Dealing with the Challenges of Cyber Crime in the Nigerian Economy – The Insurance Solution...

Dealing with the Challenges of Cyber Crime in the Nigerian Economy – The

Insurance Solution

September 2015

By

Shola Tinubu (FCIB)MD/CEO, Scib Nigeria & Co. Ltd.

CONTENTS

Part 1- Background• Global Cyber Liability• Definition of Cyber Insurance

Part 2- Challenges

Part 3- Cyber Risks

a. Potential Risk Targetsb. Potential Business Consequencesc. Potential Legal Consequenced. Potential Cost

Part 4- Cyber Risk Management

Part 5- Regulatory Framework

Part 6- The Solution: Cybercrime Insurance

• Questions?

Part 1

Background

Global Cyber Liability

• 864.2 million personal records have been breached in the U.S. since 2005.

• 2.7 billion people in the world are online (approximately 40% of the world’s population).

• Portable devices carrying more than 172 million personally identifiable records were lost or stolen, between 2005 and 2014.

• In U.S. Healthcare alone, more than 120,000 people are being notified that their data has been breached every week!

Part 1 - Background

Global Cyber Liability (Cont…)

• More than a third of customers of companies that suffered a data breach no longer did business with the companies in question “because of the breach”

• Cybercrimes are widespread, systemic and insidious

• Cyber crime cost companies $300bn - $1trillion total in 2013

• Average cost of $500,000 and 24 days to identify and resolve an attack

• ~5% drop in share price for public companies

• Value of brand can decline 17-31%, depending on nature and industry

Source: www.aon.com

Part 1 - Background (Cont…)

EFCC, Nigerians raise alarm on hackingon July 29, 2011 / in Crime Alert 4:54 pm / Comments

- Fears of massive fraud in the banking and financial sector have been raised by the Economic and Financial Crimes Commission (EFCC) as Nigerians are alarmed by renewed upsurge in hacking into their personal computer systems and electronic mail accounts, using it to attempt defrauding friends and relatives.- This is coming as the United States approved $130billion to fight hacking and cyber related crimes, with focus on hacking and cyber crime fraudsters from Nigeria. Washington last week deported a Nigerian for defrauding 70 law firms through cyber crimes.

-This came as EFCC said that it has received reports of people trying to use electronic means to divert public funds, perpetuate forgery and fraud.

Source: Vanguard July 29, 2011


Saturday Vanguard

http://www.vanguardngr.com/category/more/crime-alert/

http://www.vanguardngr.com/2011/07/efcc-nigerians-raise-alarm-on-hacking/

Business Day

Nigerian payment cards vulnerable to hackers abroadNovember 4, 2014 | Filed under: Exclusive, main story | Author: Ben Uzor

- The failure of some more advanced economies to upgrade to the latest electronic payment card technologies is causing Nigerian card holders to be vulnerable to hackers when they travel abroad, BusinessDay has gathered.

- Facts have emerged that hackers in some countries abroad are duplicating Automated Teller Machine (ATM) cards belonging to Nigerian bank customers who travel to those countries and conduct payment transactions on their cards.

-The hackers clone the Nigerian cards and use them to purchase items worth millions of dollars from shopping malls in the US.

Source: Businessday


http://businessdayonline.com/category/main-story/

http://businessdayonline.com/author/testuser/

http://businessdayonline.com/author/testuser/

Definition of Cyber Insurance


Cyber insurance -- also called cyber security insurance, cyber liability insurance, cyber risk insurance, and data security insurance, among other terms –

What Does the Product Protect Against• Protection of businesses from Internet-based risks, • Risks relating to information technology infrastructure and activities.

ExclusionRisks of this nature are typically excluded from traditional commercial

general liability policies.

What Does Product Cover?

Covers include;• first-party coverage against losses such as data destruction,

extortion, theft, hacking, and denial of service attacks;

• liability cover indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and

• other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.


Part 2

Challenges

Part 2 - Challenges

• Attacks or security breaches may lead to a variety of business

consequences, which are very difficult to quantify the impact

• Lack of historical data is one of the foremost issues faced while

determining the premium rate of an insurance policy and deciding on

whether to underwrite the risk.

• Lack of standard legal definitions of cyber liability across the globe.

• Lack of systems to alert consumers in a timely manner in the event of a

cyber breach.

• Inadequate protection of personally identifiable information held by

insurance companies and third-parties .

• Insufficient audits to determine if controls are in place to protect

personally identifiable information.

• Inadequate Periodic employee training and assessment .

• Lack of implementation of policy by the government

• High rates of poverty.

• Lack of awareness .

