Cyber risk challenge and the role of insurance

3 November 2015

Carsten Topsch, Andreas Schlayer

Image: Clerkenwell / Getty Images

Accelerating Growth in Technology

(condensed)

1400 1450 1500 1550 1600 1650 1700 1750 1800 1850 1900 1950 2000 2050

Leads to exponential development

of cyber exposures

First 3D Chip3D Movies

Google Driverless CariPad

YoutubeGoogle

Hybrid Cars

DVDs

Cell PhonesWWW

Apple MacintoshMS-DOS

WordprocessorMicroprocessor

Windows

Facebook

Man on Moon

Steam Engine

Telegraph

Light Bulb

Telephone

Car

TelescopePrinting Press

Source: asgard.vc 04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch 2

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

1

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

0

0

0

1

0

1

0

1

1

0

1

1

0

1

0

1

1

1

1

0

1

0

1

1

1

1

1

1

0

1

1

0

0

0

1

1

1

0

0

1

1

1

1

0

0

1

1

1

1

0

0

0

1

0

1

1

0

0

1

1

1

0

1

1

1

0

1

0

0

1

0

0

1

1

0

1

0

0

1

0

1

0

0

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

1

1

0

0

1

1

1

1

1

0

1

1

0

0

0

1

1

1

0

0

1

1

1

1

0

0

1

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

Exposure grows with evolution

of technology

Customer starts to perceive the

risk suddenly and unexpectedly

Therefore cyber risks are different

Cycle

Cycle

Cycle

Cycle

CycleChange

Change

Change

Change

Change

Demand for insurance

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch 3

Estimated Primary Insurance Cyber Market

Result

Exponential growth of cyber Insurance market

0

1

2

3

4

5

6

7

8

9

2013 2014 2015 2020

2013, 2014 & 2020

US market Rest of the world

In USD bn.

1.3–1.5

2.1–2.3

3.0–3.2

6.0–8.0

~1.2–1.4

~0.1

~5.0

~1.0–3.0

~2.0

~0.1–0.3

~2.75

~0.3–0.5

Source: RID market estimate based on different external sources

(Marsh & McLennan, Advisen, Barbican Insurance, Allianz, Betterley 04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch 4

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

1

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

0

0

0

1

0

1

0

1

1

0

1

1

0

1

0

1

1

1

1

0

1

0

1

1

1

1

1

1

0

1

1

0

0

0

1

1

1

0

0

1

1

1

1

0

0

1

1

1

1

0

0

0

1

0

1

1

0

0

1

1

1

0

1

1

1

0

1

0

0

1

0

0

1

1

0

1

0

0

1

0

1

0

0

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

1

1

0

0

1

1

1

1

1

0

1

1

0

0

0

1

1

1

0

0

1

1

1

1

0

0

1

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

1

0

0

0

1

1

Very quickly the demand for

insurance develops

And keeps changing and

evolving with every

technology cycle

Therefore cyber risks are different

Change Demand

DevelopEvolve

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch 5

For now identified areas of Cyber Insurance

Private Lines

insurance solutions

Data breach insurance

for commercial

business

Data breach insurance

for industrial business

Insurance of

critical infrastructure

Images: used under license from shutterstock.com 04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch 6

Challenges for an insurer which have to be mastered

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch

Both in an dynamic and quickly changing environment

Pricing

Risk-

assessment

Claims

Handling

7

Munich Re Services

One Source to support your business

Service

Knowledge

Transformation

Market environment (global and national)

Business Experience

Legal developments

Risk assessment

Pricing

Terms & Conditions/Wordings and its Conception

Claims service

Network of (IT) Service Providers

Product consulting

Accumulation management

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch 8

Know-how sharing

International legal developments

SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch

Canada

Broadening the Federal law “Personal

Information Protection and Electronic

Documents Act” (PIPEDA) following the US.

Partly stricter federal

state laws in force

Brazil

No Data Protection law. But several special

laws that address data protection

and security.

Like in Chile, trends for data protection

arising out of Brazil are expected to

influence other South American countries.

First debates about Data storage laws.

Malaysia

Personal data Protection

Act 2010

Indonesia

Electronic Information

Transaction Act

Germany

EU Guideline for Network- and

Information security.

