1

Cyber Insurance From a Quantum Perspective

Speakers

Flemming Jensen – MDD Forensic Accountants

Steve Rosenthal – RGL Forensics

2

3

1. Introduction2. What is Cyber Insurance and Cyber Business Risks3. First Party Cyber Insurance Cover4. Cyber Business Interruption Wordings5. Calculating Cyber Loss of Profits6. Case Studies7. Q & A

Overview

Source: Allianz Risk Barometer 2015

Top Business Risks Worldwide

Source: Allianz Risk Barometer 2015

In 2015 Cyber Risk Ranks 5th on the List of Top Business Risks

6

Cyber Risk is Rising for Business

7

Cyber in the News -

• Five out of six large companies were targeted by cyber criminals in 2014, a 40% increase over 2013.

• “In 2015 we fully expect a business to fail due to the financial consequences of a cyber attack” – Joe Hancock for AEGIS.

• “Cyber Risk poses the most serious threat to businesses and national economies” – Inga Beale, CEO of Lloyd’s

• The cyber insurance market has seen a 50% year-on-year increase in the insurance submissions for the first three months of 2015.

• Distributed denial-of service (DDoS) attacks cause losses of $150,000 per hour.• Only 2% of large UK firms have cyber insurance; 50% of Risk Managers didn’t’ know

cyber insurance existed.• The biggest concern is damage to reputation and loss of customer trust.

8

What is a Cyber Attack?

• Cyber attack is an attempt by unauthorized individuals to damage, destroy or compromise a computer network or system including unauthorized theft or usage of stolen data.

• By Who?• Human Error• Insider• External – Criminals, Foreign Governments or cyber terrorists• Extortion

9

Interesting Cyber Facts

10

Interesting Cyber Facts

Which Cyber risks are the main cause of economic loss?

Loss of reputation 61%

Business interruptions 49%

Loss of customer data 45%

Cost of Data Breaches

Cyber in the Headlines

• TV5Monde (French Television Network)– Disruption of 11 TV channel broadcasts for several hours due to a hack attack – April 2015– Hack of the company’s website and social media accounts

• Mandarin Oriental (Hotel Chain)– Credit card records in EU and US exposed – March 2015

• British Airways– Frequent flyer accounts hacked – March 2015

• Anthem (Health Insurer)– 80m records of current and former customers exposed – February 2015– Potential damage control cost of more than $100 million

• Bitstamp (Bitcoin Exchange)– $5 million in virtual currency stolen – January 2015– Trades temporarily suspended, user accounts frozen and deposits blocked

• Premera Blue Cross (Health Insurer)– Potentially exposed personal details, social security numbers, bank account details– Discovered in January 2015– Currently investigating with FBI and cybersecurity firms

Cyber in the Headlines

• Sony Pictures– 200 gigabytes of internal data such as emails and salary information leaked – November 2014– Estimated damage of $15 million

• Staples (Retailer)– 1 million credit card details stolen – October 2014

• Target:– 70m records exposed in Q4 2013– Loss estimated at $148m with insured losses estimated at $38m

• Home Depot– 56 million records exposed in Q3 2014– Loss estimated at $62m with insured losses estimated at $27m

• JP Morgan– 83 million records exposed in October 2014

• Marsh estimate that cybercrime costs global economy $445billion each year

14

What is Cyber Insurance?

Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks due to a cyber attack.

Cyber-insurance is an insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

15

What is a Cyber Loss?• No damage in the physical sense• Not typically covered under traditional business insurance policies• Requires taking out a cyber risk insurance policy

Market Outlook 2015

Source: UK Cyber Security Report (March 2015)https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415354/UK_Cyber_Security_Report_Final.pdf

Cyber Insurance Market • Global:

– 2014: Premiums estimated to have reached $2.4 billion (an increase of 50% compared to 2013)• US:

– 2013: $1 – 1.3 billion in gross written premium– 2014: $2 billion gross written premium – 2015: Expected to exceed $2 billion in gross written premium– Typical US premium of $100,000-$300,000 would buy $10million cyber cover

• Europe:– Currently $150 million– Increasing from anywhere between 50% and 100% each year– Growth in European market will be influenced by EU Cybersecurity Directive

• UK:– London currently represents $225 million in premiums - 10% of the global market– Most of the premiums come from the US– Lloyds reported a 50% growth in insurance submissions in Q1 2015 compared Q1 2014– Typical UK premium of £150,000 would buy £10million cyber cover– Premium influenced by extent of exposure in the US

Typical Premiums for Cyber Insurance in the US

Source: Deloitte

Cyber Insurance Premiums

Source: Cyber Risk Networkhttp://www.cyberrisknetwork.com/2015/01/15/advisen-insight-cyber-insurance-market-update/

20

What Are Cyber Risks?