Part 2 – Challenges (cont…)

Part 3

Cyber Risks

Where

Who

What

FinancialImpact

Online Offline

Accidental

Malicious Internal External

LiabilityRegulator

y FineDefence Expense

Lost Income

Extra Expense

Crisis Expense

MediaTechnolog

yProtected

Data

Part 3 - Cyber Risks

What risks are there in Cyber?

Who creates cyber risk?

17%

10%

60%

6%7%

Internal Accidental

Internal Malicious

External

Internal Unknown

Unknown

2014 Year to Date (datalossdb.org)

Part 3 - Cyber Risks (Cont...)

Notable Trends in Cybercrime

• Motivation : Huge financial potential is making attackers more sophisticated

• Methods : Attacks are becoming more targeted

• Targets : The workstation (desktop or laptop) and the user is the easiest path into the network

• New wave of Cyber Terrorism


Sources of Data Breaches

49%

16%

9%

9%

7%

5%4% 2%

Laptop/SmartphoneThird PartyPaper RecordsInsiderBackupHacked SystemsMalicious CodeUndisclosed


Potential Risk Targets

• Any business handling customer data will, sooner or later, be confronted with the challenge of a data breach.

• The stakes are high. If customers don’t think the business can be trusted, the future of the company may be at risk.

• Companies with access to private, confidential information about their customers or employees have a responsibility for keeping it safe

• Companies who have a web presence have emerging content exposures

• Companies who have a dependency on technology have emerging transactional exposures


Potential Business Consequences

• Harm to business, company valuation, stock price, etc.

• Long-term financial and business damage

• Theft of valuable intellectual property and business plans

• Theft of customer data and funds

• Disruption of critical operations and corporate web sites

• Headline and reputational harm


Potential Legal Consequences

• Governmental investigations and sanctions

• Consumer litigation

• Class action lawsuits

• Shareholder derivative demands

• Potential claims against the company


Potential Costs

• Financial losses for company

• Financial losses for shareholders

• Brand reputation


Part 4

Cyber Risk Management

Cyber Risk Management Framework

Assessing Risk

Maintain Risk at Acceptable Level

Reduce Risk of Security Breach through Preventive Technology

Reduce Financial Risk through Insurance

Reduce Risk to Acceptable Level

Part 4 - Cyber Risk Management

Scib’s Cyber Risk Management Process

Part 4 - Cyber Risk Management

Managing the external accidental (aka vendor) cyber risk

Vendor risk assessment (financial, technical, legal, security, privacy,

quality control, compliance)

Contractual risk transfer(Scope of indemnity, limit of liability)

Vendor insurance(Professional Indemnity, Cyber)

Your insurance(Cyber, others…?)

Cyber Risk Management

Part 4 - Cyber Risk Management (Cont...)

Part 5

Regulatory Framework

27

The Act is segmented into three (3) parts;i. Part I -Object And Applicationii. Part II ‐ Protection Of Critical National Information Infrastructureiii. Part III ‐ Offences and Penalties

The Act dubbed: ‘Cybercrimes Prohibition, Prevention Act’, was signed

by former President Goodluck Jonathan on May 15, 2015.

Cybercrime Prohibition, Prevention Act 2015

Part 5 - Regulatory Framework

28

Objectives

The main objective of the Act is to provide an effective and unified legal,

regulatory and institutional framework for the prohibition, prevention,

detection prosecution and punishment of cybercrimes in Nigeria. It also

seeks to ensure the protection of critical national information

infrastructure as well as promoting cyber security and the protection of

computer systems and networks electronic communications, data and

computer programmes intellectual property and privacy rights.

Cybercrime Prohibition, Prevention Act 2015 (Cont…)

Part 5 - Regulatory Framework (Cont...)

29

The Cybercrime Act is a crucial piece of legislation:

- It will encompass stronger obligations around minimum technical and organizational control as well as prompt failure disclosures.

- The Act provides more power to regulators around imposing financial penalties as well as subjecting companies to regulatory audits.

- Firms must start preparing early as there are a number of additional administrative and record keeping obligations that may require fundamental organizational and IT change and in some cases at significant cost.

Implications of the Cybercrime Prohibition, Prevention Act 2015 to Business Operations


30

Fines up to N7,000,000.00 or imprisonment for a term of not less than three years or both fine and imprisonment in the event of a computer related fraud and identity theft and impersonation.

Part III under Offences & Penalty, section 6, subsection 3 & 4 of the Cybercrime Prohibition, Prevention Act 2015

New Cybercrime Regulation Impacts

N


Part 6

The Solution: Cybercrime Insurance

What is Cyber Insurance?

Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks.

Cyber Insurance also offers coverage for liability that arises out of unauthorized use of, or unauthorized access to, electronic data or software within a company’s network or business. In addition, it provides coverage for liability claims for spreading a virus or malicious code, computer theft, extortion, or any unintentional act, mistake, error, or omission made by employees while performing their job.

