CYBER RISK INSURANCE 18.06.2013 Tine Olsen, Willis



CYBER RISKS

Agenda:

• Introduction to Willis

• What are Cyber risks?

• Exposure and cases

• Risk management

• Risk transfer Insurance

• Closure and questions


WILLIS

Part 1

WILLIS DENMARK

• Partner-owned company (Willis International is majority shareholder)

• 6 locations and more than 470 employees

• Manages more than DKK 9 billion in premiums

The largest insurance broker in Denmark

Share of FMF's revenue in Denmark:

• Willis 38%
• Others 25%
• AON 22%
• Marsh 15%

WILLIS INTERNATIONAL

Key figures

+400 offices

Roughly 17,000 employees in 110 countries

+600 multinational customers

Premium volume > USD 30 billion

WHAT ARE CYBER RISKS?

Part 2

CYBER RISK

Cyber risk can be defined as the risk connected to activity online, internet trading, electronic systems and technological networks, as well as storage of personal data.

CYBER RISKS:

HACKER ATTACK

DATA BREACH

VIRUS TRANSMISSION

CYBER EXTORTION

EMPLOYEE SABOTAGE

NETWORK DOWNTIME

MULTIMEDIA LIABILITY

HUMAN ERROR

RELIANCE ON THE INTERNET – 73 % OF THE EUROPEAN COMPANIES


CHARACTERISTICS

Whom?

• “One-man hacker”
• Organized hacker crime associations
• Hacktivists
• Spy

How?

• DDoS
• Malware/virus/botnets
• Hacking
• Espionage via hacking
• Theft of computers/smartphones

Gain?

• Money (directly/indirectly)
• Personal/business data
• Public attention
• Extortion
• Vandalism

Target

• All companies can be a target - it's just a matter of how and when.

EXPOSURE

Part 3

EXPOSURE

Any company or organisation that

• stores personally identifiable information
• is reliant on: the internet / networks / computers, web pages, digital info

FACES CYBER RISKS

EXPOSURE

In February 2013, President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America's economic prosperity in the 21st century will depend on cyber security.”

In Denmark – one of the 10 biggest risks.

April 2013 - the Danish Emergency Management Agency (Beredskabsstyrelsen) declared that cyber-attacks are among the top 10 biggest threats for Denmark!

WILLIS FORTUNE 500 CYBER DISCLOSURE REPORT, 2013

This report on the Willis Public Company Cyber Exposure Disclosure Study with a Focus on the Fortune 500 (Study) highlights three key disclosure areas in the SEC’s guidance:

• The significance of the organization’s cyber exposures and how these are qualified
• How the exposures are likely to manifest themselves
• What the company is doing to mitigate these risks.

Companies that said they were exposed to cyber risk were specific as to the type of cyber risks they are facing 95% of the time.

The top three risks identified by the Fortune 500 are:

1) Loss or theft of confidential information: 65%
2) Loss of reputation: 50%
3) Direct loss from malicious acts (hackers, viruses etc.): 48%

These risks are closely followed by exposure to liability for system breaches or failures (40%).

WILLIS FORTUNE 500 CYBER DISCLOSURE REPORT, 2013

QUANTIFYING CYBER RISK

Our study found that:

• 38% disclosed that a potential cyber event might “impact” or “adversely impact” the business
• An additional 36% (180 companies of 500) may face “material harm” to their business due to cyber attacks
• 2% (12 companies) specified their potential cyber risk as “critical”

The companies that used a term such as “critical” to describe their cyber risk seem not to have any particular relationship to one another (e.g., an auto manufacturer, a food and drink company, a distributor of petroleum products, two utilities, a large machinery manufacturer, a health care insurer, a life insurance company and a computer manufacturer).

CASES - DENMARK

April 2013:

DDoS in DK:

Patient data – social security numbers

Virus attack - Danish municipality

DDoS attack – Danish Travel site

CASES - INTERNATIONAL

Hacking


Tax division South Carolina

US Media Company

Lost a laptop – counselling

The EFFECT

• Dissatisfied customers

• Bad public attention

• Loss of data

• Uncertainty

• ”Lock-out”

• Work barriers

Claim for damages / compensation

PR costs/Crisis management costs

Loss / notification

Extortion

Data recovery

Consultant costs (legal/it/forensic)


RISK MANAGEMENT

Part 4

RISK MANAGEMENT

Analyse your risks

Describe your risk strategy

Implementing risk solutions

Monitor the performance

Transfer your risks

CYBER INSURANCE

Part 5

CYBER INSURANCE

A cyber insurance provides coverage for a double burden:

• Primarily third-party loss / claims made against the company
• Primarily first-party loss

Security / Data / Liability / PR

- Fines/penalties; company loss; violations of sanctions; loss of data
- Hacking; virus or DDoS; extortion; theft of data
- Distribution of false information; wrong information on web pages
- Privacy violation; disclosure of business information
- IPR infringement; service failure; net banking

CYBER INSURANCE

What is generally covered by a cyber insurance?

• Defence costs
• Liability relating to:
  - Publication of personal data / breach of privacy law
  - Unintentional distribution of confidential information and trade secrets
  - Transfer of virus to another computer or network
• Repair of reputation
• Notification costs
• Recovery costs
• Investigation costs
• Business interruption

Extensions:

- Intellectual property infringement (e.g. unintentional ”deep-linking” or ”framing”)
- Publication of credit card information
- Extortion (ransom)
- Electronic theft (e.g. Internet banking)
- Monitoring
- Multimedia liability

CYBER INSURANCE

What is generally not covered?

Exclusions

• Prior or pending claims
• Conduct
• Improvement costs
• Bodily injury and property damage
• Contractual liability
• Business interruption caused by things other than the listed cyber incidents
• Violation of patent rights
• Unauthorised trading
• Unlawfully collected data

CYBER INSURANCE

Take notice of:

• How is the insurance adaptable for your business?
• Which extensions are relevant for you?
• Is there an emergency team / a hotline?
• Does it give you coverage to investigate the incidents?
• Does it provide coverage for professional fees of independent advisors (e.g. legal advice, cyber risk specialists)?

NO EXCLUSION FOR:

• Terror
• Hammer clause
• Employees' mistakes
• Employees' criminal acts
• Infringement of intellectual property
• Contractual liability (unless there is a carve back)

Benchmark

| Revenue ($) | Limit ($) | Deductible ($) | Insurance |
|---|---|---|---|
| 45,000,000,000 | 40,000,000 | 1,000,000 | E&O, Cyber |
| 25,000,000,000 | 150,000,000 | 5,000,000 | Cyber |
| 24,000,000,000 | 50,000,000 | 1,500,000 | Cyber |
| 22,000,000,000 | 80,000,000 | 5,000,000 | Cyber |
| 21,000,000,000 | 30,000,000 | 2,500,000 | Cyber |
| 16,800,000,000 | 20,000,000 | 1,000,000 | Cyber |
| 15,256,230,000 | 25,000,000 | 1,000,000 | Cyber |
| 15,000,000,000 | 50,000,000 | 1,000,000 | Cyber |
| 13,794,000,000 | 60,000,000 | 1,000,000 | Cyber |
| 12,000,000,000 | 5,000,000 | 250,000 | Cyber |
| 5,000,000,000 | 25,000,000 | 500,000 | Cyber |

CLOSURE AND QUESTIONS

Part 6

FINEX

For further information contact:

Head of FINEX in Willis:

Klaus Stubkjær Andersen

Phone: 88139565 or e-mail: [email protected]

Legal Consultant in FINEX

Tine Olsen

Phone: 88139431 or e-mail: [email protected]

Visit www.willis.dk