
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance


Cyber Insurance - What You Need to Know!


Contents

Cybercrime Reporting Network Reveals Startling Numbers

Lloyd’s Appeals To Brokers For Help On Cyber

PM Announces Strengthened Cyber Ties With US

Asian Cyber Cover ‘Set To Soar’

Cyber: What Are The Emerging Issues?

Risk Modellers Set Out Cyber Strategies

Cyber Dominates Top Ten Legal Risks For Business In 2016

Global Ratings Agency Discusses Difficulties With Cyber

IT, Data Security Top Business Concerns In 2016

Many Businesses Ill-Prepared For Crises, Study Shows

Businesses Lack Cyber Insurance, Fail To Report Attacks: Survey

ASIC Reports On ASX Cyber Resilience

Cyber Insurance Still Leaves Breach Victims Out Of Pocket

Insurers ‘Sceptical’ Of Booming Cyber-Risk Market

Physical Cyber Attack Risk Exposes Gap In Coverage

FBI Warns Vehicles Are ‘Increasingly Vulnerable’ To Cyber Attacks

ASIC Zeroes In On Cyber Crime

Stock Markets A Target For Cyber Crime: Report

Munich Re, Beazley Team Up On Cyber Cover

Cyber Risks On Radar, But Strategies Fall Short: Report

CGU Launches Revolutionary New Cyber Product Into The Australian Market

Cyber-Security Plan Will Unlock Innovation, PM Says


Cybercrime reporting network reveals startling numbers

The Australian Cybercrime Online Reporting Network (ACORN) revealed that it received more than 39,000 reports of cybercrime throughout 2015.

ACORN continues to boost law enforcement efforts as it provides an easy way for those affected by cybercrime to report their issues, but cyber threats are expected to increase over the coming year.

It was also found that Victoria received the highest number of cybercrime reports with Queensland and New South Wales making up the top three.

Michael Keenan MP, the minister for justice and minister assisting the Prime Minister on counter-terrorism, revealed the startling number this week as both individuals and businesses come to grips with cyber risk.

“As Australia's reliance on technology grows, and online shopping remains an increasingly attractive option for busy Australians, the cost and incidence of cybercrime is expected to increase,” Keenan said.

“I encourage all members of the public to be vigilant online and to work together to ensure a safer and more secure digital environment for all Australians by reporting to the ACORN.”

Keenan noted that the leading types of cybercrime reported to ACORN are online fraud and scams, which account for over 19,000 reports or 49% of the total number.

“Online trading issues which affect Australians who buy and sell goods online were the second highest type of cybercrime reported; the ACORN received 8,368 reports which accounts for 22 per cent of total reports in 2015,” Keenan continued.

ACORN also noted the different tactics employed by cybercriminals, as Keenan listed the online channels they used most.

“Over the past year, email, social networking, and website advertising have been the top three reported online channels used by cybercriminals to target their victims.”


Lloyd’s appeals to brokers for help on cyber

Lloyd’s has collaborated with modelling firms AIR Worldwide and RMS, along with the Cambridge Centre of Risk Studies, on a set of common core data requirements for cyber risks, the insurance institution has announced.

Both AIR and the RMS/Cambridge team have agreed to highlight common elements when they publish their data schemas later this month, with each agreeing to use similar terminology and precise definitions, Lloyd’s said.

Now it is turning to key brokers to do their bit.

Lloyd’s director of performance management, Tom Bolt, said: “Cyber insurance is an important new area of coverage and it is essential that we have good quality standardised data to track exposures.

“I am delighted that the RMS/Cambridge team and AIR, in consultation with the Lloyd’s Market Association, have worked with us to propose standard definitions for some common data.


“I have written to major brokers to ask them to endeavour to provide this data to Lloyd’s underwriters.”

Lloyd’s general representative in Australia, Chris Mackinnon, told Insurance Business that the new framework should help the Australian industry to better evaluate cyber risk.

“The framework introduces common core schema for cyber exposure data and common core features for input data used in cyber risk tools in the market,” Mackinnon said.

“This will enable Australian brokers and insurers to better evaluate cyber risks, with increased access to good quality standardised data to track exposures.”

Mackinnon noted that the new framework aims to help standardise an ever-changing and evolving risk as the business looks to keep up with an emerging risk that brings huge potential opportunities and challenges.

“This new framework will provide better clarity for the calculation of risks and this is a significant step forward,” Mackinnon said.

