MITIGATING CYBER RISKS

8 MARCH 2019
AGENDA

 JLT Intro & Evolving Risk Landscape - Amit Solanki, JLT

 Quantification & the need for Monitoring Risk – Burgess Cooper, E&Y

 Current Regulatory Climate – Fines and insurability – Sarah

Stephens, JLT

 Insurance as Solution – Vernica Walia, JLT

JLT INDEPENDENT INSURANCE BROKERS 2

WHO WE ARE

JLT is a global organisation of specialists and one of the world’s leading providers of insurance, reinsurance and employee benefits related
advice, brokerage and associated services.

Our collaborative approach enables us to share knowledge, solve problems and deliver the best solutions for our clients. We have the freedom
to take on new challenges, think creatively and capture opportunities that others may not. We always aim to do what is right for our clients, our
colleagues, our trading partners and our shareholders.

10,000+ 2017 Revenues of Market Capitalisation

of over
Over 10,000 colleagues
£1.39bn £2.8bn*

£191.5m £11.1bn 115+Offices

Premiums placed
2017 Underlying profit
before tax (2017) 40+Territories
The full results of the JLT Group to 31 December 2017 are available at jlt.com *
March 2018

JLT INDEPENDENT INSURANCE BROKERS 3

JLT INDEPENDENT SPECIALTIES

JLT INDEPENDENT INSURANCE BROKERS 4

GLOBAL SPECIALISTS

Focusing and growing in specialist areas where we offer distinctive products, services and independent choice, such as:

£100bn 60%
CONSTRUCTION SPECIAL RISKS
JLT’s London construction team JLT has been broker to over 60%
manages the insurance of the world’s biggest sporting
requirements for projects globally events over the last decade
with a value in excess of £100bn

40% 50%
AEROSPACE REAL ESTATE
Representing 40% of the world’s Broker to more than 50% of all
airline operators with 10 or more commercial properties in the City
aircraft in service of London

UK’sNo.1 30%
EMPLOYEE BENEFITS ENERGY
JLT is the UK’s largest JLT handles in excess of 30% of
administrator of private sector the world’s mobile drilling rig fleet
pensions

JLT INDEPENDENT INSURANCE BROKERS 5

RISK LANDSCAPE
WHAT IS CYBER RISK
WHO CAN IT IMPACT?
What is Cyber Risk?
Any threat connected to the use of technology or data, impacting a business or an individual, is a cyber
risk.
Any entity that utilizes a computer network or processes/collects confidential information is at risk

JLT INDEPENDENT INSURANCE BROKERS 7

POTENTIAL IMPACT OF A BREACH

A data and security breach can have serious operational, financial, legal and reputational implications for an organization.
Costs associated with a privacy breach and a security breach

JLT INDEPENDENT INSURANCE BROKERS 8

CYBER INSURANCE ECOSYSTEM

Identification Management

Notification &
Extortion
Response Public Relations Forensic Experts Legal Experts
Specialist
Consultants

Establishing Response to
Notification Call center Ransom
the extent of third party
letters support Negotiation
the breach liability claims

Payment of
Mailing and Setting up e- Forensic
settlements Ransom
other support examination
and court Payment
transmission mechanism costs
judgements

Monitoring Remediation Responding to Mitigation

Mitigating
support and of identified a regulatory expenses &
reputation loss
expenses vulnerabilities investigations support

