
MITIGATING CYBER RISKS

8 MARCH 2019
AGENDA

• JLT Intro & Evolving Risk Landscape – Amit Solanki, JLT
• Quantification & the need for Monitoring Risk – Burgess Cooper, E&Y
• Current Regulatory Climate – Fines and insurability – Sarah Stephens, JLT
• Insurance as Solution – Vernica Walia, JLT

JLT INDEPENDENT INSURANCE BROKERS 2


WHO WE ARE

JLT is a global organisation of specialists and one of the world’s leading providers of insurance, reinsurance and employee benefits related
advice, brokerage and associated services.

Our collaborative approach enables us to share knowledge, solve problems and deliver the best solutions for our clients. We have the freedom
to take on new challenges, think creatively and capture opportunities that others may not. We always aim to do what is right for our clients, our
colleagues, our trading partners and our shareholders.

• Over 10,000 colleagues
• 2017 revenues of £1.39bn
• Market capitalisation of over £2.8bn (as at March 2018)
• £191.5m underlying profit before tax (2017)
• £11.1bn premiums placed
• 115+ offices
• 40+ territories

The full results of the JLT Group to 31 December 2017 are available at jlt.com



JLT INDEPENDENT SPECIALTIES



GLOBAL SPECIALISTS

Focusing and growing in specialist areas where we offer distinctive products, services and independent choice, such as:

• CONSTRUCTION (£100bn): JLT’s London construction team manages the insurance requirements for projects globally with a value in excess of £100bn
• SPECIAL RISKS (60%): JLT has been broker to over 60% of the world’s biggest sporting events over the last decade
• AEROSPACE (40%): Representing 40% of the world’s airline operators with 10 or more aircraft in service
• REAL ESTATE (50%): Broker to more than 50% of all commercial properties in the City of London
• EMPLOYEE BENEFITS (UK’s No.1): JLT is the UK’s largest administrator of private sector pensions
• ENERGY (30%): JLT handles in excess of 30% of the world’s mobile drilling rig fleet



RISK LANDSCAPE

WHAT IS CYBER RISK? WHO CAN IT IMPACT?

Any threat connected to the use of technology or data, impacting a business or an individual, is a cyber risk.
Any entity that utilizes a computer network or processes/collects confidential information is at risk.



POTENTIAL IMPACT OF A BREACH

A data and security breach can have serious operational, financial, legal and reputational implications for an organization.
Costs associated with a privacy breach and a security breach



CYBER INSURANCE ECOSYSTEM

Identification – Forensic Experts
• Establishing the extent of the breach
• Forensic examination costs
• Remediation of identified vulnerabilities

Notification & Response – Specialist Consultants
• Notification letters
• Mailing and other transmission
• Monitoring support and expenses

Management – Public Relations
• Call center support
• Setting up e-support mechanism
• Mitigating reputation loss

Legal Experts
• Response to third party liability claims
• Payment of settlements and court judgements
• Responding to regulatory investigations

Extortion
• Ransom negotiation
• Ransom payment
• Mitigation expenses & support



CASE STUDIES

BRITISH AIRWAYS (BA) – BUSINESS INTERRUPTION
SYSTEM FAILURE
Operational Negligence Analysis

The Incident
• On May 27th, 2017, BA cancelled all flights from Heathrow and Gatwick following a massive global IT failure.
• The CEO suggested that the failure happened due to a power outage.
• However, reports suggested that the failure was linked to BA’s decision to outsource hundreds of IT jobs to India.

Business Impact
• The system outage impacted 75,000 customers.
• All flights from Heathrow and Gatwick were cancelled on May 27th and several flights were delayed over the next few days.
• GBP 80,000,000 cost incurred by British Airways.

Conclusion
• An internal enquiry was conducted to determine whether the BA outage was human error.
• An IT worker was reported to be responsible for accidentally switching off the power supply.

MARRIOTT BREACH – BREACH OF PRIVACY
Full System Failure Analysis

The Incident
• On November 30th 2018, Marriott disclosed a data breach impacting as many as 500 million consumers.
• The intrusion began at Starwood in 2014, before Starwood was acquired by Marriott.
• Marriott waited about 3 months after detection to reveal the breach – an inadequate and delayed response.

Business Impact
• Class action lawsuits by customers and shareholders.
• One lawsuit seeks $12.5 billion in damages, or $25 for each of the 500 million individuals affected.
• Marriott might be exposed to GDPR data privacy rules.
• Drop in share price of 7%; securities class action lawsuit.

