THE ROLE OF THE CYBER UNDERWRITER

MATTHEW HOGG, LL.B. (HONS), LL.M.

VICE PRESIDENT, STRATEGIC ASSETS


LIBERTY SPECIALTY MARKETS

• Liberty Specialty Markets (www.libertyspecialtymarkets.com) is the trading name for the combined operation of Liberty Mutual Insurance Europe Limited, Liberty Syndicate Management Limited and Liberty Mutual Reinsurance

• Liberty Specialty Markets is part of Liberty Mutual Insurance Group

• The operation is composed of three business units: Commercial, Specialty and Reinsurance

AGENDA

• The Role of an Underwriter

• Cyber Insurance (refresher)

• A "dummies" guide to cyber risk selection & pricing

THE ROLE OF AN UNDERWRITER

• Consider applications for insurance cover and decide whether to accept and, if so, on what terms and conditions of acceptance:

- Ensure happy with detail of information provided

• Information requests

• Conference calls

• Site visits

- Assess likelihood of a claim (frequency AND severity)

- Assess ethical & legal position before offering terms

- Decide on what coverage should be provided (drawing up policy documents/endorsements)

- Price the exposure of the risk allowing for loss ratios, expenses, profit/rate of return

- Negotiating terms with the insurance broker

THE ROLE OF AN UNDERWRITER II

• Liaising with experts:

- Risk management solutions

- Risk Assessment companies

- Lawyers

• Claims involvement:

- Involvement in significant claims

• Policy language determination

• Assisting in-house claims with choice of external expert claims expertise

THE ROLE OF AN UNDERWRITER III

• Actuarial involvement:

- Analysing actuarial data

- Determining “reserving”, “IBNR” and anticipated loss ratios

• Analysing Systemic and Aggregation Risk

- Technological

- Contingent/outsourcing

- Industry, e.g. critical national infrastructure

- Regulatory/Legal

- Socio-Economic

THE ROLE OF AN UNDERWRITER IV

• Running a P&L

- Operating a team/division/business for the purposes of providing insurance solutions

• Expense management (internal and external)

• Reinsurance purchasing

• HR/staffing

• Finance knowledge

• Strategy

• Setting the “appetite” parameters

• New Business development/Innovation

- Marketing

- Product development

CYBER INSURANCE

• But Europe lagging behind - $300m

• London now offering Limits of up to $300m

• Standalone or by endorsement

• Over 20 markets in London

CYBER INSURANCE

• “relating to or characteristic of the culture of computers, information technology, and virtual reality”

• Reality?

- A policy only covers what the insurer wants it to cover

- No standardisation

- Covers i) computer network integrity exposures; ii) privacy, confidentiality and network security liability

- Covers risks arising from technology and data, but not always digital data!

- Not all about “malicious attacks”

CYBER INSURANCE

– First Party

– Loss or damage to digital assets

– Non-physical business interruption and extra expense

– Cyber extortion and cyber terrorism

– Reputational harm

– Third Party

– Security and privacy liability and defence costs

» network security breaches

» transmission of malicious code

» damage, alter, corrupt, distort, copy, delete, steal, misuse, or destroy Third Party Digital Assets

» breach of third party or employee privacy rights or wrongful disposal of data

» Causing DDoS attack on third party

» Phishing or Pharming

» confidentiality

– Privacy regulation defence, fines and penalties

» PCI fines extensions available

– Customer care & reputational expenses

» notification expenses

» credit monitoring

» PR expenses

» Forensics

– Multi-media Liability

1. computer crime and computer attacks by third parties

2. accidental damage or destruction of hardware

3. administrative or operational mistakes by employees and third party providers.

4. Full system Failure (all risks)

Committed or failed to prevent a Wrongful Act

CYBER INSURANCE (INNOVATION)

• Where it’s going:

- Property & PDBI coverage

- Reputational harm

- Insuring value of R&D and trade secrets

A "DUMMIES" GUIDE TO RISK SELECTION & PRICING

• Staggered Expectancies – “Benchmarking”

- SME

- Large Corp.

• Quality of risk management

- Generally (non-silo)

- Specifically (Standards, PCI, Vendor Management, Encryption, Threat Intelligence etc)

- Grass roots culture?

• Focus on data

- Type, Security, Distribution, Points of access (internal & external)

A "DUMMIES" GUIDE TO RISK SELECTION & PRICING

• Industry Sector

- Financial Institutions, Retail, Power & Energy

• Revenue

- Where correlation to liabilities AND when insuring revenue losses

• Network Dependency

- Online revenue? Critical infrastructure?

- Industrial Control Systems vs “traditional” IT systems

• Operational Jurisdiction

- e.g. USA? Spain?

A "DUMMIES" GUIDE TO RISK SELECTION & PRICING

• Policies & Controls

- BCM, Incident Response, Security Policy, Privacy Policy

- “on the ball?”

• Relevant laws & regulations

- Telco? Data owner or data processor?

• Claims experience

- No claims vs managed to success

• Visibility/Exposure

- Crime/hacktivist/plaintiff bar threat

QUESTIONS?
