Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance

Cyber Insurance - What You Need to Know!
2
Contents
Cybercrime Reporting Network Reveals Startling Numbers .........................................................3
Lloyd’s Appeals To Brokers For Help On Cyber.................................................................................4
PM Announces Strengthened Cyber Ties With US ...........................................................................6
Asian Cyber Cover ‘Set To Soar’............................................................................................................7
Cyber: What Are The Emerging Issues? ..............................................................................................8
Risk Modellers Set Out Cyber Strategies.......................................................................................... 10
Cyber Dominates Top Ten Legal Risks For Business In 2016.........................................................11
Global Ratings Agency Discusses Difficulties With Cyber........................................................... 13
IT, Data Security Top Business Concerns In 2016 ........................................................................... 15
Many Businesses Ill-Prepared For Crises, Study Shows ................................................................ 16
Businesses Lack Cyber Insurance, Fail To Report Attacks: Survey............................................ 17
ASIC Reports On ASX Cyber Resilience ............................................................................................ 18
Cyber Insurance Still Leaves Breach Victims Out Of Pocket ...................................................... 19
Insurers ‘Sceptical’ Of Booming Cyber-Risk Market...................................................................... 21
Physical Cyber Attack Risk Exposes Gap In Coverage..................................................................22
FBI Warns Vehicles Are ‘Increasingly Vulnerable’ To Cyber Attacks.........................................24
ASIC Zeroes In On Cyber Crime...........................................................................................................26
Stock Markets A Target For Cyber Crime: Report ..........................................................................27
Munich Re, Beazley Team Up On Cyber Cover................................................................................28
Cyber Risks On Radar, But Strategies Fall Short: Report .............................................................29
CGU Launches Revolutionary New Cyber Product Into The Australian Market.....................30
Cyber-Security Plan Will Unlock Innovation, PM Says ................................................................. 31

3
Cybercrime reporting network reveals startling
numbers
he Australian Cybercrime Online Reporting Network (ACORN) revealed that it
received more than 39,000 reports of cybercrime throughout 2015.
ACORN continues to boost law enforcement efforts as it provides an easy way
for those affected by cybercrime to report their issues but cyber threats are expected
to increase over the coming year.
It was also found that Victoria received the highest number of cybercrime reports with
Queensland and New South Wales making up the top three.
Michael Keenan MP, the minister for justice and minister assisting the Prime Minister
on counter-terrorism, revealed the startling number this week as the both individuals
and businesses come to grips with cyber risk.
“As Australia's reliance on technology grows, and online shopping remains an
increasingly attractive option for busy Australians, the cost and incidence of
cybercrime is expected to increase” Keenan said.
“I encourage all members of the public to be vigilant
online and to work together to ensure a safer and
more secure digital environment for all Australians
by reporting to the ACORN.”
Keegan noted that the leading types of cybercrime reported to ACORN are online
fraud and scams which account for over 19,000 reports or 49% of the total number.
“Online trading issues which affect Australians who buy and sell goods online were
the second highest type of cybercrime reported; the ACORN received 8,368 reports
which accounts for 22 per cent of total reports in 2015,” Keegan continued.
Different tactics employed by cybercriminals were also noted by ACORN as Keegan
listed the most used areas used online.
“Over the past year, email, social networking, and website advertising have been the
top three reported online channels used by cybercriminals to target their victims.”
T

4
Lloyd’s appeals to brokers for help on cyber
Lloyd’s has collaborated with modelling firms AIR Worldwide and RMS with the
Cambridge Centre of Risk Studies to announce a set of common core data
requirements for cyber risks, the insurance institution has announced.
Both AIR and the RMS/Cambridge team have agreed to highlight common elements
when they publish their data schemas later this month, with each agreeing to use
similar terminology and precise definitions, Lloyd’s said.
Now it is turning to key brokers to do their bit.
Lloyd’s director of performance management, Tom Bolt, said: “Cyber insurance is an
important new area of coverage and it is essential that we have good quality
standardised data to track exposures.
“I am delighted that the RMS/Cambridge team and AIR, in consultation with the
Lloyd’s Market Association, have worked with us to propose standard definitions for
some common data.

5
“I have written to major brokers to ask them to endeavour to provide this data to
Lloyd’s underwriters.”
Lloyd’s general representative in Australia, Chris Mackinnon, told Insurance Business
that the new framework should help the Australian industry to better evaluate cyber
risk.
“The framework introduces common core schema for cyber exposure data and
common core features for input data used in cyber risk tools in the market,”
Mackinnon said.
“This will enable Australian brokers and insurers to better evaluate cyber risks, with
increased access to good quality standardised data to track exposures.”
Mackinnon noted that the new framework is aimed to help standardise an ever-
changing and evolving risk as the business looks to keep up with an emerging risk
with huge potential opportunities and challenges.
“This new framework will provide better clarity for the calculation of risks and this is a
significant step forward,” Mackinnon said.
“At Lloyd’s we have been modelling catastrophes for hundreds of years, and our data
enables us to create very effective modelling forecasts.
“But cyber security risks are a relatively new class of business and the entire insurance
industry needs to ensure that it improves data aggregation to build more reliable
models that enable underwriters to properly price risk.
“Lloyd’s underwriters are some of the most experienced in the world, and we are
pleased that we have been able to use our experience to help build a consensus on
the standardisation of data that will benefit the whole sector.”

