Cyber Risk and Insurance BCI Vic/Tas Forum Event: Samuel Rogers


FINANCIAL LINES GROUP

Cyber Risk and Insurance


22 March 2018
BCI Vic/Tas Forum Event

SAMUEL ROGERS
Account Manager & Cyber Insurance Specialist
Financial Lines Group - JLT
Cyber Risk
The Scale of Today’s Challenge
Cyber Risk – What is happening?

Globally: US$2.1 Trillion by 2019*
*The Future of Cybercrime & Security by Juniper Research
What Is Data Worth?

$114 Billion

$85 Billion
Ransomware

Still… $1 Billion
Breaches And Hacks In The News
The Data Protection Landscape is Getting Tougher

SOURCE: www.dlapiperdataprotection.com
Privacy Amendment (Notifiable Data Breaches) Act 2017

• Applies to organisations with revenue of $3 million or more
• Requires notification to Privacy Commissioner and affected individuals following an Eligible Data Breach
• Also requires investigation within 30 days where breach is suspected
• Eligible Data Breach –
  • Unauthorised access, disclosure or loss of personal information
  • Where a reasonable person would conclude that serious harm would likely result – “serious harm” undefined
• Privacy Commissioner has wide-ranging powers to compel an organisation to notify, make public apologies or compensation payments, and can issue fines and penalties
Cyber Risk – What is happening?

Who is being targeted?



SMEs / Mid-Market Organisations

- Fewer resources to spend on information security
- May not have strict security controls / patch management programs in place
- Often hold personal information
- Often provide services and hold information about / access to larger organisations
JLT/HARVARD BUSINESS REVIEW RESEARCH
METHODOLOGY/PARTICIPANT PROFILE

Online Survey: 278 respondents
1-to-1 interviews with a group of thought leaders

SIZE OF ORGANISATION
- 500-4,999 employees: 46%
- 5,000-9,999 employees: 14%
- 10,000+ employees: 40%

SENIORITY
- Executive Management / Board Members: 20%
- Senior Mgmt: 45%
- Middle Mgmt: 31%
- Other grades: 4%

KEY INDUSTRY SECTORS
- Financial Services: 18%
- Technology: 17%
- Professional Services / Consulting: 15%
- Healthcare: 10%

JOB FUNCTION
- IT: 15%
- General / Executive Mgmt: 13%
- Consulting: 9%
- Sales / Business Development: 8%
- Risk Management: 7%

REGIONS
- North America: 45%
- EMEA: 33%
- Asia / Pacific: 18%
- Rest of World: 4%
85% expect the financial impact of cyber attacks and breaches to rise in the next 1 to 2 years

Only 23% have adopted a formal strategic plan to address the business risks of cyber attacks
KEY FINDINGS
STRUGGLING TO IMPROVE INTERNAL COLLABORATION

How integrated is your organisation’s functional team (e.g., CISO, compliance, general counsel, CSO, procurement) in protecting against cyber attacks and breaches?

- Very integrated: 20%
- Somewhat integrated: 37%
- Minimally integrated: 19%
- Not integrated: 8%
- Don’t know: 12%
- We don’t have a functional team: 5%

Numbers may not total 100% due to rounding.
SOURCE: HARVARD BUSINESS REVIEW ANALYTIC SERVICES SURVEY, AUGUST 2017
KEY FINDINGS
CYBERSECURITY PITFALLS

What are the most significant obstacles to properly addressing cybersecurity risks at your organisation?

Legend (in chart order): SMALLER ORGANISATION / LARGER ORGANISATION

- Lack of resources: 56% / 42%
- Lack of internal collaboration: 36% / 42%
- Unclear return on investment: 31% / 28%
- Lack of support at C-suite, board level: 21% / 12%
- No known barriers: 14% / 26%
- Other: 5% / 5%

SOURCE: HARVARD BUSINESS REVIEW ANALYTIC SERVICES SURVEY, AUGUST 2017
WHAT’S STOPPING PROGRESS?
1. Lack of resources
2. Lack of internal collaboration
3. Unclear return on investment
Isn’t this the IT department’s problem?
The human element is critical in 95% of breaches

