Data and Cyber Liability Insurance Presentation to the Institute of Directors, Guernsey • Friday 15th April 2016 John Cross, Managing Director, Glemham Underwriting Limited
Today’s talk… • A Bit About Me And Glemham • Insuring Data – A Brief History • The Transition From Paper To The Cloud • Liabilities – Off-line And On-line • What Cover Is Available?
A Bit About Me…and Glemham • Underwriting liability and Professional Indemnity insurance since 1986 for Commercial Union and various syndicates at Lloyd’s. • A pioneer of online trading in commercial insurance, backed by a traditional support team of underwriters and administrators. • Established Glemham Underwriting in 2006. • Glemham underwrites a range of commercial insurance classes for micro businesses and SMEs based in the UK, the islands and Ireland
The Transition From Paper To The Cloud • Commercial firms have adopted IT to the point that multi-platform networks are the norm. • This development has taken place via mainframes (largest businesses only) through PCs (most firms) to tablets, smartphones etc (everyone). • This is all despite the lack of availability of affordable cover for loss of data. • Firms spend what they perceive they need to (or their clients demand) to keep this safe from third party incursion although, as with physical property, the main protection is not being targeted by data thieves. • Cloud-based storage is perceived as being safer due to data storage companies being able to demonstrate higher levels of data security than most businesses can reasonably afford. • This is the single largest reason why data insurance is becoming a) available and b) affordable.
Insuring Data – A Brief History (i) • Insurers understand tangible property but have been reluctant to extend cover to electronic data for fear that previously uninsured losses will result in a deluge of claims. • Computer Insurance policies have been able to cover reinstatement of lost data for 20+ years – typically £10k-£25k limits for £50-£1000’s premium. • Cover didn’t include the value of data itself, just the cost of re-keying it. Relatively few buyers as a consequence. • First products developed in the US in the 1990s for very limited audience (mainly internet companies) & insurer appetite dented by Y2K and 9/11 (the latter shrinking capacity for innovation). • Low demand for more sophisticated product due to lack of reliable actuarial data on losses in the business world and low awareness of what is available. Many Lloyd’s insurers entered the market but withdrew due to lack of a viable business mix.
Insuring Data – A Brief History (ii) • US Cyber products offered relatively low cover limits and demanded expensive up-front penetration testing and network audits before any cover was provided. • As a consequence, only highly exposed buyers sought the cover, resulting in a market with few high value risks and most insurers deciding not to participate other than via small % participation at Lloyd’s on specialist facilities where the brokers drove the wording and pricing. • By the mid 2000s, increased risk awareness in general led to clients seeking protection under standard commercial insurance policies as data became integral to all businesses following the mass abandonment of paper-based systems. • Insurers still hampered by the lack of actuarial data so, while specialist markets starting to build momentum, most larger UK insurers still not entering the market.
Insuring Data – A Brief History (iii) • In 2015 demand in the UK for “Cyber Insurance” became a clamour with all markets rushing to design and launch their product. • Nothing had changed apart from the perception that such a product was needed as a defensive tool. Some pressure from regulators & professional bodies (eg the Jersey Financial Services Commission) • The rush to market has led to each insurer having a different offering, usually backed by some form of risk assessment, probably involving an on-line tool for small limits through to a full penetration test and on-site appraisal for larger operations with a substantial web presence. • Of course, the very largest firms have always been able to incorporate data loss within their self-insured programmes to the extent they are able to reinsure this above the limit they are willing to retain (pay) themselves. • Now, in 2016, some sense of conformity is emerging.
Liabilities – Off-line and On-line • Liability insurance is a different animal to Property as the loss is paid to the third party, not the policyholder. • Liability claims are rarer as a consequence of the need to prove who is liable for the loss rather than it just having happened. • Insurers have happily been covering the third party risks posed by IT companies for the past two decades. Losses have been relatively few and, while costly, insurers have made money – good money. • That said, claims are believed to be under-reported because IT “always goes wrong, takes longer to deploy and costs more than originally forecast”. Client expectations have factored in some element of reluctance to claim against the IT supplier. • Surprisingly, computers have led to no new laws beyond the widening reach of privacy legislation. The torts remain the same (libel, trespass, negligence etc).