6
PM announces strengthened cyber ties with US
Australia and the United States will work closer together in a bid to combat
cybercrime, it has been announced by the Prime Minister.
Malcolm Turnbull announced the partnership last week as the countries will look to
work together to curb online crime.
In a statement, the Government announced a series of measures the partnership will
bring including an annual Australia-US Cyber Security Dialogue which will “engage
senior representatives from both countries’ business, academic and government
sectors to discuss common cyber threats, promote cyber security innovation and
shape new business opportunities.”
The partnership will also look to promote “peacetime ‘norms’ for cyber space,” which
will lead to “practical confidence building measures that help to reduce the incidence
of malicious cyber activity and the risk of conflict.”
The deal will bring law enforcement efforts between the two nations closer together
as both will be able to use experts in the field.
“To meet the growing threat of cybercrime, we will also enhance cybercrime
cooperation between our nations, including through increased exchanges between
respective law enforcement and cybercrime experts and more collaboration on
cybercrime investigations,” the Government statement continued.
It is not just Australia and America that will benefit from the partnership as the
Government said the ramifications of the deal will be felt throughout the region.
“Finally, we agreed to enhance the coordination of our cyber capacity building efforts
in the Indo-Pacific, to help our partners in this region increase their cyber security and
their capacity to combat cybercrime.”

7
Asian cyber cover ‘set to soar’
Almost one-third of Asian insurers expect cyber insurance to grow 50% in the next
three years, a Munich Re survey shows.
Some 83% have already noted increased demand, but just 10% offer coverage for
cyber risks, according to the poll taken at the Singapore International Reinsurance
Conference in November.
New technologies such as automated vehicles and the Internet of Things, plus the
introduction of stricter laws and regulations, are driving a spike in cyber exposure, the
reinsurer says.
About 40% of survey respondents are developing new cyber covers, but 43% have yet
to market policies.
“Compared with Asia and Europe, the US markets are already relatively far advanced,”
Munich Re board member with responsibility for Asia Ludger Arnoldussen said.
“According to our own estimates, the market volume for cyber covers in Asia is likely
to reach $US0.5-$US1.5 billion ($0.71-$2.14 billion) by 2020.
“Our aim is to assist our clients in tapping into this attractive market.”

8
Cyber: What are the emerging issues?
Cyber attacks on Australian organisations rose by 20 per cent in 2014, according to
the Australian Signals Directorate, a timely reminder cyber threats are growing.
Moreover, the Australian Crime Commission reported in June this year Australians
lose about $110,000 every hour to cyber criminals, or more than $2.6m every day.
This demonstrates how serious cyber security is for every business. As such, it is
critical organisations are aware of the growing risk of cyber intrusions and are actively
putting in place steps to reduce this risk.
At Marsh, we have observed many rising threats, including criminals targeting data by
stealing or disclosing personally identifiable or financial data, modifying or corrupting
data or blocking legitimate users’ access to data. However, external threats from
hackers are just some of the risks about which organisations need to be aware. Many
perils are actually internal.
For instance, a culture of trust within an organisation’s work force, traditionally
thought to be a benefit, now creates a threat. Many high quality phishing emails
appearing to be legitimate correspondence from banks, the ATO and other trusted
sources may inadvertently be opened by employees, exposing the business to
hackers.
Therefore, employees must be trained to spot and delete such communication to
thwart the intended intrusion.
Some of the other internal risks are known as ‘man in the middle’ intrusions. These are
where attackers electronically eavesdrop on email conversations undetected and
alter communication between parties who believe they are writing to each other in
confidence.
Aside from emerging cyber security threats, the legislative environment is also
changing the nature of cyber risks. It was anticipated mandatory data breach
notification laws would be in place by the end of 2015. While this did not happen, the
recommendation for data breach notifications by the Joint Parliamentary Committee
on Intelligence and Security remains. As such it is expected that data breach
notification legislation will be introduced to Parliament in 2016.
Additionally, the advent of the Internet of Things (IOT) is introducing new cyber perils.
For instance, it has been reported the majority of cars stolen in France are targeted
using electronic hacking. Indeed, anything connected to the internet could be
targeted by hackers. Worryingly, it’s likely many businesses are overlooking
vulnerabilities in devices such as printers, video conferencing equipment and
thermostats.

