CYBER RISKS
Agenda:
• Introduction to Willis
• What are Cyber risks?
• Exposure and cases
• Risk management
• Risk transfer Insurance
• Closure and questions
WILLIS DENMARK
• Partner-owned company (Willis International is majority shareholder)
• 6 locations and more than 470 employees
• Manage more than DKK 9 billion in premiums
The largest insurance broker in Denmark
Share of FMF's revenue in Denmark:
• Willis 38%
• Other 25%
• AON 22%
• Marsh 15%
WILLIS INTERNATIONAL
Key figures
+400 offices
Roughly 17.000 employees in 110 countries
+600 multinational customers
Premium volume > 30 billion USD
CYBER RISK
Cyber risk can be defined as the risk connected to activity online, internet trading,
electronic systems and technological networks, as well as storage of personal data
CYBER RISKS
HACKER ATTACK
DATA BREACH
VIRUS TRANSMISSION
CYBER EXTORTION
EMPLOYEE SABOTAGE
NETWORK DOWNTIME
MULTIMEDIA LIABILITY
HUMAN ERROR
CHARACTERISTIC
Whom?
• “One-man hacker”
• Organized hacker crime associations
• Hacktivists
• Spy
How?
• DDoS
• Malware/virus/botnets
• Hacking
• Espionage via hacking
• Theft of computers/smartphones
Gain?
• Money (directly/indirectly)
• Personal/business data
• Public attention
• Extortion
• Vandalism
Target
• All companies can be a target - it's just a matter of how and when.
EXPOSURE
Any company or organisation that
• stores personally identifiable information
• is reliant on:
  - the internet / networks
  - computers
  - web pages
  - digital info
FACES CYBER RISKS
EXPOSURE
“IN FEBRUARY 2013, PRESIDENT OBAMA DECLARED THAT THE “CYBER THREAT IS ONE OF THE MOST SERIOUS ECONOMIC AND NATIONAL SECURITY CHALLENGES WE FACE AS A NATION” AND THAT “AMERICA'S ECONOMIC PROSPERITY IN THE 21ST CENTURY WILL DEPEND ON CYBER SECURITY.”
In Denmark – One of the 10 biggest risks.
April 2013 - the Danish Emergency Management Agency (Beredskabsstyrelsen) declared that cyber-attacks are among the top 10 biggest threats for Denmark!
WILLIS FORTUNE 500
CYBER DISCLOSURE REPORT, 2013
This report on the Willis Public Company Cyber Exposure Disclosure Study with a Focus on
the Fortune 500 (Study) highlights three key disclosure areas in the SEC’s guidance:
• The significance of the organization’s cyber exposures and how these are qualified
• How the exposures are likely to manifest themselves
• What the company is doing to mitigate these risks.
COMPANIES THAT SAID THEY WERE EXPOSED TO CYBER RISK WERE SPECIFIC AS TO THE TYPE OF CYBER RISKS THEY ARE FACING 95% OF THE TIME.
THE TOP THREE RISKS IDENTIFIED BY THE FORTUNE 500 ARE:
1) LOSS OR THEFT OF CONFIDENTIAL INFORMATION: 65%
2) LOSS OF REPUTATION: 50%
3) DIRECT LOSS FROM MALICIOUS ACTS (HACKERS, VIRUSES ETC.): 48%
THESE RISKS ARE CLOSELY FOLLOWED BY EXPOSURE TO LIABILITY FOR SYSTEM BREACHES OR FAILURES (40%).
WILLIS FORTUNE 500
CYBER DISCLOSURE REPORT, 2013
QUANTIFYING CYBER RISK
Our study found that:
• 38% disclosed that a potential cyber event might “impact” or “adversely impact” the business
• An additional 36% (180 companies of 500) may face “material harm” to their business due to cyber attacks
• 2% (12 companies) specified their potential cyber risk as “critical”
The companies that used a term such as “critical” to describe their cyber risk seem not to have any particular relationship to one another (e.g., an auto manufacturer, a food and drink company, a distributor of petroleum products, two utilities, a large machinery manufacturer, a health care insurer, a life insurance company and a computer manufacturer).
