Cyber insurance: The next frontier. Cyber insurance the next frontier

Transcription

1 Cyber insurance the next frontier 1

2 Table of contents Summary 3 The Market Need 3 Cyber Risk: A Growing Concern 4 Rising Cost of Cyber Crime 5 Impact by Industry 6 Cyber Risk and Insurance 7 Cyber Risk under Traditional Insurance Cover 7 Standalone Cyber Cover 8 Recent Development in Australia 8 Considerations when Developing Cyber Insurance 9 Challenges for Insurers 9 Lack of Historic Data 9 Understanding Risk Appetite and Risk Aggregation 9 Recommendations 10 Solving the Data Challenge 10 Risk Management 10 Data Pools 10 Holistic Risk Solution 10 Conclusion 11 References 12

3 SUMMARY Since its inception, insurance has always served to manage risk. In the 17 th century, a fire could destroy a shop front, records, and an entire business. Fire insurance served as a means of managing this risk both financially and actively, as insurers owned fire brigades. In the 21 st century, cyber risk can equally destroy a business by destroying its records and its reputation. Beyond providing insurance, the standards and guidelines developed by the industry have the potential to define best practices and act as pseudo-regulations. Organisations need a means to manage cyber risk outside of their risk appetite; the insurance industry can fulfil this need. Whilst cyber insurance fulfils a market need, it is also an opportunity for growth for insurance providers. Market saturation in the insurance industry has meant that insurers have found organic growth difficult to attain. Insurers that can identify emerging areas and successfully navigate these trends will be better placed for growth. Insurers looking to capitalise on the growing cyber insurance market, and develop it into a profitable and sustainable line of business, must come to terms with the complexity of cyber risk. The market need Cyber risk has emerged as one of the top challenges faced by companies worldwide. A string of high-profile data breaches have populated news headlines across the globe, including those involving Target in 2013, Sony Pictures Entertainment in 2014, and the Ashley Madison website in In Australia, David Jones and Kmart both suffered data breaches in October Statistics from the Australian Cyber Security Centre (ACSC) show that, during 2014, authorities responded to 11,733 reported cases of cyber incidents affecting Australian businesses. In the current cyber landscape, cyber attacks on businesses now appear to be inevitable. For businesses, being attacked is no longer a matter of if but when. Companies are now more conscious of cyber risk, with a 2015 survey of major Australian businesses conducted by the ACSC showing that 77 per cent of respondents have a cyber security incident response plan in place. The issue of cyber risk has extended beyond the realms of IT and has become a strategic business issue. Company boards and C-level executives are becoming actively involved in cyber risk management decisions. The increased awareness of cyber risk has also generated increased interest in cyber insurance as a mechanism for risk transfer. The UK government has actively encouraged the role of insurance in managing and mitigating cyber risk. According to Fitch Ratings, cyber cover represents a key growth opportunity for the insurance industry, and many insurers have sought to take advantage of this by offering cyber risk insurance products. While the cyber insurance market is still relatively small, it is experiencing exponential growth with PwC estimating that the global cyber insurance market will triple in size from US$2.5 billion in 2014 to US$7.5 billion by A large Australian insurance broker estimates that its gross written premium for cyber policies will increase from AU$15 million in 2015 to AU$25 million in There are two types of companies: those who have been hacked, and those who don t yet know they have been hacked. John Chambers, Executive Chairman and former CEO of Cisco Estimated Size of Global Cyber Insurance Market PwC US$2.5bn in 2014 to US$7.5bn in 2020 ABI Research US$10bn in 2020 Lloyds US$85bn Some commentators have raised concerns that insurers potentially face an aggregated risk from catastrophic cyber attacks that have a systemic impact. Insurers will need to find a balance between providing cyber policies that address their client s needs and finding an acceptable level of exposure to their cyber insurance portfolio. In order to do this, insurers will need to gain a better understanding of the cyber risk landscape. 3