• First Party Risks:– Loss or damage to digital assets (data or software)– Direct financial loss

• Theft of money through electronic theft• Cyber extortion (threatening damage if money not paid)

– Theft of intellectual property / commercially sensitive information– Business disruption / interruption from network downtime– Investigation / Response costs– Customer notification expenses when there is a legal or regulatory requirement

to notify them of a security or privacy breach– Reputational damage arising from a breach of data that results in loss of

customers

21

What Are Cyber Risks?

• Third Party Risks– Security and privacy breaches, and the investigation, defence costs and civil

damages associated with them– Multi-media liability, to cover investigation, defence costs and civil damages

arising from defamation, breach of privacy or negligence in publication in electronic or print media

– Loss of third party data, including payment of compensation to customers for denial of access, DDoS (distributed denial of service) and failure of software or systems

22

Cyber Risk PoliciesAll policies are different but typically include cover for a range of First Party risk exposures and Third Party liability exposures.

Examples of First Party Risks Covered

1. Loss or Damage to Digital / Data Assets

2. Business Interruption from Network Downtime – resulting in loss of income, increased cost of operation and/or cost being incurred in mitigating the loss

3. Restoration Costs

4. Cyber Extortion

5. Reputational Damage – Crisis Management / PR Costs

6. Theft of Money and Digital Assets

23

Cyber Risk Policies

Examples of Third Party Risks Covered

1. Security and Privacy Breaches

2. Investigation of Privacy Breach

3. Customer Notification Expenses

4. Multi-media Liability

5. Loss of Third Party Data

6. Regulatory Fines and Penalties

7. Data Warehouse Breach

24

• Policies Vary Widely as to:– Policy Triggers– Sub-limits– Retentions– Waiting Periods– Definitions and valuation terms

• No such thing as “Standard Policy Cover”

Cyber Risk Policies

Comparison of Traditional and Cyber Insurance Policies

Source: Deloitte

26

Purpose of Business Interruption Insurance

“To put the Insured back into the same financial position they would have been in, but for the incident – subject to the policy wording”

27

Property Damage & Cyber Example Wording

• Trigger for a loss is an insured event• Property Damage: “Direct physical loss or destruction of or damage to the Insured

property”• Interruption defined as:

– Suspension of the service provided by the Company’s Computer System solely caused by a Security Failure; or

– Inability of the Company to access Data due to such Data being deleted, damaged, corrupted, altered or lost but only where such deletion, damage, corruption, alteration or loss is solely caused by a Security Failure

• Maximum indemnity period includes:– Period from end of Waiting Period until Interruption resolved, subject to 120 day

limit– Further 90 days from resolution of Interruption

• Measurement of loss of profits identical between Property & Cyber wordings

28

Defining Loss of Profits in Cyber Claims – Specimen Clauses

First Party Business Interruption

To indemnify the Named Insured for:

Business Interruption Loss, in excess of the applicable Retention, incurred by the Insured Organization during the Period of Restoration or the Extended Interruption Period (if applicable) as a direct result of the actual and necessary interruption or suspension of Computer Systems that first takes place during the Policy Period and is directly caused by a failure of Computer Security to prevent a Security Breach; provided that such Security Breach must first take place on or after the Retroactive Date and before the end of the Policy Period.

Business Interruption Loss incurred by the Insured due to a Business Interruption within the Indemnity Period as a direct result of the total or partial inavailability of the Company’s Computer System first Discovered during the Period of Insurance which is caused by a Business Interruption Event and which exceeds the Waiting Period;

29

Defining Loss of Profits in Cyber Claims – Specimen Clauses

Business Interruption Loss:• Reduction in net profit attributable to a loss of revenue arising from the incident• Continuing operating expenses• Increased costs of working solely incurred as a consequence of the incident to reduce

the:– Length of the period of interruption; and/or– Loss of profit arising from the incident

Business Interruption Loss usually includes:

(a) the reduction in net profits;

(b) fixed operating expenses that continue to be incurred; and

(c) Extra / Additional Expenses.

