SlideShare uma empresa Scribd logo

Debunking Myths for Cyber-Insurance

Priyanka Aash
Priyanka Aash

It’s important to establish the balance sheet for security leadership to measure, monitor and report. Insurance is an important component to protecting the balance sheet. Don’t believe all of the fake news about cyber-insurance. This session will take you from theory to practice. How partnering with the insurance industry provides practical benefits to security leaders if you let it. Learning Objectives: 1: Learn how to map cyber-risks to financial impacts. 2: Learn how to determine if your insurance covers the impact from an incident. 3: Overcome common myths around cyber-insurance and claims. (Source: RSA Conference USA 2018)

Tecnologia
1 de 27
Baixar para ler offline
SESSION ID: #RSAC Robert Jones DEBUNKING MYTHS FOR CYBER INSURANCE GRC-F02 Global Head of Financial Lines Specialty Claims AIG Garin Pace Cyber Product Leader AIG @Garin_Pace
# R S A C Introduction – What Is Cyber Insurance? 2 What people think about cyber insurance: It only responds to data breaches The reality of cyber insurance: It can also respond to other failures of computer security, including business interruption loss, data restoration costs, and extortion threats It’s only for malicious acts (attacks) It has stringent requirements, and requires compliance for coverage It’s an admission of failure It can cover accidental disclosure of confidential information, as well as systems failures Most policies do not have audit requirements, or require the insured to warrant a security posture You buy fire insurance, right?
# R S A C Today’s Goal: Debunk common myths and help you to better use cyber insurance to improve your risk management strategy
# R S A C So, What Is Cyber Insurance REALLY? 4 Cyber insurance is an entire collection of insurance products. THEN NOW • Addressed gaps in property and general liability policies (losses where there is no bodily injury or property damage) • Insurance products were sold as specific products responding to unauthorized access/use, DoS, etc. • Cyber perils have many impacts: data loss, business interruption, liability, theft of money or fraudulent inducement, bodily injury, or even loss of real property • Insurance products and traditional coverages are being amended to respond to the new paradigm
# R S A C Cyber Impact Framework 5 1st Party Damages FinancialTangible 3rd Party Damages Cyber events impact and insurance coverages map to these four quadrants • The Cyber Impact Framework – a tool created by AIG’s partner – demonstrates the full spectrum of cyber risk • It’s useful for both conceptualizing the impacts of a cyber event, and mapping them to insurance coverage
# R S A C • The first cyber insurance products were (and many of those branded as such today still are) a collection of coverages offered a la carte • Half of our buyers didn’t even purchase business interruption until a few years ago The First Cyber Insurance Products 6 1st Party Damages FinancialTangible 3rd Party Damages Business Interruption Extortion Response Costs Defense & Indemnity
# R S A C The First Cyber Insurance Products 7 The first cyber insurance products respond well to data breaches and other financial impacts where there was no tangible damage, but have important limitations: They are typically subject to an exclusion for bodily injury or (tangible) property damage They typically do not cover theft of monies/securities They almost never cover the loss of intellectual property on a first- party basis
# R S A C Evolution Of Cyber Insurance Products 8 Some early limitations of cyber insurance have mostly disappeared as both the products themselves and the insurers have matured: Exclusions for “known shortcomings of security”, including a requirement to patch, have diminished Insurers understand that “just patch” is an oversimplification; coverage is available even for organizations with end of life software Coverage for the most in demand costs – legal advice, forensics, and notification and monitoring costs – is typically not limited to smaller amounts than the policy limit
# R S A C • “All risk” property and general liability policies have typically covered loss of tangible property and liability for property loss/bodily injury, respectively, even if arising out a cyber incident • This is referred to as “silent cyber” given the policies do not explicitly provide coverage for cyber incidents Cyber-Physical Loss And Silent Cyber 9 1st Party Damages FinancialTangible 3rd Party Damages Property Policies? General Liability Policies?
