Cyber Resilience Framework
EMEA Cyber
EMEA Cyber | March 2017. Proprietary & Confidential
Aon Cyber Team – Fast Facts
• 610+ globally dedicated professionals in the US, Canada, London, EMEA, Asia-Pacific and Bermuda
• Over 500 cyber claims handled by Aon since 2012
• Over 1,050 stand-alone cyber clients
• Over $400M estimated standalone cyber premium placed in 2017
• Cyber consulting services include: risk assessment, risk quantification, digital forensics and incident response capabilities
• Cyber industry specialists aligned with Aon industry practices
Risk Transfer Innovation | Tailored Solutions | Global Expertise | Access to Global Markets
EMEA Cyber
Experienced teams and resources
• Main Centre of Excellence in London with professionals dedicated to strategy, execution, and service to the network and its clients, empowering local Cyber Champions
• Industry Cyber Champions link to EMEA Casualty and EMEA Property round tables
• Product Development Specialist
• Sales Leader
• Broking Strength
• Risk Consulting Strength
• EMEA Cyber Round Table Q2, led by EMEA Broking
• Local Cyber Champions
• EU Data Protect
Market impacting solutions
• Aon Cyber Enterprise Solution™, a first-of-its-kind property / casualty and Internet of Things insurance policy that offers comprehensive and integrated enterprise-wide coverage against cyber risk
• Cyber Captive Solution
• GDPR Readiness Assessment
Proprietary data and analytics
• Aon Cyber 360 Suite of Solutions
• Aon Cyber Impact Analysis / Risk Financing Decision Platform
Industry leading talent
Strategic Appointment
• 2016 appointment of James Trainor as Senior Vice President of the Cyber Solutions Group. Mr. Trainor joins Aon after a distinguished career at the FBI, where he most recently led the Cyber Division
• Aon has been selected as exclusive cyber brokerage consultant by the European Union Agency for Network and Information Security (ENISA) in its study of commonality of risk assessment language for cyber insurance (February 14, 2017)
Strategic acquisition
• On November 1, 2016, Aon finalized its acquisition of cyber risk consulting firm Stroz Friedberg
• Aon’s union with Stroz Friedberg provides a comprehensive suite of assessment and quantification solutions to support our clients
Cyber Resilience Solutions Framework
Identifying and protecting your critical assets by aligning your cybersecurity strategy with your corporate culture and risk tolerance.
Our Approach
• Assess: Identify critical assets, pinpoint vulnerabilities and assess cyber preparedness to improve risk exposure
• Test: Uncover, test, and remediate application, network, and endpoint vulnerabilities
• Improve: Prepare, optimize, and enhance security governance and incident detection and protocols
• Quantify: Model potential loss, mass exposure, and remediation costs to optimize risk mitigation strategy
• Transfer: Risk transfer solutions to minimize balance sheet risk
• Respond: Limit business disruption, minimize economic loss, and expedite the claims management process
Linking Asset and Risk Data Analytics to Lower Total Cost of Risk
We collaborate to understand both your near- and long-term business priorities, how we can add value to your organization, and help you respond to changing market dynamics. We jointly author a plan to define how we will work together, outline our commitments to you, and define how we will measure our success.
We follow through on our plan, executing with excellence and tracking outcomes.
We seek your input on how we are doing both through informal feedback sessions and annual surveys.