“At Lloyd’s we have been modelling catastrophes for hundreds of years, and our data enables us to create very effective modelling forecasts.

“But cyber security risks are a relatively new class of business and the entire insurance industry needs to ensure that it improves data aggregation to build more reliable models that enable underwriters to properly price risk.

“Lloyd’s underwriters are some of the most experienced in the world, and we are pleased that we have been able to use our experience to help build a consensus on the standardisation of data that will benefit the whole sector.”


PM announces strengthened cyber ties with US

Australia and the United States will work closer together in a bid to combat cybercrime, it has been announced by the Prime Minister.

Malcolm Turnbull announced the partnership last week as the countries look to work together to curb online crime.

In a statement, the Government announced a series of measures the partnership will bring including an annual Australia-US Cyber Security Dialogue which will “engage senior representatives from both countries’ business, academic and government sectors to discuss common cyber threats, promote cyber security innovation and shape new business opportunities.”

The partnership will also look to promote “peacetime ‘norms’ for cyber space,” which will lead to “practical confidence building measures that help to reduce the incidence of malicious cyber activity and the risk of conflict.”

The deal will bring law enforcement efforts between the two nations closer together as both will be able to use experts in the field.

“To meet the growing threat of cybercrime, we will also enhance cybercrime cooperation between our nations, including through increased exchanges between respective law enforcement and cybercrime experts and more collaboration on cybercrime investigations,” the Government statement continued.

It is not just Australia and America that will benefit from the partnership as the Government said the ramifications of the deal will be felt throughout the region.

“Finally, we agreed to enhance the coordination of our cyber capacity building efforts in the Indo-Pacific, to help our partners in this region increase their cyber security and their capacity to combat cybercrime.”


Asian cyber cover ‘set to soar’

Almost one-third of Asian insurers expect cyber insurance to grow 50% in the next three years, a Munich Re survey shows.

Some 83% have already noted increased demand, but just 10% offer coverage for cyber risks, according to the poll taken at the Singapore International Reinsurance Conference in November.

New technologies such as automated vehicles and the Internet of Things, plus the introduction of stricter laws and regulations, are driving a spike in cyber exposure, the reinsurer says.

About 40% of survey respondents are developing new cyber covers, but 43% have yet to market policies.

“Compared with Asia and Europe, the US markets are already relatively far advanced,” Munich Re board member with responsibility for Asia Ludger Arnoldussen said.

“According to our own estimates, the market volume for cyber covers in Asia is likely to reach $US0.5-$US1.5 billion ($0.71-$2.14 billion) by 2020.

“Our aim is to assist our clients in tapping into this attractive market.”


Cyber: What are the emerging issues?

Cyber attacks on Australian organisations rose by 20 per cent in 2014, according to the Australian Signals Directorate, a timely reminder cyber threats are growing. Moreover, the Australian Crime Commission reported in June this year Australians lose about $110,000 every hour to cyber criminals, or more than $2.6m every day.

This demonstrates how serious cyber security is for every business. As such, it is critical organisations are aware of the growing risk of cyber intrusions and are actively putting in place steps to reduce this risk.

At Marsh, we have observed many rising threats, including criminals targeting data by stealing or disclosing personally identifiable or financial data, modifying or corrupting data or blocking legitimate users’ access to data. However, external threats from hackers are just some of the risks about which organisations need to be aware. Many perils are actually internal.

For instance, a culture of trust within an organisation’s work force, traditionally thought to be a benefit, now creates a threat. Many high quality phishing emails appearing to be legitimate correspondence from banks, the ATO and other trusted sources may inadvertently be opened by employees, exposing the business to hackers.

Therefore, employees must be trained to spot and delete such communication to thwart the intended intrusion.

Some of the other internal risks are known as ‘man in the middle’ intrusions. These are where attackers electronically eavesdrop on email conversations undetected and alter communication between parties who believe they are writing to each other in confidence.

Aside from emerging cyber security threats, the legislative environment is also changing the nature of cyber risks. It was anticipated mandatory data breach notification laws would be in place by the end of 2015. While this did not happen, the recommendation for data breach notifications by the Joint Parliamentary Committee on Intelligence and Security remains. As such it is expected that data breach notification legislation will be introduced to Parliament in 2016.

Additionally, the advent of the Internet of Things (IoT) is introducing new cyber perils. For instance, it has been reported the majority of cars stolen in France are targeted using electronic hacking. Indeed, anything connected to the internet could be targeted by hackers. Worryingly, it’s likely many businesses are overlooking vulnerabilities in devices such as printers, video conferencing equipment and thermostats.


