Cyber Risks – A Reinsurer’s Perspective on Exposure & Claims
EMEA Claims Conference 2018, Rüschlikon, 6th – 7th March, Anthony Cordonnier
Cyber: a claims sprint through the last year (and a bit…)
Sources: flyertalk.com, businessinsider.com, wikipedia.org, bleepingcomputer.com, google.com
Cyber coverage: trends & challenges
Cyber coverage landscape
Affirmative cyber covers
Data Restoration
Regulatory Defence
Cyber Extortion
Incident Response Costs (might include Notification, Forensics, PR, Monitoring)
Communication and Media Liability
Business Interruption (BI) and Contingent Business Interruption (CBI)
Data Privacy Liability
Network and Information Security Liability
Third party covers
First party covers
Underlying coverage trends
System failure coverage (named vs. open perils)
Contingent business interruption
Cyber creep in GTPL (and other) policies
Bodily injury / property damage extensions in cyber policies
Lack of standardized wordings
Critical infrastructure
War
Confiscation / seizure
Traditional treaty reinsurance structures applied to cyber (1/2)
Quota share
Risk XL
Alignment of interests
Solvency relief
Expenses funding
No protection against large losses
Large loss protection
Accumulation of retentions in case of event hitting multiple insureds
Aggregate XL / Stop loss
Event XL
Traditional treaty reinsurance structures applied to cyber (2/2)
Earnings protection
Capital relief
Lack of alignment of interests
Cost
One retention in case of large event
Difficulty in defining event
Complexity of a line of business that has multiple triggers
• Some reinsurance wordings include loose event definitions
When determining what shall be considered a single event, the Reinsured may include a single act or a series of related acts, and may consider objective factors including when and where such act(s) are executed, whether they are performed by the same perpetrator, whether they use the same technique or malware, and if they target insureds operating in the same industry segment.
• Current geopolitical climate is driving a push from brokers to weaken war exclusions
War, per the Reinsured's policies. However, this shall not apply to:
a. Loss or damage arising out of or caused by an act of terrorism as defined in the Definitions Article; or
b. Loss or damage occasioned by riots, strikes, civil commotion, vandalism, malicious damage, including acts committed by agents of any government, party or faction engaged in war, hostilities or other warlike operation, provided such agents are acting secretly and not in connection with any operations of military or naval armed forces in the country where the interests insured are situated.
As always, the devil is in the wording…
Quantifying cyber risks & accumulation
The traditional actuarial approach
Source: Swiss Re Economic Research & Consulting
The challenges in applying traditional methods to cyber risks
Lack of empirical data
Lack of historical data
Lack of common reporting standards for data breaches
Lack of understanding of rare & severe risks
Fluidity of risk drivers
New actors & new attack methods
The human element
Accumulation potential
IT monoculture
Cloud services
Correlated vulnerabilities
Cyber accumulation – main scenario clusters
Data Breach (Impact on personal data)
• Personal data and credit card data are stolen from several data banks using the same systems
Critical Infrastructure (With or without property damage)
• A virus blocks the cooling system of several generators, which subsequently start to burn
• Malware affecting a transmissions operator leads to a blackout (without property damage)
DDoS / IO (Distributed Denial of Service / Interruption of Operations)
• Coordinated attack that affects many e-sales portals
• Attack on clouds
• Widespread internet outage
Silent cyber exposure matters because…
Source: PRA consultation paper CP 39/16
…it constitutes a real risk …it’s getting on regulators’ agenda
Traditional property insurance policies are expected to cover physical damage and business interruption from incidents like the cyber attack on a German steel mill in 2014
By its nature, silent cyber risk is not always identified, managed and monitored and may be a material risk for firms
“The PRA expects firms to robustly assess and actively manage their insurance products with specific consideration to silent cyber risk exposure”
Unless explicitly excluded, cyber risks might be covered by most conventional insurance policies
Extent of cyber risk coverage
Non-affirmative/silent
Affirmative/explicit
Partially excluded (e.g. NMA 2914)
Fully excluded (e.g. CL 380)
Silent cyber exposure:
• Depending on the scope of insuring agreements, losses caused by cyber perils might be silently covered in most conventional insurance policies
• Silent cyber can creep into policies where cyber exclusions are not fully exhaustive
• The trend towards digitization and new technologies such as IoT, smart homes and autonomous cars is likely to increase silent cyber exposure under conventional lines
• Underwriters should carefully assess how silent cyber exposure might impact loss severity and frequency
• Understanding silent cyber exposures in conventional lines is key to actively managing accumulation
Silent cyber in…
Property
General Liability
E&O
D&O
Motor
Other LoBs
Marine
Engineering
The limits of insurability
A world of many threats
“Our adversaries are becoming more adept at using cyberspace to threaten our interests and advance their own, and despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years.”
Daniel R. Coats, Director of National Intelligence, Senate Select Committee on Intelligence, May 2017
“What I see frightens me. I am frightened because our enemies are no longer known to us. They do not exist on a map. They are not nations, they are individuals. And look around you. Who do you fear? Can you see a face, a uniform, a flag? Our world is not more transparent now. It is more opaque. It is in the shadows.”
‘M’, Skyfall
Criminal acts, terrorism, war: a blurred line
Losses arising out of malicious acts committed against an insured
Losses arising out of criminal / wilful acts committed by an insured
Losses resulting from act of cyber terrorism
Losses resulting from act of war
A few thoughts for the future
Role of governments
Role of pools
Role of financial markets
Legal notice
©2018 Swiss Re. All rights reserved. You are not permitted to create any modifications or derivative works of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re.
The information and opinions contained in the presentation are provided as at the date of the presentation and are subject to change without notice. Although the information used was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage or loss resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re or its Group companies be liable for any financial or consequential loss relating to this presentation.