Outcomes

Cyber Insurance

View the original Working Session content
 

Cyber insurance market (2017 cyber insurance data from Best)

  • US direct premiums by US P&C insurers rose 32% to $1.8bn
  • Policies in force increased 24% to 26 mn
  • Cyber claims increased from 5,955 to 9,017

Top five cyber attacks (2017 AIG claims data)

  • Ransomware - 26%
  • Data breach by hackers - 12%
  • Other security failures/unauthorized access - 11%
  • Impersonation fraud - 9%
  • Other virus/malware infections - 8%

Privacy and Network Security coverage

Security involves managing technical risk, but a contractual response is also needed.

First party exposures

  • Breach coach
  • Forensic expert
  • Notification provider -Public relations specialists
  • Data remediation and restoration

Third party exposures

  • Lawsuits
  • Regulatory investigations and fines

Additional Coverages

  • Business interruption
  • Contingent business interruption
  • Social engineering
  • Cyber extortion
  • Senior executive losses

Market Challenges

  • No standard forms or policy language
  • Comparison among different insurer forms is difficult
  • Lack of understanding of cyber risk
  • Broker sophistication (or lack of it)
  • Evolving and emerging risks

Application process

The application process is a critical step for proper, viable insurance

  • Precise declaration of volumes and types of data
  • Written, attorney-approved policies and procedures
  • Existing network security programs (firewalls, antivirus software, etc.)
  • Cyber security personnel
  • History of cyber events
  • Awareness of facts and circumstances that reasonably could give rise to a claim
  • Practices around encryption, passwords, patching, access controls
  • Third party audits
  • Employee hiring and termination practices
  • Third-party service providers
  • Backup procedures
  • Physical security controls
  • Prior insurance policy cancellation or declination

Coverage Pitfalls

Cyber is often unclear to people running businesses, let alone cybersecurity. They may not know or understand what could cause a breach, what the path could be, even in very simple terms and concepts. Yet this is potentially a huge issue and exposure.

  • Claimed cyber practices and procedures and other representations
  • Exclusion for failure to follow minimum required practices
  • Notice condition
  • Prior written consent requirements
  • Panel professions
  • Other insurance provision
  • Liability assumed under contract exclusion
  • Rogue/malicious employees
  • Imputation of intent
  • Pre-existing cyber conditions
  • Choice of law

For example, a pre-existing cyber condition could arise because attack dwell times currently average 200 days, and a contract could be signed after an attack has started.

GDPR

The General Data Protection Regulation (GDPR) raises new challenges for insureds and insurers.

  • Three types of personal data breach under the regulation:
    • Confidentiality
    • Availability
    • Integrity
  • Collection, use, storage, and disposal of personal data
  • Policies and other documentation
  • Data Protection Officer
  • Fines and penalties
  • Management liability

Unless an organisation understands where the risks are concerning GDPR, it will not get the right coverage. For example: - A data breach or confidentiality breach is often covered by insurance for GDPR - An availability might or might not be covered under GDPR or you need to ask - It is much harder to get coverage in GDPR insurance for an integrity breach

Additional Notes

  • Somebody in the organisation must own the process and tell the insurance carrier if anything material changes.
  • How an organisation presents itself as a risk will determine avail and price of insurance
  • Coverage and price benchmarking is improving, but still volatile
  • A business needs to understand how much of a ‘bad thing’ it can withstand, and how much it is prepared to pay in insurance. The business should then lay off just the part of the risk that it can’t/doesn’t want to handle.
  • Boards are being put in notice that they are responsible for risk and mis-managing risk. Directors and officers may need coverage, so remember to consider this.
  • To avoid confusion, consult with a risk manager and collaborate with Infosec, Audit and/or Compliance teams to help build an approach and determine the appropriate work plan for hedging the cyber risk profile.

Key Takeaway

5 critical steps to securing appropriate coverage

  1. Know your cyber risks
  2. Review your existing insurance program
  3. Carefully respond to application questions
  4. Match cyber insurance coverage to cyber risk profile
  5. Understand and operationalize policy requirements and obligations

References

Additional/External References

  • PowerPoint/PDF presentation by Yvette Connor and Judy Selby (URL is TBD, see separate file called owasp_2018_cyber_insurance_connor_selby.pdf)

Session organiser(s)

Yvette Connor Yvette Connor

Participants

Naushad S Naushad S , Orid Ahmed Orid Ahmed , Peter Turczak Peter Turczak , Radu Tighineanu Radu Tighineanu , Simon Pavillon Simon Pavillon , Yasmin Martin Yasmin Martin Barbara Prevel Barbara Prevel , Judy Selby Judy Selby

Attached materials: