A Retail Perspective on the Growth and Development of ...

Carrie Yang & Ron Sung May 27, 2021 A Retail Perspective on the Growth and Development of Cyber Insurance


Page 1: A Retail Perspective on the Growth and Development of ...

Carrie Yang & Ron Sung

May 27, 2021

A Retail Perspective on the Growth and Development of Cyber Insurance

Page 2: A Retail Perspective on the Growth and Development of ...

Aon’s Cyber Solutions

Proprietary & Confidential 1

Cyber insurance projected to grow from ~$5.5 billion at year-end 2019 to $20 billion by 2025

Sources: Aon proprietary data; Aon Inpoint; 2017 “Global Cyber Risk Transfer Comparison Report,” Aon/Ponemon Institute; 2016 Cyber—The Fast Moving Target: Benchmarking views and attitudes by industry; Insurance Business America, PwC, The Betterley Report, Advisen, Allianz, Allied Market Research; CSIS

Growth Drivers

▪ C-suite and Board-level awareness and concern

▪ Reputational risk and balance sheet protection

▪ Stricter regulatory environments, led by GDPR

▪ Supply chain risk – emanating from both third parties and software compromises

▪ Increases in recent attacks, malware proliferation, and levels of sophistication

▪ Increased small and medium enterprise (SME) demand based on exposure and resource constraints

Growth of Cyber (Re)insurance Market

Years shown: 2019, 2020, 2022, 2025

Market size labels on the chart: $5-6bn, ~$9bn, ~$14bn, ~$20bn

US

▪ ~$4.4bn in GWP*

▪ 10%-20% growth

▪ All 50 states regulated

UK & EU

▪ ~$800mn in GWP

▪ ~50% growth

▪ GDPR now active

RoW

▪ ~$300mn in GWP

▪ GDPR spurring new privacy laws beyond Europe

Total cost of cybercrime in 2018

Total cost of cybercrime in 2022

Page 3: A Retail Perspective on the Growth and Development of ...

High Profile Events / Incidents

Years on the timeline: 2000, 2002, 2008, 2013, 2015, 2016, 2017, 2018, 2018, 2019, 2020, 2021, 2021

Events on the timeline:

▪ Aon founded its Technology Cyber Group

▪ Heartland Payment Systems Data Breach

▪ Anthem Data Breach

▪ Yahoo Data Breach

▪ Marriott/Starwood Data Breach

▪ Dot com bubble

▪ California Senate Bill 1386 passed – first Mandatory Data Breach Disclosure Law

▪ Target Data Breach

▪ All 50 states enacted data breach notification law

▪ WannaCry

▪ NotPetya

▪ COVID 19

▪ Equifax Data Breach

▪ EU GDPR Effective

▪ Mondelez vs Zurich

▪ Significant increase in ransomware attacks

▪ SolarWinds Cyber Attack

▪ Microsoft Exchange Server Breach

▪ CNA Cyber Incident

▪ Colonial Pipeline Ransomware Attack

Page 4: A Retail Perspective on the Growth and Development of ...

Organizations across all industries continue to invest in deploying digital technologies to stay competitive and drive quality and efficiency objectives

The Evolving Cyber Threat

Diagram columns: Economic Drivers, Technology Drivers, Strategic Threats

Automation

▪ Production

▪ Distribution / Supply Chain

▪ Sales

▪ Critical Infrastructure

▪ Property Damage

▪ Bodily Injury

▪ Products Liability

Disruption Risk

Confidential Risk

Supplier Risk

▪ PII

▪ PCI

▪ PHI

▪ IP

▪ Regulations

Connectivity

Artificial Intelligence

Social Media

Cloud Computing

Mobility

Internet of Things

Distributed Ledger / Blockchain

Virtual Reality

Big Data

Page 5: A Retail Perspective on the Growth and Development of ...

Key Pillars of a Cyber Insurance Policy

Prevention

▪ Pre-breach assessments

▪ Access to pre-vetted vendors

▪ Cyber security information

Assistance

▪ Forensic investigators

▪ Legal services

▪ Notification

▪ Credit Monitoring

▪ Call Center Services

▪ Crisis Management / Public Relations

Operations

▪ Costs incurred to keep or return the business to operational

▪ Loss of revenue, income, turnover

▪ Costs incurred to recreate or restore data and information

Liability

▪ Legal costs and damages from claims alleging privacy breach or network security failure

Page 6: A Retail Perspective on the Growth and Development of ...

Market Standard Cyber Coverages Overview

Operational Risk

– Network Business Interruption

– System Failure

– Dependent Business Interruption / System Failure

– Cyber Extortion

– Digital Asset Restoration

Privacy and Network Security Risk

▪ Privacy and Network Security Liability

▪ Privacy Regulatory Fines and Penalties

▪ PCI Fines and Penalties

▪ Breach Event Expenses

Diagram labels: Supply Chain Disruption; Network Business Interruption; Technology Infrastructure; Evolving Regulation; Reputational Risk; Liability; Breach Expenses

Page 7: A Retail Perspective on the Growth and Development of ...

