Cyber insurance: The next frontier - DXC Technology
Table of contents

Summary
The Market Need
Cyber Risk: A Growing Concern
Rising Cost of Cyber Crime
Impact by Industry
Cyber Risk and Insurance
Cyber Risk under Traditional Insurance Cover
Standalone Cyber Cover
Recent Development in Australia
Considerations when Developing Cyber Insurance
Challenges for Insurers
Lack of Historic Data
Understanding Risk Appetite and Risk Aggregation
Recommendations
Solving the Data Challenge
Risk Management
Data Pools
Holistic Risk Solution
Conclusion
References
Summary

Since its inception, insurance has always served to manage risk. In the 17th century, a fire could destroy a shop front, records, and an entire business. Fire insurance served as a means of managing this risk both financially and actively, as insurers owned fire brigades. In the 21st century, cyber risk can equally destroy a business by destroying its records and its reputation. Beyond providing insurance, the standards and guidelines developed by the industry have the potential to define best practices and act as pseudo-regulations. Organisations need a means to manage cyber risk outside of their risk appetite; the insurance industry can fulfil this need.

Whilst cyber insurance fulfils a market need, it is also an opportunity for growth for insurance providers. Market saturation in the insurance industry has meant that insurers have found organic growth difficult to attain. Insurers that can identify emerging areas and successfully navigate these trends will be better placed for growth. Insurers looking to capitalise on the growing cyber insurance market, and develop it into a profitable and sustainable line of business, must come to terms with the complexity of cyber risk.

The market need

Cyber risk has emerged as one of the top challenges faced by companies worldwide. A string of high-profile data breaches has populated news headlines across the globe, including those involving Target in 2013, Sony Pictures Entertainment in 2014, and the Ashley Madison website in 2015. In Australia, David Jones and Kmart both suffered data breaches in October 2015. Statistics from the Australian Cyber Security Centre (ACSC) show that, during 2014, authorities responded to 11,733 reported cases of cyber incidents affecting Australian businesses. In the current cyber landscape, cyber attacks on businesses now appear to be inevitable. For businesses, being attacked is no longer a matter of ‘if’ but ‘when’.
Companies are now more conscious of cyber risk, with a 2015 survey of major Australian businesses conducted by the ACSC showing that 77 per cent of respondents have a cyber security incident response plan in place. The issue of cyber risk has extended beyond the realms of IT and has become a strategic business issue. Company boards and C-level executives are becoming actively involved in cyber risk management decisions.

The increased awareness of cyber risk has also generated increased interest in cyber insurance as a mechanism for risk transfer. The UK government has actively encouraged the role of insurance in managing and mitigating cyber risk. According to Fitch Ratings, cyber cover represents a key growth opportunity for the insurance industry, and many insurers have sought to take advantage of this by offering cyber risk insurance products. While the cyber insurance market is still relatively small, it is experiencing exponential growth, with PwC estimating that the global cyber insurance market will triple in size from US$2.5 billion in 2014 to US$7.5 billion by 2020. A large Australian insurance broker estimates that its gross written premium for cyber policies will increase from AU$15 million in 2015 to AU$25 million in 2016.

Estimated size of global cyber insurance market:
PwC: US$2.5bn in 2014 to US$7.5bn in 2020
ABI Research: US$10bn in 2020
Lloyds: US$85bn

“There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” John Chambers, Executive Chairman and former CEO of Cisco

Some commentators have raised concerns that insurers potentially face an aggregated risk from catastrophic cyber attacks that have a systemic impact. Insurers will need to find a balance between providing cyber policies that address their clients’ needs and finding an acceptable level of exposure in their cyber insurance portfolio. In order to do this, insurers will need to gain a better understanding of the cyber risk landscape.
Cyber risk: A growing concern

According to the Allianz Risk Barometer 2016, a survey based on the responses of more than 800 risk experts from over 40 countries, cyber risk is now a top-three global business risk and the top long-term risk. This concern is not limited to a specific industry; cyber risk achieved a top-five ranking in the financial services, manufacturing, power, and transportation industries.

This increased concern regarding cyber risk is not unfounded. A 2015 UK survey of 664 organisations, conducted by PwC, found that 90 per cent of large organisations and 74 per cent of small businesses suffered a security breach. Closer to home, a 2015 survey of 149 major Australian businesses across 12 industry sectors found that 50 per cent of respondents had suffered a breach.

Companies are responding to this growing threat by spending more on information security. The 2015 ACSC survey found that 56 per cent of respondents reported an increased expenditure on cyber security. This represents a significant increase from the 2013 survey result of 27 per cent. In a separate estimate in 2015, Gartner predicted that annual information security spend for Australian companies will grow by 7.4 per cent, which is well above the 4.7 per cent worldwide growth average.

Top 10 global business risks for 2016 (percentage of respondents listing each as a top risk; source: Allianz):
Business interruption 38%
Market developments 34%
Cyber incidents 28%
Changes in legislation and regulation 24%
Natural catastrophes 24%
Macroeconomic developments 22%
Loss of reputation or brand value 18%
Fire, explosion 16%
Theft, fraud and corruption 11%
Political risks 11%
Rising cost of cyber crime

The ‘2015 Cost of Cyber Crime Study: Australia’ is the fourth annual study of Australian companies conducted by the Ponemon Institute. It found that the average annualised cost of cyber crime in Australia rose 13 per cent from AU$4.27 million in 2014 to AU$4.9 million in 2015. The 2015 study used a sample of 28 Australian-based organisations with an annualised cost of cyber crime ranging from AU$0.79 million to AU$18 million.

Other key findings of the 2015 Cost of Cyber Crime Study included:
- Cyber crime costs vary by organisational size, with a positive relationship between organisational size and annualised cost. However, per capita cost for small organisations was significantly higher than for larger organisations ($1,919 versus $372).
- Cyber crimes are requiring longer to resolve, with the average time to resolve a cyber attack now 31 days, up from 23 days in 2014. The average cost incurred over this period has also significantly increased, by 47 per cent to AU$419,542.
- Cyber crime affects all industries, but to different degrees. Organisations in the energy and utilities, financial services, and technology industries experienced substantially higher cyber crime costs than organisations in media, consumer products, and retail.
Impact by industry

The diagram below summarises the different impacts that cyber attacks have on different industries. When developing policies, insurers need to recognise that the risk and potential claims from some industries can be substantially greater than for others.

[Diagram: impact of cyber attacks by industry. Source: Centre for Internet Safety]

Case study: Target breach 2013

In 2013, Target Corporation suffered a data breach of 40 million payment card information records and 70 million personally-identifiable information records. As of December 2015, Target has estimated that it had accrued US$290 million in expenses as a result of the breach. Just US$90 million will be covered by insurance. The total amount includes a US$67 million settlement of class action lawsuits brought by Visa Inc. on behalf of banks and other issuers of credit and debit cards, a US$10 million settlement with shoppers, and a US$39 million settlement with MasterCard and other issuing banks not covered by other class actions.

Target was reported to have been insured across a number of providers. It was self-insured for US$10 million of cyber coverage and held policies of US$15 million with Ace Ltd, US$10 million with American International Group Ltd, US$10 million with Axis Capital Holdings Ltd, and US$40 million among four unidentified insurers. Target was also reported to have US$60 million of directors’ and officers’ liability (D&O) insurance, of which US$10 million was self-insured, US$25 million with American International Group Ltd, US$15 million with Ace Ltd, and US$15 million with The Travelers Companies Inc.
Cyber risk and insurance

Since its inception, insurance has existed to mitigate the consequences of an adverse event by transferring the risk to a third party, i.e. the insurer. Cyber risk insurance is no different; it aims to transfer the adverse consequences of a cyber incident from the policyholder to the underwriter of the insurance policy.

Interestingly, 52 per cent of CEOs and CIOs of large UK-based organisations thought that their organisation had insurance that would cover them in the event of a cyber breach. However, the percentage of firms with cyber cover (under standalone cover or implicit in other policies) was only 10 per cent. Furthermore, the actual penetration of standalone cyber insurance products for UK large businesses was closer to 2 per cent.

These results reflect the inadequacy of traditional insurance policies at protecting against cyber risk, and a need for insurers to provide policyholders with a clearer picture of what is covered under existing policies. A better understanding of coverage will let policyholders make informed decisions about the role of insurance in their broader cyber risk-mitigation strategy.

It is also important for insurers to examine their existing exposure to cyber risk under their traditional policies and include it when examining their appetite for cyber risk. This is the case even if the insurer has no intention to provide standalone cyber insurance cover.

Cyber risk under traditional insurance cover

Traditional insurance cover was not designed to protect against cyber risk and many underwriters have introduced specific exclusions for losses incurred as a result of a cyber incident. The following section examines the treatment of cyber claims under traditional insurance policies.

Property: Damage to software and data as a result of a cyber attack is usually not covered as they are deemed to be intangible forms of property. Some policies also have specific exclusions removing cyber attack triggers for physical asset damage (e.g. the perils exclusion under s7(a)(ii) of the Mark IV Industrial Special Risks policies that form the basis of many property insurance policies for large businesses).

Business interruption: Cover is for lost revenue and additional costs incurred. Most traditional policies are not triggered by cyber attacks that do not cause physical damage.

General liability: This covers third-party liabilities for physical property damage, bodily injury, and advertising injury. However, most general liability policies have introduced an exclusion of coverage for claims arising from unauthorised access or disclosure of personal information.

Errors and omissions/professional indemnity: This cover is for third-party liabilities arising from the performance of professional services. Cover may be restricted to liability claims from customers and not affected employees.

Terrorism reinsurance scheme: Under the terrorism reinsurance scheme, reinsurance is available to primary insurers for commercial property and associated business interruption loss associated with a declared terrorist incident. However, loss arising from a computer crime is specifically excluded in Schedule 1 of the regulations. Therefore, losses arising from cyber incidents are unlikely to be covered under the terrorism reinsurance scheme.
Standalone cyber cover

Outside of traditional insurance policies, many insurers now offer extensions to traditional policies and standalone products to cover the following loss categories. Some of the loss categories below are often bundled together under a cyber policy while others are optional extras. Some of these losses are completely insurable while others are subject to sub-limits. When underwriting policies, insurers will need to determine the appropriate mix of these loss categories to cover.

Loss category and cover:

Data and software loss: The cost of reconstituting data and/or software that has been corrupted or deleted.

Business interruption: The loss of revenue or additional expenses incurred due to the unavailability of IT systems or data as a result of cyber attacks or other non-malicious IT failures.

Cyber extortion: The cost of expert handling for extortion and the ransom payment.

Cyber crime: The direct financial loss arising from the use of computers to commit fraud or theft of money, securities, or other properties.

Breach of privacy: The cost to investigate and respond to privacy breaches, notification costs, fines from regulators, and third-party liability claims arising from the incident.

Network failure liabilities: Third-party liabilities arising from a failure of security that causes network systems to be unavailable to third parties.

Brand damage: The loss of revenue arising from an increase in customer churn or reduced transaction volumes that are directly attributable to the publication of a security breach event.

Physical asset damage: First-party loss due to destruction of physical property resulting from cyber attacks.

Death and bodily injury: Third-party liability for death or bodily injury resulting from cyber attacks.

Intellectual property theft: The loss of value of an IP asset.

Forensic and response costs: The cost incurred to investigate and resolve the cyber incident and minimise post-incident losses.

Legal costs: The legal cost of defence or settlement of third-party claims.

Recent development in Australia

A recent development in the Australian regulatory landscape that is likely to impact the adoption of cyber insurance products is the mandatory notification requirement proposed under the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. Under the proposed scheme, organisations with annual turnover of AU$3 million or more will need to notify affected individuals of a ‘serious data breach.’ The bill defines a ‘serious data breach’ as one where there is a ‘real risk of serious harm’ to any of the individuals whose information has been the subject of the breach.

Should this Bill be passed, organisations that are subject to a data breach will face increased costs and reputational damage, which could give organisations more reason to take up cyber insurance cover as part of their risk mitigation strategy. Under the current legislation, corporations are liable to fines of up to AU$1.8 million for breaches of the Privacy Act. Mandatory notification will bring Australia in line with other jurisdictions such as Canada, the European Union, and certain states in the United States.
Considerations when developing cyber insurance

Given the complexity of cyber risks, there are a number of issues that insurers will need to consider when developing their cyber insurance policies. A quick analysis of the existing products has shown that most insurers offer policies that have a similar set of covered items and exclusions. The variance between the policies is in whether sub-limits have been applied to certain loss categories.

Individual insurers and the insurance industry as a whole will need to determine what role they wish to play in the risk management process. By adopting standard terms and conditions that dictate the security standards policyholders need to comply with (e.g. firewalls, hosting locations, etc.), insurers have the potential to assume a pseudo-regulatory role that shapes how businesses manage their cyber risk.

Furthermore, by packaging their insurance product with incident-response services that mitigate the costs of a breach, insurers can provide a holistic risk solution to their clients.

Challenges for insurers

Lack of historic data

A commonly-raised issue regarding the underwriting of cyber insurance policies is the lack of historic data on cyber risk. While many surveys regarding the cost of cyber crime have been conducted, these surveys sample a selected number of organisations. As a result, the findings are descriptive rather than normative, and cannot be used as a statistical basis for actuarial analysis. This lack of data makes it difficult for insurers to accurately price cyber insurance policies, so many insurers have tended to take a conservative approach.

Analysing the pricing of cyber insurance cover has shown that the rate on line (premium divided by limit of indemnity purchased) for the primary layer for cyber insurance (the part of the policy that pays first in case of a loss) is three times higher than for general liability cover and six times higher than for property. The pricing for cyber insurance across firms is also much flatter than that of general liability and property insurance. Together, these have a negative impact on cyber insurance, with a higher price likely to discourage take-up and the lack of price differentiation reducing the incentive for policyholders to improve their security posture to save on premiums.

Understanding risk appetite and risk aggregation

The non-physical nature of cyber risk and the interconnectedness of the digital world means that a single cyber event can affect thousands of policyholders in different geographical locations. As a result, an insurer may find itself subject to catastrophic losses due to the aggregation of risk across its clients. It is, therefore, important for insurers to understand the potential for risk aggregation and clearly understand the possible maximum loss they would face if a systemic event were to occur. This will let insurers balance their exposure with their appetite for cyber risk.

Some have suggested that the aggregation of risk is too great for the private sector and that a government backstop is required. However, a recent report suggests that, although the estimated possible maximum loss of £20 billion for a single cyber event is greater than that of a nuclear event, it is well within the £65 billion insurance/reinsurance capacity for a natural catastrophe such as a Tokyo or California earthquake.
Recommendations

Solving the data challenge

The lack of historical data has two broad potential solutions.

Risk management

Throughout the history of developing insurance policies, actuaries have at times been challenged with the lack of historic data. Underwriters need to recognise that, in the rapidly-changing threat landscape, historic data is less important than a thorough understanding of cyber risks, probability, and the ability to mitigate cyber risks. Underwriters looking to price policies can engage cyber security experts who understand the threats.

IT security experts can provide a security assessment of potential policyholders. Maturity statements that compare a company’s security posture against industry standards can be used as inputs in the screening process. Assessment reports can also include roadmaps for how a policyholder can achieve industry standards. This has the benefit of reducing risk for the insurer and can potentially lower premiums for the insured at renewal. For smaller organisations where the cost of a comprehensive security assessment may be prohibitive, insurers can work with cyber security experts to develop standard security surveys that can ascertain the security posture of the policyholder.

In the absence of historical data, some insurers have developed modelling tools based on Monte Carlo simulations to evaluate the potential loss exposure from cyber risk.

Data pools

Another solution to the data challenge is for the insurance industry to collaborate and pool anonymised data. By working with government agencies such as the ACSC, insurance companies can get access to data from reported incidents. A third potential source of data is cybersecurity providers, who will be able to provide insurers with anonymised data from customer security logs.

Holistic risk solution

Insurance companies have the opportunity to provide a holistic solution to cyber risk. By bundling ancillary services such as threat intelligence and digital attack simulations with their cyber risk product, they can offer policyholders additional value and reduce the likelihood of successful attacks against the insured.

By gathering threat intelligence, insurers can create a threat map that profiles a client’s position. Following that, insurers could conduct a risk assessment. This may include activities such as penetration testing, security audits, and white hat hacking campaigns to get a clear view of the client’s risk profile. As a final step, ongoing training is essential for the insurer, the brokers they work with, and for clients, who may be entitled to reduced premiums if they have certain requirements in place such as security certifications and accreditations.

In the event of a cyber breach, it is in the insurer’s and insured’s best interests to mitigate the losses arising from the attack. However, the vast majority of organisations do not have the adequate expertise to handle a cyber incident effectively to minimise damage. Therefore it is necessary to engage an incident response team that can be deployed to manage the adverse consequences of a breach.
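The Monte Carlo loss modelling mentioned under Risk management, and the risk-aggregation concern raised under Challenges for insurers, as an added example that is not part of the paper or of any insurer's own tooling. All portfolio figures (policy count, deductible, limit, incident probabilities, lognormal severity) are constructed for illustration; the model simulates many policy years for a portfolio, once with only independent incidents and once adding a single systemic event shared by a quarter of the insureds, and reports how much the 1-in-100-year loss grows once that correlation is included.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Portfolio:
    """Constructed, illustrative portfolio assumptions (not figures from the paper)."""
    policies: int = 1000             # number of insured organisations
    deductible: float = 50_000.0     # retained by the insured, per policy per year
    limit: float = 5_000_000.0       # maximum the insurer pays, per policy per year
    p_independent: float = 0.05      # annual chance of an isolated incident per insured
    p_systemic: float = 0.03         # annual chance of one event hitting many insureds
    systemic_share: float = 0.25     # fraction of insureds hit in a systemic year
    log_mu: float = 12.5             # lognormal severity: median about AU$270k
    log_sigma: float = 1.2


def insurer_share(gross: float, pf: Portfolio) -> float:
    """Apply the deductible and the per-policy limit to a gross annual loss."""
    return min(max(gross - pf.deductible, 0.0), pf.limit)


def simulate_year(rng: random.Random, pf: Portfolio, systemic: bool) -> float:
    """One simulated policy year; returns the insurer's aggregate paid loss."""
    # A systemic event is a single draw shared by the whole portfolio: this is
    # the correlation that per-insured incident models leave out.
    systemic_year = systemic and rng.random() < pf.p_systemic
    total = 0.0
    for _ in range(pf.policies):
        gross = 0.0
        if rng.random() < pf.p_independent:
            gross += rng.lognormvariate(pf.log_mu, pf.log_sigma)
        if systemic_year and rng.random() < pf.systemic_share:
            gross += rng.lognormvariate(pf.log_mu, pf.log_sigma)
        total += insurer_share(gross, pf)
    return total


def loss_profile(pf: Portfolio, years: int = 1000, systemic: bool = True,
                 seed: int = 7) -> dict:
    """Monte Carlo over many policy years: expected loss, 1-in-100 loss, worst year."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, pf, systemic) for _ in range(years))
    return {
        "expected": statistics.fmean(losses),
        "pml_99": losses[int(0.99 * (years - 1))],   # 99th percentile of annual loss
        "worst": losses[-1],
    }


def aggregation_uplift(pf: Portfolio = Portfolio()) -> float:
    """Ratio of the 1-in-100 loss with a systemic event to the independent-only model."""
    with_sys = loss_profile(pf, systemic=True)
    no_sys = loss_profile(pf, systemic=False)
    return with_sys["pml_99"] / no_sys["pml_99"]


if __name__ == "__main__":
    pf = Portfolio()
    for label, flag in (("independent incidents only", False),
                        ("with systemic event", True)):
        prof = loss_profile(pf, systemic=flag)
        print(f"{label:28s} expected AU${prof['expected'] / 1e6:6.1f}m  "
              f"1-in-100 AU${prof['pml_99'] / 1e6:6.1f}m  "
              f"worst AU${prof['worst'] / 1e6:6.1f}m")
    print(f"aggregation uplift at the 99th percentile: {aggregation_uplift(pf):.1f}x")
```

The expected annual loss barely moves when the systemic event is added, but the tail used for risk appetite and capacity decisions moves a great deal, which is the point of the aggregation discussion above.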
An independent third party will also need to be engaged to provide post-incident investigation. At this stage, the cyber security expert will operate as a claims assessor, gathering evidence and determining the root cause of the incident, as well as expected and covered losses, and costs of the breach.

[Diagram: Pre coverage (Assess): policy and product development, maturity assessment. During coverage (Support): prevention and defence. Post incident (Respond): forensics, claims assessment.]

Conclusion

Cyber insurance is an emerging product that is likely to grow exponentially over the next few years. In fact, it is likely to grow much faster than other insurance products such as automobile, life, or home and contents insurance. Once people and businesses genuinely understand the scope and severity of the threat they are exposed to, demand is likely to accelerate rapidly.

Insurers looking to capitalise on this new revenue stream will need to act swiftly and develop a strategy around cyber insurance. A thorough understanding of cyber risk and a partnership with cyber security experts will be critical to success. While insurers may look to hire these skills in-house, this approach could be hindered by the ongoing shortage of cyber security skills in the market. The other option is for insurers to partner with organisations that can provide the insight and advice that they need with policy development and claims assessment.
References

Allianz, Allianz Risk Barometer Top Business Risks 2016, January 2016
Australian Cyber Security Centre, 2015 Cyber Security Survey: Major Australian Businesses, December 2015
Australian Government and Australian Reinsurance Pool Corporation, Cyber Terrorism and Australia’s Terrorism Insurance Scheme: Physical Destructive Cyber Terrorism is a Gap in Current Insurance Coverage, March 2016
CERT Australia, Cyber Crime & Security Survey Report 2013, May 2014
Fitch, The Rise of Cyber Insurance: Growth Opportunity Paired with Incalculable Threat, March 2015
Gartner, Forecast Analysis: Information Security Worldwide, 2Q15 Update, September 2015
Greenwald J, ‘Target has $100M of cyber insurance, $65M of D&O cover: Sources’, Business Insurance, 14 January 2014, accessed 18 February 2016, http://www.businessinsurance.com/article/20140114/NEWS07/140119934
HM Government and Marsh, UK Cyber Security: the role of insurance in managing and mitigating the risk, March 2015
Insurance Information Institute, Cyber Risk: Threat and opportunity, October 2015
Liew R, ‘Aon finds cyber insurance a booming trade as hacks spike’, Australian Financial Review, 14 September 2015, accessed 18 February 2016, http://www.afr.com/technology/aon-finds-cyber-insurance-a-booming-trade-as-hacks-spike-20150910-gjjk20
Ponemon Institute, 2015 Cost of Cyber Crime: Australia, September 2015
PricewaterhouseCoopers, Information Security Breaches Survey 2015, June 2015
PricewaterhouseCoopers, Insurance 2020 & beyond: Reaping the dividends of cyber resilience, September 2015
PricewaterhouseCoopers, Top Issues: The promise and pitfalls of cyber insurance, January 2016
Stempel J and Rose N, ‘Target in $39.4 million settlement with banks over data breach’, Reuters, 2 December 2015, accessed 18 February 2016, http://www.reuters.com/article/us-target-breach-settlement-idUSKBN0TL20Y20151203
Stewart E, ‘Cyber attack insurance growing fast’, ABC News, 9 October 2015, accessed 18 February 2016, http://www.abc.net.au/news/2015-10-09/cyber-attack-insurance-growing-fast/6842744

About DXC

DXC Technology (NYSE: DXC) is the world’s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company’s technology independence, global talent and extensive partner alliance combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2017 DXC Technology Company. All rights reserved. DXC_CSC-363. March 2017