JLT INDEPENDENT INSURANCE BROKERS 9

CASE STUDIES
BRITISH AIRWAYS (BA) – BUSINESS INTERRUPTION
SYSTEM FAILURE IMPACTED
Operational Negligence Analysis
The Incident
• On May 27th, 2017, BA
cancelled all flights from
Heathrow and Gatwick
following a massive global IT
failure
• The CEO suggested that the
failure happened due to a
power outage
• However, reports pointed that
the failure was due to BA’s
decision to outsource
hundreds of IT jobs to India
JLT INDEPENDENT INSURANCE BROKERS
Business Impact Conclusion
• The system outage • Internal enquiry was
impacted 75,000 conducted to determine
whether BA outage was
customers human error
• All flights from Heathrow
• IT worker responsible for
and Gatwick were cancelled
accidently switching off
on May 27th and several
power supply
flights were delayed for the
next few days
• GBP 80,000,000 cost
incurred by British Airways
11
MARRIOTT BREACH – BREACH OF PRIVACY
Full System Failure Analysis
The Incident
• On November 30th 2018,
Marriott disclosed data breach
impacting as many as 500mn
consumers.
• Hack began at Starwood in
2014 before it was acquired
by Marriot.
• Waited 3 months to reveal
the hack - Inadequate and
delayed
• Drop in share price by 7%;
securities class action lawsuit
JLT INDEPENDENT INSURANCE BROKERS
Business Impact
• Class action lawsuits - by
customers & shareholders.
• One lawsuit for $12.5
billion in damages, or $25
for each of the 500 million
individuals affected
• Marriott might be exposed
to GDPR data privacy rules
Conclusion
• Highlights the systemic
nature of cyber risk
• Focuses on potential fallout
of cutting costs from
mergers.
• This has the potential to be
the largest standalone cyber
insurance loss in history – if
considered insured
12
MORRISON CASE
VICARIOUS LIABILITY
Inherent Liability
The Incident
• A former senior employee of
Morrisons, leaked personal
details of 100,000 of
Morrisons' employees on a file
sharing website and sent the
data to the press.
• 5,500 affected employees
sued Morrisons for breach of
the Data Protection Act 1998
(UK), alleging misuse of
private information and for
breach of confidence
JLT INDEPENDENT INSURANCE BROKERS
Business Impact Conclusion
• The (ex)employee was • Courts tend to use the
found guilty of fraud, broad and evaluative
securing unauthorised approach when considering
access to computer material employer's vicarious liability.
and disclosing personal
data and was given an
eight year sentence
• The court also held
Morrison vicariously liable
stating that acts of the
Morrisons' employee in
sending data to third parties
were within the field of
activities assigned to him by
Morrisons.
13
MONDELEZ - COVERAGE AND CHALLENGES
Coverage Issue & War Exclusion
The Incident
• In June 2017, the food
company Mondelez
International was hit by
NotPetya
• the malware caused damage
to the company’s network
servers and computers in
excess of $100 million
• Mondelez submitted its losses
to its property insurer, which
denied coverage in reliance
on the policy’s war exclusion.
• Mondelez disagreed, and filed
suit against Zurich on October
10, 2018
JLT INDEPENDENT INSURANCE BROKERS
Insurer’s Stand & Impact
• Insurer will have the burden
to prove that the NotPetya
attack was a “hostile or
warlike action – can be true
for all Cyber attacks.
• War exclusions were
developed with physical
conflicts in mind.
• While a cyber attack by one
warring party against
another could be an act of
war, the same would not be
true of an unintended attack
on an innocent third party.
Conclusion
• Cyber insurers are
increasingly willing to
modify war exclusions so
that they don’t apply to
cyber terrorism.
• An unexpectedly broad
ruling in Zurich’s favor might
give cyber insurers an
argument under their war
exclusions.
14
GOOGLE
FRENCH REGULATORY ACTION
Regulatory Fine
The Incident
• Investigations against
Google’s basis a complaint
filed by local groups.
• The regulator CNIL stated that
- Google breached the GDPR
by failing to meet
transparency and information
requirements,
• Failing to obtain a legal basis
for processing.
• Invalid consent for ads
personalization, because it
isn't specific and users aren't
sufficiently informed
JLT INDEPENDENT INSURANCE BROKERS
Business Impact
• $57 million fine, the
biggest handed out for a
data protection violation and
the French agency's first
penalty under GDPR, are
justified by the regulator due
to severity of the
infringements
• This is small compared to
the maximum limits allowed
by GDPR
• Google announced that it
planned to appeal the fine
Conclusion
• Besides the fine regulator
pointed out that maintaining
status quo will lead to
further fines in France and
also by other regulators.
• Separately, Google has
been accused of GDPR
privacy violations by
consumer groups across
seven European countries
15
FACEBOOK MULTIPLE INCIDENTS
CYBER & MANAGEMENT LIABILITY
Regulatory Fine/ D&O Derivative Claim
The Incident
• Earlier in 2018, Facebook
disclosed they had granted
access to 87 million user data to
Cambridge Analytica.
• In July 2018, Facebook reported
slower-than-expected revenue
growth and predicted reduced
margins for the coming quarters.
• The value of the company’s
shares declined 19%,
representing a drop in market
capitalization of nearly $120
billion. There was no regulatory
action
JLT INDEPENDENT INSURANCE BROKERS
Financial / Business
Impact
• Facebook Inc. was slapped
with a symbolic 500,000-
pound fine by the UK’s
privacy regulator – highest
possible under old rules
• A recent UK report calls for
sites such as Facebook to be
brought under regulatory
control,
• Facebook and the Federal
Trade Commission are
discussing a settlement that
could amount to a record,
multibillion-dollar fine
Litigation/Enquiries
• The investigation in New York
continues with increased
scrutiny on unlawful practices.
• Lawsuits filed alleging
company had mispresented
its policies with respect to the
use and sale of its user data;
on the company’s disclosures
about its GDPR readiness
and related privacy issues
• Continuing investigations in
Europe under privacy and anti
trust laws – Germany,
Ireland(10), UK
16
INDIA SCENARIO

Aadhaar Data Breach Largest in the World, Says WEF’s Global Risk Report

- (1.1 Billion Registered Citizens)

• Privacy has been recognized as a fundamental Constitutional right by the Supreme Court.

• Ministry of Electronics and Technology committee - The B.N. Sri Krishna Committee released the Draft Data
Protection bill.

Modeled on EU GDPR and China regulations the act maintains similar fines for non compliance and holds organizations
responsible. – proposed fine of 2 - 4% of worldwide turnover OR INR 5 cr to INR 15cr, whichever is higher

This if and when passed should act as the one comprehensive legislation encompassing all industry specific cyber laws.

• The Ministry of Health and Welfare - Digital Information Security in Healthcare Act ("DISHA" Establish National
eHealth Authority ("NeHA") ;

• Telecom Regulatory Authority of India (TRAI) - Privacy Regulations

JLT INDEPENDENT INSURANCE BROKERS 17

QUANTIFICATION OF
RISK
CYBERSECURITY MANAGEMENT FRAMEWORK

Cybersecurity Program Management Framework aligns with information security frameworks such as ISO 27001/2, NIST,
SANS, PCI DSS 3.0 and industry leading practices and regulations which help assess and improve your security posture
and program. These are also some of the things insurers look at while evaluating your risk.

19
EY CYBER PROGRAM MANAGEMENT ASSISTS WITH..

Diagnose Design and deliver Sustain

Plan work and Determine future Measurable
establish Assess current state and areas Develop security Execute program Continuous impact
engagement state for improvement roadmap recommendations improvement
protocols

First Insurer Evaluation Annual Renewal Discussions

 Understanding your organization’s risk exposure

 Assessing the maturity of your current information security program and identifying areas for improvement
 Ensuring a process of continuous monitoring and assessment

20
MATURITY RATINGS
Maturity ratings provide a quantitative
method for identifying gaps,
benchmarking against industry and
tracking progress.
The following maturity rating scale was used to
assess the current maturity of Company A
information security program and capabilities and
identify where improvements are required.
The maturity scale:
► Considers governance, metrics, people,
processes, technologies and tools
► Helps determine strategic program initiatives
to implement to reach desired future maturity
► Can be used to evaluate changes in maturity
over time as recommendations are
implemented
Maturity level descriptions
Initial
1 ► Basic,ad-hoc, undocumented; changing capability may be in place with
some technology and tools; limited local processes; limited organizational
support.
Managed
► Partial capability is in place with a combination of some technology and
2 tools; local processes covering some regions/business units or processes
are repeatable but may not be good practice or maintained; limited
organizational support to implement good practice.
Defined
► Defined capability is in place with significant technology and tools for some
3 key resources and people; processes defined for some regions and/or
business units; organizational guidance and support is in place for some key
regions and/or business units.
Quantitatively managed
► Mature capability is in place with advanced technology and tools for most
key resources and people; consistent processes exist for most regions
4
and/or business units; some governance is in place
(accountability/responsibility/metrics) for most key regions and/or business
units.
Optimizing
► Advanced capability is in place that is leading-edge technology and tools for
5 all key resources and people; consistent process across regions and
business units; effective governance is in place
(accountability/responsibility/continual monitoring for improvement).
21
MATURITY ‘SPIDER GRAPH’ RATING
FOR ILLUSTRATION PURPOSE ONLY
Domain
Domain name Client Sector
category Cyber Program Maturity Ratings
Govern Governance and organization 1.2 1.8
Governance and
Strategy 1.4 1.7 organization
Awareness 3.5 Strategy
Policy and standards 1.1 1.0
3 Policy and
Incident response
Complicate Architecture 1.4 1.4 2.5
standards

Asset management 1.8 1.8 2

BCP/DR Architecture
Host security 2.0 2.5 1.5

Identity and access management 1

1.6 2.4
Security monitoring Asset management
0.5
Network security 2.7 2.2 0
Operations 2.7 3.0 Vulnerability
identification & Host security
Data protection 1.7 1.5 remediation

Privacy 2.0 2.3

Third party Identity and access
Software security 1.2 1.9 management management

Third party management 2.2 1.9

Software security Network security
Vulnerability identification &
remediation 1.7 1.8 Privacy Operations
Data protection
OT Security 1.8 -

Detect Threat intelligence 0.9 - Company A DIP Banking

Security monitoring 1.4 1.9

Respond BCP/DR 2.7 1.4

Overall Maturity Rating : 1.62
Incident response 1.4 2.0

Educate Awareness 1.6 1.6

Legend: Better than peers in Diversified Worse than peers in Diversified At par with peers in Diversified
Industrial Products (DIP) Industrial Products (DIP) Industrial Products (DIP)

22
EVOLVING
REGULATORY
SCENARIO
CURRENT REGULATORY CLIMATE
GLOBAL CHANGES WITH RESPECT TO NOTIFICATION/ FINES

EUROPEAN UNION
The General Data Protection Regulation has given data protection wider territorial scope, harsher sanctions (max
fines of EUR 20M or 4% of global turnover); broader investigative and corrective powers (on-site data protection
audits and public warnings/orders for remediation processes); and it has made it easier for individuals to claim
compensation.
The other changes resulting from GDPR include;
• A bigger variety of data covered by the regulations due to the broader definition of “any information relating to
an identified or identifiable natural person (data subject).”
• Suppliers and processors are now being directly regulated for the first time
• Controllers are now responsible for ensuring that the data protection principles are complied with (need clear
processes to help them meet tightened protocols for data collection)
• The legal requirements for data processing are now more difficult for companies to meet, so they need to be
more vigilant with processing checks
• Increased focus on international information transfers by the media and regulators
• Compulsory notification to supervisory authorities and victims within 72 hours of breach alerts and “without
undue delay” for high risk cases
• More transparency is required with the introduction of subject access rights (affecting individuals). Data subjects
now have the right to require information about the data being processed concerning them; access to data in
certain circumstances and the ability to correct inaccurate data.
• Companies now have to be more accountable, with thorough evidence of their compliance available for regular
inspection and appointed data protection officers
EU member states retain the right to introduce their own laws, so companies need to stay on top of all the territorial
differences to see if the various laws impact their processing activities.