2020 Aon Sponsored Ponemon Institute: The total value of PP&E and information assets

Chart series: Total value of PP&E; Total value of information assets (FY2015, FY2017, FY2019, FY2020; extrapolated value, $ millions)

Data labels: $919, $933, $947, $1,082, $1,032, $1,161, $1,223, $1,274

Page 8: A Retail Perspective on the Growth and Development of ...

2020 Aon Sponsored Ponemon Institute: The PML value for PP&E and information assets

Chart series (FY2015, FY2017, FY2019, FY2020; extrapolated value, $ millions):

▪ Value of the largest loss (PML) that could result from damage or the total destruction of PP&E

▪ Value of the largest loss (PML) that could result from the theft and/or destruction of information assets

Data labels: $804, $1,170, $796, $1,080, $770, $979, $701, $773

Page 9: A Retail Perspective on the Growth and Development of ...

2020 Aon Sponsored Ponemon Institute: The percentage of PP&E and information assets covered by insurance

Chart series (FY2015, FY2017, FY2019, FY2020):

▪ Percentage of potential loss to PP&E assets covered by insurance

▪ Percentage of potential loss to information assets covered by insurance

Data labels: 55%, 12%, 59%, 15%, 60%, 16%, 61%, 15%

Page 10: A Retail Perspective on the Growth and Development of ...

Purchasing Trends by Industry

Limit increases at renewal for existing buyers

▪ Industries that have traditionally purchased cyber insurance are generally seeking higher limits options

Rapid growth in cyber captive market*

▪ Healthcare & energy industries leading the way, utilizing their captives for cyber coverage

▪ 41% of captives surveyed are incubating cyber risk

▪ Range in limits of cover taken out is up to USD$100 million

▪ Estimated that 34% of all captives will be writing cyber in five years’ time

New buyers focused on business interruption

▪ Manufacturing, critical infrastructure, pharmaceutical / life sciences, industrials & materials / automotive, public sector, energy / power and utilities, higher education, real estate / construction, agribusiness and transportation / logistics industries continue to lead new cyber insurance purchases

Shifting focus on cyber risk exposures

▪ New privacy regulations have refocused many buyers on breach exposures and the potential for fines and penalties

▪ Clients across industries continue to focus on business interruption coverage, including, among other things, system failure cover, cyber extortion and digital asset restoration

▪ Non-affirmative (“silent”) cyber coverage on property and casualty policies demonstrates the critical importance of matching customized cyber policy language to specific insured cyber exposures

*Aon's 2019 Cyber Captive Survey - Creating Value for the Cyber Risk Agenda

Page 11: A Retail Perspective on the Growth and Development of ...

Non-affirmative (“Silent”) Cyber: Potential Cyber Perils Under Property and Casualty Policies

Note that coverage in policy forms can vary materially from carrier to carrier, and from base policy forms to manuscript policy forms. All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.

Cyber

▪ Business interruption resultant from non-physical damage to computer systems due to a system failure

▪ Security and privacy liability including settlements and defense costs

▪ Breach response expenses

▪ Cyber extortion

▪ Bodily Injury and Property Damage (possible)

Property

▪ Hacking automated manufacturing facilities to halt production

▪ Inflicting bodily injury or property damage through compromised network systems

▪ Plant explosions or damage due to a cyber related event

General / Product Liability

▪ Automated system hacking modifies product specs, creating faulty devices

▪ Increased products exposures to Internet of Things (“IoT”) vulnerabilities

Crime

▪ Business Email Compromise via social engineering

▪ Hacking major financial institutions or accounting software to steal monies

▪ Bitcoin wallet manipulation

Kidnap & Ransom

▪ Social media extortion

Intellectual Property

▪ Proprietary design specs for tangible and intangible assets

▪ Trade secrets

▪ Copyright materials

D&O

▪ Disclosures of cyber incidents have a material impact on the organizations’ financial statements

▪ Reporting requirements

▪ Regulatory scrutiny

Marine

▪ Computerized hijacking

▪ Container tracking systems

▪ GPS navigation systems

▪ Automated shipyard processes

Terrorism

▪ Hacking medical devices to inflict bodily harm to political or public figures

▪ Deliberate release of misinformation to cause riot or civil unrest

Recall

▪ Hacking automated manufacturing plants

▪ Hacker contamination of design specs

▪ Nanotechnology and 3D printing

Environmental

▪ Attacks on nuclear or energy facilities release hazardous chemicals or air emissions

▪ Untreated sewage releases to poison water supply

▪ Disablement of critical infrastructure leading to fires or explosions

Page 12: A Retail Perspective on the Growth and Development of ...