1% are unpreventable

…technology is 4% effective
- T Casey Fleming, BlackOps Partners
Most Breaches Rely On Human Error

• Poorly maintained server

• “Spear-phishing” email

• Accessed through 3rd party contractor


Cyber risk is constant and continues to evolve

Trends in 2015

• 54 new Zero Day vulnerabilities discovered (up 125%)


• 431 million new pieces of malware (up 36%)
• 992 Ransomware attacks per day (up 35%)
• Shift in focus to attacks on smartphones – including ransomware
• Spear phishing attacks up 55% - shift towards targeting individuals
• Average of 205 days from system incursion to discovery – worse in APAC
Source: 2016 Internet Security Threat Report

Anti-virus/malware is reactionary – can’t defend against new threats


There will always be a residual risk
How can cyber insurance assist?
Cyber is not an “all risks anything-vaguely-related-to-the-internet” insurance policy.

13% of cyber claims originate from vendors

30% of cyber claims involve insiders
- Employees PII
- Customers PII
- Internal Corporate
- Customers Corporate
What is Cyber Risk?

POTENTIAL OUTCOMES OF A CYBER EVENT

Cyber Breach:

- Damage / Destruction of Data
- Regulation – Notification, and Fines and Penalties
- Extortion / Ransomware
- Integrity, Reputation, and Public Image
- Business Interruption & Delays
- Third Party Claims
  - Breach of Privacy
  - Confidentiality
  - Security wrongful acts
- Introduction and propagation of malicious software
What will be covered?
Areas of Coverage

First Party Costs


Forensic Costs

Cyber Extortion Payments

Public Relations Expenses

Data and System Restoration Costs

Business Interruption and Additional Cost of Working

Notification of Affected Individuals

Legal Advice and Expenses


Areas of Coverage

Third Party Claims


Breach of Privacy

Breach of Confidential Corporate Information

Regulatory Fines and Penalties – where insurable

Infringement of Copyright / Trademark / IP Rights

Breach of Network Security / Propagation of Malware or DDoS

Payment Card Industry Data Security Standards


Areas of Coverage

3rd Party Service Providers


“We outsource our IT/servers/data, so we have no exposure”

Cyber – responds to a breach of a 3rd party service provider, including:

- Privacy Liability & Notification Expenses
- Data Restoration Costs
- Business Interruption Loss
Breach Response

HOTLINE CALL TO BREACH COACH - LAWYER OR LOSS ADJUSTING FIRM

- Kidnap and Ransom Experts
- Credit Monitoring / ID Theft services
- Public Relations
- Notification / Call Centre Service
- Legal advice
- Forensic Accountants / Loss Adjusters
- Forensic IT
WHY ISN’T THIS ALREADY COVERED?
(IT MIGHT BE)

- PROPERTY / TERRORISM: Must have property damage
- GENERAL LIABILITY: Covers third party bodily injury / property damage
- PI: No specific cover for incident costs
- CRIME: Covers theft of money or securities
- D&O: Cyber incident leading to securities suit is covered
- K&R: Ransom-ware covered; check the providers

Further notes on the slide (column placement not recoverable from the extracted layout): CL380; LMA2914/15; Pool Re jumps in; Pure Financial Loss; Regulatory restrictions; Employee claims; Third Party extensions; Social Engineering extensions; Data Protection Extensions; Some exclusions; Cyber exclusions uncommon; Business Interruption…but for how long?
Risk Factors

Do you collect, store or utilise

Risk Factors

Potential Business Interruption

How reliant is your business on

Information technology?
- Desktop PCs
- Websites
- Email systems
- Payment processing systems
- Inventory / Invoicing systems
- Cloud systems / 3rd party IT providers

Operational Technology?
- Automated systems
- SCADA
Risk Factors

Ask -

“How will your business continue operating if your systems are taken down?”

“How will you absorb the cost – time and money – in responding to a cyber incident?”

“What kind of personal and corporate information do you hold?”

“What security and indemnity arrangements do your IT service providers have in place?”
Thank you!

Queries?
Samuel Rogers
(03) 9613 1454

Samuel.Rogers@jlta.com.au