Conclusion
• Highlights the systemic nature of cyber risk.
• Focuses on the potential fallout of cutting costs (including security due diligence) in mergers.
• This has the potential to be the largest standalone cyber insurance loss in history, if considered insured.

MORRISONS CASE – VICARIOUS LIABILITY
Inherent Liability

The Incident
• A former senior employee of Morrisons leaked the personal details of 100,000 Morrisons employees on a file sharing website and sent the data to the press.
• 5,500 affected employees sued Morrisons for breach of the Data Protection Act 1998 (UK), alleging misuse of private information and breach of confidence.

Business Impact
• The ex-employee was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data, and was given an eight year sentence.
• The court also held Morrisons vicariously liable, stating that the acts of the Morrisons employee in sending data to third parties were within the field of activities assigned to him by Morrisons.

Conclusion
• Courts tend to use a broad and evaluative approach when considering an employer’s vicarious liability.

MONDELEZ – COVERAGE AND CHALLENGES
Coverage Issue & War Exclusion

The Incident
• In June 2017, the food company Mondelez International was hit by NotPetya.
• The malware caused damage to the company’s network servers and computers in excess of $100 million.
• Mondelez submitted its losses to its property insurer, which denied coverage in reliance on the policy’s war exclusion.
• Mondelez disagreed, and filed suit against Zurich on October 10, 2018.

Insurer’s Stand & Impact
• The insurer will have the burden of proving that the NotPetya attack was a “hostile or warlike action”, an argument that could be raised against any cyber attack.
• War exclusions were developed with physical conflicts in mind.
• While a cyber attack by one warring party against another could be an act of war, the same would not be true of an unintended attack on an innocent third party.

Conclusion
• Cyber insurers are increasingly willing to modify war exclusions so that they don’t apply to cyber terrorism.
• An unexpectedly broad ruling in Zurich’s favor might give cyber insurers an argument under their war exclusions.

GOOGLE – FRENCH REGULATORY ACTION
Regulatory Fine

The Incident
• Investigations against Google on the basis of complaints filed by local advocacy groups.
• The regulator CNIL stated that Google breached the GDPR by failing to meet transparency and information requirements.
• Failing to obtain a valid legal basis for processing.
• Invalid consent for ads personalization, because it isn’t specific and users aren’t sufficiently informed.

Business Impact
• EUR 50 million (about $57 million) fine, the biggest handed out for a data protection violation and the French agency’s first penalty under GDPR, justified by the regulator on the severity of the infringements.
• This is small compared to the maximum limits allowed by GDPR.
• Google announced that it planned to appeal the fine.

Conclusion
• Besides the fine, the regulator pointed out that maintaining the status quo will lead to further fines in France and also by other regulators.
• Separately, Google has been accused of GDPR privacy violations by consumer groups across seven European countries.



FACEBOOK – MULTIPLE INCIDENTS
CYBER & MANAGEMENT LIABILITY
Regulatory Fine / D&O Derivative Claim

The Incident
• Earlier in 2018, Facebook disclosed that the data of up to 87 million users had been improperly shared with Cambridge Analytica.
• In July 2018, Facebook reported slower-than-expected revenue growth and predicted reduced margins for the coming quarters.
• The value of the company’s shares declined 19%, representing a drop in market capitalization of nearly $120 billion. The fall was not triggered by any regulatory action.

Financial / Business Impact
• Facebook Inc. was fined a symbolic 500,000 pounds by the UK’s privacy regulator (the ICO), the highest possible under the pre-GDPR rules.
• A recent UK report calls for sites such as Facebook to be brought under regulatory control.
• Facebook and the Federal Trade Commission are discussing a settlement that could amount to a record, multibillion-dollar fine.

Litigation / Enquiries
• The investigation in New York continues with increased scrutiny of unlawful practices.
• Lawsuits filed alleging the company had misrepresented its policies with respect to the use and sale of user data, and its disclosures about its GDPR readiness and related privacy issues.
• Continuing investigations in Europe under privacy and antitrust laws – Germany, Ireland (10), UK.



INDIA SCENARIO

Aadhaar Data Breach Largest in the World, Says WEF’s Global Risks Report (1.1 Billion Registered Citizens)

• Privacy has been recognized as a fundamental Constitutional right by the Supreme Court.