While many organisations now understand potential cyber threats expose them to financial, regulatory and reputational repercussions, many don’t appreciate some of the other, more serious consequences of a cyber intrusion. For instance, ratings agency Standard & Poor’s has noted a major cyber attack on a financial institution could put its credit rating at risk.

Plus, a perceived misalignment between an organisation’s published privacy policy and implementation of that policy could lead to allegations the organisation engaged in deceptive practices. It has also become almost obligatory that, following a cyber intrusion, the CEO resigns or is terminated. This was the case with the Target event in the US in December 2013 and the more recent Ashley Madison event.

It’s important for organisations to explore ways to protect their electronic ramparts in light of the growing risks around cyber. As part of this it’s important not to overlook third party vendors or customers when it comes to cyber security. As an example, it was determined that the massive Target breach in December 2013 originated through a vulnerability in an air conditioning contractor’s system.

It’s also essential to seek assurances from third party vendors or customers on their level of cyber security resilience and ask for a Cyber Insurance Certificate of Currency from them. You may also be asked to provide documentary evidence your organisation purchases cyber insurance.

While we are still developing a detailed understanding of the full spectrum of threats to Australian networks, a number of trends will manifest globally in the near future, as outlined in the Australian Cyber Security Centre Threat Report 2015. Importantly, the number of cyber criminals, and their sophistication, will increase, making detection and response more difficult. We also expect incidences of spear phishing will continue to grow and the use of ransomware will continue to be prominent.

It’s also expected there will be an increase in the number of cyber adversaries with a destructive capability and, possibly, the number of incidents with a destructive element. There will also be an increase in electronic graffiti, such as web defacements and social media hijacking.

What this shows is that cyber intrusions are a growing and increasingly complex peril businesses must face. It’s essential for every organisation to recognise this and put robust mitigation strategies in place to reduce the risk of a cyber threat undermining or even destroying their businesses.


Risk modellers set out cyber strategies

Insurers can follow five cyber-loss processes to build up coverage in what is expected to be one of the industry’s fastest-growing markets, according to a new report.

The processes cover cyber-data exfiltration, denial-of-service attacks, cloud service provider failure, financial transaction cyber compromise and cyber extortion.

The research was conducted by catastrophe risk management group RMS and Cambridge University, and is supported by leading industry specialists including Aon Benfield, Axis Capital, Renaissance Re, Talbot Underwriting and XL Catlin.

RMS CEO Hemant Shah says the report aims to help the industry “understand the correlation space for this new class of exposure”, because cyber threats know no bounds, unlike the coverage for natural hazards and industrial risks.

“We know to be wary of writing two industrial risks along the same river basin, and the role flood defences play in mitigating loss,” Mr Shah said. “With cyber risks, the contours of systemic accumulation are not as clear.”

The five cyber-loss scenarios have the potential to cause wide and correlated losses, and the report lays out ways to structure the data an insurer should be accumulating.

“These scenario models provide a capability for insurers to carry out routine monitoring of their aggregation risk, assessing what their likely claims payout would be to these benchmark extreme events as their portfolio grows,” the report says.

“They provide useful pointers to use in setting a company’s risk appetite.

“We believe using these scenarios will help companies improve their knowledge of the cyber peril and help them gain confidence in establishing their risk appetites for insuring cyber.”

The report says the regulatory landscape is undergoing dramatic change, as governments and judiciaries look to stiffen penalties for cyber crimes. Australia is among the countries developing their own information security laws and regulations.


Cyber dominates top ten legal risks for business in 2016

As the lines between work and personal use of increasingly prolific technology become more and more blurred, the exposure to risk, for businesses of all types, grows in parallel. According to the recent findings of a wide ranging report released by Borden Ladner Gervais LLP (BLG), a Canadian law firm, half of the top ten legal risks affecting business in 2016 are cyber related.

Speaking to Insurance Business, Andrew Harrison, managing partner at BLG, said that: “More and more, the lines between work and personal technologies become so blurred that many employees no longer make a conscious distinction between work and personal.”

Of the various risks identified, Harrison notes that the average cost of a data breach is US$3.7m and larger organisations will be at the higher end of the scale.

There is increasing fraud in e-payment systems; IT security failures due to people (mis)using workplace computer systems; and compliance risk.


“Cyber has ramifications beyond the scope of the initial business in case of malware or a cyber breach, and one of the interesting things about the insurance business is that it is so wide ranging in its scope,” Harrison said.

