Professional Liability Renewal Proposal | Proprietary & Confidential
Table of Contents
Coverage Summary 1-6
Cyber Evaluation and Underwriting Cyber Risk 8-10
Claims 12-14
Market Update 16-20
Aon Risk Services | Financial Services Group | Professional Risk Solutions | Proprietary & Confidential
Cyber Coverage Summary

Privacy Breach (theft, loss & unauthorized disclosure of confidential information, including cyber extortion)
  1st Party Loss: Breach response expenses*; Extortion expense/payment
  3rd Party Liability: Damages; Defense costs; Regulatory defense and penalties; PCI fines

Security Breach (unauthorized access/use, alteration of data, virus transmission & DoS, including cyber extortion)
  1st Party Loss: Breach response expenses*; Extortion expense/payment; Loss of income/extra expenses (BI and Dependent BI); Data restoration cost
  3rd Party Liability: Damages; Defense costs; Regulatory defense and penalties; PCI fines

Media Injuries (content-based injuries)
  3rd Party Liability: Damages; Defense costs

E&O (professional services)
  3rd Party Liability: Damages; Defense costs

* Breach response expenses include computer forensics expenses, crisis management costs, legal costs, notification costs, consumer credit monitoring services and call center costs.
Technology, Privacy & Data Breach Exposures: Most Common Exposures
• Professional Services
• Personal Information
• Corporate Information
• Network Security Failure
• Regulatory Proceedings
• Internet Content
• Cyber Extortion
• Business Partner Exposures
What to Consider With Cyber?

Setting a Retroactive Date
– Network connectivity is at the forefront of the developing world, and most breaches are not discovered until months after the initial intrusion, so the retroactive date decides whether an intrusion that began before the policy period is covered.

Network Business Interruption
– As companies become more dependent on network capabilities, potential exposure related to business interruption increases.

Privacy Event Costs
– Do you carry high amounts of Personally Identifiable Information?
  • Direct Sales/Retail & E-Commerce
  • Protected Health Information
  • Customer Information
  • Full Time Employees
  • Background Checks
  • Theft, Extortion, or Destruction of critical information assets

Reputation/PR Costs
– Companies are highly dependent on brand recognition and reputation. Cyber offers coverage for public relations costs subsequent to a breach.

Regulatory Coverage (Privacy Event Only)
– Federal and state regulators frequently fine entities that have a privacy event.
– More activity from the FTC and SEC.

Protect Financial Statements
– Costly breaches create disruptions in stock value.
– The SEC identifies cyber risks as potentially material for disclosure.
[Chart: Average Time to Identify a Data Breach, in days. Values shown, in the order of the source notes below: 188, 205 and 206 (average time to identify) and 69 (average time to contain).]
Please note: Trustwave data taken from the 2015 Trustwave Global Security Report (n = 574); Mandiant data taken from the 2015 Mandiant M-Trends "Beyond the Breach" study; Ponemon data taken from the Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis (n = 350).
Aon Risk Services | Financial Services Group | Professional Services Group | Proprietary & Confidential | February 17, 2015 / December 12, 2014
Cyber Evaluation and Underwriting Cyber Risk
Cyber Threat Environment

“Our intellectual property here [US] is about $5 Trillion. Of that, approximately $300 Billion is stolen over networks per year.” Commission on the Theft of American Intellectual Property, page 2, http://www.ipcommission.org/report/ip_commission_report_052213.pdf, citing Keith B. Alexander, “Cybersecurity and American Power” (conference presentation hosted by the American Enterprise Institute, Washington, D.C., July 9, 2012).

Although most people think in terms of ‘breach,’ events actually involve:
– Targeted attacks and sophisticated malware
– Botnet activities
– Hacktivism
– Cyber espionage
– Insider actions

Many forms of assets are under siege:
– Confidential and proprietary data; trade secrets and IP; customer information
– Payment systems and data

Recent, multi-pronged attacks signal a new era in cybercrime. Defenses are mounting, but the bad guys are winning. The objective is to mitigate; it is not possible to eliminate.
Other Cyber Considerations
• Business structure and cyber/technology dependencies
• Strategies and operational changes (recent or near-term)
• Perspectives regarding cyber and privacy exposures
• Risk mitigation strategies, tools, resources, and protocols
  – Risk evaluation or audit
  – Risk quantification
  – Incident response planning
  – Employee training
  – Table top exercises
• Event planning and resources
• Risk transfer approach(es)

• By 2020, 26 billion objects will be connected to the internet.*
• 90% of the world's data was generated in the last two years.**
• 4.4 trillion gigabytes of data in the world, expected to double every two years.***
*http://www.siemens.com/innovation/en/home/pictures-of-the-future/digitalization-and-software/internet-of-things-facts-and-forecasts.html
**http://www.sciencedaily.com/releases/2013/05/130522085217.htm
***http://www.itworldcanada.com/article/the-amount-of-data-were-creating-is-out-of-this-world/91586
Critical Questions in Evaluating Cyber Risk
• Does your organization have an enterprise security program that meets best practices and standards?
• Does your security program integrate compliance requirements?
• Do you know where there are gaps and deficiencies, as well as the priority that should be assigned to remediation measures?
• What are your organization’s key vulnerabilities?
• What would be the financial consequences of a significant breach or cyber event?
• Are you prepared to manage a major event?
• What types of insurance are available, what limits should you consider, and at what price?
• Are your executives and the board exercising governance over privacy and security risks?
Loss Mitigation Services
• Complimentary Services: all policyholders will have free access to ACE’s Cyber Experience, an online risk management portal, and a free one-hour educational session
• Essential Services:
  – Security Ratings for Data-Driven Risk Management (Led by Bitsight)
  – Cyber Threat Blueprint (Led by FireEye)
  – Incident Response (Led by GD Fidelis)
  – Information Governance (Led by Huron Consulting)
  – Vendor Management (Led by Lewis Brisbois)
  – PCI Compliance Review (Led by McGladrey)
  – Calculating Business Interruption (Led by Navigant)
  – Cyber Readiness (Led by NetDiligence)
  – HIPAA Compliance Program Review (Led by Trustwave)
  – Security Awareness (Led by Wombat Securities)
  – Cyber Threat Health Check (Led by FireEye)
Claims
Cyber Risks – Quantification – Data Breach Severity

Response Step/Event                                              2014 Breach Costs* Mean   Max
First Party Loss
  Business interruption or suspension of network                 Not enough data available
Crisis Management
  Forensics expenses                                             $119,278                  $1,500,000
  Notification (includes call center/credit monitoring)          $175,147                  $6,150,000
  Legal guidance                                                 $117,613                  $2,500,000
  Public relations                                               $4,513                    $135,000
Defense + Damages
  Legal costs to defend breach-related litigation                $698,797                  $4,000,000
  Damages sought in consumer class-action lawsuit                $558,520                  $2,500,000
PCI Fines
  Penalties for non-compliance with PCI standards/legal          $2,328,667                $6,900,000
Regulatory Defense
  Defense expenses for HHS, FTC, State AG, etc.                  $1,041,906                $5,000,000
Regulatory Penalties
  Resolution/settlement and/or civil fines or penalties          $937,500                  $2,500,000

Total Exposure: $6M (mean) / $30M (max)
*2014 NetDiligence Report
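As an added example (not part of the Aon/ACE proposal), the following Python model takes the cost table above and splits a breach's mean-case and worst-case gross exposure between what a policy pays and what the insured keeps. The cost figures are the page's; the policy structure (a $250K retention, a $10M aggregate limit and $1M sublimits on PCI fines and regulatory penalties) is a hypothetical one chosen for illustration, as is the simplification that the retention is applied once per event to the covered amount. It goes slightly beyond the table by showing how a sublimit, not just the aggregate limit, determines what the insured retains.

```python
"""Breach-cost exposure model built on the 2014 NetDiligence cost table.

Added example, not from the Aon/ACE proposal. The cost figures are the
page's; the policy structure is hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Mean and max 2014 breach costs per response step, as tabulated on the page.
# Business interruption is omitted because the source has no data for it.
COST_TABLE = {
    "forensics":            (119_278,   1_500_000),
    "notification":         (175_147,   6_150_000),
    "legal_guidance":       (117_613,   2_500_000),
    "public_relations":     (4_513,     135_000),
    "litigation_defense":   (698_797,   4_000_000),
    "class_action_damages": (558_520,   2_500_000),
    "pci_fines":            (2_328_667, 6_900_000),
    "regulatory_defense":   (1_041_906, 5_000_000),
    "regulatory_penalties": (937_500,   2_500_000),
}

SCENARIO_INDEX = {"mean": 0, "max": 1}


def scenario_costs(scenario: str) -> dict:
    """Per-category cost for the 'mean' or 'max' column of the table."""
    col = SCENARIO_INDEX[scenario]
    return {cat: pair[col] for cat, pair in COST_TABLE.items()}


def total_exposure(scenario: str) -> int:
    """Gross exposure before insurance: the column sum (about $6M mean, $31M max)."""
    return sum(scenario_costs(scenario).values())


@dataclass
class Policy:
    """Simplified cyber policy (hypothetical structure, not a real policy form).

    Assumption: the retention is applied once per event to the amount
    eligible after sublimits, and the aggregate limit caps the insurer's
    total contribution.
    """
    retention: int
    aggregate_limit: int
    sublimits: dict = field(default_factory=dict)   # per-category caps


def split_exposure(policy: Policy, scenario: str) -> dict:
    """Split gross exposure into what the insurer pays and what the insured keeps."""
    costs = scenario_costs(scenario)
    # Per-category sublimits cap what the policy will reimburse in that category.
    eligible = sum(min(c, policy.sublimits.get(cat, c)) for cat, c in costs.items())
    # The retention comes off the top, then the aggregate limit caps the payout.
    insurer_pays = max(0, min(eligible - policy.retention, policy.aggregate_limit))
    total = sum(costs.values())
    return {
        "total": total,
        "insurer_pays": insurer_pays,
        "insured_bears": total - insurer_pays,
        "tower_exhausted": insurer_pays == policy.aggregate_limit,
    }


if __name__ == "__main__":
    # Hypothetical $10M tower with a $250K retention and $1M sublimits on
    # PCI fines and regulatory penalties (illustrative numbers only).
    policy = Policy(
        retention=250_000,
        aggregate_limit=10_000_000,
        sublimits={"pci_fines": 1_000_000, "regulatory_penalties": 1_000_000},
    )
    for scenario in ("mean", "max"):
        print(scenario, split_exposure(policy, scenario))
```

Under this hypothetical structure the mean-case breach leaves the insured with the retention plus the PCI fines above the sublimit, while the worst case exhausts the $10M tower and leaves more than $21M uninsured; the sublimit on PCI fines, the largest line in the table, is what drives the retained amount in the mean case.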
[Chart: Total Claim Payouts by Type of Cost (N=85). Legend: Crisis Services, Legal Defense, Legal Settlement, Regulatory Defense, Regulatory Fines, PCI Fines; values shown, in that order: 48%, 15%, 10%, 10%, 6%, 11%.]
Data Breach Timeline: How the expenses accrue
[Figure: timeline from Detect Breach through the <10 days, <30 days and 365+ days marks, with the expense stages Forensics; Counsel Review; Notification, Credit Monitoring, Credit Restoration; Vendor Investigations; Regulatory Investigations; Third party litigation and damages.]
• 45% of losses paid by insurers are “Crisis Management Expenses”
• 15% of losses paid are Defense Costs
• 20% of losses paid are associated with damages, fines, or penalties
Source: NetDiligence
ACE Claims Analysis: Privacy Claims and Industry Trends

Claims by cause:
• Hack 27%
• Lost/Stolen Devices 18% (Laptops 13%, Hard Drives 3%, Other 2%)
• Human Error 16%
• Rogue Employee 14%
• Privacy Policy 8%
• Unknown 8%
• Paper 6%
• Software Error 3%

Industry Breakout:
• Healthcare – 30%
• Technology – 12%
• Professional Services – 14%
• Retail – 9%
• Financial Institutions – 7%

Targeted Attacks for PI:
• Lost/Stolen Devices: 2008 – 41%; 2014 – 20%; 2015 – 18%
• Hacking and Rogue Employee: 2008 – 31%; 2014 – 40%; 2015 – 41%
© Copyright 2015 This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of ACE Group.
ACE Claims Analysis: Triggers by Industry Segment

Industry                Hack   Rogue Employee   Lost/Stolen Devices   Human Error   Privacy Policy
Healthcare               7%         24%                19%               21%            10%
Retail                  46%         14%                11%                4%            14%
Professional Services   19%         12%                25%               20%             5%
Technology              33%          9%                22%               11%            13%
Changing Triggers and Increasing Forensic Costs

Loss Trends and Development: Class Action Filings
2013/2014/2015 Major Breaches

Organization                Records/Stores
Target                      110M records / 1,900 stores
Neiman Marcus               1.1M records
Michael’s                   2.6M records
Mt. Gox                     774,000 Bitcoins ($409.2M)
Ebay                        145M records
PF Changs                   33 stores
Albertson’s                 700 stores
Supervalu                   209 stores
Anthem                      80,000,000 customers
Community Health Systems    4.5M records
Premera                     11,000,000 customers
JP Morgan Chase             76M households
Home Depot                  56M records
Adult Friend Finder         3.9M records
Adobe                       152M records
Aaron Brothers              54 stores
Carefirst                   1.1M customers
Sony                        $70M-$100M cyber expenses predicted
Charge Anywhere             5 years of malware
Loss Trends and Development: Balance Sheet Losses from Data Breaches
Anthem Inc.
Hackers breached the computer system of Anthem, the second largest health insurer in the U.S., and stole the PII of up to 80 million people.
The database containing the PII was not fully encrypted, and the hackers were able to access customers’ names, dates of birth, Social Security numbers, addresses, phone numbers and more.
It is reported the breach will cost beyond $100,000,000 and will exhaust the insurance tower.

Sony
There is evidence that the intrusion had been occurring for more than a year prior to its discovery in November of 2014. It is reported that over 100 terabytes of data was taken from Sony, including PII of employees, emails between employees, copies of unreleased films, etc.
The hackers also installed destructive malware that rendered employees’ computers inoperable.
It is reported that the damage will range anywhere from $70,000,000-$100,000,000 and exhaust the insurance tower as well.

Home Depot
The hack may cost between $30,000,000-$50,000,000 and may lead to up to 3 billion dollars in fake charges.
Point-of-sale malware targeted outdated and unpatched Windows XP systems.
Data Breach Expenses – 1st Party
• Forensics
• Public Relations/Crisis Management Services
• Legal Services, including but not limited to determining compliance with privacy regulations, drafting notification letters and indemnification rights
• Notification/Credit Monitoring Services
• Call Center Services
• Fraud Consultation services provided through a licensed investigator or credit specialist
• Identity Restoration Services
Loss Trends and Development: Surveys/Studies

Mandiant 2014
• 33% of victims discovered the breach internally; 67% of victims were notified by an external entity
• 229 days – median number of days that threat groups were present on a victim’s network before detection
• 44% of phishing emails were IT related, often attempting to impersonate the targeted company’s IT department

Identity Theft Resource Center 2014 Data Breach Category Summary
• Healthcare led all industries with 333 breaches confirmed
• Healthcare was second in terms of industries with over 8M records exposed
• Major healthcare breaches include Premera Blue Cross, Anthem Inc., CareFirst
Market Update
Market Update and Development

Capacity
• Capacity for coverage continues to grow both domestically and abroad for middle market risks, but not for large risks
  – There are approximately 35-67 unique markets that can provide Cyber capacity, with new entrants each year, but some leaving in the wake of the Home Depot, Target, SONY, etc. breaches
  – Markets exist domestically (primary and excess), the UK (primary and excess) and Bermuda (excess only)
  – Of the available markets, there continue to be 3-4 Tier I markets capable of writing primary

Coverage
• Coverage continues to expand
  – Insurers continue to differentiate their offerings with new/enhanced coverage components, specifically focused on Cyber Liability coverage (Goodwill Coupon, Breach Response Services, PCI Coverage, etc.), with renewed focus on network interruption
  – Breach mitigation coverages continue to expand to meet clients’ needs, including higher limits of coverage and the availability of coverage through a tower
  – Despite market conditions, insurers are still willing to provide comprehensive terms & conditions specific to unique exposures faced by individual insureds

Claims & Losses
• Stronger data is being gathered as more breaches are reported
  – There continue to be numerous breaches reported, with additional reports tracking costs of the breaches
  – Policies are responding, particularly to the breach mitigation, allowing better tracking of “claims” payments
  – Much more focus on IT security calls and IT systems relating to Point of Sale (“POS”) systems

Retentions
• Retentions remain stable and varied for middle market accounts, but some material increases for large accounts
  – Retentions of all levels are available in the market, but vary based on industry class, revenue and unique exposures, with recent market pressure to increase retentions, sometimes significantly
  – Adjusting retentions can lead to more coverage/sublimit flexibility

Pricing
• Pricing continues to trend upwards
  – Pricing continues to rise in the wake of significant breaches, particularly in the affected industries; increases of 100% - 400% over expiring are not uncommon
  – Renewal premiums continue to increase even for insureds with no change in exposure profile
The Current Cyber Insurance Marketplace
• Market estimated at $1.0B to $1.8B*
• Market penetration varies from 3% for SMEs to 25% for National Accounts*
• 35+ insurance carriers offer cyber
• The 5 largest players (AIG/Beazley/ACE) are generally primary leads on dedicated cyber towered programs
• Other 30 markets also competing on SME, Middle-Market and Excess positions
• Typical limit capacity of $1M to $25M
  – Blocks of capacity built in $10M and $5M layers, in addition to quota-share layers
  – Towers layered as high as $350M and higher
*Betterley Report 2014 & Advisen Statistics 2014
Cyber Insurance: Major Exclusions
• Breach of contract (unless liable in absence of a contract)
• Patent/Trade Secret
• Return of Fees or Recall Expense
• Direct Bodily Injury or Property Damage
• False/Deceptive Advertising
• Known network security vulnerabilities
• Unsolicited communication and wrongful collection not excluded
• Breaches or security failures that began prior to retro date
• Intentional acts or fraud by management
• Liquidated damages
• Coupons, discounts, or incentives to Insured’s customers
• System upgrades or repairs
• Unencrypted Devices/Information
• Performance Guarantees/Express Warranties
• Cyber War (but cyber terrorism carve back for coverage)
5 Predictions for 2015
1. Increase in RAM-scraping malware on PoS systems before the liability shift to EMV chip-and-PIN technology.
2. Increase in attacks on payment systems (NFC, Mobile Wallets, Apple Pay) and an increase in attacks against banks/virtual currency operators.
3. Internet of Things exposed (networked/connected devices such as smart fridges, smart thermostats, etc.).
4. Phishing threats increase in sophistication (bank accounts, login information needing to be reset, etc.).
5. Mobile devices will become a larger target (apps gathering more data, resulting in more phishing attacks and malware to steal credentials).
Additional Questions?