“IT-Sicherheitsgesetz”

Liability of companies – e. g., § 93

Aktiengesetz, §43 GmbHG

Australia

New Government promises new laws

and enhanced data protection.

Privacy Act 1998

Russia

New “Data-localisation-law”, effective

since Sept. 2014. Collection of PII

Data in Russia, these have to be

stored in Russian data centres.

Companies have to use Russian

servers for data which was gathered

in Russia.

South Africa

Protection of Personal Information Act

(“POPIA”) 2013

Singapore

Is working on Data protection laws,

triggered by a huge incident/claim.

Could become a role model for other

Asian countries.

India

The government gathers

biometric data. Usage for those

still has to be regulated.

Otherwise EU-Regulation in

regards of Information- and Data-

protection serves as role model

Alternative

04 November 2015 9

Transformation into underwriting

Risk assessment

1. Underwriting-tool

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch

2. Proposal Forms and Questionnaires, depending on the complexity of a single risk or portfolio

Overall Exposure

(low, medium, high)

Overall Complexity

(low, medium, high)

IT Security Protection

Level (0–125%)

Quantity Rating

(0–100%)

Quality Rating

(good, medium, bad)

Exposure

Complexity

Security Level

Overall Exposure/

Complexity Score

Actual Security Level

(0–125%)

Actual Risk Rating

(1–4)

10

Transformation into claims handling

Service provider network

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch

Service

Provider

IT Forensics

Data

Forensics

incl.

Accounting

11

PreventionFirst

Notification

of Loss

(Call Center)

Claims Handling

Crisis Consulting

Crisis Management

(Public)

Notification

Public Relations

Legal Consulting

Identity protection and -

recovery

Forensics

Cyber Extortion

Worldwide spread

Large number of systems infected by one event

Accumulation

Cyber accumulation scenarios

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch

Worldwide spread

Large number of services interrupted

No prevention by insured possible

Accumulation is triggered by one company

Large number of clients affected in one event

“Global Outage” of external networks,

e.g., the Internet

Outage of a large Cloud Service Provider as

a supplier

Self-reproducing Computer Viruses

12

sub cloud

provider

credit

company

bank

hospital

sub cloud

provider

Cloud

provider

end user

pharma

industry

sub loud

provider

bank

hospital

sub loud

provider

sub loud

provider

sub loud

provider

client

bank

company

invalid

supplier

pharma

hospital

lab

lab

doc

client

bank

company

doc

end user

end user

1st tier

Online-

shop

end user

end user

2nd tier

Accumulation

Cyber accumulation scenarios

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch

Accurate modeling not possible

Excluded under reinsurance treaty and/or insurance policy

Low limits for unnamed service provider

High limits for named service provider

Monitor exposure per service provider

“Global Outage” of external networks,

e.g., the Internet

Outage of a large Cloud Service Provider as

a supplier

Model propagation of a “Super Virus”

Determine effect on portfolio

Introduce sublimit in insurance policy

Annual Aggregate Limit in reinsurance treaty

Self-reproducing Computer Virusessub cloud

provider

credit

company

bank

hospital

sub cloud

provider

Cloud

provider

end user

pharma

industry

sub loud

provider

bank

hospital

sub loud

provider

sub loud

provider

sub loud

provider

client

bank

company

invalid

supplier

pharma

hospital

lab

lab

doc

client

bank

company

doc

end user

end user

1st tier

Online-

shop

end user

end user

2nd tier

13

Our Approach and Offer to you

Primary- and Reinsurance Solutions

04 November 2015SIRC 2015 - Presentation by Mr. Andreas Schlayer and Mr. Carsten Topsch

Product consulting

and tailor-made

service to meet

your demands

Worldmap

Business Experience

Expert Network

Wording

Workshops

Risk assessment

Portfolio management

Pricing

Designing terms & conditions and its concepts

Network of service providers

Accumulation management

…

14

Thank you for your attention

3 November 2015

Carsten Topsch, Andreas Schlayer

Image: Clerkenwell / Getty Images

© 2015 Münchener Rückversicherungs-Gesellschaft © 2015 Munich Reinsurance Company