# R S A C Cyber Physical Loss and Silent Cyber 10 How property and general liability policies address both physical cyber losses and financial losses is changing: Some insurers don’t feel they have the expertise and/or appetite for cyber risk, and are excluding typically covered losses arising out of cyber incidents In contrast, some insurers are expanding coverage; for example, some property carriers are covering corruption of data even where there is no tangible property damage Even where coverage positions are not changing, more insurers are writing in affirmative coverage (no longer “silent”); insurance regulators desire certainty
# R S A C Other Cyber Losses And Insurance Products 11 Cyber Property General Liability Crime Directors & Officers Theft of funds (monies/securities) via cyber means x x x x Coverage for shareholder actions following a cyber incident x x x x
# R S A C Other Cyber Losses And Insurance Products 12 Other insurance policies may provide coverage for certain situations Kidnap, Ransom, and Extortion policies o May cover the cost of investigating ransomware or other cyber extortion, the demand itself, and any business interruption o The market was adversely impacted by ransomware, and most carriers are either now excluding coverage or changing the structure of coverage Errors and Omissions/Professional Liability policies o May provide defense and indemnity for claims brought by third parties alleging negligence with respect to a cyber incident o Example: legal malpractice policies may cover client suits, but typically do not cover first-party costs (investigation, notification, etc.)
#RSAC CHECK-IN Q&A (don’t worry – we’ll do Q&A at the end too)
#RSAC LOSS EXAMPLES
# R S A C Hospital Data Breach 15 What happened? A hospital was notified by a third-party of a potential data breach Upon investigation, they confirmed the exposure of over 40K protected health information records, in violation of HIPAA What difference did insurance make? AIG reimbursed the insured $1.24M in costs, including forensic investigation, legal advice, notification and identity monitoring, and regulatory fines 1st Party Damages FinancialTangible 3rd Party Damages
# R S A C Law Firm Data Deletion 16 What happened? A disgruntled employee deleted organizational data – including firm intellectual property – from information systems and backups What difference did insurance make? AIG reimbursed the insured $300K for the cost of re-creating/restoring the data 1st Party Damages FinancialTangible 3rd Party Damages
# R S A C Cyber Extortion 17 What happened? An extortionist contacted an organization and provided evidence of both intrusion and exfiltration of data They threatened to make sensitive data public unless a ransom of $7M in BTC was paid What difference did insurance make? AIG reimbursed the insured the cost of the forensic investigation, legal advice, and public relations Insurance covers the ransom, but AIG supported the insured’s desire to refuse the ransom 1st Party Damages FinancialTangible 3rd Party Damages
#RSAC INSURANCE AS A RISK MANAGEMENT TOOL
# R S A C Cyber Risk Management 19 In the traditional approach to cyber risk management: IT groups were responsible for managing cyber risk; not recognized as an enterprise issue Risk management included risk mitigation, investment, risk acceptance (but very little, if any, risk transfer) Cyber risk was largely thought of as, and treated as, a technology problem
# R S A C Cyber Risk Management 20 Cyber Risk Management Today: Enterprise issue Boards are concerned Social engineering and other “human” attacks a large part of cyber security Attackers generally target vulnerabilities, not organizations; collateral damage is significant “Not if, but when” – requires a comprehensive cyber risk