Aon Cyber Resilience Framework
Assess
Need: Identify critical assets, vulnerabilities and risks to assess organizational preparedness
Solution: Aon Cyber Diagnostic Tool, Aon Cyber Coverage Gap Analysis, Aon / Stroz Friedberg Cyber 360 Suite of Solutions
Test
Need: Uncover, test and remediate application, network and endpoint vulnerabilities
Solution: Stroz Friedberg Penetration & Social Engineering Testing, Red Team Testing, Application Testing, Application Code Review, Threat Hunting
Improve
Need: Prepare, optimize and enhance security governance and incident detection protocols
Solution: Stroz Friedberg Incident Response Retainer, IR Planning & Playbook, Tabletops, CISO / Board Advisory
Quantify
Need: Quantify the financial impact of cyber risks to inform risk reduction and transfer strategies
Solution: Aon Cyber Insight, Aon Cyber Impact Analysis, Aon Risk Financing Decision Platform
Transfer
Need: Structure manuscript cyber insurance coverage terms with strategic global carriers
Solution: Aon Cyber Enterprise Solution, Aon Cyber Captive Solution, Aon Benchmarking, Aon Client Treaty, Aon Benfield Reinsurance Capacity
Respond
Need: Limit business disruption, minimize financial loss and expedite the claims management process
Solution: Stroz Friedberg Incident & Breach Response, Stroz Friedberg Reverse Malware Engineering, Aon Claims Advocacy, Aon Business Interruption Claims Preparation
Cyber Risk Impacts All Loss Quadrants
Cyber Loss Spectrum (quadrant diagram; axes: Financial vs. Tangible, 1st Party vs. 3rd Party)
1st Party / Financial – Any major cyber event will result in:
• Public relations, response, and continuity costs
• Immediate and extended revenue loss
• Restoration expenses
• Defense costs
3rd Party / Financial – Third parties will seek to recover:
• Civil penalties and awards
• Consequential revenue loss
• Restoration expenses
1st Party / Tangible – Physical damage is now possible:
• 1st party property damage
• 1st party bodily injury
3rd Party / Tangible – Physical damage may cascade to others:
• 3rd party property damage
• 3rd party bodily injury
Traditional Cyber Coverage
First party coverage – costs and services: covers the cost for the insured business
• Crisis Management / IT services
• Private breach expense / cost coverage – expenses and remediation cost associated with crisis management, investigation cost, notification costs, credit monitoring, pre-claims legal expenses, call centre and forensic expenses
• Breach-related legal advice
• Business interruption / extra expense – breach, denial of service attack, unauthorised access, resulting in loss of income
• First party loss of data, damaged network, digital assets – restoration cost and expenses incurred to replace or restore electronic data or programs as a result of a virus
• Forensic investigation costs
• Notification costs
• Call centre
• Credit / identity monitoring
• Communication costs following damage to reputation
• Cyber extortion – amounts paid to stop threats of introduction of virus, denial of service attacks, or release of personal information
Third party coverage – liability insurance covers the cost for third parties
• Network security liability – breach of duty by insured resulting in unauthorised access or use, denial of access or use, transmission of virus
• Privacy liability – liability arising from unauthorised disclosure of personal information, identity theft
• Media / content liability – libel, slander, copyright / trademark infringement, violation of privacy
• Professional services liability – liability resulting from scheduled professional services
• Regulatory fines, penalties, defence costs and regulatory assessments – expenses and costs to investigate, defence costs and fines where allowed by law, if in violation of privacy law or regulations; regulatory compliance, sub-limits / other limitations may apply
Insured’s Loss
• First party: expenses paid to vendors
• Third party: defense costs + damages + regulator fines
Cyber insurance both augments Cyber Response Capabilities and provides Balance Sheet Protection
2017 Cyber Exposure Trends
• IoT – The Internet of Things
• Reliance on technology & increasing connectivity
• Cloud Computing / Big Data Analytics
• Increased use of technology vendors
• Social Media
• Social Engineering
• Phishing / Spear Phishing
• Ransomware / Malware / Cyber Heist / Blockchain
• International Regulatory Environment: EU General Data Protection Regulation – effective May 25, 2018; US
Stroz Friedberg – Top Cyber Risks in 2017
1. Criminals harness IoT devices as botnets to attack infrastructure: In 2017, Stroz Friedberg predicts there will be an increase in IoT devices compromised, harnessed as botnets, and used as launching points for malware propagation, SPAM, DDoS attacks and anonymizing malicious activities.
2. Nation state cyber espionage and information war influences global and political policy: Cyber espionage will continue to influence global politics and will spread to the upcoming elections in Latin America and Europe. Russia, China, Iran, and North Korea will be regions of great concern in 2017, as they continue to develop deep pools of cybercrime talent.