30

Cyber Business Interruption Losses – Issues and Considerations

• The concept of BI following cyber crime is inherently the same as BI after physical damage to property.

• Property policy wordings have been around for decades and wordings are understood, despite the odd disagreement!

• Cyber policy BI wordings appear to try and achieve the same result but wordings are different – this could lead to frequent disputes.

• Perhaps market will align with property wordings over time?

31

Cyber Business Interruption Losses – Issues and Considerations

- Interruption / Indemnity Period – mostly defined as from date when attack or damage occurred until date when service is resumed (i.e. damage is repaired) – similar to US property wordings, or until some maximum date – similar to UK wordings.

- Some US policies have option to of Extended Interruption Period until business recovered but often limited in time period.

- When did the attack occur and impairment begin?- Waiting Period ? Minutes ? Hours

- Is impact still ongoing or has it ended? May not be clear.

- All losses may not flow from the event – direct linkage of lost revenues should tie to the event / specific attack

32

Cyber Business Interruption Losses – Issues and Considerations

- Some policies refer to historic periods whereas others incorporate what is commonly referred to as the ‘trend clause’.

- Impact on Revenue/Sales – Need to establish a baseline or standard (what would have been achieved but for the event)

- Benefit of a cyber environment is the availability of data!

- Disadvantage of a cyber environment is the possible lack of history and trend

- Potential Recovery or Make-Up Sales – some policies have clauses that provide for credit if sales are conducted ‘elsewhere’ or ‘by other means’

33

Cyber Business Interruption Losses – Issues and

Considerations- Non-Continuing Expenses – instead of insuring loss of gross profit with a savings

clause (like conventional BI wordings), most cyber policies insure net profit and fixed expenses, but only to the extent the fixed costs “must necessarily continue”.

- How will “must necessarily continue” be interpreted?

- Causation – when assessing ongoing losses after service is resumed, will insurers seek to distinguish between the interruption of service and loss of trust by customers in terms of coverage?

34

• Security failure resulting in…..• Hardware damage? • Software alteration?

– Added malicious content– User data and/or databases– Is this damage?

• Whose damage or interruption?– Insured’s own computer equipment, suppliers

• Caused by who?– Rogue employee (s), cyber-crook, errors by staff, independent contractors,

outsourcers?• Does the incident constitute direct damage?• Forensic investigation required

Policy Trigger – What is Loss or Damage?

35

• Similar to traditional Business Interruption losses, the insured would typically incur reasonable and necessary expenses during the period of restoration to minimize or avoid a partial or total interruption in services as a result of a covered loss, including renting/leasing of external equipment, additional staff or labor costs, etc.

• Examples of possibly quantifiable costs:– Investigation Costs– Restoration Costs– Work-arounds, short term services– Remediation and Prevention Costs– Cyber Extortion– Reputational Damage– Consumer Notification Expenses– Regulatory fines and penalties

Cyber Business Interruption Losses – Extra / Other Expenses

36

Cyber Business Interruption Losses – Extra Expense – (I of II)

- Most policies refer to Extra / Additional Expense – wording requires the costs to be economic – ‘spend a dollar to save a dollar’

- Extra Expense – are these costs being segregated by the Insured? May not be straightforward to identify as being over and above normal business.

- Expenses to improve digital systems are usually excluded. The line between investigation and improvement can be less than clear but quite crucial. The area of vulnerability may need to be corrected but it is an area that seems to be beyond the coverage currently available.

- Use of Internal Resources – in an effort to resume business

37

Cyber Business Interruption Losses – Extra Expense – (II of II)

- Speed is of the essence and the Insured is likely to deploy substantial internal manpower resources to rectify the damage, protect the reputation etc. Not necessarily an increased cost to the business but a burden on the business nonetheless.

38

Additional Expenses

• Database Restoration or Replacement (sometimes falls under separate cover e.g. Restoration Costs)

– Reconstitute Database– Install and reload servers – Relocate operations– Redirect DNS

• To Achieve Make up Sales– Purchased services from competitors – Websites and domains purchased and developed– Redirecting DNS submissions

39

Redirecting DNS

• DNS (Dynamic Name Service)

• “phone book” for the internet

• DNS translates human recognized names into IP addresses

• Change DNS for the domain through registrar. (examples GoDaddy, Network Solutions)  Will result in domain located in new destination and new information

• Process can take 24-48 hours… 0r 5 minutes !!!

