CYBER INSURANCE IN IF - with a touch of Casualty - August 18 th 2017 Kristine Birk Wagner
CYBER EXPOSURE IN IF TOPICS Brief overview of If s Liability portfolio Cyber today s definition Cyber coverages Parameters driving demand Portfolio control Summary
BRIEF OVERVIEW OF IF S LIABILITY PORTFOLIO High complex portfolio with stable and profitable results 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Casualty Industrial net development 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
3 rd PARTY RISK THE LIABILITY TRIANGLE Insured client Claimant Insurance company Precondition for coverage under any Liability insurance: The insured client has a legal liability towards the claimant.
CYBER TODAY S DEFINITION DEFINITION A loss caused directly or indirectly by: Accidental damage or destruction of an ICT system (Information and Communication Technology) Administrative or operational mistakes connected to an ICT system ICT crime and ICT attacks EXAMPLES A loss would typically be: ICT system damage Loss of data Physical damage Business interruption Third party loss/liability claims Reputational damage/loss Financial sanctions The loss can be covered under: Traditional P&C Insurance (typically Property and Liability) Cyber Insurance
CYBER COVERAGES IF HAS AS PER TODAY THREE PRODUCTS The Cyber Stand-Alone, The Property Endorsement & The Commercial Crime Endorsement 1 st PARTY ELEMENTS (elements Data / system in all three recovery products) Legal support / defense Data / system recovery Regulatory and administrative fines Legal (if compliant support to / defense insurer) Regulatory Reduction, and interruption administrative or loss fines of (if business compliant or value to insure) Reduction, Extortion, loss interruption, of reputation, or loss public of business relationsor value Extortion, loss of reputation, public relations 3 rd PARTY ELEMENTS (only The Cyber Stand-Alone Product) Identity recovery Re-issuing of credit cards Infringement of Intellectual Property Network failure liability due to slow or non-performance Crisis management: Incident response incl. forensics, notification, credit monitoring etc.
CYBER EXPOSURES hidden IN INSURANCE COMPANIES EXISTING CONDITIONS Some with an accumulation potential Cyber Product: 1 st PARTY ELEMENTS & 3 rd PARTY ELEMENTS Extension covering loss of data (regardless of the peril) and BI caused by non-physical perils Loss of data if that is deemed to be damage/personal injury. Pure Financial Loss None None None Property 1 st party financial loss if caused by a property damage peril (typically FLEXA - Fire, Lightning, Explosion, Act of God) General liability 3 rd party claim against the insured due to a claimed financial loss caused by the insured, including Recall, Crime, and D&O Cargo 1 st party loss covering the loss of, or damage to, goods during transportation including storage and Freight forwarders liability (3 rd party loss) Motor 1 st party loss covering the loss of or damage to your own car and the 3 rd party loss covering the legal liability connected to the use of the car Workers Compensation, Personal Accident, Travel Insurance Insurances paid by the insured or the employer covering mainly personal injuries
1 st PARTY EXPOSURES IN INSURANCE COMPANIES EXISTING PORTFOLIO Physical damage to any asset owned by the insured, including damage to ICT Systems and loss of electronic data (owned by the insured) typically caused by a FLEXA incident. The German Steel mill. Hackers had managed to access the control systems at an unnamed steel mill, preventing a blast furnace from shutting down properly and causing massive (though unspecified) damage. The attackers had gained access through the plant s business network, using a spear-phishing email a targeted email that appears to come from a trusted source but contains a malware attachment or link to a malicious website. Once a foothold had been established on the corporate system, the hackers were able to explore the company s networks, before causing damage via the production network. LIMITED ACCUMULATION RISK
3 rd PARTY EXPOSURES IN INSURANCE COMPANIES EXISTING PORTFOLIO Any property damage or personal injury, including loss of data (damage to digital assets) not owned by the insured. Damages to 3 rd parties can lead to a liability claim, covered under the GLPL policy. Court rulings have found loss of electronic data to be both property damage respective pure financial loss. Based on this there is a potential liability exposure under general liability for damages following loss of electronic data when seen as property damage or a personal injury. E&O and PI are not triggered by a physical damage, and there can thus be a risk of covering Cyber This would however require that the advisor is held liable. We have a limited portfolio of advisors that could be held liable, and Cyber events are typically not relating to projects. Cyber losses can be covered under a Pure Financial Loss (PFL) coverage Note that PFL is sub-limited, and in parts of the portfolio we have implemented a cyber exclusion. The interpretation of the exclusion constitutes uncertainty. 1 st party reproduction and recreation of electronic data following a criminal act by an employee or third party, or following a virus contamination. This cover is always given with a sublimit. LIMITED ACCUMULATION RISK
3 rd PARTY EXPOSURES IN INSURANCE COMPANIES EXISTING PORTFOLIO Cyber is not covered directly, but can increase the underlying risk of claims that can lead to a covered loss under the D&O policy. D&O insurance always has a potential exposure for breach of duty, negligent acts etc. Cyber is not covered directly, but can increase the underlying losses that can lead to a covered loss under the recall policy. The risk of a Cyber event can lead to a recall (as e.g. recall of 1,4 million cars due to an in risk of hacking into the steering system of the car) LIMITED ACCUMULATION RISK
PARAMETERS DRIVING DEMAND FOR CYBER INSURANCE And thus drive the potential accumulation exposure LEGISLATION Both domestic, foreign and international legislation as well as jurisdiction (GDPR as per 2018) Increasing awareness of management (D&O) and maintaining corporate sustainability REPUTATION SIZE Big companies are attractive due to the amount of data, while small companies still have a below average level of IT security Doing business in/with US clients/consumers is equal with doing business in the country with highest level of privacy legislation and specific jurisdiction US EXPOSURE INDUSTRY Attractiveness due to quality or quantity of data, security maturity level, and potential benefit for attacker
PORTFOLIO CONTROL In addition to reinsurance protection CYBER WORDINGS AND APPETITE Property endorsement ready Continuous product development CONTROL OF EXPOSURE Registration secured Dedicated cyber accumulation team Development of Risk Management competences UNDERWRITING CONTROL AND GUIDELINES If Cyber Pricing Tool Underwriting and accumulated risk Limits and referrals UNDERWRITING COMPETENCE Specialized in-house underwriting expertise Close cooperation with partners Continuous and systematic competence development
SUMMARY The digital development is changing the insurance environment as our customer s need for coverage of non-physical perils is gradually increasing. To address the demand If has developed currently three cyber products: One cyber product with a broad coverage including 1 st party loss such as business interruption, technical assistance, intellectual property, extortion and notification costs as well as 3 rd party liability. Two different cyber products, aiming at different sized companies, covering the clients business interruption loss and assisting the clients with relevant technical support. The digital changes have however also led to new exposures in our existing portfolio, primarily in our general liability portfolio and to some extend in the property portfolio. The development constitutes an opportunity to If, where our extensive knowledge about our clients, their risks and needs, is combined with an understanding of the global digital development. This leads not only to new products, but also to a re-evaluation the existing risks.