On the data security front, businesses, particularly small to mid-size entities, often lack breach response policies, proper governance tools, and employee privacy training programs to prevent or promptly respond to breaches. They lack cyber security preparedness, which makes them vulnerable to privacy class actions following a security breach involving personal information.

In this era of Big Data, new business models and marketing techniques are emerging, including facial recognition and personalization reaching new levels of sophistication, as well as dynamic pricing practices, to name but a few. Businesses need to consider whether personal information is properly “de-identified”, what type of information should be considered as “sensitive” in various contexts, how to obtain valid consent in compliance with the “reasonable expectations” of customers, and how to deal with technological innovation, shifting social norms, and building customer trust through proper privacy practices.

The advent of mobile and digital wallets coupled with contactless payment methods and the ever-increasing growth in on-line payments have made e-payments become ubiquitous and have increased the need to develop effective authentication protocols, technology, policies and procedures to mitigate and reduce the risk of fraud.

2015 saw a number of high-profile cyber-sex related security breaches, the most prominent being the Ashley Madison scandal, in which the personal details of over 37 million people were exposed. Worryingly for employers, many subscribers to the website had signed up using their professional email accounts.

“It’s worth pausing at the beginning of the year to work out what people need to be sensitive to,” said Harrison.

“We’re not trying to be dramatic but ignoring these risks is not helpful either. Whenever there’s a risk there’s an opportunity for insurers, because often that’s a way of sharing risk.”


Global ratings agency discusses difficulties with cyber

A.M. Best has discussed the challenges insurers face when writing cyber liability and what they can do to ensure their own safety.

Speaking to A.M. Best TV, senior financial analyst Fred Eslami said that the next few years will be crucial for cyber risk as interconnectivity continues across the globe.

“In the next few years, there are going to be nearly 50 billion devices connected to the Internet; therefore, expectation is that frequency and severity are going to increase,” Eslami said.

“With this realisation, companies spent US$70 billion in 2014 and US$75 billion in 2015 to protect and address cyber risk.

“We have been focusing on increasing the awareness of cyber security and cyber risk within the community of our rated entities as well as to understand and determine what impact such a risk will have on the financial strength of our companies.”


Eslami said that companies that write cyber liability face three major challenges thanks to a lack of data on the topic as the emerging risk continues to be top of mind.

“There is no, for example, actuarial analysis or result orientated data to do proper pricing, reserving and aggregation so that is one of the challenges,” Eslami continued.

“The next one is the evolving nature of the regulatory and legal environment which the industry is dealing with right now.

“The last one is, of course the rapid transition of legacy systems that we have to more advanced and open-source information technology.”

Eslami noted that once more data for cyber risk becomes available, businesses will be able to operate in the space more successfully and backed a stand-alone product as the way forward.

“I think once the actuarial information is gathered and articulated properly, the legal framework is defined better, there are three ways that we can see how companies can improve their position vis-à-vis cyber.

“One is to devise and design specific cyber policies instead of including it as part of their CGL or D&O or property coverage. That helps, if nothing else, to reduce the legal costs of defending these cases.

“The next one would be for the companies themselves to come up with a single risk limit.

“These policies that they issue are kind of interconnected and typically you want to have a limit relative to your subclass on the policies that you issue so that is another element that would help eliminate unnecessary expenses.

“The last one would be, again, lack of actuarial studies, to come up with a contingency reserve on the policies or aggregate policies that they issue, again there is no IBNR (incurred but not reported) for cyber so with the contingency reserve that would be covered.”


IT, data security top business concerns in 2016

Top financial executives across all Australian companies ranked IT and data security as their primary business concerns in 2016, according to a new survey conducted by leading global recruitment firm Robert Half.

The latest study found that 28 percent of 160 CFOs and financial directors were most worried about IT & data security. The economy was the second major business concern at 26 percent followed by skills shortage at 18 percent and regulatory and compliance changes at 15 percent.

Only finance leaders of small businesses did not rank IT and data security as their chief concern, with 34 percent citing the economy as their main issue for 2016.

David Jones, Robert Half’s senior managing director for Asia Pacific, noted that a breach of data security can lead to extreme financial and reputational consequences.

“It is therefore critical for all companies – regardless of size – to take a protective approach to IT security,” he said.

To protect corporate and customer information, Jones said Australian companies continue to use various tools and services such as security software, password management systems and hard drive encryption services.