Part 6 - The Solution: Cybercrime Insurance

Part 6 - Scope of Cyber Insurance Coverage (Contd)

First Party SectionsInsured’s Loss

Network-related Business Interruption

System Failure Business Interruption (some policies)

Dependent Business Interruption (some policies)

Extra Expense

Intangible Asset damage

Reputation Damage (some policies)

Expense/Service SectionsExpenses Paid to Vendors

Crisis Management

Breach-related Legal Advice

Forensic Investigation

Breach Notification

Call Center

Credit Monitoring, Identity Monitoring, ID Theft Insurance

Cyber Extortion Payments/ Assistance

Liability SectionsDefense Costs + Damages

+ Regulator Fines

Failure of Network Security

Failure to Protect/ Wrongful Disclosure of Information, including employee information

Privacy or Security related regulator investigation

All of the above when committed by an outsourcer

Wrongful Collection of Information (some policies)

Media content infringement/ defamatory content

Scope of Cyber Insurance Coverage

First Party Response expense reimbursement options include:

Legal & Forensic Services

Crisis Management/Public Relations

Notification and Remediation Expenses

Business Interruption and Additional Expense

Computer Program and Electronic Date Restoration

Computer Fraud

Funds Transfer Fraud

Telecommunications Theft

Part 6 - The Solution: Cybercrime Insurance (Cont...)

Scope of Cyber Insurance Coverage

Third Party Defense & Liability expenses (including defense costs)

Data security breaches can take many forms and do not necessarily lead

to any direct consumer injury like identity theft. However, you will likely

need to defend against individual and/or class action lawsuits anyway.

Your policy will provide defense and pay liability judgments against you

up to the limit of insurance you select.

In addition, you will have access to a proprietary breach preparedness

web site with pre and post-breach services and resources.


Property Insurance: Denial-of-Service attacks do not constitute

‘physical perils’ and do not damage ‘tangible property’

Professional Indemnity:- Unauthorized access exclusions.

- Requires negligence in provision of defined business activities.

- Generally no cover for information commissioner regulatory actions

General Liability InsuranceGeneral Liability coverage is limited to

‘publication or utterance’ resulting in one of traditional privacy torts.

“Publication” resulting from hacking is not an act of the insured

Fidelity Guarantee Coverage- This covers loss as a result of the

dishonesty of staff resulting in the loss of money, securities, or tangible property.

Common Hurdles:- Intentional acts and insured vs.

insured issues. -No coverage for crisis

expenses required by law or to protect reputation.

Your Standard Policies Probably Don’t Work


Cyber Insurability Analysis

Professional Indemnity


Who needs Cyber Insurance?

Everybody that has phones with personal or corporate data.

Every organization that receives and sends email.

Companies who host, store, share or transmit proprietary & confidential data

Companies who transact business and generate revenues from the Internet

Companies whose business operations would be impacted by a service disruption

Companies who outsource storage, processing or sharing of confidential information

with third party service providers

Companies who publish electronic content

Companies whose high profile increases the probability of extortion


Who needs Cyber Insurance? (Contd)

It can happen to anyone…

The culprit is often someone close to your business: A surprisingly

large proportion of data breaches are carried out by insiders—over half by

some estimates

Size doesn’t matter: Half of the potential companies that suffer data

breaches have very few employees

The perpetrator could live halfway around the globe.

Any company can be hit: Retailers, health care institutions,

manufacturers, professional service providers, media and entertainment

companies, and financial institutions are likely to be targeted

A breach can result from a simple mistake: e.g. An employee misplaces

a laptop or Blackberry, or leaves it in an unsecured location, such as an

unlocked car


What is the cost of the cover?

A good starting point is to determine what exposure does the company have .what types of incidents you want cover for and for what limit. The company should state both your own costs (known as first-party costs) and the costs that others may attempt to claim from you as a result of the incident (known as third-party costs).

Depending on the nature of the risks, premium rates can range between 1% to 6.0 % of the limits covered.


Risk Assessment Parameter

Optimal ProgramInsurable

Risks

Contractual Requirements

Budget

Risk Tolerance

Loss Modeling

Peer Purchasing

Data

Scope of Coverage/ Control

Market Limitations

The Solution: Cybercrime Insurance (Cont...)

How can Scib facilitate the cover?

Scib approach

Strategic Meetings / DiscussionScib will take a collaborative approach with prospective client to identify and analyze exposures, risk and potential insurance including proposed structures, or alternative solutions

Submission DevelopmentScib will work with prospective clients to obtain relevant, necessary and favorable underwriting information to present to markets

Scib approach (Cont…)

Marketplace LeverageScib will put our vast knowledge of market conditions and trends to work on behalf of each prospective client, negotiating favorable terms and conditions with top tier carriers.