What Cover Is Available? • There are currently two approaches to providing cover: • A cheap policy extension • A more sophisticated stand-alone cover • The first is usually offered as an add-on to an existing commercial policy also covering buildings, contents etc. • This extension can cost from as little as £50 per policy with some insurers levying this as a flat amount irrespective of the size of the insured firm. • The latter is often a stand-alone offering from an insurer or agent who only underwrites “Cyber” cover. • This bespoke cover is more expensive with cost starting from around £1,000 and rated on turnover and the client sector concerned.
The Cyber Extension • This usually covers the additional costs of dealing with a systems breach and extends Public Liability cover to include liabilities arising from email and the company’s web presence (if not already covered). • Insured events are typically: • Media Liability – infringement of third party intellectual property, defamation (libel & slander) and negligent virus transmission. • Breach of confidential third party information. • Limits are significantly lower than for injury and damage claims – typically £10,000s rather than £millions. • Businesses who purchase Professional Indemnity cover already have much of what is provided as part of their standard cover. • The more useful extensions include costs incurred in putting email and the company’s website back on-line but subject to an excess and low level of cover which is aggregated for this and third party claims.
The Cyber Policy (i) A specialist Cyber policy typically breaks cover down into component parts, typically as follows: • First and third party costs relating to security breaches (forensic, notification of affected parties, notifying regulators etc). • Loss of income & increased costs of working following a breach • Costs of restoring the system, email or website following hacker damage • Cyber Extortion – payment of ransom demands • Claims from third parties for loss of privacy including payment card industry charges & fines. • Media Liability – infringement of third party intellectual property, defamation (libel & slander) and negligent virus transmission.
The Cyber Policy (ii) A more comprehensive Cyber policy may also include: • Vicarious liability for failures by cloud providers & other vendors • Damage to own reputation, including PR costs to mitigate reputational damage • Own and third party costs resulting from rogue employees • Monetary loss arising from phishing scams • Cover for programming errors. These policies typically also provide cover for significantly higher limits. They also rely on an up-front online data protection questionnaire which informs the underwriting process in terms of the applicant’s current protection levels and recommends subsequent actions which leads to qualification for other covers.
The Situation in Guernsey (i) Insurers like doing business on the island because of the low crime rate but... Cyber & Data risks are different as they do not require a physical presence to happen and... Guernsey has lots of client money. While physical remoteness is no longer an advantage, the island’s ability to fund state of the art cyber security is going to be key to it being seen as an attractive location for cyber insurance as... Cyber criminals are just like physical ones – they seek weakness and exploit it for their own gain.
The Situation in Guernsey (ii) As a consequence, the key is not just to buy the cheapest Cyber & Data insurance but to select a product that comes with a durable risk assessment and then provides meaningful coverage in the event of an attack. Cheap ‘add-ons’ are just that and will only deal with peripheral expenses: they won’t protect the business. Mainstream insurers are often not the best placed to assist with this although that is changing as they race to catch up. Look out for those who partner an established IT security business and, particularly, at the hoops that must be jumped through to qualify for the cover. Those insurers who have the highest risk acceptance standards are probably going to survive the longest in the class.
In Summary… • It is clear Cyber and Data insurance remains a developing area of coverage. • Developments over 2015 mean most firms can now access cover at modest cost. • Businesses who are entirely dependent upon their and client data can now purchase higher limits of cover (£ millions). • The quality and level of cover is dependent upon measures taken to protect the network against attack. • It will still take time for a common approach to emerge so do not fall into the trap of buying Cyber and Data cover as part of a single insurer package if it is inadequate.
Thank You… Many thanks for listening. Any questions?