9
While many organisations now understand potential cyber threats expose them to
financial regulatory and reputation repercussions, many don’t appreciate some of the
other, more serious consequences of a cyber intrusion. For instance, ratings agency
Standard & Poor’s has noted a major cyber attack on a financial institution could put
its credit rating at risk.
Plus, a perceived misalignment between an organisation’s published privacy policy
and implementation of that policy could lead to allegations the organisation engaged
in deceptive practices. It has also become almost obligatory that, following a cyber
intrusion, the CEO resigns or is terminated. This was the case with the Target event in
the US in December 2013 and the more recent Ashley Madison event.
It’s important for organisations to explore ways to protect their electronic ramparts in
light of the growing risks around cyber. As part of this it’s important not to overlook
third party vendors or customers when it comes to cyber security. As an example, it
was determined that the massive Target breach in December 2013 originated through
a vulnerability in an air conditioning contractor’s system.
It’s also essential to seek assurances from third party vendors or customers on their
level of cyber security resilience and ask for a Cyber Insurance Certificate of Currency
from them. You may also be asked to provide documentary evidence your
organisation purchases cyber insurance.
While we are still developing a detailed understanding of the full spectrum of threats
to Australian networks, a number of trends will manifest globally in the near future, as
outlined in the Australian Cyber Security Centre Threat Report 2015. Importantly, the
number of cyber criminals, and their sophistication, will increase, making detection
and response more difficult. We also expect incidences of spear phishing will
continue to grow and the use of ransomware will continue to be prominent.
It’s also expected there will be an increase in the number of cyber adversaries with a
destructive capability and, possibly, the number of incidents with a destructive
element. There will also be an increase in electronic graffiti, such as web defacements
and social media hijacking.
What this shows is that cyber intrusions are a growing and increasingly complex peril
businesses must face. It’s essential for every organisation to recognise this and put
robust mitigation strategies in place to reduce the risk of a cyber threat undermining
or even destroying their businesses.

10
Risk modellers set out cyber strategies
Insurers can follow five cyber-loss processes to build up coverage in what is
expected to be one of the industry’s fastest-growing markets, according to a new
report.
The processes cover cyber-data exfiltration, denial-of-service attacks, cloud service
provider failure, financial transaction cyber compromise and cyber extortion.
The research was conducted by catastrophe risk management group RMS and
Cambridge University, and is supported by leading industry specialists including Aon
Benfield, Axis Capital, Renaissance Re, Talbot Underwriting and XL Catlin.
RMS CEO Hemant Shah says the report aims to help the industry “understand the
correlation space for this new class of exposure”, because cyber threats know no
bounds, unlike the coverage for natural hazards and industrial risks.
“We know to be wary of writing two industrial risks along the same river basin, and
the role flood defences play in mitigating loss,” Mr Shah said. “With cyber risks, the
contours of systemic accumulation are not as clear.”
The five cyber-loss scenarios have the potential to cause wide and correlated losses,
and the report lays out ways to structure the data an insurer should be accumulating.
“These scenario models provide a capability for insurers to carry out routine
monitoring of their aggregation risk, assessing what their likely claims payout would
be to these benchmark extreme events as their portfolio grows,” the report says.
“They provide useful pointers to use in setting a company’s risk appetite.
“We believe using these scenarios will help companies improve their knowledge of
the cyber peril and help them gain confidence in establishing their risk appetites for
insuring cyber.”
The report says the regulatory landscape is undergoing dramatic change, as
governments and judiciaries look to stiffen penalties for cyber crimes. Australia is
among the countries developing their own information security laws and regulations.

11
Cyber dominates top ten legal risks for business in
2016
As the lines between work and personal use of increasingly prolific technology
become more and more blurred, the exposure to risk, for businesses of all types,
grows in parallel. According to the recent findings of a wide ranging report released
by Borden Ladner Gervais LLP (BLG), a Canadian law firm, half of the top ten legal
risks affecting business in 2016 are cyber related.
Speaking to Insurance Business, Andrew Harrison, managing partner at BLG, said that:
“More and more, the lines between work and personal technologies become so
blurred that many employees no longer make a conscious distinction between work
and personal.”
Of the various risks identified, Harrison notes that the average cost of a data breach is
US$3.7m and larger organisations will be at the higher end of the scale.
There is increasing fraud in e-payment systems; IT security failures due to people
(mis)using workplace computer systems; and compliance risk.

