
Page 1: Cyber Risks: Understanding The Unknown

Cyber Risks Understanding the Unknown

Carlos Wong

Senior Director, Analytics, A.M. Best

Pablo Vasquez

Financial Analyst, A.M. Best

April 2016

Page 2: Cyber Risks: Understanding The Unknown

Disclaimer

7th April 2016 | Cyber Risks: Understanding the Unknown

© AM Best Company (AMB) and/or its licensors and affiliates. All rights reserved. ALL INFORMATION CONTAINED HEREIN IS PROTECTED BY COPYRIGHT LAW AND NONE OF SUCH INFORMATION MAY BE COPIED OR OTHERWISE REPRODUCED, REPACKAGED, FURTHER TRANSMITTED, TRANSFERRED, DISSEMINATED, REDISTRIBUTED OR RESOLD, OR STORED FOR SUBSEQUENT USE FOR ANY SUCH PURPOSE, IN WHOLE OR IN PART, IN ANY FORM OR MANNER OR BY ANY MEANS WHATSOEVER, BY ANY PERSON WITHOUT AMB’s PRIOR WRITTEN CONSENT. All information contained herein is obtained by AMB from sources believed by it to be accurate and reliable. Because of the possibility of human or mechanical error as well as other factors, however, all information contained herein is provided “AS IS” without warranty of any kind. Under no circumstances shall AMB have any liability to any person or entity for (a) any loss or damage in whole or in part caused by, resulting from, or relating to, any error (negligent or otherwise) or other circumstance or contingency within or outside the control of AMB or any of its directors, officers, employees or agents in connection with the procurement, collection, compilation, analysis, interpretation, communication, publication or delivery of any such information, or (b) any direct, indirect, special, consequential, compensatory or incidental damages whatsoever (including without limitation, lost profits), even if AMB is advised in advance of the possibility of such damages, resulting from the use of or inability to use, any such information. The credit ratings, financial reporting analysis, projections, and other observations, if any, constituting part of the information contained herein are, and must be construed solely as, statements of opinion and not statements of fact or recommendations to purchase, sell or hold any securities, insurance policies, contracts or any other financial obligations, nor does it address the suitability of any particular financial obligation for a specific purpose or purchaser.

Credit risk is the risk that an entity may not meet its contractual, financial obligations as they come due. Credit ratings do not address any other risk, including but not limited to, liquidity risk, market value risk or price volatility of rated securities. NO WARRANTY, EXPRESS OR IMPLIED, AS TO THE ACCURACY, TIMELINESS, COMPLETENESS, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OF ANY SUCH RATING OR OTHER OPINION OR INFORMATION IS GIVEN OR MADE BY AMB IN ANY FORM OR MANNER WHATSOEVER. Each credit rating or other opinion must be weighed solely as one factor in any investment or purchasing decision made by or on behalf of any user of the information contained herein, and each such user must accordingly make its own study and evaluation of each security or other financial obligation and of each issuer and guarantor of, and each provider of credit support for, each security or other financial obligation that it may consider purchasing, holding or selling.

Page 3: Cyber Risks: Understanding The Unknown

Disclaimer


US Securities Laws explicitly prohibit the issuance or maintenance of a credit rating where a person involved in the sales or marketing of a product or service of the CRA also participates in determining or monitoring the credit rating, or developing or approving procedures or methodologies used for determining the credit rating.

No part of this presentation amounts to sales / marketing activity and A.M. Best’s Rating Division employees are prohibited from participating in commercial discussions.

Any queries of a commercial nature should be directed to A.M. Best’s Market Development function.

