Cyber Insurance
Private & Confidential
The Industry Landscape
Traditional banking systems have updated their services to adapt to increasingly digitized consumer requirements.

Traditional Banking
Digital Banking
• Customers are demanding intuitive and easy digital experiences with effective and round-the-clock support.
• The high penetration of mobile phones in India, and its potential for conducting banking activities, is waiting to be exploited, which will further reduce the dependence on the traditional banking model.
• Digital Financial Services are reducing the need for branch banking in the digital environment and shifting the focus to digital banking instead.
“There is a strong need for banks to keep up with the pace of growing India since the digital revolution has moved from ‘potential threat’ to ‘survival strategy’” - Deloitte Customer Survey 2017
Banking Business Line Division
❖ Core Banking System
❖ Third Party Offerings
❖ Treasury
❖ Credit Cards & Loans
❖ E Banking System
❖ Wealth Management
❖ Forex
❖ Digital Wallets, etc.
Operations carried out by the Group
• Core Banking Services
• Trading in financial products
• Sales of first / third party products
• Credit Cards & Retail loans
• Asset Management & Asset Reconstruction
• Advisory services

Medium
• Branch Banking
• Online Banking
• Phone Banking
• Social Media Banking
Top 5 Global Risks in terms of Likelihood over the last decade
Source: WEF_Global_Risks_Report_2019
Cyber Risks in India
For India, the road to becoming a USD 1 Tn digital economy by 2025 can only be achieved when a robust cyber risk mitigation strategy is in place.
BUSINESSES IN INDIA HIGHLIGHT ‘CYBER INCIDENTS’ AS THE TOP RISK
Rise in Security Breaches in India
• India: 2nd most affected country due to targeted attacks (for attacks between 2016 to 2018)
• The average cost for a data breach in India has gone up to INR 11.9 Cr (USD 1.7 Mn), an increase of 7.9% from 2017, with the average cost per record being INR 4,552 (USD 64)
Source: MeitY Report on India’s Trillion Dollar Digital Opportunity, 2019; NASSCOM Strategic Review FY 2018, Allianz Risk Barometer 2019, Symantec Threat Report, IBM-Ponemon Institute Study, Economic Times
Why Cyber Insurance?
• Pervasive nature of cyber-related risks, which underwriters prefer to weigh and underwrite independently of other policies.
• Limitations of the current set of policies in providing protection for cyber losses, whether pertaining to money, securities or data.
Looking for the right risk advisor to form an alliance that will capture the growth emanating from the changing landscape.
Source: A report published by Deloitte Center for Financial Services
Cyber Coverage
TYPICAL COVERAGE OFFERED IN INDIA

Privacy & Data Liability (includes 3rd party liabilities as well)
• Loss of Personally Identifiable Info
• Loss of Corporate Confidential Info
• Cover for Outsourcers
• Network Liability (such as DDoS Attacks)
• Multimedia cover (includes copyright issues)

1st Party Expenses
• Regulatory Investigation & Representation (includes lawyers' professional fees, admin costs, etc.)
Expenses:
• Forensic
• IT Audit
• Crisis Management (includes Stakeholder Notification, Legal Costs)
• Credit Monitoring
• PR & Media

Business Interruption
• Income loss, business interruption costs, system damage and restoration costs, any extra expenses

Cyber Theft
Where can the losses come from
• Internal Fraud
• External Fraud
• Business Practices & Execution / Delivery
• Business disruption & system failures
• Damage to Physical Assets & Employment practices

• Fund Transfer Frauds
• E-Theft Loss
• E-Communication Loss
• Cyber Extortion

Constituents who can take a claim
• Customers
• Regulators
• Employees
• Contracted Parties (Vendors, Service Providers, etc.)
The Key risks due to network security breach
Banks face a high risk of network breach, which may occur on the platforms most commonly used by the bank; banks are the source of the most active data.
• Bank Account Details: Banks hold a large active database of their customers and several other critical pieces of information. A network breach may expose them.
• Online Banking: Banks are transitioning to online banking systems, where a network breach makes the system susceptible to severe financial loss both to the bank and to its customers.
• Credit Cards: A breach of card users' transactional data, credit data and active data poses a threat to confidentiality.
• Mobile Banking: With application-based banking systems available on devices, a potential network breach can affect many customers.
• Online Trading: Sensitive trading data of customers using the online platform can be affected by a network attack, which can cause huge financial losses.
All the above are instances where a network breach can lead to financial loss to the bank and third parties, making systems vulnerable to permanent damage.
Coverage Under Bankers Blanket Bond
• First party loss insurance
• Losses arising due to employee fidelity applicable on banking / security based transactions.
• Loss within Premises due to theft, larceny, burglary, etc.
• Customisations are permitted to take care of transit, counterfeit, forgery and fraud / dishonesty originated by third parties.
The Key Insurance coverages in a Cyber Insurance Policy
• Failure to prevent unauthorised access to identity information / Failure to provide access to an authorised user
• Failure to prevent the transmission of a computer virus through a computer system into a network
• Security breach remediation costs & Notification expenses
• Computer program and data restoration expenses
• Business Interruption losses and related expenses
What is Covered?
Broadly, Cyber Liability insurance provides coverage addressing Third Party Liability due to a cyber attack and first party expenses likely to be incurred due to the cyber attack.

Liability: Claims made against you
▪ Defence
▪ Settlement costs (for the liability of the insured arising out of a cyber event)
▪ Denial of Service Claims

Business Interruption

Crisis Management

Data Restoration costs

Response costs following a data breach, such as:
▪ Forensic Costs
▪ Investigation
▪ Public relations
▪ Customer notification
▪ Credit monitoring
▪ Extortion rewards and payments

Regulatory Defence costs and Fines and Penalties
The costs to investigate, defend, and settle fines and penalties that may be assessed by a regulator (* allowed depending upon admissibility of the same in various jurisdictions)
Summarising Key Cyber Risk for Banks
Banks have a high potential for network breach, which might occur on the platforms most commonly used by the bank; banks are the source of the most active data.