12
“Cyber has ramifications beyond the scope of the initial business in case of malware
or a cyber breach, and one of the interesting things about the insurance business is
that it is so wide ranging in its scope,” Harrison said.
On the data security front, businesses, particularly small to mid-size entities, often
lack breach response policies, proper governance tools, and employee privacy
training programs to prevent or promptly respond to breaches. They lack cyber
security preparedness, which makes them vulnerable to privacy class actions
following a security breach involving personal information.
In this era of Big Data, new business models and marketing techniques are emerging,
including facial recognition and personalization reaching new levels of sophistication,
as well as dynamic pricing practices, to name but a few. Businesses need to consider
whether personal information is properly “de-identified”, what type of information
should be considered as “sensitive” in various contexts, how to obtain valid consent
in compliance with the “reasonable expectations” of customers, and how to deal with
technological innovation, shifting social norms, and building customer trust through
proper privacy practices.
The advent of mobile and digital wallets coupled with contactless payment methods
and the ever-increasing growth in on-line payments have made e-payments become
ubiquitous and have increased the need to develop effective authentication
protocols, technology, policies and procedures to mitigate and reduce the risk of
fraud.
2015 saw a number of high-profile cyber-sex related security breaches. Most
prominent being the Ashley Madison scandal, in which the personal details of over 37
million people were exposed. Worryingly for employers, many subscribers to the
website had signed up using their professional email accounts.
“It’s worth pausing at the beginning of the year to work out what people need to be
sensitive too,” said Harrison.
“We’re not trying to be dramatic but ignoring these
risks is not helpful either. Whenever there’s a risk
there’s an opportunity for insurers, because often
that’s a way of sharing risk.”

13
Global ratings agency discusses difficulties with
cyber
A.M Best has discussed the challenges insurers face when writing cyber liability and
what they can do to ensure their own safety.
Speaking to A.M Best TV, senior financial analyst Fred Eslami, said that the next few
years will be crucial for cyber risk as interconnectivity continues across the globe.
“In the next few years, there are going to be nearly 50 billion devices connected to
the Internet; therefore, expectation is that frequency and severity are going to
increase,” Eslami said.
“With this realisation, companies spent US$70 billion in 2014 and US$75 billion in 2015
to protect and address cyber risk.
“We have been focusing on increasing the awareness of cyber security and cyber risk
within the community of our rated entities as well as to understand and determine
what impact such a risk will have on the financial strength of our companies.”

14
Eslami said that companies that write cyber liability face three major challenges
thanks to a lack of data on the topic as the emerging risk continues to be top of mind.
“There is no, for example, actuarial analysis or result orientated data to do proper
pricing, reserving and aggregation so that is one of the challenges,” Eslami continued.
“The next one is the evolving nature of the regulatory and legal environment which
the industry is dealing with right now.
“The last one is, of course the rapid transition of legacy systems that we have to more
advanced and open-source information technology.”
Eslami noted that once more data for cyber risk becomes available, businesses will
be able to operate in the space more successfully and backed a stand-alone product
as the way forward.
“I think once the actuarial information is gathered and articulated properly, the legal
framework is defined better, there are three ways that we cans see how companies
can improve their position vis-e-vis cyber.
“One is to devise and design specific cyber policies instead of including it as part of
their CGL or D&O or property coverage. That helps, if nothing else, to reduce the legal
costs of defending these cases.
“The next one would be for the companies themselves to come up with a single risk
limit.
“These policies that they issue are kind of interconnected and typically you want to
have a limit relative to your subclass on the policies that you issue so that is another
element that would help eliminate unnecessary expenses.
“The last one would be, again, lack of actuarial
studies, to come up with a contingency reserve on
the polices or aggregate policies that they issue,
again there is no IBNR (incurred but not reported)
for cyber so with the contingency reserve that
would be covered.”

15
IT, data security top business concerns in 2016
Top financial executives across all Australian companies ranked IT and data security
as their primary business concerns in 2016, according to a new survey conducted by
leading global recruitment firm Robert Half.
The latest study found that 28 percent of 160 CFOs and financial directors were most
worried about IT & data security. The economy was the second major business
concern at 26 percent followed by skills shortage at 18 percent and regulatory and
compliance changes at 15 percent.
Only finance leaders of small businesses did not rank IT and data security as their
chief concern, with 34 percent citing the economy as their main issue for 2016.
David Jones, Robert Half’s senior managing director for Asia Pacific, noted that a
breach of data security can lead to extreme financial and reputational consequences.
“It is therefore critical for all companies – regardless of size – to take a protective
approach to IT security,” he said.
To protect corporate and customer information, Jones said Australian companies
continue to use various tools and services such as security software, password
management systems and hard drive encryption service.
However, Jones lamented that small and medium businesses normally use fewer
data protection tools than large companies even if they all face the same online risks.
For one, the research found that only 24 percent of small companies and 18 percent
of medium firms have network security systems, compared to 52 percent of large
companies.
“In recent years larger companies have increasingly invested in cyber security
measures, and this has encouraged cyber attackers to cast their gaze at more
vulnerable entities,” Jones said.
“This further highlights the need for small and medium businesses, which have
become an increasingly attractive target for hackers, to invest in the necessary IT
security tools and specialised IT talent,” he added.