• The Ministry of Electronics and Information Technology (MeitY) committee chaired by Justice B.N. Srikrishna released the Draft Personal Data Protection Bill.
  Modeled on the EU GDPR and Chinese regulations, the draft bill provides similar fines for non-compliance and holds organizations responsible: proposed fines of 2–4% of worldwide turnover or INR 5 crore to INR 15 crore, whichever is higher.
  If and when passed, this should act as the one comprehensive legislation encompassing all industry-specific cyber laws.

• The Ministry of Health and Family Welfare – Digital Information Security in Healthcare Act (“DISHA”), which would establish a National eHealth Authority (“NeHA”).

• Telecom Regulatory Authority of India (TRAI) – Privacy Regulations.



QUANTIFICATION OF RISK

CYBERSECURITY MANAGEMENT FRAMEWORK

A Cybersecurity Program Management Framework aligns with information security frameworks such as ISO 27001/2, NIST, SANS, PCI DSS 3.0 and industry leading practices and regulations, which help assess and improve your security posture and program. These are also some of the things insurers look at while evaluating your risk.

EY CYBER PROGRAM MANAGEMENT ASSISTS WITH..

Diagnose (First Insurer Evaluation)
• Plan work and establish engagement protocols
• Assess current state
• Determine future state and areas for improvement

Design and deliver
• Develop security roadmap
• Execute program recommendations

Sustain (Annual Renewal Discussions)
• Continuous improvement
• Measurable impact

• Understanding your organization’s risk exposure
• Assessing the maturity of your current information security program and identifying areas for improvement
• Ensuring a process of continuous monitoring and assessment

MATURITY RATINGS

Maturity ratings provide a quantitative method for identifying gaps, benchmarking against industry and tracking progress. The following maturity rating scale was used to assess the current maturity of Company A’s information security program and capabilities and to identify where improvements are required.

The maturity scale:
► Considers governance, metrics, people, processes, technologies and tools
► Helps determine strategic program initiatives to implement to reach desired future maturity
► Can be used to evaluate changes in maturity over time as recommendations are implemented

Maturity level descriptions
1 – Initial: Basic, ad-hoc, undocumented; changing capability may be in place with some technology and tools; limited local processes; limited organizational support.
2 – Managed: Partial capability is in place with a combination of some technology and tools; local processes covering some regions/business units, or processes are repeatable but may not be good practice or maintained; limited organizational support to implement good practice.
3 – Defined: Defined capability is in place with significant technology and tools for some key resources and people; processes defined for some regions and/or business units; organizational guidance and support is in place for some key regions and/or business units.
4 – Quantitatively managed: Mature capability is in place with advanced technology and tools for most key resources and people; consistent processes exist for most regions and/or business units; some governance is in place (accountability/responsibility/metrics) for most key regions and/or business units.
5 – Optimizing: Advanced capability is in place with leading-edge technology and tools for all key resources and people; consistent process across regions and business units; effective governance is in place (accountability/responsibility/continual monitoring for improvement).

MATURITY ‘SPIDER GRAPH’ RATING
FOR ILLUSTRATION PURPOSE ONLY

Cyber Program Maturity Ratings (Client = Company A; Sector = Diversified Industrial Products (DIP) peers; rated on the 1–5 scale above)

Domain category | Domain name | Client | Sector
Govern | Governance and organization | 1.2 | 1.8
Govern | Strategy | 1.4 | 1.7
Govern | Policy and standards | 1.1 | 1.0
Complicate | Architecture | 1.4 | 1.4
Complicate | Asset management | 1.8 | 1.8
Complicate | Host security | 2.0 | 2.5
Complicate | Identity and access management | 1.6 | 2.4
Complicate | Network security | 2.7 | 2.2
Complicate | Operations | 2.7 | 3.0
Complicate | Data protection | 1.7 | 1.5
Complicate | Privacy | 2.0 | 2.3
Complicate | Software security | 1.2 | 1.9
Complicate | Third party management | 2.2 | 1.9
Complicate | Vulnerability identification & remediation | 1.7 | 1.8
Complicate | OT Security | 1.8 | -
Detect | Threat intelligence | 0.9 | -
Detect | Security monitoring | 1.4 | 1.9
Respond | BCP/DR | 2.7 | 1.4
Respond | Incident response | 1.4 | 2.0
Educate | Awareness | 1.6 | 1.6

Overall Maturity Rating: 1.62

[Spider graph: Company A vs DIP vs Banking peers plotted per domain on a 0 to 3.5 scale]

Legend: Better than peers in Diversified Industrial Products (DIP) / Worse than peers in DIP / At par with peers in DIP

