New A.M. Best Cyber Questionnaire
PAMIC Eastern Conference
October 2015
Agenda
• Questions
• The A.M. Best Cyber Risk Questions
• Cybersecurity Framework
• Guiding Principles for Boards
Cyber Security vs Information Security
• Cyber Security is the use of various technologies and processes to protect networks, computers, programs and data from attack, damage or unauthorized access.
• Information Security is protecting information from unauthorized access, use, disruption, modification or destruction regardless of how the information is stored, whether electronic or physical.
Content of the Questionnaire
• Cyber Risks
• Coverage offered
• Privacy (HIPAA) violations
• Credit monitoring costs
• Cloud technologies and exposures
• General liability exposures
• Coverage obtained
• Business interruption exposures
• D&O risks
• Reconstruction costs
• Reputation risks
Information from A.M. Best Presentation*
A.M. Best survey results show:
• Only 3% of companies surveyed have written over 1,000 cyber risk policies.
• Companies with larger surplus positions have experienced more cyber attacks, but size does not eliminate risk.
• 72% of companies report that responsibility for cyber security rests with the IT department.
• The most significant challenges reported by management are a lack of data and of consequence-oriented analytics.
*A.M. Best Insurance Industry Update, IASA NY/NJ Chapter, Robert Raber, Senior Financial Analyst, A.M. Best Company, May 18, 2015
Information from A.M. Best Presentation*, Continued
• A.M. Best added specific questions to the Supplemental Rating Questionnaire, and analysts are including cyber coverage in rating meeting discussions.
• A.M. Best Special Report, “Cyber Security Presents Challenging Landscape for Insurers and Insureds”, December 5, 2014
Cyber Questions
• Has your company been a target of a data breach/cyber-attack?
• Where does the responsibility lie in your organization to manage cyber-related risks?
• What controls do you have in place?
• Do you offer coverage as a separate policy or bundled?
• What are your premium and loss expectations?
• What are your costs for crisis services (forensics, notification)?
• What is your legal defense cost?
Other Questions Asked
• What controls (internal and external) do you have in place to manage a data breach / cyber attack (policies and procedures)?
• How often do you conduct penetration testing?
• How often do the company’s cyber security professionals receive training?
• During the past five years, how much have you invested in upgrading systems (hardware and software)?
• How much of such investment was specifically dedicated to preventive measures against cyber attacks and data breaches?
• How much are you planning to invest during the next two years?
• If you use TPAs, cloud, or shared devices (storage or otherwise), how are you managing your risks?
• Briefly describe your efforts to ensure up-to-date “best practices” and the latest preventative methods are used.
Framework for Improving Critical Infrastructure Cybersecurity
National Institute of Standards and Technology (NIST) Framework: five core functions
• Identify
• Protect
• Detect
• Respond
• Recover
Five Principles for Boards seeking to enhance oversight of cyber risks
I. Cybersecurity is an Enterprise Risk Management issue, not just an Information Technology issue.
II. Boards should understand the legal implications of cyber risks.
III. Boards should access cybersecurity expertise and discuss it regularly as a standing agenda item.
IV. Boards should set the expectation that management establish an ERM framework with adequate staffing and budget.
V. Board and management discussion of cyber risk strategies (avoidance, acceptance, mitigation or transfer) should include specific plans.
Source: National Association of Corporate Directors + AIG + Internet Security Alliance, Five Guiding Principles
Contact Information
Lisa Cosentino, CPA, CIA, CFE, FLMI
Managing Director
Cell 215.300.7361
Office 267.670.7320
[email protected]