Mondelez v Zurich

June 27, 2017: Mondelez affected by malicious code later dubbed NotPetya: 1700 Servers and 24,000 Laptops affected

June 1, 2018: Zurich formally denies Mondelez’ claim based on exclusion b(2)a: War Exclusion

July 18, 2018: Zurich rescinds denial – offers $10M partial payment

October 9, 2018: Zurich reasserts denial

October 10, 2018: Mondelez files suit for coverage for losses in excess of $100M

Relevant Details:

Exclusion b(2)(a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any:

(i) government or sovereign power (de jure or de facto);

(ii) military, naval, or air force; or

(iii) agent or authority of any party specified in i or ii above.

~$104M earnings reduction, $84M extra expense – 2017 Q4 Earnings Release

According to Property Claim Services (PCS) the total industry loss from the Petya / NotPetya cyber attack has now passed $3 billion, roughly 90% of which was driven by silent cyber impacts, the remainder from affirmative losses. https://www.reinsurancene.ws/petya-cyber-industry-loss-passes-3bn-driven-by-merck-silent-cyber-pcs/

Sample Cyber Carve-back language: “Cyberterrorism means the premeditated use of disruptive activities against any computer system or network by an individual or group of individuals, or the explicit threat by an individual or group of individuals to use such activities, with the intention to cause harm, further social, ideological, religious, political, or similar objectives, or to intimidate any person(s) in furtherance of such objectives. ‘Cyberterrorism’ does not include any such activities which are part of or in support of any military action or war.”

Page 13: A Retail Perspective on the Growth and Development of ...

Ransomware Loss Trends Expected to Continue Through 2021

Pricing - While average pricing increased from 2019 to 2020 by 5%–10%, guidance from almost all insurers has been that those rate adjustments were not enough to compensate for the increase in frequency and severity of losses.

Claim Severity - The average loss severity climbed each quarter of 2020. In many instances, clients experienced eight-figure ransomware event-related losses. Also, many of those large matters continue to be adjusted over the course of a year, as subsequent business interruption losses are reviewed, and liability claims are litigated.

Risk Selection - Insurers bolstered supplemental tools throughout 2020. Some carriers are using public-facing scanning resources to search for vulnerabilities that could be subject to cyber threats, and many have introduced new ransomware specific applications. These efforts are focused on improving insured risk controls, as well as improving risk selection for insurers.

Claim Frequency - Aon’s Cyber Solutions saw a typical cadence of three new E&O/Cyber matters per business day in 2020, up almost 100% from full year 2019, the majority being ransomware event-related.

In a survey of the top 12 E&O/Cyber insurers Aon trades with, 58% of respondents suggested they are seeking rate increases greater than 30% throughout Q2 2021.¹

¹Guidance is provided through Aon’s proprietary survey of the top 12 E&O/Cyber insurers Aon trades with. This is not proposed pricing, or guidance specific to a particular insured’s program. This is portfolio level guidance offered by underwriters who participated in the survey.

²Source: Aon’s Cyber Solutions U.S. Underwriter Survey, January 2021

Page 14: A Retail Perspective on the Growth and Development of ...

Cyber Incident Rates Over the Past 12 Quarters (Percent change relative to 2018-Q1)

Proprietary & Confidential: The content, analysis and commentary included herein are understood to be the intellectual property of Aon. Further distribution, photocopying or any form of third-party transmission of this document in part or in whole, is not permitted without the express, written permission of Aon.

Source: Risk Based Security, analysis by Aon. Data as of 1/5/2021; Ransomware payment per Coveware Ransomware Report as of 11/4/2020

Chart series: Data Breach / Privacy; Ransomware (quarterly, 2018-Q1 through 2020-Q4)

Data labels: 4%, 21%, 215%, 173%, 24%, 49%, 27%, 9%, -39%, -40%, -57%, 0%, -6%, -11%, 34%, 103%, 189%, 237%, 354%, 311%, 380%, 486%

Key Observations:

▪ Ransomware activity has dramatically outpaced Data Breach/Privacy Event activity over trailing four quarters.

▪ Ransomware up 486% from Q1 2018 to Q4 2020.

▪ Aon Cyber Claims Intake indicates 2020 will show a compounding increase of 150%, +300% over trailing two years.

▪ Data Breach/Privacy Events tracking to decline in 2020, first decline in trailing 5 years.

Page 15: A Retail Perspective on the Growth and Development of ...

Global Incident Growth Compared to 2012*

Source: Chubb Cyber Index. https://chubbcyberindex.com/#/incident-growth

Page 16: A Retail Perspective on the Growth and Development of ...

Total Claims Costs Since 2009

Source: Chubb Cyber Index. https://chubbcyberindex.com/#/incident-growth

*The "Other First Party Costs" category may include other types of losses such as business interruption and ransomware payments.