16
Many businesses ill-prepared for crises, study
shows
More than 50% of companies believe they are inadequately prepared for crises,
according to a new Deloitte survey.
And about 70% of respondents say it takes up to three years to repair reputations
following a crisis.
The Crisis in Confidence study questioned 317 non-executive board members
worldwide.
The two most serious threats to business are loss of reputation and cyber crime,
according to the respondents.
Deloitte Managing Partner Risk Advisory Harvey Christophers says 49% have
capabilities or processes in place to achieve the best outcome following a crisis.
In the Asia-Pacific region only 34% are confident of their resilience.
In Australia almost 60% of big businesses surveyed say it takes one to three years to
recover reputations and operations. Half say it takes the same time for financial
recovery.
Only 32% of respondents engage in crisis simulations or training.
The report says the potential to lose customers and shareholder value due to
reputational damage after a data breach, denial of service, or corrupted or stolen
assets is significant.
Only 37% of Asia-Pacific businesses have a crisis resolution plan for natural disasters,
while 40% have a plan for workplace violence.
“Given that stress levels have a significant impact on our decision-making abilities in
times of crisis, it is absolutely critical that a pre-formulated, thoroughly tested
response plan is in place to ensure the business takes quick action,” the report says.

17
Businesses lack cyber insurance, fail to report
attacks: survey
Businesses see cyber security as important but majority do not take it seriously
enough, with most companies lacking cyber insurance and only under a third of
attacks being reported.
These were among the findings of the Cyber Security: Underpinning the Digital
Economy report by Barclays and the Institute of Directors (IOD) which showed a
“worrying gap” between awareness of the risks and preparedness among companies.
The report, which polled nearly 1,000 IOD members, found that only around 57% of
business leaders have a formal strategy to protect themselves even though 91% say
that cyber security is important.
The study also revealed that only 20% of British businesses hold cyber insurance and
just 21% are considering cyber insurance within the next 12 months.
Of the companies that have been victims of cyber attacks, only 28% reported the
incidents to the authorities even if 49% of attacks resulted in interruption of business
operations and 11% caused financial losses.
“No shop-owner would think twice about phoning the police if they were broken into,
yet for some reason, businesses don’t seem to think a cyber breach warrants the
same response,” said Richard Benham, a cyber security management professor who
authored the report.
The study also lamented that government efforts to tackle cybercrime seem to be
failing to get through to businesses since 32% of IOD members were still unaware of
Action Fraud Aware, the UK’s national reporting centre for fraud and internet crime.
Benham said the report proves that companies need to get real about cybercrime
and its financial and reputational consequences.
“Our report shows that cyber must stop being
treated as the domain of the IT department and
should be a boardroom priority. Businesses need to
develop a cyber security policy, educate their staff,
review supplier contracts and think about cyber
insurance.”

18
ASIC reports on ASX cyber resilience
The Australian Securities and Investments Commission (ASIC) has released its first
assessment report on the cyber resilience of the Australian Securities Exchange (ASX)
and Chi-X.
“Cyber resilience is now widely regarded as one of the most significant concerns for
the financial services industry and the economy at large,” the regulator says.
“The cyber resilience of our regulated population is, therefore, a key focus.”
The report concludes the ASX and Chi-X have met statutory obligations to hold
sufficient resources for the management of cyber resilience, and notes some
“encouraging practices”.
However, a consistent industry-wide approach is required to address developing
cyber threats, ASIC says. “We will continue to work with government and other
regulators to support industry to achieve this.”
The report calls on the wider financial services sector to recognise the growing cyber
threat, and refine systems and processes to prevent and address critical issues.
It calls for senior management to closely manage cyber risk from internal and third-
party sources, establish robust collaboration and information-sharing networks to
access the best defensive intelligence and technology, and implement thorough
cyber awareness training programs.
“Because of the dynamic nature of the cyber threat landscape, a comprehensive and
long-term commitment to cyber resilience is essential to assist all organisations and
the Australian economy to manage this threat,” ASIC Commissioner Cathie Armour
said.

19
Cyber insurance still leaves breach victims out of
pocket
New research by a leading insurance analytics and information service has suggested
that businesses with cyber coverage are still left out of pocket when it comes to a
data breach.
The research from Advisen and ID Experts has found that “the vast majority” of cyber
breaches fall below cyber insurance deductibles leaving businesses with costs.
Entitled, Mitigating the Inevitable: How organisations manage data breach exposures,
the survey of more than 200 risk professionals found that 25% of respondents suffered
a data breach over the last 12 months that fell 91-100% below their deductibles.
“In fact, of the respondents who purchase cyber insurance and have identified a data
breach in the previous twelve months, nearly all fell below their deductibles,” the
report states.