strategy
# R S A C Insurance’s Part In Your Cyber Risk Strategy 21 Insurance is another cyber control, but with some unique properties: Unlike advanced controls – which tend to apply to specific scenarios – cyber insurance’s benefit applies to most scenarios/costs Increasing cyber capabilities typically costs successively more, but cyber insurance generally decreases in cost with cyber maturity Cyber insurance is not a replacement for a cyber risk program: Cyber insurance is often prohibitively expensive when an organization doesn’t do the basics It also doesn’t cover all loss types
# R S A C Insurance’s Part In Your Cyber Risk Strategy 22 In addition to the risk transfer, cyber insurance also provides other benefits both before and after a loss: Expertise in incident management and access to professionals Feedback, benchmarking, and trend analysis: claims statistics and common causes of loss help clients understand and mitigate the risk Risk quantification: cyber loss models are maturing and insurers are increasingly sharing model results with clients, both during underwriting and throughout the life of the policy
# R S A C Insurance’s Part In Your Cyber Risk Strategy 23 Cyber insurance continues to evolve: Insurers are partnering with information security vendors to promote best practices, give clients credit for hardening their environments, and bring objective data to bear By combining integration with technology products and model sophistication, ‘continuous underwriting’ and dynamic pricing become possible Coverage continues to evolve: more coverage for third party failures, more covered types of loss (reputation damage)
# R S A C Correcting Other Myths & Misconceptions 24 Insurers will cover ransomware; coverage exists for investigation costs, and the ransom payment (if necessary) Most cyber insurance policies cover both accidental and intentional acts by employees (executive leadership excepted) Cyber insurance does pay; insurers typically can’t talk about the success stories – only the disagreements between insurers and insureds make the news; these are not representative Policies themselves are just like any other control, they must be tuned; talk with your insurer about expectations
# R S A C 25 Next Steps: Talk to your Risk Manager (or whoever manages your company’s risk program and insurance purchasing) — Get on the same page regarding your company’s cyber risk profile — Review what coverage your existing policies afford your company If you’re taking more risk than you’d like, or if you’re not sure if you are: Ask your broker how much experience they have placing cyber insurance — If they don’t have a lot of experience, they may need to hire a “wholesaler” (an expert), or you may need to use a specialty broker for this placement Get a quote which covers the risks you identified; if you don’t agree with the price, ask the insurer to share their rationale Apply What You Have Learned
# R S A C Conclusion 26 Cyber risk is a constantly evolving threat with potentially critical impact Like other severe perils, insurance can help to protect a company from catastrophe Cyber insurance is not a singular insurance product, but a collection of policies; depending on your threat profile and risk appetite, your needs will differ Insurers offer value in addition to pure risk transfer, including expertise in handling cyber incidents and ensuing litigation, and information on both threats and risk mitigation
# R S A C 27 American International Group, Inc. (AIG) is a leading global insurance organization. Founded in 1919, today AIG member companies provide a wide range of property casualty insurance, life insurance, retirement products, and other financial services to customers in more than 80 countries and jurisdictions. These diverse offerings include products and services that help businesses and individuals protect their assets, manage risks and provide for retirement security. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange. Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIGinsurance www.twitter.com/AIGinsurance | LinkedIn: www.linkedin.com/company/aig. AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.

