1. Cyber Insurance cs5493(7493)

2. AKA E-commerce insurance E-business insurance Information system insurance Network intrusion insurance

3. Brave New World New field of insurance, policies begin appearing at the beginning of the 21 st century.

4. Old vs New What do traditional insurance policies cover?

5. Traditional Policies Traditional insurance policies do handle tangible loss and damage claims due to Fire

6. Traditional Policies Traditional insurance policies do handle tangible loss and damage claims due to Fire Flood

7. Traditional Policies Traditional insurance policies do handle tangible loss and damage claims due to Fire Flood Theft

8. Traditional Policies Traditional insurance policies do handle tangible loss and damage claims due to Fire Flood Theft Other natural disasters.

9. Traditional Policies Traditional insurance policies do handle tangible loss and damage claims due to Fire Flood Theft Other natural disasters Liability claims.

10. Traditional Policies Traditional policies would not cover financial losses related to lost data. Data losses are not covered for DoS or mal-ware attacks.

11. Traditional Policies: Data Loss Claims For that distinction you can thank American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc., a U.S. District Court ruling in Arizona in 2000. The court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee. "After that, the insurance firms changed their policies to state that data is not considered tangible property,“ (Kalinich) The upshot is that an enterprise needs special cyber insurance to cover data-related issues.

12. Legal Precedence High profile cases against the insurer will cause all insurers to change their policy offerings.

13. Cyber-Insurance The gap left by traditional policies created a market for cyber-insurance. Example: traditional policies do not cover: Data loss from malware (AGLI vs Ingram Micro) Revenue loss from DoS attacks Contacting individuals who have had their private information hacked. Re-issuing compromised credit-card info. Etc.

14. Cyber Insurance Challenges Insurance market inefficiencies

15. Cyber Insurance Challenges Insurance market inefficiencies Asymmetric information

16. Cyber Insurance Challenges Insurance market inefficiencies Asymmetric information Mono-cultures

17. Cyber Insurance Challenges Insurance market inefficiencies Asymmetric information Mono-cultures Moral hazard

18. Cyber Insurance Inefficiencies New field of insurance, policies begin appearing at the beginning of the 21 st century. Not much data for actuaries to determine the risks

19. Cyber Insurance Inefficiencies New field of insurance, policies begin appearing at the beginning of the 21 st century. Not much data for actuaries to determine the risks Prices of policies vary greatly from one product offering to the next.

20. Cyber Insurance Inefficiencies New field of insurance, policies begin appearing at the beginning of the 21 st century. Not much data for actuaries to determine the risks Prices of policies vary greatly from one product offering to the next. Insurance regulators have little guidance for monitoring cyber-insurance policies.

21. Cyber Insurance Inefficiencies Insurers face a small market for reinsurance available for cyber-policies

22. Reinsurance Insurance carriers can purchase insurance to spread their risk to other firms.

23. Claims Signs of an immature product offering: Early claims made under cyber-polices were contentious (ended up in court) Court disputes were not consistent due to lack of precedence.

24. Lack of Standards There are no standard products, insurers are creating polices on a case-by-case basis. There are no standard products for insurance regulators to examine

25. Asymmetric Information If a firm purchases a $25-million dollar policy, they must have a good reason to do so. (is it in the best interest for the insurer to offer such a policy?)

26. Mono-culture Risk An insurance company must have a diverse base to reduce the possibility of being overwhelmed by a single event generating too many claims.

27. Mono-Culture Risk The interdependency and correlation of risk to insurers impose a high probability of excessive losses. Insurers need a diverse and large policyholder base.

28. Cyber Insurance Mono-Cultures The IT industry carries the risk of installed system mono-cultures: Millions of systems run MS Windows and all could be vulnerable to the same attack.

29. Cyber Insurance Mono-Cultures The IT industry carries the risk of installed system mono-cultures: Millions of systems run MS Windows and all could be vulnerable to the same attack. Some attacks carry a high probability of excessive payouts by the insurers.