JLT INDEPENDENT INSURANCE BROKERS 24

CURRENT REGULATORY CLIMATE
GLOBAL CHANGES WITH RESPECT TO NOTIFICATION/ FINES

USA
Privacy and data protection regulation varies from state to state and can also be dependent on
industry. All individual state regulations address notification procedures, but some add further
requirements like developing formal information security programs (MA) and encrypting payment
card information in transit (NV). The industry-specific legislation for data regulation includes;
• Health Insurance Portability and Accountability Act
• Gramm-Leach-Bliley Act (finance)
• Children’s Online Privacy Protection Rule
• Fair Credit Reporting Act
• Payment Card Industry Data Security Standard (retail)
Insurers are increasingly wary of providing broad cover for all US privacy regulations. As the amount
of resources allocated to privacy and data protection increase, the amount of investigations and
resulting penalties are expected to rise. California has recently passed its own version of Europe’s
GDPR, known as the California Consumer Privacy Act, which will come into effect in January
2020. The act applies to all companies that hold data on over 50,000 people and imposes fines of
USD 7,500 per violation.
The Federal Trade Commission (FTC) is the only body with the authority to investigate broad
violations of privacy or perceived misleading trade practices nationwide and Attorney Generals have
the same authority at a state level. The FTC step in to enforce the rules predominantly when
companies have unlawful access to personal consumer information and use it in an illegal way.
They continue to engage with the global community and authorities to increase US company
awareness of the correct privacy and data protection practices, ensuring their compliance.

JLT INDEPENDENT INSURANCE BROKERS 25

CURRENT REGULATORY CLIMATE
GLOBAL CHANGES WITH RESPECT TO NOTIFICATION/ FINES

AUSTRALIA
Data privacy and protection consists of both Federal and State/Territory legislation. The Federal
Privacy Act 1988 and Australian Privacy Principles (APPs) apply to the private sector that earn at
least AUS 3 million annually and all Commonwealth Government and Capital Territory Government
agencies. The Australian Senate passed a bill establishing mandatory notification to the Privacy
Commissioner and victims of ‘eligible’ breaches, which came into effect in February 2018. The bill
affects the same people as the Privacy Act, plus foreign companies that deal directly with Australian
consumers and companies sending personal information offshore. Failure to comply could result in
maximum fines of AUS 1.8 million for serious and repeated offences. The bill has similar insurance
considerations as GDPR, but less extensive.
ASIA
The APEC Privacy framework published in 2005 compliments regional approaches to personal data
privacy, but these are only principles that aren’t as enforceable as the GDPR. Recent law changes in
Singapore, Malaysia, China and South Korea show that regulation is becoming more of a priority
across the continent. Chinese data protection has advanced significantly, and South Korea, the
Philippines, Indonesia and Japan also have mandatory reporting requirements. As Asia’s economies
increasingly deal with the global community and trade across borders, they are increasingly reliant on
technology, so their regulations are likely to tighten. Hong Kong’s Privacy Commissioner for personal
data has announced a study of GDPR with a view to implementing something similar in the coming
years. The same incident response considerations as Europe and Australia apply. In Asia, it is also
customary to offer small amounts of compensation to consumers after a breach, so insurers may
consider extending cover for voluntary ‘settlements’ or ‘costs to proactively compensate consumers.’

JLT INDEPENDENT INSURANCE BROKERS 26

CURRENT REGULATORY CLIMATE
GLOBAL CHANGES WITH RESPECT TO NOTIFICATION/ FINES

CANADA
There is a patchwork of 28 different privacy laws on a federal and provincial level, which govern issues
like the protection of personal information, collection of data, online privacy and behavioural advertising.
The overarching federal law is the Personal Information Protection and Electronic Documents Act
(PIPEDA). In September 2017, regulations were also added to mandate breach reporting under
PIPEDA. There is increasing pressure for broader privacy laws to mirror GDPR, as there is currently
only an ‘adequate’ level of data protection during information transfers. Incident response coverage and
privacy violation considerations are the same as in Europe, but the wording should be as vague as
possible to encompass the patchwork of laws and to ensure that definitions aren’t too restrictive for
personal information.
LATIN AMERICA
Data protection and privacy rules across LatAm consist of both federal and local legislation. The
countries with specific data protection laws include; Columbia, Brazil, Argentina, Mexico, Peru, Chile,
Nicaragua, Costa Rica, Panama, Uruguay and Paraguay.
The EU traditionally sets the bar for data protection regulation around the world and some obligations
can be applied in non-EU countries. Countries in regions outside of Europe can also decide to follow
GDPR obligations for the potential monetary benefits of being considered “adequate” for data transfers
from Europe. For this reason, the introduction of GDPR has had a knock on effect in Latin America, with
their regulations becoming stricter and new bills being proposed that mirror some features of the
European legislation in Brazil, Argentina and Chile. This is bringing a new level of consistency to the
global community’s data protection and privacy laws, but companies should still be aware of the
different regional wording and requirements.

