THE ROLE OF THE CYBER
UNDERWRITER
MATTHEW HOGG, LL.B. (HONS), LL.M.
VICE PRESIDENT, STRATEGIC ASSETS
LIBERTY SPECIALTY MARKETS
• Liberty Specialty Markets (www.libertyspecialtymarkets.com) is the trading name for the
combined operation of Liberty Mutual Insurance Europe Limited, Liberty Syndicate
Management Limited and Liberty Mutual Reinsurance
• Liberty Specialty Markets is part of Liberty Mutual Insurance Group
• The operation is composed of three business units: Commercial, Specialty and Reinsurance
2
AGENDA
• The Role of an Underwriter
• Cyber Insurance (refresher)
• A "dummies" guide to cyber risk selection & pricing
3
THE ROLE OF AN UNDERWRITER
• Consider applications for insurance cover and decide whether to accept and, if so, on what
terms and conditions of acceptance:
- Ensure happy with detail of information provided
• Information requests
• Conference calls
• Site visits
- Assess likelihood of a claim (frequency AND severity)
- Assess ethical & legal position before offering terms
- Decide on what coverage should be provided (drawing up policy
documents/endorsements)
- Price the exposure of the risk allowing for loss ratios, expenses, profit/rate of return
- Negotiating terms with the insurance broker
4
THE ROLE OF AN UNDERWRITER II
• Liaising with experts:
- Risk management solutions
- Risk Assessment companies
- Lawyers
• Claims involvement:
- Involvement in significant claims
• Policy language determination
• Assisting in-house claims with choice of external expert claims expertise
5
THE ROLE OF AN UNDERWRITER III
• Actuarial involvement:
- Analysing actuarial data
- Determining “reserving”, “IBNR” and anticipated loss ratios
• Analysing Systemic and Aggregation Risk
- Technological
- Contingent/outsourcing
- Industry, e.g. critical national infrastructure
- Regulatory/Legal
- Socio-Economic
6
THE ROLE OF AN UNDERWRITER IV
• Running a P&L
- Operating a team/division/business for the purposes of providing insurance solutions
• Expense management (internal and external)
• Reinsurance purchasing
• HR/staffing
• Finance knowledge
• Strategy
• Setting the “appetite” parameters
• New Business development/Innovation
- Marketing
- Product development
7
8
CYBER INSURANCE
• London now offering limits of up to $300m
• Standalone or by endorsement
• Over 20 markets in London
• But Europe lagging behind - $300m
CYBER INSURANCE
• “relating to or characteristic of the culture of computers, information technology, and virtual
reality”
• Reality?
- A policy only covers what the insurer wants it to cover
- No standardisation
- Covers i) computer network integrity exposures; ii) privacy, confidentiality and network
security liability
- Covers risks arising from technology and data, but not always digital data!
- Not all about “malicious attacks”
9
CYBER INSURANCE
– First Party
– Loss or damage to digital assets
– Non-physical business interruption and extra expense
– Cyber extortion and cyber terrorism
– Reputational harm
– Third Party
– Security and privacy liability and defence costs
» network security breaches
» transmission of malicious code
» damage, alter, corrupt, distort, copy, delete, steal, misuse,
or destroy Third Party Digital Assets
» breach of third party or employee privacy rights or wrongful
disposal of data
» Causing DDoS attack on third party
» Phishing or Pharming
» confidentiality
– Privacy regulation defence, fines and penalties
» PCI fines extensions available
– Customer care & reputational expenses
» notification expenses
» credit monitoring
» PR expenses
» Forensics
– Multi-media Liability
10
1. Computer crime and computer attacks by third parties
2. Accidental damage or destruction of hardware
3. Administrative or operational mistakes by employees and third party providers
4. Full system failure (all risks)
Committed or failed to prevent a Wrongful Act
CYBER INSURANCE (INNOVATION)
• Where it’s going:
- Property & PDBI coverage
- Reputational harm
- Insuring value of R&D and trade secrets
11
A "DUMMIES" GUIDE TO RISK SELECTION & PRICING
• Staggered Expectancies – “Benchmarking”
- SME
- Large Corp.
• Quality of risk management
- Generally (non-silo)
- Specifically (Standards, PCI, Vendor Management, Encryption, Threat Intelligence etc)
- Grass roots culture?
• Focus on data
- Type, Security, Distribution, Points of access (internal & external)
12
A "DUMMIES" GUIDE TO RISK SELECTION & PRICING
• Industry Sector
- Financial Institutions, Retail, Power & Energy
• Revenue
- Where correlation to liabilities AND when insuring revenue losses
• Network Dependency
- Online revenue? Critical infrastructure?
- Industrial Control Systems vs “traditional” IT systems
• Operational Jurisdiction
- e.g. USA? Spain?
13
A "DUMMIES" GUIDE TO RISK SELECTION & PRICING
• Policies & Controls
- BCM, Incident Response, Security Policy, Privacy Policy
- “on the ball?”
• Relevant laws & regulations
- Telco? Data owner or data processor?
• Claims experience
- No claims vs managed to success
• Visibility/Exposure
- Crime/hacktivist/plaintiff bar threat
14