20
“While cyber coverage is increasingly viewed as an
essential part of many corporate insurance programs,
it is designed to protect against low frequency but
high severity occurrences.”
The report notes that, as cyber is a relatively new form of coverage, organisations are
still grappling with its application and their own cyber security concerns.
“Cyber insurance is a relatively new coverage and the number of claims filed is
comparatively few compared with more mature lines of business,” the report
continues. “But in reality, even if a data breach is large enough to trigger coverage
under a cyber insurance policy, organisations will still often be required to assume
some of the financial burden.
“For example, the cost of the breach could have exceeded the amount of coverage
purchased, or the losses could have fallen under one of the policies exclusions such
as intellectual property, infrastructure, and/or reputational loss.”
The report backs cyber coverage as a helpful tool in the fight against cyber attacks
as the coverage often includes benefits that businesses can use in response to
breaches pointing to the importance of these value-adds when dealing with the
cover.
“In addition to loss indemnification, cyber policies also provide access to a variety of
tools and services such as risk assessment tools, data breach incident response plans,
and educational resources, to help manage cyber security risks,” the report states.
“Seventy percent of respondents said that their
policy offers free tools to help manage their
cybersecurity risks. Forty-four percent of the
respondents said they have used them.”

21
Insurers ‘sceptical’ of booming cyber-risk market
Increased digitisation and interconnectivity have made cyber threats “one of the top
global perils” of this year and beyond, according to research group IDC Financial
Insights.
This may spell bad news for businesses, governments and consumers, but it provides
“tremendous opportunities for insurers to capitalise on this largely untapped market”.
However, IDC Financial Insights says insurers are “highly sceptical” of the cyber-
insurance market.
Reasons include lack of historical data for underwriting and limited understanding
about exposures.
Senior Research Analyst Sabitha Majukumar says inadequate coverage, high
premiums, too many exclusions, restrictions and uninsurable risks are typical
characteristics of cyber insurance products currently on the market.
“We strongly believe insurers should consider the available evolving tools and
technologies in the cyber-risk exposure-monitoring and assessment space,” she said.

22
Physical cyber attack risk exposes gap in coverage
Physically destructive cyber terrorism is a “real gap” in current insurance coverage,
according to the head of Australia’s Reinsurance Pool Corporation (ARPC).
Speaking in Sydney last week at the Cyber Risk Seminar hosted by Finity and the
Australian and New Zealand Institute of Insurance and Finance, ARPC CEO Chris
Wallace said the risk of catastrophic physical property and infrastructure has
increased as the physical world and cyberspace become more interconnected.
“Yet cyber terrorism is not covered by Australia’s
terrorism insurance scheme because it is defined as a
computer crime, which is excluded by the Terrorism
Insurance Act 2003.”
Dr Wallace told insuranceNEWS.com.au the ARPC wants to highlight the existence of
the gap so the market will develop policies to cover it.
“There have been some physically destructive attacks around the world,” he said.
“There are not many of these attacks, and we’re not saying terrorists have the
capabilities, just that there is a gap in the cover that is available in the market.”
Dr Wallace gave the example of a German steel mill’s electronic control system that
was hacked into in 2014, causing “massive damage” to the blast furnace.
According to the German Federal Office for Information Security (BSI) the attackers
accessed emails to steal logins, giving them access to the electronic control system.
And in 2008 Russian hackers shut down alarms, cut off communications and super-
pressurised a Turkish crude oil pipeline, causing it to explode and causing a major fire.
Finity Consulting Principal Stephen Lee also acknowledged the potential physical
damage from cyber attacks.
“The cyber attacks carried out in the US against Sony in November 2014 and Target
in December 2013 generated a great deal of global media coverage, as have other
attacks since then,” he said.
“But in our increasingly connected world, a cyber attack can also mean disruption to
utilities or cause malicious damage to property. With the ever-present risk of
terrorism in today’s environment, this is a risk that businesses cannot afford to ignore.”

23
Mr Lee says getting board level involvement in cyber risk management is critical.
“Recognising the risks both to data, business interruption and physical assets is an
important first step to tackling the problem,” Mr Lee said.
“Insurers have a key role in helping the business
community and the wider economy to manage this
risk.”
Dr Wallace says he expects the market to quickly develop appropriate cover over the
next few years.