However, Jones lamented that small and medium businesses normally use fewer data protection tools than large companies even if they all face the same online risks.

For one, the research found that only 24 percent of small companies and 18 percent of medium firms have network security systems, compared to 52 percent of large companies.

“In recent years larger companies have increasingly invested in cyber security measures, and this has encouraged cyber attackers to cast their gaze at more vulnerable entities,” Jones said.

“This further highlights the need for small and medium businesses, which have become an increasingly attractive target for hackers, to invest in the necessary IT security tools and specialised IT talent,” he added.


Many businesses ill-prepared for crises, study shows

More than 50% of companies believe they are inadequately prepared for crises, according to a new Deloitte survey.

And about 70% of respondents say it takes up to three years to repair reputations following a crisis.

The Crisis in Confidence study questioned 317 non-executive board members worldwide.

The two most serious threats to business are loss of reputation and cyber crime, according to the respondents.

Deloitte Managing Partner Risk Advisory Harvey Christophers says 49% have capabilities or processes in place to achieve the best outcome following a crisis.

In the Asia-Pacific region only 34% are confident of their resilience.

In Australia almost 60% of big businesses surveyed say it takes one to three years to recover reputations and operations. Half say it takes the same time for financial recovery.

Only 32% of respondents engage in crisis simulations or training.

The report says the potential to lose customers and shareholder value due to reputational damage after a data breach, denial of service, or corrupted or stolen assets is significant.

Only 37% of Asia-Pacific businesses have a crisis resolution plan for natural disasters, while 40% have a plan for workplace violence.

“Given that stress levels have a significant impact on our decision-making abilities in times of crisis, it is absolutely critical that a pre-formulated, thoroughly tested response plan is in place to ensure the business takes quick action,” the report says.


Businesses lack cyber insurance, fail to report attacks: survey

Businesses see cyber security as important but the majority do not take it seriously enough, with most companies lacking cyber insurance and only under a third of attacks being reported.

These were among the findings of the Cyber Security: Underpinning the Digital Economy report by Barclays and the Institute of Directors (IOD) which showed a “worrying gap” between awareness of the risks and preparedness among companies.

The report, which polled nearly 1,000 IOD members, found that only around 57% of business leaders have a formal strategy to protect themselves even though 91% say that cyber security is important.

The study also revealed that only 20% of British businesses hold cyber insurance and just 21% are considering cyber insurance within the next 12 months.

Of the companies that have been victims of cyber attacks, only 28% reported the incidents to the authorities even if 49% of attacks resulted in interruption of business operations and 11% caused financial losses.

“No shop-owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don’t seem to think a cyber breach warrants the same response,” said Richard Benham, a cyber security management professor who authored the report.

The study also lamented that government efforts to tackle cybercrime seem to be failing to get through to businesses since 32% of IOD members were still unaware of Action Fraud Aware, the UK’s national reporting centre for fraud and internet crime.

Benham said the report proves that companies need to get real about cybercrime and its financial and reputational consequences.

“Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”


ASIC reports on ASX cyber resilience

The Australian Securities and Investments Commission (ASIC) has released its first assessment report on the cyber resilience of the Australian Securities Exchange (ASX) and Chi-X.

“Cyber resilience is now widely regarded as one of the most significant concerns for the financial services industry and the economy at large,” the regulator says.

“The cyber resilience of our regulated population is, therefore, a key focus.”

The report concludes the ASX and Chi-X have met statutory obligations to hold sufficient resources for the management of cyber resilience, and notes some “encouraging practices”.

However, a consistent industry-wide approach is required to address developing cyber threats, ASIC says. “We will continue to work with government and other regulators to support industry to achieve this.”

The report calls on the wider financial services sector to recognise the growing cyber threat, and refine systems and processes to prevent and address critical issues.

It calls for senior management to closely manage cyber risk from internal and third-party sources, establish robust collaboration and information-sharing networks to access the best defensive intelligence and technology, and implement thorough cyber awareness training programs.

“Because of the dynamic nature of the cyber threat landscape, a comprehensive and long-term commitment to cyber resilience is essential to assist all organisations and the Australian economy to manage this threat,” ASIC Commissioner Cathie Armour said.


Cyber insurance still leaves breach victims out of pocket

New research by a leading insurance analytics and information service has suggested that businesses with cyber coverage are still left out of pocket when it comes to a data breach.

The research from Advisen and ID Experts has found that “the vast majority” of cyber breaches fall below cyber insurance deductibles, leaving businesses with costs.