Page 4: Cyber Risks: Understanding The Unknown

Agenda


• Defining Cyber Risk and its Scale

• Cyber Risk and Enterprise Risk Management

• Cyber Risk and the Insurance Market

• Cyber Risk and Insurers’ Credit Ratings

• Q & A

Page 5: Cyber Risks: Understanding The Unknown

Approach to (Cyber) Risks


PREVENTION – MITIGATION – RECOVERY

Technology – People – Processes – Insurance Solutions

Page 6: Cyber Risks: Understanding The Unknown

Defining Cyber Risk


• Cyber risk spreads and mutates along with technology

• Hard to model

• Can be seen as an additional tax on innovation

“The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise” (ISACA IT Risk Framework)

Page 7: Cyber Risks: Understanding The Unknown

Defining Cyber Risk


Cyber risk can derive from either non-malicious failures or malicious attacks

Non-malicious failures:

• Technological failures

• Human error

Malicious attacks:

• Terrorism

• Espionage

• Financial crime

• Sabotage

Page 8: Cyber Risks: Understanding The Unknown

Defining Cyber Risk


There is more than data loss… typical losses/damages:

• Breach of intellectual property

• Business interruption

• Extortion

• Financial fraud

• Breach of privacy

• Network failure liabilities

• Reputational loss

• Physical damage

• Recovery costs

Page 9: Cyber Risks: Understanding The Unknown

Scale of the Risk


Growing risk

• One of the five most likely risks (WEF)

• 66% annual growth rate last 5 years (PwC survey)

• Annual global cost - USD 375-575 billion in 2014 (USD 100 billion from the United States) (McAfee)

Source: McAfee

Page 10: Cyber Risks: Understanding The Unknown

Scale of the Risk


Cybercrime as a percentage of GDP (McAfee)

Country          % GDP    Confidence (*)   G20
Argentina        N/A
Australia        0.08%    M                X
Brazil           0.32%    M                X
Canada           0.17%    M                X
China            0.63%    H                X
Colombia         0.14%    L
EU               0.41%    L                X
France           0.11%    L                X
Germany          1.60%    H                X
India            0.21%    L                X
Indonesia        N/A
Ireland          0.20%    M
Italy            0.04%    L
Japan            0.02%    L                X
Kenya            0.01%    L
Korea            N/A
Malaysia         0.18%    M
Mexico           0.17%    M                X
Netherlands      1.50%    H
New Zealand      0.09%    M
Nigeria          0.08%    M
Norway           0.64%    H
Russia           0.10%    M                X
Saudi Arabia     0.17%    L                X
Singapore        0.41%    M
South Africa     0.14%    M
Turkey           0.07%    L                X
UAE              0.11%    M
UK               0.16%    L                X
United States    0.64%    H                X
Vietnam          0.13%    L
Zambia           0.19%    L

(*) Confidence level of the estimate: H = high, M = medium, L = low

Page 11: Cyber Risks: Understanding The Unknown

Scale of the Risk


Cybercrime likelihood and impact (WEF)

Page 12: Cyber Risks: Understanding The Unknown

Scale of the Risk


Recent large cyber events (A.M. Best)

Page 13: Cyber Risks: Understanding The Unknown

Key medium-term trends


Big Data (collection and use across all industries)

All businesses “in the cloud” – interconnected; a “weapon of mass destruction” (systemic risk)

Millennials (perception of data privacy)

Greater reputational risk

Lack of skills (supply – demand dynamics)

Increase in exposure and frequency of attacks

Page 14: Cyber Risks: Understanding The Unknown

Cyber Risk and Enterprise Risk Management (ERM)


Increased awareness

Cyber cannot be avoided – “cyber resilience”

US, UK and others - National Institute of Standards and Technology (NIST), Cyber Essentials schemes, etc.

Traditional approach to risk management – does it work?

• Identification and measurement

• Management

• Monitoring

• Response / Recovery

Page 15: Cyber Risks: Understanding The Unknown

Cyber Risk and Enterprise Risk Management (ERM)


Identification and measurement

• Levels of information

• Threats

• Measurement:

  • Assets and liabilities

  • Scenarios

• Cyber:

  • Technological readiness vs. “the human factor”

  • The active “adversary”

  • Occurrence changes everything (“it can be done”)

Page 16: Cyber Risks: Understanding The Unknown

Cyber Risk and Enterprise Risk Management (ERM)


Management

• Avoiding not an option

• Self-coverage vs. risk transfer

  • Financial institutions – risk / solvency capital

  • Insurance policies, other legal options

• Protection

  • Data security, firewalls, etc.