40

Role of the Forensic Accountant

• Forensic Accountants can assist insurers in the measurement of the loss.

• The principles are very similar to traditional Business Interruption losses.

• Independent forensic accounting firms have the depth of resource and experience to handle large volumes of data and ensure the loss is measured in accordance with the terms of the policy.

• The forensic accountant will work as part of the team – with claims handlers, IT analysts, lawyers and adjusters.

41

Case Study 1: Background

• Manufacturer of high end consumer electronic products

• Insured operates production sites in Malaysia, Brazil and Romania

• Hackers gain access to IT control equipment for Romanian production line:– Insured denied access to IT equipment that controls production machinery– Hackers upload malware onto production network– Production stopped for period of several days

42

Case Study 1: What are the Issues?

• Length of time required to:– Regain control of the network and machinery– Repair hacker’s point of entry and remove malware– Restart production– Return production to pre-incident volumes

• Can production scheduling or location be amended to minimise sales losses?

• Has their been an actual loss of sales or has lost production simply been made up

• Concerns over risk of similar attack at other sites

43

Case Study 1: Measuring the Loss• Does loss of production cause a loss of sales?

– Review pre and post incident production volumes at all relevant locations– Establish extent of production spare capacity, if any– Consider how stock volumes have been utilised– Analyse pre and post incident sales volumes for products manufactured on

affected line– Review sales trends and market data for the relevant product

• Increased costs of working:– Overtime at incident and alternative locations during and after end of repair

period– Airfreight costs for raw materials and finished goods– Outsourcing costs– Assess whether costs claimed for improved network security

• Savings may occur in shutdown period – e.g. energy, maintenance

44

Case Study 2: Background

• Online retailer selling branded fashion products

• Hackers gain access to network infrastructure, including sales system and web server:

– Consumer names, addresses and credit card data stolen– Website inaccessible to customers for period of 48 hours while evidence is

collated

• Cyber attack widely reported in mainstream media

45

Case Study 2: What are the Issues?

• Length of time required to:– Regain control of the network– Repair hacker’s point of entry and remove malware– Change login credentials for affected customers– Return website to normal operations

• Impact of incident on consumer confidence and potential for reputational losses

46

Case Study 2: Measuring the Loss

• Has incident reduced consumer use of site?– Review pre and post incident site visit count data– Determine extent of any changes in search engine rankings– Assess pre-incident linkage between site visits and sales– Establish extent of reduction in sales attributable to reduction in traffic– Establish extent of any make-up in sales after normal operations resume

• Increased costs of working:– Post incident advertising to address consumer confidence and to increase site visits– Promotional campaigns with existing customer base– Discounts and promotional offers to increase post incident sales

• Will reduction in consumer confidence cause a loss of revenue after the end of the maximum indemnity period?

47

Case Study 3: Background

• Hospital providing private medical services to health care insurers

• Hackers gain access to Insured’s network:– Insured denied access to all patient records– Hackers upload malware onto network and demand ransom for Insured to regain

access

• Forensic investigators and security consultants advise Insured not to pay ransom

• Insured elects to reconstruct patient data from backups onto replacement network

48

Case Study 3: What Are the Issues?

• Date of last complete backup pre-incident

• Length of time required to:– Obtain and install replacement server– Restore patient data from backup– Reconstruct changes to data that occurred between date of last complete backup

and incident

• Ability of Insured to use server capacity at other locations in the interim period

• Impact on patient care and treatment of Insured’s short term inability to access current patient data

49

Case Study 3: Measuring the Loss• Need to establish the following:

– Medical procedures/operations cancelled or postponed due to patient data being inaccessible

– Extent to which postponed treatment may impact scheduling of treatment for other patients

– Impact on new patient bookings– Daily revenue earned from each hospital facility

• Increased costs of working:– IT consultant costs incurred in reconstructing network and patient records– Overtime costs related to rescheduling of treatment outside normal working

hours– Costs incurred at other hospitals for transferred patients immediately post

incident– Impact on patient care and effect on the insured’s short-term inability to access

current patient data

50

Cyber Risk Insurance Still ‘Ground Floor’

• Not many claims to date.

• Policy coverage will surely be challenged as claims evolve and different situations arise.

• Policy coverage and wordings will likely evolve too.

• Choose partners who can support you through this change and ensure your clients value the claims handling process.

51

Questions?