**The "Third Party Costs" category may include other types of losses, including PCI assessments, regulatory fines, and defense and settlements of third-party matters.

Page 17: A Retail Perspective on the Growth and Development of ...

E&O/Cyber Insurance – Market Trends as of Q2 2021

▪ Complex cyber losses have impacted the cyber insurance market, particularly traditional excess insurers where pricing has historically been extremely thin

▪ Ransomware activity has stressed SME and Middle Market segment of insurer portfolios

▪ Regulatory environment continues to gain complexity, particularly with emerging privacy legislation and litigation connected to BIPA, CCPA, and GDPR

▪ Certain insurers have started to retract coverage for ransomware events, in terms of adding coinsurance and/or sublimits

▪ Certain carriers have started to retract coverage for IT supply chain related events

▪ Insurers continue to emphasize panel arrangements, including use of pre-arranged vendors and legal support

▪ Insurers are aggressively managing their global capacity deployment

▪ Insurers are revisiting retentions, with pressure to increase on a primary basis; also evaluating their excess attachment points, and may limit capacity based on market segment or lack of security controls

▪ Certain insurers have started to increase waiting periods for Business Interruption/Systems Failure

▪ Certain carriers have started adding coinsurance for Dependent Business Interruption and with increased waiting periods

▪ The market conditions for E&O / Cyber are firming with a continued acceleration in Q2 2021, due to ransomware activity and concerns around systemic loss aggregation

▪ Insurer feedback suggests the need for 30% - 50% rate increase in the large enterprise segment

▪ The Middle Market / SME segments continue to show average premium increasing at +30%

▪ Aon anticipates continued amplified rate pressure on excess market placements, with more significant premium rate increases to underlying increased limit factors

Slide sections: Claims & Losses, Coverage, Capacity, Rate Environment

Page 18: A Retail Perspective on the Growth and Development of ...

Change of Underwriting Strategy ---- Hardening Cyber Market

Diagram labels:

▪ Apps

▪ Supplementals

▪ UW Meeting

▪ Insurability / Eligibility

▪ Profitability

▪ Frequency

▪ Severity

▪ Differentiation

▪ Retention

▪ Limit / Sublimit

▪ Co-insurance

▪ Rate

▪ Exclusion

▪ Breadth of Coverage

Page 19: A Retail Perspective on the Growth and Development of ...

Global Cyber and E&O Insurance Marketplace—2021

Aon Client Premium Spend: 72% Domestic, 23% London, 5% Bermuda

DOMESTIC

▪ AEGIS
▪ AIG
▪ Allianz
▪ Alterra
▪ AmTrust
▪ Argo
▪ Ascot
▪ Aspen
▪ At-Bay
▪ AWAC
▪ AXA XL
▪ AXIS
▪ BCS
▪ Beazley
▪ Berkshire Hathaway
▪ Chubb
▪ CNA
▪ Coalition
▪ Corvus
▪ Crum & Forster
▪ Everest
▪ Hanover
▪ Hartford
▪ HDI
▪ Hiscox
▪ Intact
▪ Liberty
▪ Markel
▪ MunichRe
▪ Nationwide
▪ Old Republic
▪ QBE
▪ Resilience
▪ RLI
▪ RSUI
▪ Safety National
▪ SCOR
▪ Sompo
▪ Starr
▪ Swiss Re
▪ Tokio Marine HCC
▪ Travelers
▪ W.R. Berkley
▪ Validus
▪ Zurich

LONDON

▪ AIG
▪ Allianz
▪ Arch
▪ Ascot
▪ Ascent
▪ Aspen
▪ Aviva
▪ AXA XL
▪ Axis
▪ Beazley
▪ Brit
▪ Canopius
▪ CFC
▪ Chubb
▪ EmergIn Risk
▪ Generali
▪ Hamilton
▪ HannoverRe
▪ HDI Gerling
▪ Hiscox
▪ Liberty
▪ Markel
▪ Munich Re
▪ Tarian
▪ Occam
▪ QBE
▪ SCOR
▪ Swiss Re
▪ Talbot
▪ Tokio Marine HCC
▪ W.R. Berkley
▪ Zurich

BERMUDA (Excess only)

▪ AIG
▪ Arcadian
▪ Arch
▪ Argo
▪ Ascot
▪ Aspen
▪ AWAC (primary capacity as well)
▪ AXA XL
▪ AXIS
▪ Chubb
▪ Iron-Starr
▪ Liberty Specialty
▪ Markel
▪ Mosaic
▪ Mutual Insurance Company (MIC)
▪ RELM
▪ Sompo

Page 20: A Retail Perspective on the Growth and Development of ...

About Cyber Solutions

Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

About Aon

Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Visit aon.com/cyber-solutions for more information.

© Aon plc 2021. All rights reserved.

Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.