Cyber Insurance

OESAI COMPREHENSIVE GENERAL
INSURANCE TECHNICAL TRAINING
Cyber Insurance
Ezekiel Macharia
Group Actuary - Jubilee Holdings Limited
Day 2, Tuesday 10th November, 2015
AGENDA
• Cyber Risk & Cyber Risk Insurance
• Product Development Life Cycle
– Demand Research & Pricing
– Underwriting & Policy Terms
– Claim Underwriting
• Conclusion
Cyber Risk
• Any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems (includes networks & the internet).
Key Insurable Cyber Risks
• Theft:
– Identity theft
– Theft of digital assets
• Business interruption
– Lost Income
– Recovery of damaged data records
– Reputational damage
– Cost of Credit Monitoring of impacted clients
• Malware & Human Error (bugs)
• Legal suits alleging trademark/copyright infringement
Malware (Malicious Software)
Cyber Risk: Malware
Software that is intended to damage or disable computers (systems)
COMMON TYPES OF MALWARE
Name | Description | Example | Function
Worm | Exploits vulnerabilities of operating systems & spreads without human intervention | Infected emails | Spread & deliver payloads (most common)
Trojan | Tricks the user into believing they are using legitimate software | Fake installation file | Used to install other malware
Virus | Software capable of copying itself and spreading to other computers (needs human intervention) | Script files | Spreading itself and carrying other malware
Adware | Automatically delivers adverts | Pop up Ads | Annoying/Deliver Spyware
Bot | Automatically performs a specific operation | BotNets & Spambots | Co-ordinated attacks
Bug | Flaw in system design | Human Error | Allow attackers to bypass user authentication
Ransomware | Holds a computer captive - restricts user access | Encrypted files/Locked down system | Ransom to pay creator of malware
Rootkit | Remote access or control without detection | Backdoor | Stealth entry to steal/alter/install or control
Spyware | Spying on user activity without knowledge | Keystrokes collector | Activity monitoring & data harvesting
Case Study Kenya: Top Malware Attacks
• 79% of malicious software attacks in Kenya are worms
• Virus attack is only 2%
Source: Technology Service Provider of Kenya
Technology Service Providers of Kenya (TESPOK) (www.tespok.co.ke) tracks malware attacks in Kenya
Case Study Kenya: Top Malware Sources
• Top malware cyber attacks in Kenyan IT infrastructure are from China & USA sources (IP address)
• Attackers use sophisticated tools
Source: Technology Service Provider of Kenya
Attackers are international – any criminal in the world with an internet connection can now attack your client's business
Product Development?
• Demand Research: Is there a need for cyber risk insurance?
• Pricing
Is there a need for cyber risk insurance?
How developed is Cyber Security in OESAI member countries?
• Report developed by International Telecommunication Union (ITU)
• Key indicators for cyber security development are:
– Legal
– Technical capacity
– Organizational
– Capacity Building
– Cooperation
Country | GSI Rank
Mauritius | 1
Uganda | 2
Rwanda | 3
Kenya | 5
South Africa | 6
Tanzania | 11
Botswana | 12
Malawi | 12
Zambia | 13
Burundi | 14
Angola | 15
Mozambique | 16
Swaziland | 16
Zimbabwe | 17
Ethiopia | 17
Namibia | 18
Lesotho | 18
Source: GLOBAL Cybersecurity Index & Cyberwellness Profiles Report 2015
Case study: Tanzania Cyber Crimes Bill (2015)
• Pornography: Dissemination
• Publication of False Information: Information – data/facts in form of pictures/text/symbols
• Racist/Xenophobic Material: Publication or dissemination
• Unsolicited Messages: Sms/Email/Ads??
• Violation of Intellectual Property: Infringement on commercial / non-commercial basis
• Cyber Bullying: Bullying online
• Data Espionage: Obtain data without permission
Laws supporting Insurable Risk Liability
Pricing Cyber Risk
Frequency
• Strength of Security System: Likelihood of intrusion
• Risk Management Culture: Control in place & role of compliance & audit
• GSI Index: Macro factors
• Rating of Service Providers: Reliability of cloud providers, backup providers, website, etc
• Disaster Recovery: Ability to recover from attack
Severity
• Legal Fees & Fines
• IT Staff Costs
• Data restoration
• Lost Income
• PR & Marketing Costs
• Extortion
• Customer Support
Underwriting Cyber Insurance
• Policy Terms
• Underwriting considerations
Policy Terms
First Party Risks
• Legal Liability: Not complying with privacy laws
• Crisis Management Costs: Informing customers, public relations & adverts
• Data Extortion: Ransom Payment
• Data Recovery: IT Staff overtime, data retrieval & verification
• Loss of Income: As a result of network failure & downtime
Third Party Risks
• Security Liability: Liability arising from breach of security
• Multimedia Liability: Liability arising from insured’s internet, advertising & marketing activities
• Professional Liability: Liability arising out of negligence in providing IT Services
Underwriting considerations
• Business
– Type of business
– Size of business
– Scope of the business
• Number of customers
• Multimedia
– Presence on the Web
– Data collected and stored
• Enterprise Risk Management (ERM) techniques applied by the business to protect its computer network and its assets.
– Risk management procedure & culture
• Don’t tell anyone!! Non-disclosure of cyber risk policy
Claim Management
• In addition to traditional claim management, the insurer may want to hire Third Party IT experts to review the claims – post insurance underwriting
Claims Underwriting
• Comparing capacity of the insured at policy purchase date and claim date (moral hazard)
– Ability of employees and others to access data systems
– Utilization of antivirus and anti-malware software
– Frequency of updates
– Performance of firewalls
• Claim incidence details compared to risk-management techniques applied by the business to protect its network and its assets – what failed.
• Utilization of disaster response plan (DRP) when the claim occurred to the business’s networks, website, physical assets and intellectual property.
Conclusion
• Cyber risk is an emerging risk in the world
• Legal framework for insurable legal liability is generally under development across east & southern African countries
• There is demand for cyber risk insurance
• Where pricing data is not available – proxies can be developed
• Underwriting will depend on risk management and culture of the client
QUESTIONS
+254 722 540 045