EVOLVING REGULATORY SCENARIO

CURRENT REGULATORY CLIMATE
GLOBAL CHANGES WITH RESPECT TO NOTIFICATION / FINES

EUROPEAN UNION
The General Data Protection Regulation has given data protection wider territorial scope; harsher sanctions (maximum fines of EUR 20M or 4% of global annual turnover, whichever is higher); broader investigative and corrective powers (on-site data protection audits and public warnings/orders for remediation processes); and it has made it easier for individuals to claim compensation.
The other changes resulting from GDPR include:
• A bigger variety of data covered by the regulation due to the broad definition of personal data as “any information relating to an identified or identifiable natural person (data subject).”
• Suppliers and processors are now directly regulated for the first time.
• Controllers are responsible for demonstrating that the data protection principles are complied with (they need clear processes to help them meet tightened protocols for data collection).
• The legal requirements for data processing are now more difficult for companies to meet, so they need to be more vigilant with processing checks.
• Increased focus on international data transfers by the media and regulators.
• Compulsory notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and to affected individuals “without undue delay” where the breach is likely to result in a high risk to them.
• More transparency is required through strengthened data subject rights: data subjects have the right to be informed about the processing of their data, to access that data in certain circumstances, and to have inaccurate data corrected.
• Companies now have to be more accountable, with thorough evidence of their compliance available for regular inspection and, where required, appointed data protection officers.
EU member states retain the right to introduce their own supplementary laws, so companies need to stay on top of the territorial differences to see whether the various laws impact their processing activities.




USA
Privacy and data protection regulation varies from state to state and can also depend on industry. All individual state regulations address notification procedures, but some add further requirements such as developing formal information security programs (MA) and encrypting payment card information in transit (NV). Industry-specific legislation for data regulation includes:
• Health Insurance Portability and Accountability Act (healthcare)
• Gramm-Leach-Bliley Act (finance)
• Children’s Online Privacy Protection Rule
• Fair Credit Reporting Act
• Payment Card Industry Data Security Standard (retail; a contractual card-scheme standard rather than legislation)
Insurers are increasingly wary of providing broad cover for all US privacy regulations. As the resources allocated to privacy and data protection enforcement increase, the number of investigations and resulting penalties is expected to rise. California has recently passed its own version of Europe’s GDPR, the California Consumer Privacy Act, which comes into effect in January 2020. The act applies to businesses meeting one of several thresholds, including holding personal information on 50,000 or more consumers, households or devices, and provides for civil penalties of up to USD 7,500 per intentional violation.
The Federal Trade Commission (FTC) is the only body with the authority to investigate broad violations of privacy or deceptive trade practices nationwide, and state Attorneys General have the same authority at state level. The FTC steps in predominantly where companies have obtained personal consumer information unlawfully or used it in an illegal way. It continues to engage with the global community and authorities to increase US companies’ awareness of correct privacy and data protection practices and to ensure their compliance.




AUSTRALIA
Data privacy and protection consists of both Federal and State/Territory legislation. The Federal Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to private sector organisations with annual turnover of at least AUD 3 million and to all Commonwealth Government and Australian Capital Territory Government agencies. The Australian Senate passed a bill establishing mandatory notification of ‘eligible’ data breaches to the Privacy Commissioner and to affected individuals, which came into effect in February 2018. The bill covers the same entities as the Privacy Act, plus foreign companies that deal directly with Australian consumers and companies sending personal information offshore. Failure to comply could result in maximum fines of AUD 1.8 million for serious and repeated offences. The bill carries similar, but less extensive, insurance considerations to GDPR.
ASIA
The APEC Privacy Framework published in 2005 complements regional approaches to personal data privacy, but it consists only of principles that are not as enforceable as the GDPR. Recent law changes in Singapore, Malaysia, China and South Korea show that regulation is becoming more of a priority across the continent. Chinese data protection has advanced significantly, and South Korea, the Philippines, Indonesia and Japan also have mandatory reporting requirements. As Asia’s economies increasingly deal with the global community and trade across borders, they are increasingly reliant on technology, so their regulations are likely to tighten. Hong Kong’s Privacy Commissioner for Personal Data has announced a study of GDPR with a view to implementing something similar in the coming years. The same incident response considerations as in Europe and Australia apply. In Asia, it is also customary to offer small amounts of compensation to consumers after a breach, so insurers may consider extending cover for voluntary ‘settlements’ or ‘costs to proactively compensate consumers.’