Recomendados

What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
CBIZ, Inc.
 
Intermountain CFO Summit - Managing Financial Risks
Intermountain CFO Summit - Managing Financial RisksIntermountain CFO Summit - Managing Financial Risks
Intermountain CFO Summit - Managing Financial Risks
David Chase
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
Michael Solomon
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance Temp
Rohan Sehgal
 
CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!
topseowebmaster
 
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
EC-Council
 
Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability Risk
Christopher Rieser
 

Recomendados

What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
CBIZ, Inc.
 
Intermountain CFO Summit - Managing Financial Risks
Intermountain CFO Summit - Managing Financial RisksIntermountain CFO Summit - Managing Financial Risks
Intermountain CFO Summit - Managing Financial Risks
David Chase
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
Michael Solomon
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance Temp
Rohan Sehgal
 
CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!
topseowebmaster
 
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
EC-Council
 
Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability Risk
Christopher Rieser
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Paige Rasid
 
Cyber Insurance - The Basics
Cyber Insurance - The Basics Cyber Insurance - The Basics
Cyber Insurance - The Basics
Chris Stallard
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentation
Ethan S. Burger
 
Cyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsCyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial Institutions
Colleen Beck-Domanico
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
NationalUnderwriter
 
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
CODE BLUE
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Precisely
 
Cyber security
Cyber securityCyber security
Cyber security
Vaibhav Jain
 
SEC Alert
SEC AlertSEC Alert
SEC Alert
John Apkarian
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The Board
Paul Melson
 
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan
 
In the news
In the newsIn the news
In the news
Rob Wilson
 
Cybersecurity_Alert_Dec_16_2014
Cybersecurity_Alert_Dec_16_2014Cybersecurity_Alert_Dec_16_2014
Cybersecurity_Alert_Dec_16_2014
Paul Ferrillo
 
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Cohesive Networks
 
The developing world of cyber litigation and compliance
The developing world of cyber litigation and complianceThe developing world of cyber litigation and compliance
The developing world of cyber litigation and compliance
PECB
 
Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?
Henry Draughon
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
Next Dimension Inc.
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference
David Sweigert
 
What to Do Before a Cyber Incident Occurs
What to Do Before a Cyber Incident OccursWhat to Do Before a Cyber Incident Occurs
What to Do Before a Cyber Incident Occurs
Colleen Beck-Domanico
 
Convince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureConvince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cure
Dave James
 
Digital economy and its effect on cyber risk
Digital economy and its effect on cyber riskDigital economy and its effect on cyber risk
Digital economy and its effect on cyber risk
aakash malhotra
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
JNicholson
 

Mais conteúdo relacionado

Mais procurados

Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Paige Rasid
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
NationalUnderwriter
 
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
CODE BLUE
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Precisely
 
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan
 
Cybersecurity_Alert_Dec_16_2014
Cybersecurity_Alert_Dec_16_2014Cybersecurity_Alert_Dec_16_2014
Cybersecurity_Alert_Dec_16_2014
Paul Ferrillo
 
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Cohesive Networks
 
Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?
Henry Draughon
 

Mais procurados (20)

Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
 
Cyber Insurance - The Basics
Cyber Insurance - The Basics Cyber Insurance - The Basics
Cyber Insurance - The Basics
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentation
 
Cyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsCyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial Institutions
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
 
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
 
Cyber security
Cyber securityCyber security
Cyber security
 
SEC Alert
SEC AlertSEC Alert
SEC Alert
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The Board
 
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
 
In the news
In the newsIn the news
In the news
 
Cybersecurity_Alert_Dec_16_2014
Cybersecurity_Alert_Dec_16_2014Cybersecurity_Alert_Dec_16_2014
Cybersecurity_Alert_Dec_16_2014
 
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
 
The developing world of cyber litigation and compliance
The developing world of cyber litigation and complianceThe developing world of cyber litigation and compliance
The developing world of cyber litigation and compliance
 
Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference
 
What to Do Before a Cyber Incident Occurs
What to Do Before a Cyber Incident OccursWhat to Do Before a Cyber Incident Occurs
What to Do Before a Cyber Incident Occurs
 
Convince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureConvince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cure
 

Semelhante a Debunking Myths for Cyber-Insurance

Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1
Michael C. Keeling, Esq.
 
Client Briefing - Better information leads to better cyber coverage
Client Briefing - Better information leads to better cyber coverageClient Briefing - Better information leads to better cyber coverage
Client Briefing - Better information leads to better cyber coverage
Chris Beh
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
Ted Richmond
 
Contents lists available at ScienceDirectJournal of Accoun
Contents lists available at ScienceDirectJournal of AccounContents lists available at ScienceDirectJournal of Accoun
Contents lists available at ScienceDirectJournal of Accoun
AlleneMcclendon878
 
How to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness ProgramHow to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness Program
Matt Moneypenny
 

Semelhante a Debunking Myths for Cyber-Insurance (20)

Digital economy and its effect on cyber risk
Digital economy and its effect on cyber riskDigital economy and its effect on cyber risk
Digital economy and its effect on cyber risk
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
 
Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1
 
Cyber risk
Cyber riskCyber risk
Cyber risk
 
Client Briefing - Better information leads to better cyber coverage
Client Briefing - Better information leads to better cyber coverageClient Briefing - Better information leads to better cyber coverage
Client Briefing - Better information leads to better cyber coverage
 
A Guide To Cyber Insurance
A Guide To Cyber InsuranceA Guide To Cyber Insurance
A Guide To Cyber Insurance
 
Webcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats ReportWebcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats Report
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
 
Contents lists available at ScienceDirectJournal of Accoun
Contents lists available at ScienceDirectJournal of AccounContents lists available at ScienceDirectJournal of Accoun
Contents lists available at ScienceDirectJournal of Accoun
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals
 
Cybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial InstitutionsCybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial Institutions
 
Cyber insurance : Fraud, waste or abuse?
Cyber insurance : Fraud, waste or abuse?Cyber insurance : Fraud, waste or abuse?
Cyber insurance : Fraud, waste or abuse?
 
Cyber Security and Data Protection
Cyber Security and Data ProtectionCyber Security and Data Protection
Cyber Security and Data Protection
 
A Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate PerspectiveA Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate Perspective
 
Identifing And Controlling Intellectual Property Loss Exposures
Identifing And Controlling Intellectual Property Loss ExposuresIdentifing And Controlling Intellectual Property Loss Exposures
Identifing And Controlling Intellectual Property Loss Exposures
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
 
How to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness ProgramHow to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness Program
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docx
 
Infocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar PresentationInfocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar Presentation
 

Mais de Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

Mais de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Último

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Debunking Myths for Cyber-Insurance