Entitled Mitigating the Inevitable: How organisations manage data breach exposures, the survey of more than 200 risk professionals found that 25% of respondents suffered a data breach over the last 12 months that fell 91-100% below their deductibles.

“In fact, of the respondents who purchase cyber insurance and have identified a data breach in the previous twelve months, nearly all fell below their deductibles,” the report states.

“While cyber coverage is increasingly viewed as an essential part of many corporate insurance programs, it is designed to protect against low frequency but high severity occurrences.”

The report notes that, as cyber is a relatively new form of coverage, organisations are still grappling with its application and their own cyber security concerns.

“Cyber insurance is a relatively new coverage and the number of claims filed is comparatively few compared with more mature lines of business,” the report continues. “But in reality, even if a data breach is large enough to trigger coverage under a cyber insurance policy, organisations will still often be required to assume some of the financial burden.

“For example, the cost of the breach could have exceeded the amount of coverage purchased, or the losses could have fallen under one of the policy’s exclusions such as intellectual property, infrastructure, and/or reputational loss.”

The report backs cyber coverage as a helpful tool in the fight against cyber attacks, as the coverage often includes benefits that businesses can use in response to breaches, and points to the importance of these value-adds when dealing with the cover.

“In addition to loss indemnification, cyber policies also provide access to a variety of tools and services such as risk assessment tools, data breach incident response plans, and educational resources, to help manage cyber security risks,” the report states.

“Seventy percent of respondents said that their policy offers free tools to help manage their cybersecurity risks. Forty-four percent of the respondents said they have used them.”

Insurers ‘sceptical’ of booming cyber-risk market

Increased digitisation and interconnectivity have made cyber threats “one of the top global perils” of this year and beyond, according to research group IDC Financial Insights.

This may spell bad news for businesses, governments and consumers, but it provides “tremendous opportunities for insurers to capitalise on this largely untapped market”.

However, IDC Financial Insights says insurers are “highly sceptical” of the cyber-insurance market.

Reasons include lack of historical data for underwriting and limited understanding about exposures.

Senior Research Analyst Sabitha Majukumar says inadequate coverage, high premiums, too many exclusions, restrictions and uninsurable risks are typical characteristics of cyber insurance products currently on the market.

“We strongly believe insurers should consider the available evolving tools and technologies in the cyber-risk exposure-monitoring and assessment space,” she said.

Physical cyber attack risk exposes gap in coverage

Physically destructive cyber terrorism is a “real gap” in current insurance coverage, according to the head of Australia’s Reinsurance Pool Corporation (ARPC).

Speaking in Sydney last week at the Cyber Risk Seminar hosted by Finity and the Australian and New Zealand Institute of Insurance and Finance, ARPC CEO Chris Wallace said the risk of catastrophic damage to physical property and infrastructure has increased as the physical world and cyberspace become more interconnected.

“Yet cyber terrorism is not covered by Australia’s terrorism insurance scheme because it is defined as a computer crime, which is excluded by the Terrorism Insurance Act 2003.”

Dr Wallace told insuranceNEWS.com.au the ARPC wants to highlight the existence of the gap so the market will develop policies to cover it.

“There have been some physically destructive attacks around the world,” he said.

“There are not many of these attacks, and we’re not saying terrorists have the capabilities, just that there is a gap in the cover that is available in the market.”

Dr Wallace gave the example of a German steel mill’s electronic control system that was hacked into in 2014, causing “massive damage” to the blast furnace.

According to the German Federal Office for Information Security (BSI) the attackers accessed emails to steal logins, giving them access to the electronic control system.

And in 2008 Russian hackers shut down alarms, cut off communications and super-pressurised a Turkish crude oil pipeline, causing it to explode and causing a major fire.

Finity Consulting Principal Stephen Lee also acknowledged the potential physical damage from cyber attacks.

“The cyber attacks carried out in the US against Sony in November 2014 and Target in December 2013 generated a great deal of global media coverage, as have other attacks since then,” he said.

“But in our increasingly connected world, a cyber attack can also mean disruption to utilities or cause malicious damage to property. With the ever-present risk of terrorism in today’s environment, this is a risk that businesses cannot afford to ignore.”

Mr Lee says getting board level involvement in cyber risk management is critical.

“Recognising the risks both to data, business interruption and physical assets is an important first step to tackling the problem,” Mr Lee said.

“Insurers have a key role in helping the business community and the wider economy to manage this risk.”

