Cyber Insurance Still infant or grown up? - Dr. Jürgen Reinhart March 2021

Page created by Frank Lindsey
 
Cyber Insurance
Still infant or grown up?

Dr. Jürgen Reinhart
March 2021
Questions about cyber we want to answer today

1. Cyber Risk – what is it?
2. What does this mean for insurance?
3. What keeps a Chief Underwriter awake at night?
4. Why are actuaries concerned with this?

Cyber insurance – still infant or grown-up? 13 March, 2021
1   Cyber Risk – what is it?
What does “Cyber” mean?

The term “Cyber” is a prefix used to describe a person, thing, or idea as part of the computer and information age. Taken from kybernetes, Greek for “steersman” or “governor”.

Currently, the adjective “cyber” relates to or characterizes the interconnectivity and culture of computers, information technology, and virtual reality (‘the cyber age’).

In the insurance industry the term “Cyber” is used for all risks which arise out of or stem from the usage of computer systems, hardware, software, data, the internet, networks and any other components of any information technology (IT) and Operational Technology (OT).

Digital revolution bears a hyper-connected world

[Figure: 27bn in 2017 rising to 125bn in 2030. Technologies shown: Big Data, Robotics, Smart Data, Virtual Assistants, Cloud Computing, 5G, Man-Machine Collaboration, Artificial Intelligence, Smart Cities, Biometrics, Digital Ecosystems]

Operational Technologies

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.
Home Office

Evolution and exponential growth in cyber incidents

Major cyber incidents, 2005 to 2020 (exemplary selection)

2007: DDoS on Estonian govt. sites
2009: DDoS attack on govt./financial websites in South Korea
2010: Stuxnet
2011: Sony PSN data breach
2011: RSA SecurID infiltration
2012: Dropbox (68m records)
2013: Yahoo! (3bn records)
2014: Sony Pictures hack
2014: Ebay (145m records)
2015: Anthem (80m records)
2015: US federal¹ (21m records)
2016: Yahoo (500m records)
2016: LinkedIn (112m records)
2016: Bank of Bangladesh attack (estimated $81m stolen)
2017: WannaCry
2017: NotPetya
2017: Uber (57m records)
2018: Google+ (52m records)
2018: Marriott (500m records)
2018: British Airways (500k records)
2018: Twitter (330m records)
2018: Facebook (90m records)

¹ Sensitive personnel data stolen from US govt. employees who had gone through security clearance background checks
Top 10 Global Business Risks 2021
Allianz Risk Barometer

Evolving threat landscape and cybercrime perspective

Estimates of global cybercrime costs differ, with Cybersecurity Ventures being at the upper end, assuming these costs to reach $10.5tn p.a. by 2025!

In 2021 the number will be around $6tn, up from $3tn in 2015.

Attacks and payloads will get even more sophisticated and targeted wherever an extra effort seems promising.

Just one example: Spear phishing is a rather high and manual investment. Automated tools combined with scanning programs will reduce efforts. Distribution and customization will be easier.

Phishing attacks will remain the major entry door.

Development and adoption of top technologies like 5G, artificial intelligence, automation, edge computing or the shift to clouds will add new attack surfaces.

Munich Re global cyber risk and insurance survey

81% of global respondents (5.507) believe in an increase of cyber crime.

Fraud, Data Breaches and Ransomware are the Top 3 concerns of C-Level respondents.

30% of global C-Level respondents are “extremely concerned” about a potential cyberattack. 38% are at least “concerned”.

2   What does this mean for insurance?
Cyber insurance market with strong expected growth

Cyber insurance market by region (in bn USD)

Region           2018    2020    2025
North America    3,7     5,3     10,8
Europe           0,6     1,1     5,0
Asia/Oceania     0,3     0,6     3,0
Latin America    0,1     0,2     0,8
Middle East      0,1     0,1     0,4
Africa           0,0     0,0     0,2
World            4,7     7,3     20,2

1 Estimates by Munich Re
For Europe a CAGR of 37% is expected

Year     2018   2019   2020   2021   2022   2023   2024   2025
Europe   0.6    0.8    1.1    1.6    2.2    2.9    3.8    5.0

Chart legend: UK, Germany, France, Italy, Rest of Europe

Source: Munich Re Economic Research/CU
3   What keeps a Chief Underwriter awake at night?
Cyber (re-)insurance outlook

Loss or theft of data: Data is destroyed or stolen; covered in private, commercial and industrial lines of business

Privacy breach protection: Consumer data is stolen or lost, or non-compliance with privacy legislation by a company

Cyber extortion: (Threat of or) loss or destruction of own or customer data

Property damage: First or third-party property damage as a consequence of a cyber event

(Contingent) Business interruption: Business interruption or contingent business interruption resulting from a cyber event

Product liability: Third-party property damage or bodily injury caused by software failure within a product

Reputational damage: Loss of profit resulting from reputational damage as a consequence of a cyber event

Loss of intellectual property: Loss of profit as a consequence of stolen trade secrets, or other commercially sensitive information

Increasing exposure and complexity of coverages
New trends in Cyber wordings

Infrastructure failure exclusion/limited to BI (not applicable to data restoration)

Blanket Contingent BI for supply chain

Open peril system failure/any unplanned outage/“Act of God trigger”

“Bricking”

“Voluntary shutdown” covered in BI section

BI Indemnity period (180 days or more?)

Ransomware is becoming a problem

Major Cyber Accumulation scenarios¹

Virus/Malware: Global outbreak of widespread, untargeted self-reproducing malware

Data breach: Multiple insureds are affected by a large-scale data breach attack

IT Service provider outage²: Large-scale outage of services such as Cloud causing widespread business impacts

External networks failure³: Electrical power supply / Telecommunication & Internet / Infrastructure / Software Failure

¹ MR has investigated other scenarios (e.g., corrupted software) as well, which turned out to be lower in terms of PML magnitude
² Scenario/model under development
³ This scenario is deemed not within appetite and is only written by exception, if specific permission (“dispensation”) is granted by the highest underwriting authority
On December 13, 2020 CISA determined that this
exploitation of SolarWinds products poses an unacceptable
risk to Federal Civilian Executive Branch agencies and
requires emergency action. Multiple versions of SolarWinds
Orion are currently being exploited by malicious actors.
This tactic permits an attacker to gain access to network
traffic management systems. Disconnecting affected
devices, as described in Required Action 2 of the ED, is
the only known mitigation measure currently available.
4   Why are actuaries concerned with this?
Topics where we need actuaries

Pricing

Exposure Analysis

Risk Quantification

Accumulation Risk Modelling

Data analytics and Artificial Intelligence

Cyber Insurance – What Is It?

Q&A

Cyber is a challenge…
…but also an opportunity!