
Cyber Hurricane

The Potential for Aggregated Internet Losses and the Insurance Industry

Professional Liability Underwriting Society

16th Annual Conference

Philadelphia, PA

Panel

Paul Nicholas, Director for Critical Infrastructure Protection, Homeland Security Council

Rich Reed, Vice President, Chubb & Son, Inc.

Rob Hammesfahr, Managing Partner, Cozen O’Connor

Harrison Oellrich, Managing Director, Guy Carpenter

The National Strategy

“Securing cyberspace is an extraordinarily difficult strategic challenge that requires a coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector, and the American people.”

“The cornerstone of America’s cyberspace security strategy is and will remain a public-private partnership.”

President George W. Bush

The Case for Action

Cyber Threats

• Organized cyber attacks that may cause debilitating disruption to our infrastructures, economy, or national security are a primary concern.

• Attack tools and methodologies are widely available, and the technical skills of attackers capable of causing disruption are growing.

• A spectrum of malicious actors can and do attack critical information infrastructures.

Dangerous Curves

Cyberspace Security Policy

Prevent cyber attacks against our critical infrastructures;

Reduce our national vulnerabilities to cyber attack; and

Minimize the damage and recovery time from cyber attacks that do occur.

National Priorities

1. National Cyberspace Security Response System

2. Threat and Vulnerability Reduction

3. Awareness & Training

4. Securing Government’s Cyberspace

5. International Cooperation

PLUS - 16th Annual International Conference

November 9-11, 2003

Rich Reed, Global Intellectual Property and eCommerce Product Manager

Chubb Commercial Insurance

[email protected]

The views, information and content expressed herein are those of the authors and do not necessarily represent the views of any of the Insurers of The Chubb Group of Insurance Companies. Chubb did not participate in and takes no position on the nature, quality or accuracy of such content. The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, an applicant, insured, listener or reader should consult their own legal counsel.

Developing Insurance Solutions

Events are categorized

Causation determined

Cost/Impact - frequency/severity/sources of aggregations

Preferred risk classes are identified

Spread of risk is achieved

Market is established

Where is the Cyber Insurance Marketplace?

Maturing

Events - Some of the Old

Physical damage to Critical Resources:

– Natural and man made disasters

– Cyber-terrorism

– Machinery breakdown

– Vandalism – employee/third parties

– Computer fraud/theft

– Remote locations - storage/supplier

Events - Some of the New

Proliferation and strengthening of computer viruses and worms.

– Reduces functionality, and increasingly causing damage

– Can impact single or multiple customers

– Insurers can’t subrogate against developers

– Prosecution of culprits has slowed, but not stopped, the trend

Events - Some of the New

Unauthorized computer access or use

– Insider or outsider

– Reducing functionality, causing damage

– Theft of data, money or securities

– Launching an attack aimed at multiple parties

Denial of service attacks

Dependence on the “Web”

The Internet is resilient… but:

– Productivity rests on the operation, security and continuity of a “public network”

– Individual risk profile varies:

  • based on business model

  • proactive – security policies and procedures

  • reactive - loss mitigation through recovery and planning

– Can the causation be identified?

Sources of Aggregation

Service providers

– Critical infrastructure - energy, financial and telecommunications on a global basis

Third party data storage facilities

Vulnerable software

Loss Mitigation - Service Providers

Known and managed exposure

Networks are well engineered, scalable and time tested

Carriers frequently respond to natural disasters

Extensive inter-provider support

Proven practices and procedures

Carrier Management of Aggregated Exposures

Tracked - per peril or per risk

Identify impact areas

Determine probable maximum loss (PML) using analytic models

Manage aggregate PMLs

Allocate limits to maximize return

Monitor accumulations

Loss Mitigation - Remote Storage

Single entity/location exposure - impacting multiple customers

Inside/outside exposure assessment

– physical, contractual, DRP and continuity

Accumulated limits – direct and contingent

Reinsurance

Availability

Capacity

Cost - near term and long term

Partnership - can the understanding of risk expand?

Scope of protection

Terms

Robert W. Hammesfahr, Esq.

Cozen O’Connor

222 South Riverside Plaza, Suite 1500

Chicago, IL 60606

[email protected]

PLUS - 16th Annual International Conference

Burch/Cheswick map of the Internet showing the major ISPs

Data collected June 28, 1999

http://www.cheswick.com/map/index.html

copyright © 1999 - Lucent Technologies

Most Common Types of Third Party Losses

Network, software and infrastructure failure

Media and content liabilities

Privacy

Virus, malware, hacking, and cyber extortion

New Coverage v. Traditional Coverage

Economic loss v. physical damage

Intangible property/data IP v. protection of physical property

Statutory causes of action

Copyright and trademark liability

Privacy and identity theft

Cyber Damage Litigation: Experience and Emerging Issues

Claims exist

– Denial of service and virus cases

– Theft of intellectual property and hacking

– Cookie litigation

– Privacy litigation

Claims are expensive to defend

The law is new and uncertain

Key Decisions

Liability

– Doubleclick/Cybersource

– Intel

– Database damage cases

Coverage

– AOL v. St. Paul

November 11, 2003

Cyber Hurricane

The Current State Of Play

Harrison Oellrich

Managing Director

Guy Carpenter & Co., Inc.

The Potential for Aggregated Internet Losses & the Insurance Industry


Quick Emergence of Cyber Exposures

Sophisticated exposures

Create insurer/reinsurer concerns

– Never contemplated

– Cannot be underwritten within context of traditional policies

Not sufficiently able to

– Quantify

– Underwrite

– Price

Result

Dramatically curtailed coverage, if any, under traditional policies

Development of specific stand alone policies


Stand Alone Policies

Allow underwriters to:

– Assess

– Underwrite

– Price

each insured’s unique internet exposure

Current Total Limits:

– $250M market wide

– However, rarely if ever more than $100M available per insured


Challenge

Need data to model

– Mine

– Massage

– Methodology

Sophisticated models now used for physical perils

Cyber perils seemingly subvert ability to model


Cyber Hurricane (Aggregation)

Need method to slice and dice a la traditional property cat perils

Otherwise must aggregate every dollar written against every other dollar of exposure

Initial attempts to do so successful

Thinking validated by WW property cat leaders/marketplace


Need for Data/Modeling Capability

Loss data plentiful for “bricks and mortar” cat perils

Virtually non-existent for emerging cyber perils

– past attacks unreported

– Reputational risk

Credible data + modeling techniques = a substantive/sustainable marketplace

Government Involvement / Why us?

Multiple collaborative initiatives

Internet deemed a critical component of nation’s infrastructure

It must therefore be protected at all costs

Disciplines insurers/reinsurers can provide are same as government wishes to impose if it were able

If successful, network environment hardened

National security enhanced!!

Irrational Exuberance?

Forrester Research predicts Business to Business E-Commerce: $1.3 trillion by 2005

– Insurance Information Institute: this will result in $2.5B of premium by 2006

– Conning & Co.: $5B of premium likely during same period

Even if overstated, all must agree that opportunities are real/significant


A Future Vision

Every business will have a presence on the internet

Potential for Cyber Risk Insurance to be the next major growth area of our industry

– Buildings of the 21st Century

Opportunities will arise/evolve swiftly

Creating exposures never contemplated

– Industry must be creative to fully capitalize on this opportunity