Dr Wallace says he expects the market to quickly develop appropriate cover over the next few years.

FBI warns vehicles are ‘increasingly vulnerable’ to cyber attacks

The FBI has warned that modern vehicles are becoming “increasingly vulnerable” to cyber attacks and warned that the safety of plug-in telematics devices is paramount.

In a public service announcement released last week, the FBI and National Highway Traffic Safety Administration (NHTSA) in the United States warned that drivers need to be wary of cyber threats.

“Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience,” the PSA notes.

“Aftermarket devices are also providing consumers with new features to monitor the status of their vehicles. However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats.

“Therefore, the FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles.”

The announcement follows news last year that hackers had infiltrated and taken control of a car whilst driving on the freeway in an experiment for technology site Wired.

The FBI acknowledged that this amount of control remains the biggest threat to vehicle owners but other issues are still prevalent.

“Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems,” the announcement continued.

The security and safety of plug-in telematics devices, which use the car’s OBD-II slot under the dashboard, were also flagged for monitoring, as Progressive suffered a hack of its device last year.

“More recently, there has been a significant increase in the availability of third-party devices that can be plugged directly into the diagnostic port,” the PSA states.

“These devices, which may be designed independent of the vehicle manufacturer, include insurance dongles and other telematics and vehicle monitoring tools. The security of these devices is important as it can provide an attacker with a means of accessing vehicle systems and driver data remotely.

“Vehicle owners should check with the security and privacy policies of the third-party device manufacturers and service providers, and they should not connect any unknown or un-trusted devices to the OBD-II port.”

ASIC zeroes in on cyber crime

The Australian Securities and Investments Commission (ASIC) has stepped up its surveillance of cyber crime this year in a bid to keep pace with the growing digitisation of the financial services industry.

ASIC will invest more in digital forensics capabilities and training its forensic analysts, its enforcement report for last July-December says.

“The increasing incidence, complexity and reach of malicious cyber activities can undermine businesses and destabilise our markets, eroding investor and financial consumer trust and confidence in the financial system and the wider economy,” it says.

“We will take appropriate enforcement action by accepting enforceable undertakings or issuing infringement notices where we identify wrongdoing – for example, where disclosure by companies and issuers provides insufficient information on cyber threats.

“As technology continues to replace traditional methods of investing, the likely increase in the incidence of cyber crime means ASIC and other law enforcement agencies will focus on activities that ensure investors and consumers continue to be protected.”

The volume of electronic forensic data received by the regulator has increased steadily from less than 40 terabytes at the start of 2013 to more than 120 terabytes last year. ASIC expects the figure to rise to 425 terabytes of data per year by 2020. One terabyte is equivalent to about 1000 gigabytes.

“The increasing volume of data means traditional review methodologies based on targeted keyword searches and manual review are becoming less effective and efficient.

“ASIC is increasingly adopting smarter strategies that use tools such as predictive coding, machine learning and computer algorithms.”

The regulator secured $149 million in compensation and remediation for consumers and investors in the second half of last year, the enforcement report shows.

It removed 27 individuals from financial services, laid 42 criminal charges, charged six in criminal proceedings and issued 20 infringement notices.

Stock markets a target for cyber crime: report

Financial markets are a prime target for cyber attacks because they are “where the money is” and can represent a nation or symbolise capitalism, according to a new report.

The International Organisation of Securities Commissions (IOSCO) paper, called Cyber Security in Securities Markets – An International Perspective, outlines different approaches to cyber security adopted by market participants and regulators worldwide.

It says cyber is not “just another risk” but constitutes “a unique, highly complex and rapidly evolving phenomenon” that jeopardises the integrity and efficiency of financial markets.

The report says PricewaterhouseCoopers’ latest Global State of Information Security Survey questioned 10,000 executives from 127 countries, and found the number of incidents detected by respondents last year was up 38%.

A Ponemon Institute study last year put the average cost of data breaches to companies at $US3.79 million ($5 million), up 23% over the past two years.

IOSCO says the “almost complete digitalisation of data” in securities markets and increasing use of mobile devices, outsourcing and cloud computing make the industry more vulnerable.

“The human element of cyber risk, combined with rapidly evolving technologies in securities markets, suggests this topic requires swift and sustained attention by regulators and market participants,” the report says.

“According to many cyber-security experts, the question for financial market participants is not if a cyber attack will occur but rather when.”

The report says cyber insurance should be a complement to a business’ cyber-security framework – not a replacement.

