive for policyholders to improve their security posture to save on premiums.

Understanding risk appetite and risk aggregation

The non-physical nature of cyber risk and the interconnectedness of the digital world mean that a single cyber event can affect thousands of policyholders in different geographical locations. As a result, an insurer may find itself subject to catastrophic losses due to the aggregation of risk across its clients. It is, therefore, important for insurers to understand the potential for risk aggregation and to clearly understand the possible maximum loss they would face if a systemic event were to occur. This will let insurers balance their exposure with their appetite for cyber risk.

Some have suggested that the aggregation of risk is too great for the private sector and that a government backstop is required. However, a recent report suggests that, although the estimated possible maximum loss of £20 billion for a single cyber event is greater than that of a nuclear event, it is well within the £65 billion insurance/reinsurance capacity for a natural catastrophe such as a Tokyo or California earthquake.


Recommendations

Solving the data challenge

The lack of historical data has two broad potential solutions.

Risk management

Throughout the history of developing insurance policies, actuaries have at times been challenged with the lack of historic data. Underwriters need to recognise that, in the rapidly-changing threat landscape, historic data is less important than a thorough understanding of cyber risks, probability, and the ability to mitigate cyber risks.

Underwriters looking to price policies can engage cyber security experts who understand the threats. IT security experts can provide a security assessment of potential policyholders. Maturity statements that compare a company’s security posture against industry standards can be used as inputs in the screening process. Assessment reports can also include roadmaps for how a policyholder can achieve industry standards. This has the benefit of reducing risk for the insurer and can potentially lower premiums for the insured at renewal. For smaller organisations where the cost of a comprehensive security assessment may be prohibitive, insurers can work with cyber security experts to develop standard security surveys that can ascertain the security posture of the policyholder.

In the absence of historical data, some insurers have developed modelling tools based on Monte Carlo simulations to evaluate the potential loss exposure from cyber risk.
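The risk-aggregation concern above (a single systemic event hitting many policyholders at once) and the Monte Carlo approach just mentioned can be shown together in one small model. This is an added example, not a tool from the paper or from any insurer: the portfolio, the loss distribution, the share of a loss that falls under sub-limits and the 1-in-200 possible maximum loss are all constructed assumptions, and the amounts are illustrative AU$ millions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    limit: float       # overall limit of indemnity per policy year
    sub_limit: float   # sub-limit applied to the sub-limited loss categories
    p_breach: float    # assumed annual probability of an isolated incident
    premium: float     # annual premium, used for the rate on line


# Assumed share of a gross loss that falls in sub-limited categories
# (e.g. extortion or forensic costs); a constructed figure, not from the paper.
SUB_LIMITED_SHARE = 0.3


def capped_loss(gross, pol):
    """Apply the sub-limit to its share of the gross loss, then the overall limit."""
    sub_part = min(SUB_LIMITED_SHARE * gross, pol.sub_limit)
    rest = (1.0 - SUB_LIMITED_SHARE) * gross
    return min(sub_part + rest, pol.limit)


def rate_on_line(pol):
    """Premium divided by limit of indemnity, as the text defines it."""
    return pol.premium / pol.limit


def simulate_year(rng, portfolio, p_systemic, hit_fraction, mu=0.5, sigma=1.0):
    """One policy year. With probability p_systemic a single event hits
    hit_fraction of all policyholders at once, on top of each policy's
    independent incident probability. Severity is a heavy-tailed lognormal."""
    systemic = rng.random() < p_systemic
    total = 0.0
    for pol in portfolio:
        hit = systemic and rng.random() < hit_fraction
        if hit or rng.random() < pol.p_breach:
            gross = rng.lognormvariate(mu, sigma)
            total += capped_loss(gross, pol)
    return total


def percentile(values, q):
    """q-th percentile (0-100) by rank position on the sorted sample."""
    s = sorted(values)
    idx = int(round(q / 100.0 * (len(s) - 1)))
    return s[idx]


def run(portfolio, years, p_systemic, hit_fraction, seed=1):
    """Monte Carlo over many simulated policy years; seeded for repeatability."""
    rng = random.Random(seed)
    losses = [simulate_year(rng, portfolio, p_systemic, hit_fraction)
              for _ in range(years)]
    return {
        "expected_annual_loss": sum(losses) / years,
        "pml_99_5": percentile(losses, 99.5),   # 1-in-200-year possible maximum loss
        "worst_year": max(losses),
        "max_exposure": sum(p.limit for p in portfolio),  # sum of all limits
    }


def within_appetite(result, appetite):
    """Compare the modelled possible maximum loss with the insurer's stated appetite."""
    return result["pml_99_5"] <= appetite


if __name__ == "__main__":
    # Constructed book: 100 identical policies with a AU$10m limit and a AU$1m sub-limit.
    book = [Policy(limit=10.0, sub_limit=1.0, p_breach=0.05, premium=0.35)] * 100
    independent = run(book, 4000, p_systemic=0.0, hit_fraction=0.0)
    systemic = run(book, 4000, p_systemic=0.05, hit_fraction=1.0)
    print("rate on line:", rate_on_line(book[0]))
    print("independent incidents only:", independent)
    print("with systemic events:", systemic)
    print("within AU$150m appetite?", within_appetite(systemic, 150.0))
```

Comparing the two runs shows why the text stresses aggregation: the expected loss barely moves, but the 1-in-200 possible maximum loss jumps once a single event can hit the whole book.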

Data pools

Another solution to the data challenge is for the insurance industry to collaborate and pool anonymised data. By working with government agencies such as the ACSC, insurance companies can get access to data from reported incidents. A third potential source of data is cybersecurity providers, who will be able to provide insurers with anonymised data from customer security logs.

Holistic risk solution

Insurance companies have the opportunity to provide a holistic solution to cyber risk. By bundling ancillary services such as threat intelligence and digital attack simulations with their cyber risk product, they can offer policyholders additional value and reduce the likelihood of successful attacks against the insured.

By gathering threat intelligence, insurers can create a threat map that profiles a client’s position. Following that, insurers could conduct a risk assessment. This may include activities such as penetration testing, security audits, and white hat hacking campaigns to get a clear view of the client’s risk profile. As a final step, ongoing training is essential for the insurer, the brokers they work with, and for clients, who may be entitled to reduced premiums if they have certain requirements in place such as security certifications and accreditations.

In the event of a cyber breach, it is in the insurer’s and insured’s best interests to mitigate the losses arising from the attack. However, the vast majority of organisations do not have the adequate expertise to handle a cyber incident effectively to minimise damage. Therefore it is necessary to engage an incident response team that can be deployed to manage the adverse consequences of a breach.


An independent third party will also need to be engaged to provide post-incident investigation. At this stage, the cyber security expert will operate as a claims assessor, gathering evidence and determining the root cause of the incident, as well as expected and covered losses, and costs of the breach.

[Figure: insurer involvement across the policy lifecycle. Pre-coverage: Assess. During coverage: Support. Post-incident: Respond. Activities shown: Policy and Product Development; Maturity Assessment; Prevention and Defence; Forensics; Claims Assessment.]

Conclusion

Cyber insurance is an emerging product that is likely to grow exponentially over the next few years. In fact, it is likely to grow much faster than other insurance products such as automobile, life, or home and contents insurance. Once people and businesses genuinely understand the scope and severity of the threat they are exposed to, demand is likely to accelerate rapidly. Insurers looking to capitalise on this new revenue stream will need to act swiftly and develop a strategy around cyber insurance. A thorough understanding of cyber risk and a partnership with cyber security experts will be critical to success.

While insurers may look to hire these skills in-house, this approach could be hindered by the ongoing shortage of cyber security skills in the market. The other option is for insurers to partner with organisations that can provide the insight and advice that they need with policy development and claims assessment.


References

Allianz, Allianz Risk Barometer: Top Business Risks 2016, January 2016

Australian Cyber Security Centre, 2015 Cyber Security Survey: Major Australian Businesses, December 2015

Australian Government and Australian Reinsurance Pool Corporation, Cyber Terrorism and Australia’s Terrorism Insurance Scheme: Physical Destructive Cyber Terrorism is a Gap in Current Insurance Coverage, March 2016

CERT Australia, Cyber Crime & Security Survey Report 2013, May 2014

Fitch, The Rise of Cyber Insurance: Growth Opportunity Paired with Incalculable Threat, March 2015

Gartner, Forecast Analysis: Information Security Worldwide, 2Q15 Update, September 2015

Greenwald J, ‘Target has $100M of cyber insurance, $65M of D&O cover: Sources’, Business Insurance, 14 January 2014, Accessed 18 February 2016, http://www.businessinsurance.com/article/20140114/NEWS07/140119934

HM Government and Marsh, UK Cyber Security: the role of insurance in managing and mitigating the risk, March 2015

Insurance Information Institute, Cyber Risk: Threat and opportunity, October 2015

Liew R, ‘Aon finds cyber insurance a booming trade as hacks spike’, Australian Financial Review, 14 September 2015, Accessed 18 February 2016, http://www.afr.com/technology/aon-finds-cyber-insurance-a-booming-trade-as-hacks-spike-20150910-gjjk20

Ponemon Institute, 2015 Cost of Cyber Crime: Australia, September 2015

PricewaterhouseCoopers, Information Security Breaches Survey 2015, June 2015

PricewaterhouseCoopers, Insurance 2020 & beyond: Reaping the dividends of cyber resilience, September 2015

PricewaterhouseCoopers, Top Issues: The promise and pitfalls of cyber insurance, January 2016

Stempel J and Rose N, ‘Target in $39.4 million settlement with banks over data breach’, Reuters, 2 December 2015, Accessed 18 February 2016, http://www.reuters.com/article/us-target-breach-settlement-idUSKBN0TL20Y20151203

Stewart E, ‘Cyber attack insurance growing fast’, ABC News, 9 October 2015, Accessed 18 February 2016, http://www.abc.net.au/news/2015-10-09/cyber-attack-insurance-growing-fast/6842744


About DXC

DXC Technology (NYSE: DXC) is the world’s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company’s technology independence, global talent and extensive partner alliance combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2017 DXC Technology Company. All rights reserved. DXC_CSC-363. March 2017. www.dxc.technology