JLT INDEPENDENT INSURANCE BROKERS 27

INSURANCE AS A
SOLUTION
CYBER INSURANCE
FIRST PARTY COVER(OWN COSTS)

Forensic IT, Legal and PR Costs

Regulatory Investigations – Costs & Fines (where insurable)

Notification & Credit Monitoring

PCI Data Security Standards

Electronic Data Reconstitution

Cyber Extortion

Loss of Income & Costs – Interruption due to Security Breach,

Privacy Breach & Cyberterrorism

JLT INDEPENDENT INSURANCE BROKERS 29

 Personal & Corporate Data Liability

Outsourcing Liability

Data Security Liability – denial of access, virus transmission etc

Media Liability: infringement of copyright, plagiarism, libel/slander,

invasion of privacy

Defence Costs & Damages

JLT INDEPENDENT INSURANCE BROKERS 30

KEY EXCLUSIONS

• Antitrust

• Bodily Injury and Property Damage (carve back available now)

• Contractual Liability (carve back available now)

• Intellectual Property

• Prior Claims and Circumstances (retro date concept)

• Securities Claims

• Terrorism / War

• Unauthorised or unlawfully collected data (carve back available now)

• Uninsurable Loss

JLT INDEPENDENT INSURANCE BROKERS 31

EVOLVING CYBER COVERAGE

Third Party Business

Liability Interruption due Supply Chain Cloud
endorsements to breach cover cover Coverage

First party System Failure Outsourcing Individual

expenses and coverage Cover Cyber + Crime
liability policy cover

Recent Enhancements
• Network Security coverage

• Additional Costs for System Upgrade

• Property Damage Gap cover

• SLA Penalties cover

• Cyber Product Liability Cover

JLT INDEPENDENT INSURANCE BROKERS 32

COMMON QUESTIONS WE HOPE TO HAVE
ADDRESSED
• What a Cyber Policy covers

• Difference between first party costs and third party liability

• Cyber risk is just hacking, right?

• We outsource payment processing, data storage, so how are we at risk?

• My biggest risk is my reputation, and this can cover that?

JLT INDEPENDENT INSURANCE BROKERS 33

CONTACT INFORMATION

Amit Solanki | Lead Partner | JLT Independent

+91 9820769692
Amit_Solanki@jltindependent.com

Burgess Cooper | Partner Advisory, Services | E&Y

M: 99308 18333
E: Burgess.cooper@in.ey.com

Vernica Walia | Principal Consultant | JLT Independent

+919930423012
Vernica_Walia@jltindependent.com

Disclaimer: Insurance is the subject matter of solicitation. The information contained in this publication is based on sources we believe are reliable however we do not
guarantee its accuracy. This information provides only a general overview of subjects covered; is not intended to be taken as advice regarding any individual situation or as
legal, tax, or accounting advice; and should not be relied upon as such. Recipients of this publication should consult their own legal and other advisors regarding specific
coverage and other issues.

For more details on risk factors, terms and conditions please read sales brochure carefully before concluding a sale.

Authorised and regulated by the Insurance Regulatory and Development Authority of India (IRDAI). An associate of the
Jardine Lloyd Thompson Group. JLT Independent Insurance Brokers Private Limited, +91 22 4510 5900,
www.jltindependent.com