Global annual gross written premium for cyber insurance is about $US2.5 billion ($3.3 billion), and PricewaterhouseCoopers projects it will be $US7.5 billion by the end of the decade.

Munich Re, Beazley team up on cyber cover

Munich Re-owned Corporate Insurance Partner and Beazley have joined forces to offer cyber cover of up to $US100 million ($131 million) in response to growing demand.

Coverage options are tailored to a variety of exposures including hacking or malware attacks, distributed denial of service attacks, cyber extortion, and property damage and bodily injury.

“In recent years cyber threats have risen steadily up the agenda of the world’s largest companies… with significant implications for their balance sheets and financing capabilities, through to dealing with regulators and ratings agencies,” Corporate Insurance Partner Head of Cyber Solutions Chris Storer said.

“Through our close partnership… we believe we can offer a service that is unique in providing large corporate and industrial clients with fit-for-purpose cyber solutions that help them manage the manifold risks that cyber attacks can present.”

Various industry studies put cyber risk among the leading issues for the global business community, with financial consultants Grant Thornton estimating the cost of such attacks at about $US315 billion ($413 billion) a year.

“Rapidly flowing data is the lifeblood of modern business,” Beazley Focus Group Leader for Technology Mike Donovan said. “When that data ceases to flow, or is siphoned off, the costs for large interconnected enterprises can be huge.”

Cyber risks on radar, but strategies fall short: report

The cost of business interruption is the leading cyber-risk concern for businesses, according to Aon Global Risk Consulting.

The group’s global benchmarking report, the Captive Cyber Survey, gauges organisations’ attitudes to cyber threats, risk assessment, insurance-buying trends and loss adjustment concerns.

Peter Mullen, CEO of Aon’s Captive and Insurance Management practice, says the findings show a disparity between companies recognising cyber as one of the fastest-growing risks and understanding what their exposures and coverage needs are.

The survey shows 94% of companies would share risk with others in their industry.

Aon experts expect alternative risk transfer options will become increasingly popular because they give companies some control over underwriting, coverage scope and claims adjustment, while providing an opportunity to share best practices, experience and data.

The survey also shows 95% of respondents believe clear policy wording is the most important issue in the cyber-risk market, and 75% of large companies are concerned about the loss adjustment process.

CGU launches revolutionary new cyber product into the Australian market

CGU Insurance has launched a new cyber defence product aimed at mitigating the rising tide of cyber-attacks.

The company believes its new offering CGU Cyber Defence, developed with SME customers in mind, will protect businesses from cybercrimes such as privacy breaches, system damage, extortion, computer viruses, crime and hacking.

CGU National Underwriting Manager Professional Risks Najibi Bisso said that, with cyber security now one of the biggest issues facing businesses and individuals, it is essential for all businesses with a digital presence to ensure they have the right protection in place.

She said the new product, which includes a wide range of features such as free cyber consultation, 24/7 incident response team and a breach coach, provides much broader cover than their competitors and is equipped with an all-encompassing cyber incident response service.

“We’ve developed an offering that we believe addresses the growing concerns SMEs will face in future. The product is offered standalone as well as an extension to existing policies.”

Bisso said the partnership with Norton Rose Fulbright means they can now provide a round-the-clock cyber incident response team and service for their customers.

“We’re also working with our partners to help them educate SMEs on the importance of cyber security by providing a range of tools that partners can access online through the CGU cyber microsite.”

Scott and Broad CEO Mike Burgess, whose major client has a CGU Cyber Defence Policy, said that CGU were a “natural choice for us when we were looking for cyber risk support for our clients. For this type of risk you need a large insurer who has the capacity to pay these types of claims and launch a response when the cyber event occurs.”

Cyber-security plan will unlock innovation, PM says

Prime Minister Malcolm Turnbull says an “open, free and secure” internet is vital for Australia’s future prosperity.

Introducing the Government’s $230 million cyber-security strategy, he says the plan sets out a “philosophy and program” for meeting the challenges of the digital age.

“A secure cyberspace provides trust and confidence for individuals, business and the public sector to share ideas and information and to innovate online,” Mr Turnbull said.

“The security threats we face are real and they are growing in severity and frequency.”

He argues the cyber-security strategy is critical to Australia’s transition to “a new and more diverse economy, which is fuelled by innovation”.

“We cannot allow cyberspace to become a lawless domain. The private sector and government sector both have vital roles to play.

“By working together we will build and strengthen a trusted online environment and unlock Australia’s digital potential.”