3. Data integrity attacks rise: Data sabotage as the next big threat will become a reality in 2017. Criminals will seek to sow confusion and doubt over the accuracy and reliability of information, impairing decision-making across the private and public sector.
4. Spear-phishing and social engineering tactics: In 2017, advanced social engineering tactics will become more targeted, cunning, and more effective, exploiting the weakest link – employees – that organizations always find challenging to safeguard.
5. Red teaming and cybersecurity talent development: Increased pressure from regulators worldwide will push in-house red teaming capabilities to accelerate in 2017. In addition, companies that are not in the cyber business will face a different challenge: recruiting, motivating, and retaining highly technical cyber talent to keep their red teams at the forefront of cybersecurity.
6. Pre-M&A cybersecurity due diligence: The financial services industry will be early adopters of making cybersecurity due diligence a critical part of the pre-M&A due diligence process. While 2017 will see one to two additional high profile instances that impact the M&A deal process outcome, only the financial services industry will react accordingly and conduct judicious cyber assessments.
The General Data Protection Regulation (GDPR)
Compliance Deadline: May 25, 2018
Global applicability of the GDPR
• Applies to data controllers and processors that process the personal data of people in the EU in the context of offering goods or services or monitoring behavior, regardless of where the processing takes place
Stringent enforcement mechanisms
• Fines of up to 4% of annual worldwide revenue, potentially calculated at group level
• Fines can be imposed for “any infringement” of the GDPR
• Regulators can also audit organizations, issue warnings and issue temporary or permanent bans on processing
• Resulting liabilities: legal action costs; data / credit monitoring costs; crisis response; remedial actions
Right to compensation & joint liability
• The GDPR provides that “data subjects” have a right to a judicial remedy against data controllers and data processors
• Individuals can recover material and non-material damage (e.g. distress)
• Where more than one organisation is involved, they will be jointly liable for compensation
• Class action lawsuits
GDPR Requirements
• The GDPR will provide enhanced rights for data subjects, additional obligations for data controllers and processors, and will introduce a new cross-border regulatory regime with stronger enforcement powers
• Mandatory Privacy Impact Assessment (PIA)
• Appoint a Data Protection Officer (DPO)
• Data breach report within 72 hours to the Authority
Aon Cyber Enterprise Solution™ Policy Form
The Aon Cyber Enterprise Solution™ Policy form addresses emerging areas of cyber risk and related regulation including:
• Property damage arising out of a network security breach
• Products liability coverage to address Internet of Things exposures
• Business interruption and extra expense coverage arising out of a systems failure
• Cyber terrorism coverage
• European Union General Data Protection Regulation (effective May 25, 2018) fines and penalties, where insurable and arising out of a covered event
• Privacy/security liability and event expense coverage
• Contingent network business interruption for IT vendors and the supply chain
• Media liability and technology errors and omissions by endorsement
Aon Cyber Captive Solution
The Aon Approach:
• Proprietary Aon Cyber Resilience Review ($25k fee)
• Proprietary Aon Cyber Enterprise Solution Form
• Captive participation to manage risk retention
• Capacity of potentially up to USD 400 mm available excess USD 25 mm captive retention
• Participation in the Aon Cyber Risk Forum
• Pre-agreed panel of knowledgeable loss adjusters with well-defined claims process
• Access to cybersecurity governance and advisory services platform*
Coverage Details:
• Business Interruption Proof of Loss calculation included
• Prior acts coverage subject to a No Claims Declaration
• Product liability coverage arising out of a network security breach
• Coverage not intended to include product recall or product liability batch claims
Target Industries:
*includes penetration testing, incident response, digital forensics, eDiscovery and due diligence capabilities.