Coverage Points
• Denial of Access to Customers
• Network Security Breach causing Data Breach
  - Notification Cost for Data Breach
  - Ransom for Data Breach
• Business Interruption

What is not covered?
• Actual loss of money due to a breach is not covered under the Cyber Liability Policy; this can be covered under the Crime Policy or the Crime Section of the BBB. This is a very important cover and needs to be watertight.

Recent Claims Settled
• Invest Bank (UAE): customers' data hacked; hackers asked for a US$ 3 Mio ransom in bitcoins
• Bangladesh Bank: heist of US$ 81 Mio
• UK Bank: Denial of Access claim affecting millions of customers
Case study of Pune based Auto Ancillary Vs a state-owned Bank
Scenario: Around Rs. 80 lakhs was fraudulently transferred to an account of a textile firm. The amount was subsequently transferred to various other accounts from the account of Sutlej Textiles. Sutlej filed a police complaint stating the authorised debits and credits in their account.

Final Adjudication: The Adjudicator appointed maintained that there was unauthorised access to data (as per Section 43 of the IT Act). The bank was ordered to make good the loss suffered by the complainant.

Findings: None of the account holders could be traced at the addresses provided. The Pune-based company acknowledged having responded to a phishing email.

Bank’s Defence:
• Penetration testing
• Vulnerability of the Auto company
Case study of Cyber Attack on a Bank
Scenario: Hackers managed to siphon off over Rs 94 crore through a malware attack on the server of Pune-based Cosmos Bank and by cloning thousands of the bank's debit cards over a period of two days.

What happened? The bank receives debit card payment requests via a 'switching system'. In this malware attack, a proxy switch was created, and all fraudulent payment approvals were passed through it. While cloning the cards using the proxy switch system, the hackers withdrew over Rs 80.5 crore in 15,000 transactions. The bank observed that unusual repeated transactions took place through Visa and Rupay cards used at various ATMs for nearly two hours.

Impact: In two days, hackers withdrew a total of Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore was taken out within India. As per the payment settlement system, Visa and Rupay raised the payment demand for all these transactions and, as per the agreement, the bank had to pay this Rs 80.5 crore amount to them.
Case study of cyber attack on a Private Bank, September 2016
Scenario: India's third-largest private sector lender received an unexpected telephone call. The caller, an engineer at Kaspersky Lab, the well-known Moscow-headquartered cybersecurity firm, rattled off the names of several bank computers which, he claimed, had been breached. The Kaspersky man said his firm had stumbled on the information in the course of a separate probe.

Findings: When the bank team investigated the bank’s servers, it found that there was indeed an unauthorized login by an unnamed, offshore hacker. There are no reports of any fund transfers, but the bank and EY are trying to figure out the extent of damage, data loss if any, and, most importantly, whether the virus is still crawling in the institution’s server zone.
OVERVIEW
• Pioneer Investcorp (PINC) is an India-focused integrated financial services company specializing in insurance advisory services
• A decade of experience in serving the needs of corporates across several industries such as Pharma, Healthcare, IT, Liability & BFSI.
• Registered Broker
• PINC Group has a professional team of 250+ members with a strong entrepreneurial mindset
• Presence across 8 cities – Mumbai | Delhi | Chennai | Bengaluru | Kolkata | Pune | Coimbatore | Ahmedabad
Services We Offer
• Appointment as Risk advisors
  – Propose a set of Insurers
  – Self evaluate, upgrade, identify the right set of carriers, and get better pricing on premiums
  – Address Buyers’ reluctance on sharing data that can help carriers evaluate risks
  – Involvement of an agent at no cost to the bank (No empanelment needed)
Cyber Insurance - Overview

Causes:
• Dearth of data leaves insurers in the dark
• Cyberattacks continually evolve, while new risks keep emerging

Obstacles:
• Buyers often don’t understand cyber risks or their insurance options
• Cyber policies lack standardization

[Diagram labels: Loss History, Severity, Limits & Restrictions, Risk Advisory, Robust Cyber Risk Management]

Why Cyber Insurance?
• As brokers, we handle risk advisory and bring standardization.
• We offer holistic cyber risk management programs.
• Constantly raising risk awareness
• Look forward to offer one of the few opportunities for substantial, long-term growth
PINC has a history of ensuring success of businesses while managing risk and maintaining a high level of advisory services
Thank you
Disclaimer
The information and material provided in this presentation do not constitute an offer or solicitation for the purchase or sale of any security and financial instrument. The information may be obtained from various sources and PINC and/or its affiliates do not represent that the information is accurate or complete, and it should not be relied upon as such. PINC accepts no liability whatsoever for any direct or consequential loss arising from the use of this material or its contents. All estimates and opinions provided herein constitute the original researcher’s judgment as of the date of the report and may be subject to change without notice. PINC will not be responsible for the consequences of reliance upon any opinion or statement contained herein. The returns on the products discussed in this material are not guaranteed by any bank unless specifically stated and are subject to investment risks, including possible loss of the principal amount invested. An investment in any product should be made only after careful study of the most recent sales prospectus, term sheets, relevant fund regulations and basic legal information contained therein. Furthermore, investments in foreign currencies are subject to exchange rate fluctuations. Before entering into any transaction, you should consider the suitability of the transaction to your particular circumstances and independently review (with your professional advisors as necessary) the specific financial risks as well as legal, regulatory, credit, tax and accounting consequences.