CANADA
There is a patchwork of 28 different privacy laws at federal and provincial level, which govern issues such as the protection of personal information, collection of data, online privacy and behavioural advertising. The overarching federal law is the Personal Information Protection and Electronic Documents Act (PIPEDA). In September 2017, regulations were also added to mandate breach reporting under PIPEDA (in force since 1 November 2018). There is increasing pressure for broader privacy laws to mirror GDPR, as Canada currently offers only an ‘adequate’ level of data protection for information transfers. Incident response coverage and privacy violation considerations are the same as in Europe, but policy wording should be as broad as possible to encompass the patchwork of laws and to ensure that the definition of personal information isn’t too restrictive.
LATIN AMERICA
Data protection and privacy rules across LatAm consist of both federal and local legislation. The countries with specific data protection laws include Colombia, Brazil, Argentina, Mexico, Peru, Chile, Nicaragua, Costa Rica, Panama, Uruguay and Paraguay.
The EU traditionally sets the bar for data protection regulation around the world and some obligations can apply in non-EU countries. Countries outside Europe can also decide to follow GDPR obligations for the potential monetary benefits of being considered “adequate” for data transfers from Europe. For this reason, the introduction of GDPR has had a knock-on effect in Latin America, with regulations becoming stricter and new bills being proposed in Brazil, Argentina and Chile that mirror some features of the European legislation. This is bringing a new level of consistency to the global community’s data protection and privacy laws, but companies should still be aware of the different regional wording and requirements.



INSURANCE AS A SOLUTION

CYBER INSURANCE
FIRST PARTY COVER (OWN COSTS)

• Forensic IT, Legal and PR Costs
• Regulatory Investigations – Costs & Fines (where insurable)
• Notification & Credit Monitoring
• PCI Data Security Standards
• Electronic Data Reconstitution
• Cyber Extortion
• Loss of Income & Costs – Interruption due to Security Breach, Privacy Breach & Cyberterrorism



THIRD PARTY COVER (LIABILITY)

• Personal & Corporate Data Liability
• Outsourcing Liability
• Data Security Liability – denial of access, virus transmission etc.
• Media Liability: infringement of copyright, plagiarism, libel/slander, invasion of privacy
• Defence Costs & Damages



KEY EXCLUSIONS

• Antitrust

• Bodily Injury and Property Damage (carve back available now)

• Contractual Liability (carve back available now)

• Intellectual Property

• Prior Claims and Circumstances (retro date concept)

• Securities Claims

• Terrorism / War

• Unauthorised or unlawfully collected data (carve back available now)

• Uninsurable Loss



EVOLVING CYBER COVERAGE

• Third Party Liability endorsements
• Business Interruption due to breach cover
• Supply Chain cover
• Cloud Coverage
• First party expenses and liability policy
• System Failure coverage
• Outsourcing Cover
• Individual Cyber + Crime cover

Recent Enhancements
• Network Security coverage

• Additional Costs for System Upgrade

• Property Damage Gap cover

• SLA Penalties cover

• Cyber Product Liability Cover



COMMON QUESTIONS WE HOPE TO HAVE ADDRESSED
• What a Cyber Policy covers

• Difference between first party costs and third party liability

• Cyber risk is just hacking, right?

• We outsource payment processing, data storage, so how are we at risk?

• My biggest risk is my reputation, and this can cover that?



CONTACT INFORMATION

Amit Solanki | Lead Partner | JLT Independent


+91 9820769692
Amit_Solanki@jltindependent.com

Burgess Cooper | Partner, Advisory Services | E&Y


M: 99308 18333
E: Burgess.cooper@in.ey.com

Vernica Walia | Principal Consultant | JLT Independent


+919930423012
Vernica_Walia@jltindependent.com

Disclaimer: Insurance is the subject matter of solicitation. The information contained in this publication is based on sources we believe are reliable however we do not
guarantee its accuracy. This information provides only a general overview of subjects covered; is not intended to be taken as advice regarding any individual situation or as
legal, tax, or accounting advice; and should not be relied upon as such. Recipients of this publication should consult their own legal and other advisors regarding specific
coverage and other issues.

For more details on risk factors, terms and conditions please read sales brochure carefully before concluding a sale.

Authorised and regulated by the Insurance Regulatory and Development Authority of India (IRDAI). An associate of the
Jardine Lloyd Thompson Group. JLT Independent Insurance Brokers Private Limited, +91 22 4510 5900,
www.jltindependent.com