This presentation discusses the importance of cyber insurance in managing cyber risks, highlighting the regulatory landscape and market growth. It covers various aspects such as product offerings, claims handling, and the future of cyber insurance in response to evolving threats. Key insights include the current market size, challenges in claims reserving, and the need for standardization in policy wording.


This presentation has been prepared for the 2016 General Insurance Seminar.

The Institute Council wishes it to be understood that opinions put forward herein are not necessarily those of the Institute and the Council is not responsible for those opinions.
Insuring Cyber Risk: An Introduction & More
Cyber Insurance Working Group
Presented by Peter Yeates & Dean Marcus
Why Care?
• Regulation
• US experience
• Growing
Agenda
1. Environment
2. Product and Pricing
3. Claims and Reserving
4. Aggregation & Scenarios
5. The Future

Cyber Risk for General Insurers
[Diagram labels: Insurer; Corporate Insurance; Cyber Op Risk; Deterministic Scenarios; Insureds; Cyber Insurance; Non-Cyber Insurance; Cyber Cat Modelling]
Environment
Background
The Threat (image)
The Response
• Insurance product triggered by cyber perils, especially data breach
• Breach response services
• Covers many of the gaps in existing products

Where does insurance fit in?
Insurance is one piece of cyber risk management
[Diagram labels: Map risks; Protection & Response; Detection; Plan; Insurance]

Market Size
Global Cyber Premium is $2.5 billion. Australian GWP is estimated to be 20 million (AUD). Annual growth over 30% over the last 3 years.
[Chart: Gross Written Premium ($billion US, 0–3) by Underwriting Year 2008–2015, split US / Other]
Global Regulation
• HIPAA (Federal): Health insurance breach notification
• Mandatory Notification (California)
• Federal & State: HIPAA enhanced. Similar requirements to California replicated in most other states
• GDPR (EU): General Data Protection Regulation passed – comes into force in May 2018

Market Penetration – US
Lots of opportunity for more growth
• SME penetration is very low – less than 5%
• Corporate penetration is higher but still below 30%
[Chart: Penetration (0–30%) by Business Size: SME, Corporate. Source: Advisernet]
Insurance Offerings in Australia
In its infancy …
• 15+ insurers offering cyber
• No standard policy wording
• 15-50+ underwriting questions
• Variation in premiums
• Gaps in coverage
• Response services provided
Australian Regulation
• Privacy Act: National Privacy Principles
• OAIC
• My Health Records Act: Notifiable breaches
• Privacy Act Enhancements: Australian Privacy Principles
• Notification of Serious Data Breaches: Exposure draft for consultation

Product and Pricing
Cyber Coverage

http://www.actuaries.digital/2016/06/29/insuring-cyber-risk-concerns-about-coverage/
Drivers of Risk

Show me the data!
[Diagram labels: IT security; Threats; DDoS attacks; Breaches; Cyber losses; Paid cyber insurance losses?]

Show me the data!
Available data*
• Surveys: Breaches reported by a few large US companies.
• Mandatory breach notification may lead to better data, but is an underlying driver of higher claims.
• Very few breaches are reported.
General caveats
• Events are breaches rather than insurance claims.
• Doesn’t cover all perils.
• How useful is historical data?

*See Appendix A

Limitations/Biases in Data*
• Small samples
• Reporting bias
• Lacking detail
• Not insurance data

*See Appendix A

Claims and Reserving
Timeline of a claim
First Days: Notify Insurer; Response Team; Crisis management
First Week: Qualify; Legal; Insurance investigation; Rectification Plan
First Month: PR; Notify regulator; Improve security; Liaise with investigators
3-6+ Months: Rebuild/replace systems; Monitoring of impacted data; Finalise claims cost

Claims Handling
Support responding to attack
• Fast response times
• Analogous to kidnap and ransom policies
• 3rd party support for crisis, mitigation, IT forensics and legal
Insurer perspective
• Wide range of services and skills
• Scaling claims handling down to smaller businesses/losses?
• Is an “all perils” cover more appropriate in some cases?

Claim Trends
Investigations and Lost Business drive cost

Initial challenges
Reserving
• No standard policy wordings, coverage and exclusions
• Best data is out of date
• Claims coverage conflicts: coverages can conflict with other policies!
Similar classes
• PI and Medical Malpractice
• D&O
• Liability
Common learnings: dealing with new & evolving policy wordings, lack of case law and precedents

Reserving – what do we know?
• Average time to identify a breach: 163 days*.