• Cyber:

  • Businesses need to be “open”

  • Aggressive approaches (“ahead of the curve”, “war scenarios”)

Page 17: Cyber Risks: Understanding The Unknown

Cyber Risk and Enterprise Risk Management (ERM)


Monitoring

• Focus on identified exposures

• Compliance with policies of usage, registers, activity logs, etc.

• Cyber:

  • Evolving threat – “know the enemy”

  • Enterprise-wide 360 view (“E” from ERM)

Response & Recovery

• Incident response plans: recover infrastructure, restore data, reconnect services

• Cyber:

  • Prompt action more important

Page 18: Cyber Risks: Understanding The Unknown

Cyber Risk and Enterprise Risk Management (ERM)


• Board awareness - improving

• Culture important - Insider threats:

  • Access, mobility, accountability, behavior

  • Accidental, renegade and malicious insiders

  • External perimeters not enough! Monitor insiders (from inside and outside)

• “Cyber Hygiene” - way of improving cyber risk culture

• Growing call for cyber regulation

• Strategic view on Cyber Risks – required

  • NIST (National Inst. of Standards & Tech) Initiatives

Cyber Risks and ERM (1)

Page 19: Cyber Risks: Understanding The Unknown

Cyber Risk and Enterprise Risk Management (ERM)


Function                          Role in cyber risk
Risk Management, IT, Compliance   Identification, Monitoring, Management & Recovery
Compliance                        Control (law & internal)
Finance                           “Cyber Risk” charge
Legal                             Regulation, litigation, contracts, etc.
Board                             Appetite for cyber risks
Personnel                         Insider threats and lack of cyber talent

Cyber Risks and ERM (2)

Page 20: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


Approximately USD 2.5 bn gross premiums in ‘15

• 2018: USD 5 bn, 2020: USD 7.5 bn – realistic?

• Approx. 75% from the United States

  • First market to adopt standalone solutions

  • Especially data breaches

• 60 providers offering standalone cyber covers

• UK companies relatively small (GWP ‘14: GBP 25 m)

• London underwrites 10% of global cyber

• Approx. GBP 100 bn - estimated global exposure of insurance to cyber risk (standalone policies limits)

• Approx. GBP 20 bn - estimated global PML from a single event (20% assumption based on property risk)

Sources: AM Best, HM Government, Marsh

Page 21: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


Number of companies purchasing cyber insurance up 27% year on year in 2015 (US market, Marsh)

• 32% year on year increase in 2014

• 21% year on year increase in 2013

All US Market, Marsh Clients

Page 22: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


Health Care: disproportionate market penetration (abundance of personal information)

All US Market, Marsh Clients

Page 23: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


Media and financials - highest average limits

• Limits grew in ‘15 across all industries / business sizes

• Abundant (theoretical) capacity available

• Rate increases across all industries in 2015

All US Market, Marsh Clients

Page 24: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


Types of cyber risk coverage include:

• Loss / corruption of data

• Business interruption

• Liability (privacy breach, virus, unavailability of systems)

• D&O / management liability

• Cyber extortion and criminal rewards

• Crisis management

• Data breach

• Identity theft

• Cloud computing

Page 25: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


The nature of the risk:

• Hard to model - data quantity and quality issue:

  • Lack of historical series (no mandatory disclosure)

  • Companies are unaware they have been targeted

  • Companies do not want to disclose (reputational, legal implications)

  • Mutating with technology / deliberate attacks

• Similar challenges as for terrorism, D&O, fidelity & crime

• Hard to price

• High global correlation – systemic risk

Page 26: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


Reading the pricing (2):

• All factors suggest conservative underwriting

• Side effect – flat pricing provides no incentive for insured to reduce cyber risk and save on premiums

Page 27: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


Survey results:

• 52% of large UK companies believe they have cover (PwC survey, 2014)

• However - only 10% actually do (Combined research Marsh & Zurich)

• Failure to communicate value of cover from insurers / poor understanding of the risk and policies by companies

• All providers within a tight price range

• Suggests shared (uncertain) view on risk pricing

Page 28: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


Hot topics:

• Regulatory pressure

• Public / private sector debate on accountability

• Untested legal framework

Page 29: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance


The analysis of the market suggests:

• Broad range of covers offered by insurers

• No price differentiation with low limits

• Would more refined modelling / data change this?