24
FBI warns vehicles are ‘increasingly vulnerable’ to
cyber attacks
The FBI has warned that modern vehicles are becoming “increasingly vulnerable” to
cyber attacks and warned that the safety of plug-in telematics devices is paramount.
In a public service announcement released last week, the FBI and National Highway
Traffic Safety Administration (NHTSA) in the United States, warned that drivers need
to be wary of cyber threats.
“Modern motor vehicles often include new connected vehicle technologies that aim
to provide benefits such as added safety features, improved fuel economy, and
greater overall convenience,” the PSA notes.
“Aftermarket devices are also providing consumers with new features to monitor the
status of their vehicles. However, with this increased connectivity, it is important that
consumers and manufacturers maintain awareness of potential cyber security
threats.
Therefore, the FBI and NHTSA are warning the general public and manufacturers – of
vehicles, vehicle components, and aftermarket devices – to maintain awareness of
potential issues and cybersecurity threats related to connected vehicle technologies
in modern vehicles.”
The announcement follows news last year that hackers had infiltrated and taken
control of a car whilst driving on the freeway in an experiment for technology site
Wired.
The FBI acknowledged that this amount of control remains the biggest threat to
vehicle owners but other issues are still prevalent.
“Although vulnerabilities may not always result in an attacker being able to access all
parts of the system, the safety risk to consumers could increase significantly if the
access involves the ability to manipulate critical vehicle control systems,” the
announcement continued.
The security and safety of plug-in telematics devices, which use the cars OBD-II slot
under the dashboard, were also mentioned for monitoring as Progressive suffered a
hack of their device last year.

25
“More recently, there has been a significant increase in the availability of third-party
devices that can be plugged directly into the diagnostic port,” the PSA states.
“These devices, which may be designed independent of the vehicle manufacturer,
include insurance dongles and other telematics and vehicle monitoring tools. The
security of these devices is important as it can provide an attacker with a means of
accessing vehicle systems and driver data remotely.
“Vehicle owners should check with the security and
privacy policies of the third-party device
manufacturers and service providers, and they
should not connect any unknown or un-trusted
devices to the OBD-II port.”

26
ASIC zeroes in on cyber crime
The Australian Securities and Investments Commission (ASIC) has stepped up its
surveillance of cyber crime this year in a bid to keep pace with the growing digitisation
of the financial services industry.
ASIC will invest more in digital forensics capabilities and training its forensic analysts,
its enforcement report for last July-December says.
“The increasing incidence, complexity and reach of malicious cyber activities can
undermine businesses and destabilise our markets, eroding investor and financial
consumer trust and confidence in the financial system and the wider economy,” it
says.
“We will take appropriate enforcement action by accepting enforceable undertakings
or issuing infringement notices where we identify wrongdoing – for example, where
disclosure by companies and issuers provides insufficient information on cyber
threats.
“As technology continues to replace traditional
methods of investing, the likely increase in the
incidence of cyber crime means ASIC and other law
enforcement agencies will focus on activities that
ensure investors and consumers continue to be
protected.”
The volume of electronic forensic data received by the regulator has increased
steadily from less than 40 terabytes at the start of 2013 to more than 120 terabytes
last year. ASIC expects the figure to rise to 425 terabytes of data per year by 2020.
One terabyte is equivalent to about 1000 gigabytes.
“The increasing volume of data means traditional review methodologies based on
targeted keyword searches and manual review are becoming less effective and
efficient. “ASIC is increasingly adopting smarter strategies that use tools such as
predictive coding, machine learning and computer algorithms.” The regulator
secured $149 million in compensation and remediation for consumers and investors
in the second half of last year, the enforcement report shows.
It removed 27 individuals from financial services, laid 42 criminal charges, charged six
in criminal proceedings and issued 20 infringement notices.

27
Stock markets a target for cyber crime: report
Financial markets are a prime target for cyber attacks because they are “where the
money is” and can represent a nation or symbolise capitalism, according to a new
report.
The International Organisation of Securities Commissions (IOSCO) paper, called Cyber
Security in Securities Markets – An International Perspective, outlines different
approaches to cyber security adopted by market participants and regulators
worldwide.
It says cyber is not “just another risk” but constitutes “a unique, highly complex and
rapidly evolving phenomenon” that jeopardises the integrity and efficiency of financial
markets.
The report says PricewaterhouseCoopers’ latest Global State of Information Security
Survey questioned 10,000 executives from 127 countries, and found the number of
incidents detected by respondents last year was up 38%.
A Ponemon Institute study last year put the average cost of data breaches to
companies at $US3.79 million ($5 million), up 23% over the past two years.
IOSCO says the “almost complete digitalisation of data” in securities markets and
increasing use of mobile devices, outsourcing and cloud computing make the
industry more vulnerable.
“The human element of cyber risk, combined with rapidly evolving technologies in
securities markets, suggests this topic requires swift and sustained attention by
regulators and market participants,” the report says.
“According to many cyber-security experts, the
question for financial market participants is not if a
cyber attack will occur but rather when.”
The report says cyber insurance should be a complement to a business’ cyber-
security framework – not a replacement.
Global annual gross written premium for cyber insurance is about $US2.5 billion ($3.3
billion), and PricewaterhouseCoopers projects it will be $US7.5 billion by the end of
the decade.