Q1 2017 Market Snapshot
Capacity – Capacity is continuing to grow across geographies
• Over 65 Insurers providing E&O / Cyber capacity
• Capacity is available domestically but in some cases with referrals (primary and excess), in US (primary and excess), London (primary and excess) and Bermuda (excess only, generally excess of $50M)
• From a primary perspective, there continues to be a growing number of Insurers developing appetites for large, complex risks
• There is over $500M in theoretical capacity available in the E&O / Cyber market place
Coverage – Coverage continues to evolve and become more valuable
• Coverage breadth and limit availability continues to expand
• Insurers continue to differentiate their offerings with new or enhanced coverage components
• Breach response coverage continues to increase and expand to meet Insured's needs
• Insurers continue to build out pre-breach offerings as part of their policy package
• GDPR affirmative coverage and enhancements are starting to be negotiated
Claims & Losses – Stronger data is being gathered as more breaches are reported
• Increased ransomware activity and business interruption concerns
• Complexity of breaches has driven an increase in incident response expenses incurred by Insureds
• Claims and loss data has expanded coverage offerings and improved actuarial data for loss modelling purposes
• Increasingly punitive legal and regulatory environment
• Plaintiff’s bar continues to advance proof of “damages” theories in security / privacy context, mainly US
• Open privacy-related litigation can take years to conclude, mainly US
Retentions – Retentions have normalized since 2015 pressures
• Retentions of all levels are available in the market, but can vary greatly based on industry class, size and unique exposures
• Adjusting retentions can lead to increased coverage and / or increased flexibility in limits and pricing
Pricing – Pricing trends are stable
• Depending on loss history and claims experience, pricing has stabilized and is competitive
• Renewal premiums are commensurate with exposure and breadth of coverage
• Excess rate environment is competitive
Note: This is a general summary and could vary based on client industry, size and risk profile.
2017 Purchasing Trends by Industry
Limit increases at renewal
• Companies in a number of industries, including financial institutions, hospitality, healthcare, retail, manufacturing, technology, media and transportation, are seeking higher limits options
• For other industries, many organizations are still evaluating the purchase of Cyber insurance or use of their captive to provide Cyber cover due to regulatory, contract, D&O, benchmarking / loss information and financial statement pressures, among other reasons
More new buyers
• Manufacturing, critical infrastructure, pharmaceutical / life sciences, industrials & materials / automotive, public sector, energy / power and utilities, higher education, real estate / construction, agribusiness and transportation / logistics industries saw the biggest uptick in new cyber insurance purchases in 2016
• Major concern in these industries is business interruption loss and reliance on technology
Shifting focus on cyber risk exposures
• In prior years, organizations’ primary cyber concern was related to privacy breaches
• In 2016, more clients across all industries have focused on business interruption coverage, including systems failure cover, cyber extortion and digital asset restoration
• Cyber insurance cases where courts upheld denial of coverage demonstrate the critical importance of matching customized policy wording to specific insured cyber exposures
Differentiating Our Clients
The key to a successful go-to-market strategy is to differentiate our clients. We do this by executing on the following:
• Placement strategy discussion
• Submission creation
• Coverage priority matrix
• Underwriting meeting preparation
• Market meeting or conference call
• Worldwide market access
• Underwriting information is required in English to access London capacity
Contact List
Andrea Garcia Beltran | EMEA Cyber Sales Leader
Aon Risk Solutions | London Global Broking Centre | Financial and Professional Services
The Aon Centre | The Leadenhall Building | 122 Leadenhall Street | London | EC3V 4AN
T: +44 (0)20 7086 0428 | M: +44 07903568045
[email protected]
Simon Hodgson | Director (Claims)
Aon Risk Solutions | London Global Broking Centre
The Aon Centre | The Leadenhall Building | 122 Leadenhall Street | London | EC3V 4AN
T: +44 (0)20 7086 0224
[email protected]
International Deal Desk
[email protected]
About Aon
Aon plc (NYSE:AON) is the leading global provider of risk management, insurance and reinsurance brokerage, and human resources solutions and outsourcing services. Through its more than 66,000 colleagues worldwide, Aon unites to empower results for clients in over 120 countries via innovative and effective risk and people solutions and through industry-leading global resources and technical expertise. Aon has been named repeatedly as the world’s best broker, best insurance intermediary, best reinsurance intermediary, best captives manager, and best employee benefits consulting firm by multiple industry sources. Visit aon.com for more information on Aon.
© Aon plc 2017. All rights reserved.
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
www.aon.com
United in teamwork, passion and results