  • 1. SESSION ID: #RSAC Robert Jones DEBUNKING MYTHS FOR CYBER INSURANCE GRC-F02 Global Head of Financial Lines Specialty Claims AIG Garin Pace Cyber Product Leader AIG @Garin_Pace
  • 2. # R S A C Introduction – What Is Cyber Insurance? 2 What people think about cyber insurance: It only responds to data breaches The reality of cyber insurance: It can also respond to other failures of computer security, including business interruption loss, data restoration costs, and extortion threats It’s only for malicious acts (attacks) It has stringent requirements, and requires compliance for coverage It’s an admission of failure It can cover accidental disclosure of confidential information, as well as systems failures Most policies do not have audit requirements, or require the insured to warrant a security posture You buy fire insurance, right?
  • 3. # R S A C Today’s Goal: Debunk common myths and help you to better use cyber insurance to improve your risk management strategy
  • 4. # R S A C So, What Is Cyber Insurance REALLY? 4 Cyber insurance is an entire collection of insurance products. THEN NOW • Addressed gaps in property and general liability policies (losses where there is no bodily injury or property damage) • Insurance products were sold as specific products responding to unauthorized access/use, DoS, etc. • Cyber perils have many impacts: data loss, business interruption, liability, theft of money or fraudulent inducement, bodily injury, or even loss of real property • Insurance products and traditional coverages are being amended to respond to the new paradigm
  • 5. # R S A C Cyber Impact Framework 5 1st Party Damages FinancialTangible 3rd Party Damages Cyber events impact and insurance coverages map to these four quadrants • The Cyber Impact Framework – a tool created by AIG’s partner – demonstrates the full spectrum of cyber risk • It’s useful for both conceptualizing the impacts of a cyber event, and mapping them to insurance coverage
  • 6. # R S A C • The first cyber insurance products were (and many of those branded as such today still are) a collection of coverages offered a la carte • Half of our buyers didn’t even purchase business interruption until a few years ago The First Cyber Insurance Products 6 1st Party Damages FinancialTangible 3rd Party Damages Business Interruption Extortion Response Costs Defense & Indemnity
  • 7. # R S A C The First Cyber Insurance Products 7 The first cyber insurance products respond well to data breaches and other financial impacts where there was no tangible damage, but have important limitations: They are typically subject to an exclusion for bodily injury or (tangible) property damage They typically do not cover theft of monies/securities They almost never cover the loss of intellectual property on a first- party basis
  • 8. # R S A C Evolution Of Cyber Insurance Products 8 Some early limitations of cyber insurance have mostly disappeared as both the products themselves and the insurers have matured: Exclusions for “known shortcomings of security”, including a requirement to patch, have diminished Insurers understand that “just patch” is an oversimplification; coverage is available even for organizations with end of life software Coverage for the most in demand costs – legal advice, forensics, and notification and monitoring costs – is typically not limited to smaller amounts than the policy limit
  • 9. # R S A C • “All risk” property and general liability policies have typically covered loss of tangible property and liability for property loss/bodily injury, respectively, even if arising out a cyber incident • This is referred to as “silent cyber” given the policies do not explicitly provide coverage for cyber incidents Cyber-Physical Loss And Silent Cyber 9 1st Party Damages FinancialTangible 3rd Party Damages Property Policies? General Liability Policies?
  • 10. # R S A C Cyber Physical Loss and Silent Cyber 10 How property and general liability policies address both physical cyber losses and financial losses is changing: Some insurers don’t feel they have the expertise and/or appetite for cyber risk, and are excluding typically covered losses arising out of cyber incidents In contrast, some insurers are expanding coverage; for example, some property carriers are covering corruption of data even where there is no tangible property damage Even where coverage positions are not changing, more insurers are writing in affirmative coverage (no longer “silent”); insurance regulators desire certainty
  • 11. # R S A C Other Cyber Losses And Insurance Products 11 Cyber Property General Liability Crime Directors & Officers Theft of funds (monies/securities) via cyber means x x x x Coverage for shareholder actions following a cyber incident x x x x
  • 12. # R S A C Other Cyber Losses And Insurance Products 12 Other insurance policies may provide coverage for certain situations Kidnap, Ransom, and Extortion policies o May cover the cost of investigating ransomware or other cyber extortion, the demand itself, and any business interruption o The market was adversely impacted by ransomware, and most carriers are either now excluding coverage or changing the structure of coverage Errors and Omissions/Professional Liability policies o May provide defense and indemnity for claims brought by third parties alleging negligence with respect to a cyber incident o Example: legal malpractice policies may cover client suits, but typically do not cover first-party costs (investigation, notification, etc.)
  • 13. #RSAC CHECK-IN Q&A (don’t worry – we’ll do Q&A at the end too)
  • 15. # R S A C Hospital Data Breach 15 What happened? A hospital was notified by a third-party of a potential data breach Upon investigation, they confirmed the exposure of over 40K protected health information records, in violation of HIPAA What difference did insurance make? AIG reimbursed the insured $1.24M in costs, including forensic investigation, legal advice, notification and identity monitoring, and regulatory fines 1st Party Damages FinancialTangible 3rd Party Damages