• Once a breach is identified:


– First party heads of damage are relatively easy to estimate
– Benchmarking surveys can assist for data breach compensation
– Regulatory penalties evolve over time

• Reserving methodology: Initially will be very simple

*IBM/Ponemon 2016
Reserving – WARNING

Cost = number of records breached × cost per record?*

* https://netdiligence.com/wp-content/uploads/2016/05/NetDiligence_2015_Cyber_Claims_Study_093015.pdf
Aggregation & Scenarios
(Photo: Sandy Blackout, erin m)
Aggregation & scenarios
Statistical data for Cat-style modelling? Scenarios?
Scenarios*
1. Business Blackout (NE US electricity grid)
2. (UK electricity grid)
3. Database corruption
4. Data breach at major retailers (FSA)
5. Data breach
6. Ransomware
7. Cloud breach
8. Payment provider breach
9. Denial of service attack
10. Building management system breach (remote sprinkler activation)

*Business blackout: https://www.lloyds.com/news-and-insight/risk-insight/library/society-and-security/business-blackout
UK Grid: http://www.lockheedmartin.com/us/news/press-releases/2016/april/collaboration-on-critical-national-infrastructure-cybersecurity.html
FSA Retailers: http://www.bankofengland.co.uk/pra/Documents/supervision/activities/generalinsurancestresstestingjuly2015.pdf
Others see RMS: http://forms2.rms.com/rs/729-DJX-565/images/RMS-Managing-Cyber-Insurance-Accumulation-Risk-05142016.pdf
Electrical grid scenarios
• Available data based on historical grid reliability:
– Loss extent
– Return period

• Credible threat:
– December 2015 Ukrainian attack*
– Demonstrations of attacks on specific pieces of equipment

• Key message: bear in mind proximate cause

*https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyber_attack
For more discussion on scenarios, see http://www.actuaries.digital/2016/02/22/insuring-emerging-cyber-risks-2/
The Future
(Photo: CSIRAC, Australia’s first computer with 768 words of memory: photo SCIS (CC))
The future
Environment
► Evolution of cyber threats as hackers become more sophisticated and exposure increases
► High profile cyber incidents impact Australian businesses
Regulation
► Mandatory reporting of cyber events introduced
► Privacy protections tightened
► Costs increase for penalties and response efforts
Insurance
► Understanding and take up of cyber insurance increases
► Standardisation and streamlining of cyber products to better meet businesses’ needs
► Expansion of focus beyond data breach
Questions?

Appendix: Data

Appendix: Data
Key available datasets

Ponemon Survey (Australia)
• Benchmarks the cost of data breach incidents internationally and in Australia (separate reports)
• Covers 26 companies in 11 sectors
• Attack details and identification/reporting stats by industry, business size, cause
• Preventative measures being used
• Lost business costs

Verizon Data Breach Investigation Report
• Uses 64,199 incidents and 2,260 breaches to produce stats on breaches
• Attack details and identification/reporting stats split by industry, agent, method, intention
• Software vulnerability comparisons, phishing stats, etc.

NetDiligence Cyber Claims Study
• Uses 160 data breach insurance claims submitted by underwriters, usually relating to smaller organisations. They estimate that this covers “approximately 5% of the total number of cyber claims handled by all markets” with event dates between 2012-2015.
• Attack details and identification/reporting stats split by claim/HoD type (first vs. third party, crisis services, legal defence, legal settlement, regulatory defence, regulatory fines), type of lost data, cause, industry, size of business.

Sources:
• Congressional Research Service Cybersecurity: Data, Statistics, and Glossaries, Rita Tehan (2015): https://www.fas.org/sgp/crs/misc/R43310.pdf
• IBM/Ponemon: http://www-03.ibm.com/security/au/data-breach/index.html
• Verizon: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
• NetDiligence: http://netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf
Appendix: Data
Survey biases
Sampling-frame bias and non-statistical results: The participants in the surveys aren’t statistically representative of all companies in Australia, and the problem worsens when looking at particular industries/sizes. As a result, the surveys don’t display statistical measures like confidence intervals.
Reporting bias: Firms are often reluctant to divulge accurate data or even record some events. This casts doubt on the reliability of the data, but might change over time depending on mandatory reporting.
Non-response bias: Companies that didn’t participate may have significantly different data breach cost histories, and may have opted out of surveys in part because of this difference.
Unmeasured factors: Various important variables, including detailed security measures and other features of companies, are omitted from surveys.
Basis risk: The surveys typically measure losses from a business perspective, not from an insurance perspective.