CASES - DENMARK
April 2013:
DDoS in DK:
Patient data – social security numbers
Virus attack - Danish municipality
DDoS attack – Danish Travel site
CASES - INTERNATIONAL
Hacking
Tax division South Carolina
US Media Company
Lost a laptop – counselling
The EFFECT
• Dissatisfied customers
• Bad public attention
• Loss of data
• Uncertainty
• “Lock-out”
• Work barriers
Claim for damages / compensation
PR costs/Crisis management costs
Loss / notification
Extortion
Data recovery
Consultant costs (legal/it/forensic)
RISK MANAGEMENT
Analyse your risks
Describe your risk strategy
Implement risk solutions
Monitor the performance
Transfer your risks
CYBER INSURANCE
A cyber insurance provides coverage for a double burden:
• Primarily third-party loss / claims made against the company
• Primarily first-party loss
Coverage areas: Security, Data, Liability, PR
- Fines/penalties
- Company loss
- Violations of sanctions
- Loss of data
- Hacking
- Virus or DDoS
- Extortion
- Theft of data
- Distribution of false information
- Wrong information on web pages
- Privacy violation
- Disclosure of business information
- IPR infringement
- Service failure
- Online banking
CYBER INSURANCE
What is generally covered by a cyber insurance?
Defence costs
Liability regarding:
- Publication of personal data / breach of privacy law
- Unintentional distribution of confidential information and trade secrets
- Transfer of virus to another computer or network
Repair of reputation
Notification costs
Recovery costs
Investigation costs
Business interruption
Extensions:
- Intellectual property infringement (e.g. unintentional “deep-linking” or “framing”)
- Publication of credit card information
- Extortion (ransom)
- Electronic theft (e.g. Internet banking)
- Monitoring
- Multimedia liability
CYBER INSURANCE
What is generally not covered?
Exclusions
• Prior or pending claims
• Conduct
• Improvement costs
• Bodily injury and property damage
• Contractual liability
• Business interruption caused by other things than the listed cyber incidents
• Violation of patent rights
• Unauthorised trading
• Unlawfully collected data
CYBER INSURANCE
Take notice of:
• How is the insurance adaptable for your business?
• Which extensions are relevant for you?
• Is there an emergency team / a hotline?
• Does it give you coverage to investigate the incidents?
• Does it provide coverage for professional fees of independent advisors (e.g. legal advice, cyber risk specialists)?
NO EXCLUSION FOR:
• Terror
• Hammer clause
• Employees' mistakes
• Employees' criminal acts
• Infringement of intellectual property
• Contractual liability (unless there is a carve back)
Benchmark
Revenue ($)       Limit ($)      Deductible ($)   Insurance
45,000,000,000    40,000,000     1,000,000        E&O, Cyber
25,000,000,000    150,000,000    5,000,000        Cyber
24,000,000,000    50,000,000     1,500,000        Cyber
22,000,000,000    80,000,000     5,000,000        Cyber
21,000,000,000    30,000,000     2,500,000        Cyber
16,800,000,000    20,000,000     1,000,000        Cyber
15,256,230,000    25,000,000     1,000,000        Cyber
15,000,000,000    50,000,000     1,000,000        Cyber
13,794,000,000    60,000,000     1,000,000        Cyber
12,000,000,000    5,000,000      250,000          Cyber
5,000,000,000     25,000,000     500,000          Cyber
FINEX
For further information contact:
Head of FINEX in Willis:
Klaus Stubkjær Andersen
Phone: 88139565 or e-mail: [email protected]
Legal Consultant in FINEX
Tine Olsen
Phone: 88139431 or e-mail: [email protected]
Visit www.willis.dk