• Main price factors: Geographical (US / Europe / SE Asia / Emerging countries) and size of operations

• Smaller companies: limited appetite, under-estimation of risk (lower penetration of standalone policies), high rates

• Large US insurers concerned of exposure to catastrophe events. Need for higher limits/capacity

Page 30: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance Credit Ratings


[Diagram] Definition of Cyber Risk and Scale → Insurance Industry: Seller [Underwriting] / Buyer [ERM] → Rating Assessment

Page 31: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance Credit Ratings


Standard questions and forms: number of policies written, premiums, % direct business, type of policy, line of business, etc.

Control areas assessed:

• Risk management regime

• Secure configuration

• Network

• Users (PEA)

• Incident management

• Malware prevention

• Monitoring

• Removable media

• Home and mobile

Page 32: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance Credit Ratings


Scenario analysis

• Exposures and level of sophistication of the insurer

Possible cyber catastrophe scenarios*:

• Payment processing services - security breach at largest provider; e-commerce payments down for 48 hours

• Electricity transmission system - cyber attack - shutdown for 48 hours

• Cloud data - world’s largest provider suffers major breach of security

• Cloud-based application hosting - world’s largest provider suffers 24-hour outage

*Marsh, UK HM Treasury

Page 33: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance Credit Ratings


Non-writers of standalone cyber risks (1)

• The case of cloud computing and contingent business interruption insurance

• 30% of Fortune 1000 companies deployed at least one business critical system in the cloud (2015)

• 78% of UK organizations – at least one cloud-based service

[Diagram] Insurer → Co. #1, Co. #2, Co. #3, …

Source: Kennedys

Page 34: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance Credit Ratings


Non-writers of standalone cyber risks (2)

• Contingent Business Interruption - loss of profit linked to physical damage to dependent property (i.e. property operated by third parties that delivers, accepts or manufactures products or services to the policyholder)

• Is the Cloud dependent property?

• US and UK - past court cases suggest that physical damage may include certain events (loss of data, suspension of services)

Source: Kennedys

Page 35: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance Credit Ratings


Threat of a cyber mega-event:

• Success/diffusion of the cloud

• Low levels of risk transfer

• Accumulations:

  • Ineffective exclusion clauses

  • Broad definition of physical damage

Page 36: Cyber Risks: Understanding The Unknown

Cyber Risk and Insurance Credit Ratings


Final Considerations

• Systemic Risk

• Insurance industry - may not be ready to adequately mitigate the risk yet

• Understanding buyer / seller side - in development

• Pressure on rating agencies to reflect this risk in their assessment

• New challenges:

  • Broader rating approach?

  • Data scoring rating?

Page 37: Cyber Risks: Understanding The Unknown

Cyber Risk: Understanding the Unknown


Q&A

Contacts

Carlos Wong, Senior Director, Analytics – [email protected]

Pablo Vasquez, Financial Analyst – [email protected]

A.M. Best

@AMBestEMEA, @AMBestRatings, @AMBestCo

Page 38: Cyber Risks: Understanding The Unknown

Creating a culture of risk awareness™

Global Association of

Risk Professionals

111 Town Square Place, Suite 1410, Jersey City, New Jersey 07310, USA. +1 201.719.7210

2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, UK. +44 (0) 20 7397 9630

www.garp.org

About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®) exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org.

© 2012 Global Association of Risk Professionals. All rights reserved.