30. Moral Hazard Under full insurance, the insured has little incentive to undertake precautionary measures because losses are compensated.

31. Moral Hazard Insurance companies have strategies to reduce their moral hazard risk.

32. Moral Hazard Ways to mitigate moral hazard: Impose claim limits

33. Moral Hazard Ways to mitigate moral hazard: Impose claim limits Deductible requirement on claims

34. Moral Hazard Ways to mitigate moral hazard: Impose claim limits Deductible requirement on claims Claims have a monetary convenience cost

35. Moral Hazard Ways to mitigate moral hazard: Impose claim limits Deductible requirement on claims Claims have a monetary convenience cost Increase premium rates to the insured

36. Moral Hazard Ways to mitigate moral hazard: Impose claim limits Deductible requirement on claims Claims have a monetary convenience cost Increase premium rates to the insured Fraudulent claims and criminal behavior of the insured are not covered.

37. Moral Hazard Ways to mitigate moral hazard: Impose claim limits Deductible requirement on claims Claims have a monetary convenience cost Increase premium rates to the insured Fraudulent claims and criminal behavior of the insured are not covered. Policyholder must meet a standard of care

38. Moral Hazard Ways to mitigate moral hazard: Impose claim limits Deductible requirement on claims Claims have a monetary convenience cost Increase premium rates to the insured Fraudulent claims and criminal behavior of the insured are not covered. Policyholder must meet a standard of care Contracts must be renewed annually, the insurer can terminate the relationship

39. Standard of Care Requirements The insurers are making standard of care requirements mandatory for cyber-insurance coverage.

40. Standard of Care Requirements Data backup and procedures

41. Standard of Care Requirements Data backup and procedures Data backup storage

42. Standard of Care Requirements Data backup and procedures Data backup storage Network Firewalls

43. Standard of Care Requirements Data backup and procedures Data backup storage Network Firewalls Security software – (i.e. anti-malware)

44. Standard of Care Requirements Data backup and procedures Data backup storage Network Firewalls Security software – (i.e. anti-malware) Well defined security plan

45. Standard of Care Requirements Data backup and procedures Data backup storage Network Firewalls Security software – (i.e. anti-malware) Well defined security plan Password management

46. Standard of Care Requirements Data backup and procedures Data backup storage Network Firewalls Security software – (i.e. anti-malware) Well defined security plan Password management Employee security awareness training

47. Standard of Care Requirements Data backup and procedures Data backup storage Network Firewalls Security software – (i.e. anti-malware) Well defined security plan Password management Employee security awareness training Software updates/patches

48. Standard of Care Requirements Standard configurations

49. Standard of Care Requirements Standard configurations Encryption

50. Standard of Care Requirements Standard configurations Encryption Vulnerability monitoring

51. Standard of Care Requirements Standard configurations Encryption Vulnerability monitoring Physical security controls

52. Standard of Care Requirements Standard configurations Encryption Vulnerability monitoring Physical security controls Remote access controls

53. Standard of Care Requirements Standard configurations Encryption Vulnerability monitoring Physical security controls Remote access controls Privacy and confidentiality policies

54. Standard of Care Requirements Standard configurations Encryption Vulnerability monitoring Physical security controls Remote access controls Privacy and confidentiality policies Business continuity (disaster) plan

55. Standard of Care Requirements Standard configurations Encryption Vulnerability monitoring Physical security controls Remote access controls Privacy and confidentiality policies Business continuity (disaster) plan Testing of security controls

56. Standard of Care Requirements Logging events Measuring effectiveness of security controls

57. Standard of Care Requirements The insurers are providing cyber risk- management services to help clients identify vulnerabilities.