28
Munich Re, Beazley team up on cyber cover
Munich Re-owned Corporate Insurance Partner and Beazley have joined forces to
offer cyber cover of up to $US100 million ($131 million) in response to growing
demand.
Coverage options are tailored to a variety of exposures including hacking or malware
attacks, distributed denial of service attacks, cyber extortion, and property damage
and bodily injury.
“In recent years cyber threats have risen steadily up the agenda of the world’s largest
companies… with significant implications for their balance sheets and financing
capabilities, through to dealing with regulators and ratings agencies,” Corporate
Insurance Partner Head of Cyber Solutions Chris Storer said.
“Through our close partnership… we believe we can offer a service that is unique in
providing large corporate and industrial clients with fit-for-purpose cyber solutions
that help them manage the manifold risks that cyber attacks can present.”
Various industry studies put cyber risk among the leading issues for the global
business community, with financial consultants Grant Thornton estimating the cost of
such attacks at about $US315 billion ($413 billion) a year.
“Rapidly flowing data is the lifeblood of modern business,” Beazley Focus Group
Leader for Technology Mike Donovan said. “When that data ceases to flow, or is
siphoned off, the costs for large interconnected enterprises can be huge.”

29
Cyber risks on radar, but strategies fall short:
report
The cost of business interruption is the leading cyber-risk concern for businesses,
according to Aon Global Risk Consulting.
The group’s global benchmarking report, the Captive Cyber Survey, gauges
organisations’ attitudes to cyber threats, risk assessment, insurance-buying trends
and loss adjustment concerns.
Peter Mullen, CEO of Aon’s Captive and Insurance Management practice, says the
findings show a disparity between companies recognising cyber as one of the fastest-
growing risks and understanding what their exposures and coverage needs are.
The survey shows 94% of companies would share risk with others in their industry.
Aon experts expect alternative risk transfer options will become increasingly popular
because they give companies some control over underwriting, coverage scope and
claims adjustment, while providing an opportunity to share best practices, experience
and data.
The survey also shows 95% of respondents believe clear policy wording is the most
important issue in the cyber-risk market, and 75% of large companies are concerned
about the loss adjustment process.

30
CGU launches revolutionary new cyber product into
the Australian market
CGU Insurance has launched a new cyber defence product aimed at mitigating the
rising tide of cyber-attacks.
The company believes its new offering CGU Cyber Defence, developed with SME
customers in mind, will protect businesses from cybercrimes such as privacy
breaches, system damage, extortion, computer viruses, crime and hacking.
CGU National Underwriting Manager Professional Risks Najibi Bisso said now that
cyber security is one of the biggest issues facing businesses and individuals today,
it’s essential for all business with a digital presence to ensure they have the right
protection in place.
She said the new product, which includes a wide range of features such as free cyber
consultation, 24/7 incident response team and a breach coach, provides much
broader cover than their competitors and is equipped with an all-encompassing
cyber incident response service.
“We’ve developed an offering that we believe addresses
the growing concerns SME’s will face in future. The
product is offered standalone as well as an extension
to existing policies.”
Bisso said the partnership with Norton Rose Fulbright means they can now provide a
round-the-clock cyber incident response team and service for their customers.
“We’re also working with our partners to help them educate SME’s on the importance
of cyber security by providing a range of tools that partners can access online through
the CU cyber microsite.
Scott and Broad CEO Mike Burgess, whose major client has a CGU Cyber Defence
Policy, said that CGU were a “natural choice for us when we were looking for cyber
risk support for our clients. For this type of risk you need a large insurer who has the
capacity to pay these types of claims and launch a response when the cyber event
occurs.”

31
Cyber-security plan will unlock innovation, PM says
Prime Minister Malcolm Turnbull says an “open, free and secure” internet is vital for
Australia’s future prosperity.
Introducing the Government’s $230 million cyber-security strategy, he says the plan
sets out a “philosophy and program” for meeting the challenges of the digital age.
“A secure cyberspace provides trust and confidence for individuals, business and the
public sector to share ideas and information and to innovate online,” Mr Turnbull said.
“The security threats we face are real and they are growing in severity and frequency.”
He argues the cyber-security strategy is critical to Australia’s transition to “a new and
more diverse economy, which is fuelled by innovation”.
“We cannot allow cyberspace to become a lawless domain. The private sector and
government sector both have vital roles to play.
“By working together we will build and strengthen a
trusted online environment and unlock Australia’s
digital potential.”

Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance

Ähnlich wie Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance (20)

Mehr von Statewide Insurance Brokers

Mehr von Statewide Insurance Brokers (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance