1 CONFIDENTIAL ©2015 AIR WORLDWIDE New Approaches for Managing Cyber Risk

Jan 18, 2016


New Approaches for Managing Cyber Risk

Agenda

• Overview of the cyber market
• AIR modeling framework
• Data partners
• Cyber data standards
• Roadmap

AIR Model for Cyber Risk

The Worldwide Cyber Insurance Market Is Growing Rapidly

- “Cyber is a new risk and it is a concern, Lloyd’s is at the heart of cyber attacks, providing coverage right now. It’s going to grow dramatically”

• Inga Beale, CEO, Lloyd’s of London, Oct. 2014

Sources: Betterley Report / Advisen

- “Cyber Insurance: Maybe next year turns into I need it now”

• Betterley Report, June 2014

- “Former U.S. Homeland Security Secretary Tom Ridge has teamed with reinsurance brokerage Guy Carpenter & Co. L.L.C. to offer a cyber security and insurance product”

• Business Insurance, Oct. 2014

[Chart: US Cyber Premiums. Years: 2010, 2011, 2012, 2013, 2014, 2015E, 2020E. Data labels, in order: 600,000,000; 800,000,000; 1,000,000,000; 1,300,000,000; 2,000,000,000; 2,400,000,000; 5,000,000,000]

What Exposes Organizations to Cyber Risk? A Breach Is One Critical Type of Hazard

- Direct losses when intellectual property is stolen, data destroyed, or operations interrupted
- Indirect losses when data proprietary to its clients is compromised
- Reputational losses
- Physical damage

[Image captions: In the office; At offsite data storage sites; In the “cloud”]

Facts About Cyber Coverage

- What is typically covered?
  • Legal fees
  • Forensics
  • Notification and call center
  • Credit monitoring
  • Public relations fees
- Limits
  • Low, in the low millions
- Exclusions
- Evaluation strategy
  • Driven by industry, company size, etc.
  • Companies offer network analyses

[Chart: Cyber insurance take-up rates. x-axis: Company revenue (USD), in bands < $2.5M, $2.5M to $5M, $5M to $10M, $10M to $25M, $25M to $100M, $100M to $300M, $300M to $1B, $1B to $5B, > $5B. y-axis: Take up rate, 0% to 100%]

AIR’s Stochastic Modeling Framework Can Be Applied to Cyber

[Diagram labels: HAZARD, VULNERABILITY, FINANCIAL; Event Generation, Intensity Calculation, Exposure Information, Damage Estimation, Policy Conditions (Limit, Deductible), Loss Calculation]

Risk Based Security (RBS) Selected as Incident Data Provider

- Has developed a database of over 16,000 historical worldwide cyber incidents
- Based in Richmond, Virginia
- Publicly disclosed clients include AIG and Willis


Risk Based Security Data Examples

[Chart: Count of RBS Events that Impacted Different Data Types. Categories: Name, Password, E-mail address, Social Security Number, Miscellaneous Data, User Name, Address, Date of Birth, Medical Records, Credit Card Number, Account Information, Financial Information, Unknown / Not Disclosed, Phone Number, Intellectual Property. Axis: 0 to 10000]

[Chart: Probability of attack size by source. Series: Inside, Inside-Accidental, Inside-Malicious, Outside. x-axis: Log (Number of Records), 1 to 9. y-axis: Probability, 0.0000 to 0.2500]

BitSight Collaboration will Give the AIR Model Several Key Benefits

- Analyzes public traffic on the Internet to unobtrusively give scores to companies
- Based in Cambridge, Massachusetts
- Founded by several MIT graduates
- Publicly disclosed clients include AIG and Liberty


AIR’s Collaboration with BitSight Will Provide Many Benefits to Clients


AIR Is Collaborating With Several Cyber Insurance Carriers


The Verisk Enterprise Offers AIR Unique Resources, Information, and Data

ISO Cyber Program Argus Cyber Forum

Information Sharing and Analysis Centers

Maplecroft


AIR Categorizes Risks by Exposure Type


Cyber Insurance Record

Company Information

Insurance Coverages

Data

Assets / Storage

Transfer

Minimum Data Required to Run Model: Industry, Revenue, and Insurance Information

[Diagram labels: Industry, Revenue, Insurance]

Company Information—Detailed

[Diagram labels: Industry, Recovery Plans, Demographics, Revenue, Security]

Multiple Insurance Coverages Will be Supported

Insurance Coverages

• Security Breach Expense
• Security Breach Liability
• Business Interruption
• Fines
• Replacement of Electronic Data
• Website Publishing Liability
• Programming Errors and Omissions
• Extortion
• Public Relations
• Physical


Data Are the Basis of Potential Cyber Losses

Type Country of Origin

Number and Value

Asset / Storage Record

Transfer Record


Storage Can Lead to Aggregation Risks

Type Security OS Type Cloud


Transferring Data Introduces Additional Vulnerabilities

Type Security Service / Vendor Type Cloud

Developing a Cyber IED Will Allow the Model to Account for “Unknowns”

Data Type      Record Value   Country of Origin   Ownership
Credit Card    ?              ?                   ?
PII            ?              US                  ?

Annual Revenue Total   % from Internet   % Domestic   % Foreign
1,300,000,000          ?                 ?            ?

Data Type      Record Value   Country of Origin   Ownership
Credit Card    $225           US                  3rd Party
PII            $99            US                  1st Party

Company Revenue Total   % from Internet   % Domestic   % Foreign
1,300,000,000           17%               72%          28%

- Most refined results are obtained when every field of an exposure record is correctly filled in

- But what if we have only some of the information that completely describes an exposure?

- AIR’s Cyber Model will populate “unknown” fields with values derived from our planned Cyber Industry Exposure Database


Distribution of Limits by Coverage

Mock-up of Cyber Exposure Aggregation and Accumulation in Touchstone

Distribution of Records by Industry

Distribution of Employees by Age Band

Distribution of Revenue by Geography

Studies Provide Data for Our Prototype Model

[Chart: Loss per record by country. Countries: United States, UK, Germany, France, Australia, Italy, India, Japan, All Others. y-axis: Mean Loss Per Record, $- to $250.00]

[Chart: Insured loss by industry. Series: Median, Mean. Axis: $1,000 to $10,000,000]

Sources shown: NetDiligence, Symantec


Aggregation Is More than the Cloud

AIR’s Prototype Cyber Framework and Its Roadmap

Catalog
• Frequency of attack data from sample VERIS breach database
• Stochastically generated breach events
• Signed with RBS to get a comprehensive dataset
• Creating a 100K catalog using all available data

Exposure
• Over 400 companies in our sample exposure database
• Getting Internet footprint data from BitSight
• Open data standards schema released and implemented in Touchstone
• Building a cyber industry exposure database

Vulnerability
• 10 key basic risk factors, including company industry and encryption
• Signed with BitSight
• Relative vulnerabilities between industry, company size, etc.
• BitSight score as real-time secondary features in model

Loss
• Loss per record information from Symantec, accounting for risk features
• Framework calibrated to the reported loss from the 2013 Target breach
• Partnering with insurance companies to receive cyber loss data
• Modelling of loss aggregation scenarios

Model
• Results and reports available through consulting studies
• Deterministic and probabilistic results
• Will be in Touchstone in the future