58. Cyber Insurance Providers AIG Zurich North America Saint Paul Companies Liberty Mutual Lloyds of London Chubb Group INSUREtrust

59. Policy Premiums Policy premiums are based on a wide number of factors:

60. Policy Premiums Policy premiums are based on a wide number of factors: Size of company

61. Policy Premiums Policy premiums are based on a wide number of factors: Size of company Amount of data to protect

62. Policy Premiums Policy premiums are based on a wide number of factors: Size of company Amount of data to protect Past losses and previous claims

63. Policy Premiums Policy premiums are based on a wide number of factors: Size of company Amount of data to protect Past losses and previous claims Number of individuals having privileged access

64. Policy Premiums Policy premiums are based on a wide number of factors: Size of company Amount of data to protect Past losses and previous claims Number of individuals having privileged access standard of care enforcement

65. Policy Premiums AIG Small company can spend as little as $1000/year for up to $100K coverage.

66. Policy Premiums AIG Small company can spend as little as $1000/year for up to $100K coverage. More comprehensive coverage can be purchased for $50,000/year.

67. Coverage (Chubb Group) Data Breach Coverage includes cost of Notifying victims (mandated by law in many instances)

68. Coverage (Chubb Group) Data Breach Coverage includes cost of Notifying victims Call center support for the incident

69. Coverage (Chubb Group) Data Breach Coverage includes cost of Notifying victims Call center support for the incident Credit monitoring for victims

70. Coverage (Chubb Group) Data Breach Coverage includes cost of Notifying victims Call center support for the incident Credit monitoring for victims Credit restoration services for victims

71. Coverage (Chubb Group) Data Breach Coverage includes cost of Notifying victims Call center support for the incident Credit monitoring for victims Credit restoration services for victims Crisis management services

72. Coverage (Chubb Group) Data Breach Coverage includes cost of Notifying victims Call center support for the incident Credit monitoring for victims Credit restoration services for victims Crisis management services Replacement of effected equipment.

73. Coverage (Chubb Group) Data Breach Coverage includes cost of Notifying victims Call center support for the incident Credit monitoring for victims Credit restoration services for victims Crisis management services Replacement of effected equipment. Data recovery costs

74. Coverage (INSUREtrust) Regulatory & Civil Action Coverage Fines from private and government regulatory agencies (under HIPPA, SOX, …)

75. Coverage (INSUREtrust) Regulatory & Civil Action Coverage Fines from private and government regulatory agencies (under HIPPA, SOX, …) Civil class-action and individual lawsuits Study liability insurance from other held policies to insure you are not paying for double coverage, insurance companies will not double cover on a claim.

76. Coverage (Chubb) Cyber extortion coverage For cases where a hacker steals data from the policy holder and then tries to sell it back, or someone plants a logic bomb in the policy holder's system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the expense of offering a reward leading to the arrest of the perpetrator

77. Coverage Virus liability: Pays in cases where the policy holder is sued by someone who claims to have gotten a virus from the policy holder's system

78. Coverage Revenue lost For example, revenues lost due to DDOS attacks.

79. Coverage A new provision in cyber-insurance includes “damage to reputation”

80. Coverage

81. Total Cyber Policy Coverage Insurance provider Willis NA, estimates about $750 million dollars in total polices worldwide (P. Foster, Dec 2011) Cyber insurance coverage increased to above estimated $1.2 Billion in 2013. (total insurance market place is $1.1 Trillion, Insurance Information Institute) A 20% increase over 2011 (Marsh&McLennan) A 33% increase over 2012. (ibid)

82. Coverage Growth Cause Regulatory requirements that customers be notified when their data is compromised.

83. Example of Cyber Insurance The Target Stores security breach resulted in $61 million dollars in expenses (Reuters, 2014). A cyber insurance policy covered $44million of those expenses. This resulted in a net loss of $17 million for Target.

84. Regulation vs Insurance Regulation has punitive measures for non- compliance: fines and incarceration Insurance is used to transfer risks, there are no fines or incarceration, only the threat of monetary loss, reputation, etc.

85. Regulation vs Insurance What if government agencies and contractors were required to purchase cyber insurance rather than using punitive measures? What if the government provided a temporary reinsurance market to help the overall marketplace grow? There would be resistance to such suggestions (Whitehouse paper 2005).