4 Cyber risk: A growing concern According to the Allianz Risk Barometer 2016, a survey based on the responses of more than 800 risk experts from over 40 countries, cyber risk is now a top-three global business risk and the top long-term risk. This concern is not limited to a specific industry; cyber risk achieved a top-five ranking in the financial services, manufacturing, power, and transportation industries. This increased concern regarding cyber risk is not unfounded. A 2015 UK survey of 664 organisations, conducted by PwC, found that 90 per cent of large organisations and 74 per cent of small businesses suffered a security breach. Closer to home, a 2015 survey of 149 major Australian businesses across 12 industry sectors found that 50 per cent of respondents had suffered a breach. Companies are responding to this growing threat by spending more on information security. The 2015 ACSC survey found that 56 per cent of respondents reported an increased expenditure on cyber security. This represents a significant increase from the 2013 survey result of 27 per cent. In a separate estimate in 2015, Gartner predicted that annual information security spend for Australian companies will grow by 7.4 per cent, which is well above the 4.7 per cent worldwide growth average. Top 10 Global Business Risks for 2016 Business Interruption 38% Market Developments 34% Cyber Incidents 28% Changes in Legislation and Regulation Natural Catastrophes Macroeconomic Developments 22% 24% 24% Loss of Reputation or Brand Value Fire, Explosion 16% 18% Theft, Fraud and Corruption Political Risks 11% 11% 0% 5% 10% 15% 20% 25% 30% 35% 40% Source: Allianz Percentage of Respondents Listing as a Top Risk 4

5 Rising cost of cyber crime The 2015 Cost of Cyber Crime Study: Australia is the fourth annual study of Australian companies conducted by the Ponemon Institute. It found that the average annualised cost of cyber crime in Australia rose 13 per cent from AU$4.27 million in 2014 to AU$4.9 million in The 2015 study used a sample of 28 Australian-based organisations with an annualised cost of cyber crime ranging from AU$0.79 million to AU$18 million. Other key findings of the 2015 Cost of Cyber Crime Study included: Cyber crime costs vary by organisational size with a positive relationship between organisational size and annualised cost. However, per capita cost for small organisations was significantly higher than larger organisations ($1,919 versus $372). Cyber crimes are requiring longer to resolve, with the average time to resolve a cyber attack now 31 days up from 23 days in The average cost incurred over this period has also significantly increased by 47 per cent to AU$419,542. Cyber crime affects all industries, but to different degrees. Organisations in the energy and utilities, financial services, and technology industries experienced substantially higher cyber crime costs than organisations in media, consumer products, and retail. 5

6 Impact by industry The diagram below summarises the different impacts that cyber attacks have on different industries. When developing policies, insurers need to recognise that the risk and potential claims from some industries can be substantially greater than for others. Source: Centre for Internet Safety Case Study: Target Breach 2013 In 2013, Target Corporation suffered a data breach of 40 million payment card information records and 70 million personally-identifiable information records. As of December 2015, Target has estimated that it had accrued US$290 million in expenses as a result of the breach. Just US$90 million will be covered by insurance. The total amount includes a US$67 million settlement of class action lawsuits brought by Visa Inc. on behalf of banks, and other issuers of credit and debit cards, a US$10 million settlement with shoppers, and a US$39 million settlement with MasterCard and other issuing banks not covered by other class actions. Target was reported to have been insured across a number of providers. It was self-insured for US$10 million of cyber coverage and held policies of US$15 million with Ace Ltd, US$10 million with American International Group Ltd, US$10 million with Axis Capital Holdings Ltd, and US$40 million among four unidentified insurers. Target was also reported to have US$60 million of directors and officers liability (D&O) insurance, of which US$10 million was self-insured, US$25 million with American International Group Ltd, US$15 million with Ace Ltd, and US$15 million with The Travelers Companies Inc. 6

7 Cyber risk and insurance Since its inception, insurance has existed to mitigate the consequences of an adverse event by transferring the risk to a third party, i.e. the insurer. Cyber risk insurance is no different; it aims to transfer the adverse consequences of a cyber incident from the policyholder to the underwriter of the insurance policy. Interestingly, 52 per cent of CEOs and CIOs of large UK-based organisations thought that their organisation had insurance that would cover them in the event of a cyber breach. However, the percentage of firms with cyber cover (under standalone cover or implicit in other policies) was only 10 per cent. Furthermore, the actual penetration of standalone cyber insurance products for UK large businesses was closer to 2 per cent. These results reflect the inadequacy of traditional insurance policies at protecting against cyber risk, and a need for insurers to provide policyholders with a clearer picture of what is covered under existing policies. A better understanding of coverage will let policyholders make informed decisions about the role of insurance in their broader cyber risk-mitigation strategy. It is also important for insurers to examine their existing exposure to cyber risk under their traditional policies and include it when examining their appetite for cyber risk. This is the case even if the insurer has no intention to provide standalone cyber insurance cover. Cyber risk under traditional insurance cover Traditional insurance cover was not designed to protect against cyber risk and many underwriters have introduced specific exclusions for losses incurred as a result of a cyber incident. The following section examines the treatment of cyber claims under traditional insurance policies. Property: Damage to software and data as a result of a cyber attack is usually not covered as they are deemed to be intangible forms of property. Some policies also have specific exclusions removing cyber attack triggers for physical asset damage (e.g. the perils exclusion under s7(a)(ii) of the Mark IV Industrial Special Risks policies that form the basis of many property insurance policies for large businesses). Business interruption: Cover is for lost revenue and additional costs incurred. Most traditional policies are not triggered by cyber attacks that do not cause physical damage. General liability: This covers third-party liabilities for physical property damage, bodily injury, and advertising injury. However most general liability policies have introduced an exclusion of coverage for claims arising from unauthorised access or disclosure of personal information. Errors and omissions/professional indemnity: This cover is for third-party liabilities arising from the performance of professional services. Cover may be restricted to liability claims from customers and not affected employees. Terrorism reinsurance scheme: Under the terrorism reinsurance scheme, reinsurance is available to primary insurers for commercial property and associated business interruption loss associated with a declared terrorist incident. However, loss arising from a computer crime is specifically excluded in Schedule 1 of the regulations. Therefore, losses arising from cyber incidents are unlikely to be covered under the terrorism reinsurance scheme. 7

8 Standalone cyber cover Outside of traditional insurance policies, many insurers now offer extensions to traditional policies and standalone products to cover the following loss categories. Some of the loss categories below are often bundled together under a cyber policy while others are optional extras. Some of these losses are completely insurable while others are subject to sub-limits. When underwriting policies, insurers will need to determine the appropriate mix of these loss categories to cover. Loss Category Data and software loss Business interruption Cyber extortion Cyber crime Breach of privacy Network failure liabilities Brand damage Physical asset damage Death and bodily injury Intellectual property theft Forensic and response costs Legal costs Cover The cost of reconstituting data and/or software that has been corrupted or deleted. The loss of revenue or additional expenses incurred due to the unavailability of IT systems or data as a result of cyber attacks or other non-malicious IT failures. The cost of expert handling for extortion and the ransom payment. The direct financial loss arising from the use of computers to commit fraud or theft of money, securities, or other properties. The cost to investigate and respond to privacy breaches, notification costs, and fines from regulators, and third-party liability claims arising from the incident. Third-party liabilities arising from a failure of security that causes network systems to be unavailable to third parties. The loss of revenue arising from an increase in customer churn or reduced transaction volumes that are directly attributable to the publication of a security breach event. First-party loss due to destruction of physical property resulting from cyber attacks. Third-party liability for death or bodily injury resulting from cyber attacks. The loss of value of an IP asset. The cost incurred to investigate and resolve the cyber incident and minimise post-incident losses. The legal cost of defence or settlement of third-party claims. Recent development in australia A recent development in the Australian regulatory landscape that is likely to impact the adoption of cyber insurance products is the mandatory notification requirement proposed under the Privacy Amendment (Notification of Serious Data Breaches) Bill Under the proposed scheme, organisations with annual turnover of AU$3 million or more will need to notify affected individuals of a serious data breach. The bill defines a serious data breach as one where there is a real risk of serious harm to any of the individuals whose information has been the subject of the breach. Should this Bill be passed, organisations that are subject to a data breach will face increased costs and reputational damage, which could give organisations more reason to take up cyber insurance cover as part of their risk mitigation strategy. Under the current legislation, corporations are liable to fines of up to AU$1.8 million for breaches of the Privacy Act. Mandatory notification will bring Australia in line with other jurisdictions such as Canada, the European Union, and certain states in the United States. 8

9 Considerations when developing cyber insurance Given the complexity of cyber risks, there are a number of issues that insurers will need to consider when developing their cyber insurance policies. A quick analysis of the existing products has shown that most insurers offer policies that have a similar set of covered items and exclusions. The variance between the policies is in whether sub-limits have been applied to certain loss categories. Individual insurers and the insurance industry as a whole will need to determine what role they wish to play in the risk management process. By adopting standard terms and conditions that dictate the security standards policyholders need to comply with (e.g. firewalls, hosting locations, etc.), insurers have the potential to assume a pseudo-regulatory role that shapes how businesses manage their cyber risk. Furthermore, by packaging their insurance product with incident-response services that mitigate the costs of a breach, insurers can provide a holistic risk solution to their clients. Challenges for insurers Lack of historic data A commonly-raised issue regarding the underwriting of cyber insurance policies is the lack of historic data on cyber risk. While many surveys regarding the cost of cyber crime have been conducted, these surveys sample a selected number of organisations. As a result, the findings are descriptive rather than normative, and cannot be used as a statistical basis for actuarial analysis. This lack of data makes it difficult for insurers to accurately price cyber insurance policies, so many insurers have tended to take a conservative approach. Analysing the pricing of cyber insurance cover has shown that the rate on line (premium divided by limit of indemnity purchased) for the primary layer for cyber insurance (part of the policy that pays first in case of a loss) is three times higher than for general liability cover and six times higher than property. The pricing for cyber insurance across firms is also much flatter than that of general liability and property insurance. Together, these have a negative impact on cyber insurance, with a higher price likely to discourage take-up and the lack of price differentiation reducing the incentive for policyholders to improve their security posture to save on premiums. Understanding risk appetite and risk aggregation The non-physical nature of cyber risk and the interconnectedness of the digital world means that a single cyber event can affect thousands of policyholders in different geographical locations. As a result, an insurer may find themselves subject to catastrophic losses due to the aggregation of risk across its clients. It is, therefore, important for insurers to understand the potential for risk aggregation and clearly understand the possible maximum loss it would face if a systemic event were to occur. This will let insurers balance their exposure with their appetite for cyber risk. Some have suggested that the aggregation of risk is too great for the private sector and that a government backstop is required. However, a recent report suggests that, although the estimated possible maximum loss of 20 billion for a single cyber event is greater than that of a nuclear event, it is well within the 65 billion insurance/reinsurance capacity for a natural catastrophe such as a Tokyo or California earthquake. 9

10 Recommendations Solving the data challenge The lack of historical data has two broad potential solutions. Risk management Throughout the history of developing insurance policies, actuaries have at times been challenged with the lack of historic data. Underwriters need to recognise that, in the rapidly-changing threat landscape, historic data is less important than a thorough understanding of cyber risks, probability, and the ability to mitigate cyber risks. Underwriters looking to price policies can engage cyber security experts who understand the threats. IT security experts can provide a security assessment of potential policyholders. Maturity statements that compare a company s security posture against industry standards can be used as inputs in the screening process. Assessment reports can also include roadmaps for how a policyholder can achieve industry standards. This has the benefit of reducing risk for the insurer and can potentially lower premiums for the insured at renewal. For smaller organisations where the cost of a comprehensive security assessment may be prohibitive, insurers can work with cyber security experts to develop standard security surveys that can ascertain the security posture of the policyholder. In the absence of historical data, some insurers have developed modelling tools based on Monte Carlo simulations to evaluate the potential loss exposure from cyber risk. Data pools Another solution to the data challenge is for the insurance industry to collaborate and pool anonymised data. By working with government agencies such as the ACSC, insurance companies can get access to data from reported incidents. A third potential source of data are cybersecurity providers who will be able to provide insurers with anonymised data from customer security logs. Holistic risk solution Insurance companies have the opportunity to provide a holistic solution to cyber risk. By bundling ancillary services such as threat intelligence and digital attack simulations to their cyber risk product, they can offer policyholders additional value and reduce the likelihood of successful attacks against the insured. By gathering threat intelligence, insurers can create a threat map that profiles a client s position. Following that, insurers could conduct a risk assessment. This may include activities such as penetration testing, security audits, and white hat hacking campaigns to get a clear view of the client s risk profile. As a final step, ongoing training is essential for the insurer, the brokers they work with, and for clients, who may be entitled to reduced premiums if they have certain requirements in place such as security certifications and accreditations. In the event of a cyber breach, it is in the insurer s and insured s best interests to mitigate the losses arising from the attack. However, the vast majority of organisations do not have the adequate expertise to handle a cyber incident effectively to minimise damage. Therefore it is necessary to engage an incident response team that can be deployed to manage the adverse consequences of a breach. 10

11 An independent third party will also need to be engaged to provide post-incident investigation. At this stage, the cyber security expert will operate as a claims assessor, gathering evidence and determining the root cause of the incident, as well as expected and covered losses, and costs of the breach. Assess Support Respond Pre Coverage Policy and Product Development Maturity Assessment Conclusion During Coverage Prevention and Defence Post Incident Forensics Claims Assessment Cyber insurance is an emerging product that is likely to grow exponentially over the next few years. In fact, it is likely to grow much faster than other insurance products such as automobile, life, or home and contents insurance. Once people and businesses genuinely understand the scope and severity of the threat they are exposed to, demand is likely to accelerate rapidly. Insurers looking to capitalise on this new revenue stream will need to act swiftly and develop a strategy around cyber insurance. A thorough understanding of cyber risk and a partnership with cyber security experts will be critical to success. While insurers may look to hire these skills in-house, this approach could be hindered by the ongoing shortage of cyber security skills in the market. The other option is for insurers to partner with organisations that can provide the insight and advice that they need with policy development and claims assessment. 11

12 References Allianz, Allianz Risk Barometer Top Business Risks 2016, January 2016 Australian Cyber Security Centre, 2015 Cyber Security Survey: Major Australian Businesses, December 2015 Australian Government and Australian Reinsurance Pool Corporation, Cyber Terrorism and Australia s Terrorism Insurance Scheme: Physical Destructive Cyber Terrorism is a Gap in Current Insurance Coverage, March 2016 CERT Australia, Cyber Crime & Security Survey Report 2013, May 2014 Fitch, The Rise of Cyber Insurance: Growth Opportunity Paired with Incalculable Threat, March 2015 Gartner, Forecast Analysis: Information Security Worldwide, 2Q15 Update, September 2015 Greenwald J, Target has $100M of cyber insurance, $65M of D&O cover: Sources, Business Insurance, 14 January 2014, Accessed 18 February 2016, HM Government and Marsh, UK Cyber Security: the role of insurance in managing and mitigating the risk, March 2015 Insurance Information Institute, Cyber Risk: Threat and opportunity, October 2015 Liew R, Aon finds cyber insurance a booming trade as hacks spike, Australian Financial Review, 14 September 2015, Accessed 18 Feb 2016, Ponemon Institute, 2015 Cost of Cyber Crime: Australia, September 2015 PricewaterhouseCoopers, Information Security Breaches Survey 2015, June 2015 PricewaterhouseCoopers, Insurance 2020 & beyond: Reaping the dividends of cyber resilience, September 2015 PricewaterhouseCoopers, Top Issues The promise and pitfalls of cyber insurance, January 2016 Stempel J and Rose N, Target in $39.4 million settlement with banks over data breach, Reuters, 2 December 2015, Accessed 18 Feb 2016, Stewart E, Cyber attack insurance growing fast, ABC News, 9 October 2015, Accessed 18 February 2016, About DXC DXC Technology (NYSE: DXC) is the world s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company s technology independence, global talent and extensive partner alliance combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit DXC Technology Company. All rights reserved. DXC_CSC-363. March 2017