Strategic Negotiations and PlacementScib will utilize proven and sophisticated negotiation strategies to finalize placements that meet collaboratively established goals. Throughout the process Scib advises on Cyber risk management best practices and provides frequent thought leadership and guidance on emerging exposures and coverage issues

Our Vision and Mission

Our Vision

• To Be The No.1 Risks Solutions Provider Of Choice.

Our Mission

• Pursuit of Excellence in the Provision of Risks Solutions of a Global Standard using Innovation

Who We Are

Established July 1978.

Joint Venture between F.I.M Consultants Ltd. & Standard Chartered Insurance Brokers Ltd. UK*

Post Standard Chartered Bank’s Divestment – Sedgwick remains a Shareholder and Technical Partner ……….SCIB

Today

• Scib is ranked No. 1 of 500 plus registered brokers in Nigeria.

• Staff Strength of 75. Highly experienced and motivated.- Additional 55 comprising Consultants and other support staff.

• Multi-disciplinary team comprising of Lawyers, Chartered Accountants, Chartered Insurance Practitioners and others with background in Actuarial Science, Engineering and Economics.

• Head Office in Lagos: - Head Office Annex in Lagos

- Regional office in Ibadan, Port Harcourt, Kaduna & Abuja. - Branch office in Kaduna

International Affiliation • Scib is the Network Correspondent for Aon in Nigeria.

• Aon is the Largest Insurance broking company in the world with over 500 offices in more than 120 countries.

www.aon.com

Aon has a leadership position in relation to financial institutions.

1. 100% of the top 10 global insurers2. 94% of the top 50 global banks3. 60% of the top 10 asset managers

This gives Scib a Global Access.

http://www.aon.com/

Aon

Scib

Global Reach

500 Offices

120 Countrie

s

49

No. 1 Insurance Broker in the World

No. 1 Insurance Broker in Nigeria

WHERE WE ARE

WESTERN REGIONAL OFFICE - IBADAN

Arit of Africa House (1st Floor)14 SanusiAkere StreetOluyole EstateIbadan.Mobile number-08085852816Tel/fax: 02-2414154E-mail: [email protected]

EASTERN REGIONAL OFFICE - PORTHARCOURT

UPDC Building26 Aba RoadPort HarcourtRivers StateMobile number-08028399355Tel: 084-770888; 084-575499E-mail: [email protected]

NORTHERN REGIONAL OFFICE - ABUJA

Suite 20 & 21 Yashua Plaza(Behind AP Plaza)1046 Adetokunbo AdemolaCrescentWuse II – Abuja.Mobile number-08023143111Tel. 09-6710628E-mail: [email protected]

HEAD OFFICE ANNEX

Custodian House 16A, Commercial Avenue (2nd Floor)Sabo-Yaba, LagosMobile number-08085852816Telephone: 2704920 - 3,Email: [email protected]

KADUNA BRANCH OFFICE

Turaki Ali House (1st Floor)3 Kanta RoadP.O. Box 8741Kaduna.Mobile number-08023143111Tel/Fax: 062-241567E-mail: [email protected]

HEAD OFFICE

66 AdeniranOgunsanya Street.SurulereP.O. Box 1782LagosMobile number- 08081007745Tel: 01-2710030-4, Fax: 01-2710035E-mail: [email protected]

mailto:[email protected]

Why Use A Broker?

Assessment of client risk profile.

Prompt Claims processing and management

Advice on cover required by client.

Technical advice and advice on market developments.

Selection and recommendation of insurer.

Detailed knowledge of the market, insurers, products/policies and practices.

Risk management

Why Use Scib? Prompt Claims processing and management

Assessment of your risk exposure profile.

Advice on cover required.

Technical advice and advice on market developments.

Selection and recommendation of insurers

Detailed knowledge of the local and international market, insurers, products/policies and practices.

Risk management

Global Knowledge

Global reach

Our Key Differentiating Factors

Specialized unit to handle financial institutions

People/Professionalism (Technical Competence)

High Ethical Standards

Leverage

Integrity

Service

Experience

Contact Person

G. A. Olanbiwoninu Senior Manager

He has been in the field of marketing since 1995Specialty: Business Development and MarketingTel: 234 01 271 0030-4D/L: 234 808 100 7745Email: [email protected]

Questions?

Locks Keep Out only the Honest

Jewish Proverb

Quote

Thank You !

Dealing with the Challenges of Cyber Crime in the Nigerian Economy – The Insurance Solution...

Documents

Transcript of Dealing with the Challenges of Cyber Crime in the Nigerian Economy – The Insurance Solution...