Terrorism and Cyber: the fast changing landscape - it is not just about privacy anymore
www.miller-insurance.com
Terrorism - conventional exposures and responses
Miller Insurance Services LLP is authorised and regulated by the Financial Conduct Authority
Physical loss or damage caused by Terrorism is nothing new
In South Africa the internal civil strife and external conflicts spilling over international and Homeland borders led to the creation of SASRIA, a South African government backed programme.
- The private market supports and complements
Private Market offers multiple complementary options:
- Physical Damage
- Business Interruption
- Contingent Business Interruption
- Ingress/Egress
- Liabilities
- Captive Wraps
- International
- Other tailored and integrated coverages (see later slides)
- Capacity available: USD billions per location/event
ARNDALE CENTRE, MANCHESTER, UK
Total economic damage in excess of USD 1.5 billion
UK has experienced a series of terrorist attacks
Response: Pool Re, a government backed programme.
- The private market supports, complements and competes with the programme.
BALI
Attacks targeting the tourist sector by causing loss of life among international tourists
Tourists visiting dropped by 60%
Culturally difficult for government to introduce a Terror programme
US government introduces TRIA
- Private market complements and competes with the programme
The changing terrorism landscape - differing responses
Paris Charlie Hebdo Massacre - Al Qaida claim responsibility. Deemed to be an act of terrorism by GAREAT (French government programme)
Sydney Hostage Siege - ISIL sympathiser. Declared to be a terrorist act for insurance purposes by Australian treasurer
Boston Marathon (not declared a TRIA qualifying event)
Words Matter - Devil is in the detail
1990/91 Desert Shield became Desert Storm
Acts by Iraqi secret agents: war or terror?
2011 Egypt riots on a street escalates to Insurrection
President George W. Bush declared War
President Obama softened his language around cyber attacks from overseas
War or not?
Definitions
Terrorism - The unofficial or unauthorized use of violence and intimidation in the pursuit of political aims
Terror - The use of extreme fear to intimidate people: weapons of terror
A new type of terrorism is evolving.
Evolving Cyber Threats: A Framework, A Methodology, and Insurance
Core Points
- Cyber Threats Evolving Faster Than Controls
- Public Cybersecurity Frameworks Alone are not Enough
- Current Methodologies That Provide Underwriters Needed Data are Sparse
The Life Insurance Comparison
Considerations
How do you assess risk to address ALL the ways cyber attacks are being planned and executed?
Invest in people, technology, and process?
- People: Insider Threat
- Technology: Data Security, Mobility, Physical Security
- Process: Internal Business Operations, 3rd Parties
Align security with the business?
- Assessment that is rooted in industry standards
- Prioritize and balance capability with security (ROI)
Build in and Share?
- Actionable threat intelligence
- Increase maturity of control performance
Our View
Holistic multi-domain analyst-driven assessment requiring reasonable time commitment from individual customer POCs
6 Top-level Domains
- Insider Threat
- Data Security
- Physical Security
- Internal Business Operations
- External Business Operations
- Mobility
Module Add-ons Address Industry Specific Nuances
- Critical Infrastructure/SCADA
- HIPAA
- PCI/PII
Data is collected via a combination of analyst-driven discussion with key personnel, customer-provided answers and analyst observation.
In Closing
Early trends we are seeing
- Security Investments vs Vulnerabilities vs Breaches
- Cross-industry comparison
- Chasing the attacker
Cyber Insurance Discussion
RISK ENVIRONMENT
Massive privacy claims catching up to markets in 2014, although exploits have been around for some time
Carriers/clients still concerned about this; however, risk is shifting from privacy around PII, PHI, and vandalism, to:
- Extortion
- Espionage/theft of Intellectual Property
- Sabotage and full scale business interruption/degradation of bandwidth
- Intense Reputational harm
- Property Damage and Bodily Injury
PRIVACY LIABILITY & INFORMATION SECURITY INSURANCE MARKET OVERVIEW
Retail and Hospitality:
- The cyber market is experiencing an intense hardening, primarily in the retail / hospitality space.
- The rise in frequency and severity of data breaches continues at an alarming pace.
- There has been, on average, one breach in each of the last 11 months with claim payments exceeding $10mm (many over $50mm), with many more where there has been some carrier payout
- Approximately $200mm for total market capacity (US, London, Bermuda) for all coverage grants, excess of sizable retentions
Non-Retail Insurance:
- Up to $400mm - $500mm in capacity for both first and third party insuring agreements, excess of sizeable retention (loss experience on privacy claims bleeding over in terms of retention, but capacity still there)
SAMPLE CYBER EXCLUSIONS & LIMITATIONS - know what you are buying
CL 380 Exclusion (appearing on property, casualty, and terrorism policies at Lloyds in particular; mostly limited to Oil & Gas thus far): in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or any other electronic system.
Cyber terrorism limitation (on some cyber policies): does not include any such activities which are part of or in support of any military action, war or warlike operation.
War exclusion: excludes Any Act of Terrorism, strike or similar labor action, war, invasion, act of foreign enemy, hostilities, or warlike operations (whether declared or not).
IMPORTANT CARVE BACKS to shoot for... (Sample language)
Cyber Terrorism - an act or series of acts of any person or group(s) of persons, whether acting alone or on behalf of or in connection with any organisation(s), committed for political, religious or ideological purposes including but not limited to the intention to influence any government and/or to put the public in fear for such purposes by using activities perpetrated electronically or otherwise that are directed towards the destruction, disruption or subversion of communication and information systems, infrastructure, computers, the internet, telecommunications or electronic networks and/or its content thereof or sabotage and/or threat therefrom.
OVERSIGHT AND REGULATION
- Focus on Critical Infrastructure
- DHS oversight and authority has grown substantially
- Focus on information sharing and real-time threat analysis
- Concerns over privacy and financial/reputational repercussions
- DHS has insurance industry working group on cyber-security
- HHS, state AGs, FTC, SEC, others.
INDUSTRY FACING SIGNIFICANT CHALLENGES
- Policies untested regarding terrorism
- Cyber-terrorism, cyber warfare, state-sponsored, declared vs. undeclared?
- War/Terrorism exclusions in reinsurance treaties
- Tacking on non-privacy risk to already pained market; challenges in valuing true business interruption loss
- Aggregation issues could have a big impact:
  - forcing major carriers and Lloyds syndicates to look at P&C, D&O, Crime, and K&R policies where there is potential overlap and either exclude cyber or charge appropriate premium for the risk
  - forcing underwriters who don't understand cyber to price the risk and claims adjusters who don't understand cyber to adjust complicated cyber-related claims
INDUSTRY FACING SIGNIFICANT CHALLENGES
Game changers?
- Target - Potentially paves the way for Card Issuers to go directly to merchants for reissuance expenses
- Anthem - Anthem agreed to deal with HIPAA/HHS around breach notice/response issues on behalf of all insureds; however, may be state regulations that trump HIPAA federal statute for plan sponsor; additional fiduciary responsibilities under ERISA may push companies to want to get in front of Anthem's response time; as a result hundreds of cyber policies have been put on notice
- 2014 German steel mill attack - Only the second time where cyber attack was confirmed to have caused physical damage to infrastructure
John Eltham D. +44-20-7031-2689 C. +44-773-300-1307 John.eltham@miller-insurance.com
Mary Guzman D. 404-497-7535 C. 404-290-8155 mguzman@mcgriff.com
Mark Lopes D. 202-629-1960 x330 mlopes@tscadvantage.com