  • 16. # R S A C Law Firm Data Deletion 16 What happened? A disgruntled employee deleted organizational data – including firm intellectual property – from information systems and backups What difference did insurance make? AIG reimbursed the insured $300K for the cost of re-creating/restoring the data 1st Party Damages FinancialTangible 3rd Party Damages
  • 17. # R S A C Cyber Extortion 17 What happened? An extortionist contacted an organization and provided evidence of both intrusion and exfiltration of data They threatened to make sensitive data public unless a ransom of $7M in BTC was paid What difference did insurance make? AIG reimbursed the insured the cost of the forensic investigation, legal advice, and public relations Insurance covers the ransom, but AIG supported the insured’s desire to refuse the ransom 1st Party Damages FinancialTangible 3rd Party Damages
  • 18. #RSAC INSURANCE AS A RISK MANAGEMENT TOOL
  • 19. # R S A C Cyber Risk Management 19 In the traditional approach to cyber risk management: IT groups were responsible for managing cyber risk; not recognized as an enterprise issue Risk management included risk mitigation, investment, risk acceptance (but very little, if any, risk transfer) Cyber risk was largely thought of as, and treated as, a technology problem
  • 20. # R S A C Cyber Risk Management 20 Cyber Risk Management Today: Enterprise issue Boards are concerned Social engineering and other “human” attacks a large part of cyber security Attackers generally target vulnerabilities, not organizations; collateral damage is significant “Not if, but when” – requires a comprehensive cyber risk strategy
  • 21. # R S A C Insurance’s Part In Your Cyber Risk Strategy 21 Insurance is another cyber control, but with some unique properties: Unlike advanced controls – which tend to apply to specific scenarios – cyber insurance’s benefit applies to most scenarios/costs Increasing cyber capabilities typically costs successively more, but cyber insurance generally decreases in cost with cyber maturity Cyber insurance is not a replacement for a cyber risk program: Cyber insurance is often prohibitively expensive when an organization doesn’t do the basics It also doesn’t cover all loss types
  • 22. # R S A C Insurance’s Part In Your Cyber Risk Strategy 22 In addition to the risk transfer, cyber insurance also provides other benefits both before and after a loss: Expertise in incident management and access to professionals Feedback, benchmarking, and trend analysis: claims statistics and common causes of loss help clients understand and mitigate the risk Risk quantification: cyber loss models are maturing and insurers are increasingly sharing model results with clients, both during underwriting and throughout the life of the policy
  • 23. # R S A C Insurance’s Part In Your Cyber Risk Strategy 23 Cyber insurance continues to evolve: Insurers are partnering with information security vendors to promote best practices, give clients credit for hardening their environments, and bring objective data to bear By combining integration with technology products and model sophistication, ‘continuous underwriting’ and dynamic pricing become possible Coverage continues to evolve: more coverage for third party failures, more covered types of loss (reputation damage)
  • 24. # R S A C Correcting Other Myths & Misconceptions 24 Insurers will cover ransomware; coverage exists for investigation costs, and the ransom payment (if necessary) Most cyber insurance policies cover both accidental and intentional acts by employees (executive leadership excepted) Cyber insurance does pay; insurers typically can’t talk about the success stories – only the disagreements between insurers and insureds make the news; these are not representative Policies themselves are just like any other control, they must be tuned; talk with your insurer about expectations
  • 25. # R S A C 25 Next Steps: Talk to your Risk Manager (or whoever manages your company’s risk program and insurance purchasing) — Get on the same page regarding your company’s cyber risk profile — Review what coverage your existing policies afford your company If you’re taking more risk than you’d like, or if you’re not sure if you are: Ask your broker how much experience they have placing cyber insurance — If they don’t have a lot of experience, they may need to hire a “wholesaler” (an expert), or you may need to use a specialty broker for this placement Get a quote which covers the risks you identified; if you don’t agree with the price, ask the insurer to share their rationale Apply What You Have Learned
  • 26. # R S A C Conclusion 26 Cyber risk is a constantly evolving threat with potentially critical impact Like other severe perils, insurance can help to protect a company from catastrophe Cyber insurance is not a singular insurance product, but a collection of policies; depending on your threat profile and risk appetite, your needs will differ Insurers offer value in addition to pure risk transfer, including expertise in handling cyber incidents and ensuing litigation, and information on both threats and risk mitigation
  • 27. # R S A C 27 American International Group, Inc. (AIG) is a leading global insurance organization. Founded in 1919, today AIG member companies provide a wide range of property casualty insurance, life insurance, retirement products, and other financial services to customers in more than 80 countries and jurisdictions. These diverse offerings include products and services that help businesses and individuals protect their assets, manage risks and provide for retirement security. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange. Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIGinsurance www.twitter.com/AIGinsurance | LinkedIn: www.linkedin.com/company/aig. AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.