Cyber Insurance
Cyber coverage is increasingly a "must have" for businesses, including insurance agencies.

Cyber Risk Insights: 2019 and Beyond

Posted By Danielle Ling, Wednesday, November 6, 2019

Hackers are becoming increasingly sophisticated in their tactics, broadening their targets and methods for cyberattacks.

from PropertyCasualty360.com

Advisen hosted its annual regional Cyber Risk Insights Conference in New York City last Thursday during New York Cyber Week.

The conference kicked off with an opening keynote by a key figure at the center of the infamous Facebook-Cambridge Analytica political scandal, in which Cambridge Analytica collected the personal data of 87 million Facebook users without their consent and used it for political advertising purposes.

In this general session, “Cambridge Analytica: Myths, Facts, and Lessons Learned,” Dr. Alex Kogan, CEO of Philometrics and former researcher at Cambridge Analytica, discussed how this scandal arose and the impact it had globally on privacy discussions.

The morning general sessions continued with a critical conversation on diversity and inclusion in “Making Inclusion and Equality a Priority in the Cyber Market.” Panelists discussed how diversity brings broader perspectives to the market, improves innovation and adds new expertise.

In “The State of the Cyber Market: Current Trends and Future Predictions,” Michelle Chia, Head of Professional Liability and Cyber at Zurich North America, led a panel of risk managers as they analyzed the findings of Zurich and Advisen’s 2019 Information Security and Cyber Risk Management report.

The 2019 study found that cyber-related business interruptions are now a top concern among corporate risk managers. Additionally, the study concluded that this increased worry over cybersecurity is fueling change within the cyber insurance marketplace as customers’ demands increase and expectations evolve.

Chia noted that customers want and expect policies that include more coverages and more sophisticated services in protecting their companies.

In “Emerging Threats: More Things to Keep You Awake,” panelists identified new tactics and targets of cyberattacks and data breaches. Among the more sophisticated new tactics being used by hackers, adversaries are now targeting new tech devices, like iPhones and iPads.

Business email compromise and the use of deep-fake voices to impersonate corporate executives are also on the rise, posing a terrifying new threat to organizations on a commercial and personal level.

These more sophisticated tactics are being used increasingly in ransomware attacks, which are also on the rise. Patrick Cannon, Head of Enterprise Risk Claims at Tokio Marine, says insurers are now regularly paying out $1 million ransom claims every 24 hours.

The day concluded with a closing keynote by Arceo’s Ben Beeson and CNN’s Jim Sciutto, Chief National Security Correspondent for the network and author of The Shadow War. 

Sciutto presented information covered in his new book about how cyber warfare has become an effective and debilitating war tactic deployed by Russia and China against the U.S. and other adversaries.

Breaking down how U.S. adversaries are deploying these cyber warfare tactics, Sciutto emphasized how these “invisible” attacks pose severe threats to the country’s most essential democratic functions, military operations and the security of classified government data.

Throughout the many sessions of the Cyber Risk Insights Conference, one general theme was hit repeatedly.

Hackers are becoming more and more sophisticated in their tactics, broadening their targets and methods for cyberattacks and data breaches. Insureds are demanding more coverage options and stronger protections, and insurers need to keep pace with the changes in risk and consumer demands.

Insurance Coverage Options Before Ransomware Attacks

Posted By Eric Stern and Andrew Lipkowitz, Wednesday, October 30, 2019

from PropertyCasualty360.com

Computer systems everywhere have become the targets of ransomware attacks in recent years. Ransomware is a form of “malware” (malicious software that gets installed on a computer without the user’s consent and is harmful to the computer) in which access to important data and computer systems is locked or encrypted unless the victim agrees to pay a ransom to regain access to the affected computer system or data. AIG announced in May 2018 that of all the cyber claims it received in 2017, ransomware was the largest cause of loss, making up 26% of the cyber claims that it received that year. By comparison, the next largest cause of loss was data breaches caused by hackers, at 12% of all claims received.

The decision regarding payment of a ransomware demand is a complex one, which becomes even more layered when there is coverage for the loss. This article examines some of the issues faced by insurers and insureds in dealing with a ransomware attack and provides guidance for evaluating insurance coverage options.

Recent ransomware attacks against municipalities

The targets of ransomware attacks are forced to confront a difficult and consequential decision: whether to pay the ransom that is demanded, or whether to refuse to pay in favor of working around the problem. Indeed, the U.S. government doesn’t encourage payment of ransom. Payment of a ransomware demand may not lead to release of the seized system back to the impacted user and may lead to further attacks. As a recent example of payment and further attacks, according to reports, in March 2019 the court system of Jackson County, Georgia, paid attackers $400,000. A few months later, in June 2019, the Administrative Office of the Georgia Courts was the victim of another ransomware attack. Currently, this latest attack is still ongoing so the ultimate outcome is not known.

Conversely, not paying the ransom can sometimes be even more costly — both in terms of the costs to restore service as well as the cost of having operations interrupted for an extended period of time.

To illustrate the costs of this difficult decision, in mid-2019, two municipalities took two different approaches to the question of payment of ransom. One widely reported ransomware attack in May 2019 affected the city of Baltimore’s servers, blocking access to important municipal services, and preventing city employees from accessing emails. Baltimore’s city government refused to pay the ransom that the hackers demanded (13 bitcoins, which at the time was the equivalent of approximately $76,000), and the impact from the attack is still ongoing months later.

Baltimore was forced to contract with a series of experts to assist in restoring systems that were disrupted by the attack. According to news reports, the city estimates that the attack will cost at least $18.2 million (a combination of both lost or delayed revenue and direct costs to restore the city’s systems), substantially more than the $76,000 that was sought in ransom payments. Further, according to reports, Baltimore was not insured for this loss.

Conversely, in June 2019, Lake City, Florida, reportedly agreed to pay ransom to hackers to regain access to its municipal computer systems two weeks after systems were disrupted. According to news reports, Lake City did have ransomware coverage. Once the request for ransom was received by the city, it was sent to the city’s insurer. The insurer then began negotiating directly with the hackers. The ransom payment still required approval by the city council, which voted to approve the payment. Presumably, because of the required vote of the city council, the policy at issue allowed payment for ransomware demands but only with the consent of the insured. According to news reports, Lake City and its insurer agreed to pay the ransom that was demanded: 42 bitcoins, the equivalent at the time of $460,000. The payment was covered entirely by the insurer, except for a $10,000 deductible, which the city was required to pay itself.

Insurance options

The options for cyber-insurance, specifically for ransomware coverage, vary among insurers. Such policies may provide reimbursement for ransom payments made in response to a ransomware attack, as well as the costs to conduct a forensic investigation to determine the validity, cause and scope of the cyber threat, or reimburse or make ransomware payments. A ransomware policy may also cover the costs to evaluate the system post-attack to identify vulnerabilities; however, insurers will typically not cover the costs of upgrading the system.

As to the issue of whether to pay a demanded ransom, it’s important for insurers and insureds to understand which party decides whether such payments are to be made. Different insurance policies have taken different approaches. Some explicitly require the insured’s consent to any ransom payment. Conversely, some policies allow the insured to control the decision, subject to the insurer’s consent. The important takeaway is that because the decision as to whether to make a ransom payment or not is controlled by different factors, many of which are weighed differently by insurers and insureds, it is in the best interests of both insurers and insureds to delineate the powers of decision-making at the inception of the policy to avoid conflict should a payment become necessary.

As ransomware attacks continue to spread, insurance companies and their insureds need to be aware of the increasing risk that such attacks pose and the policy-solutions for how to deal with them before the attacks occur to avoid conflict.

Protecting Your Clients' Information

Posted By Andreas Rivera, Wednesday, October 30, 2019

The Do's and Don'ts

from PropertyCasualty360.com

Insurance work typically requires a lot of a client’s personal information in order to create policies, process claims, and pay out reimbursements. This is just the type of private, financial data craved by malicious parties on the internet, and they go to great lengths just for a chance to obtain it.

As insurance clients demand that their insurance providers and agencies communicate quickly and efficiently, insurance agencies have been moving away from traditional postal correspondence. Email, text and the like are faster and more convenient, but they also introduce more risk.

As with any business, it’s your professional responsibility to make sure you’re safeguarding your clients’ information to the best of your abilities, employing all the necessary security practices to make sure it’s not easily obtained by criminals.

In our current environment of large corporations suffering major data breaches on a regular basis, customers are more concerned with security than ever. They’re going to ask you certain questions and will be paying attention to how you handle confidential data.

Here are a few don’ts when it comes to handling client information and documents:

Don’t: Send documents containing sensitive information to your clients via email. Also, avoid asking them to email you documents. 

Email attachments are not as safe as you think. When you share documents via email, you’re trusting that multiple email providers and their servers are secure and not susceptible to being accessed by hackers. There have been instances of messages and attachments getting intercepted by malicious parties through insecure email servers.

More clients are wising up to the security of email attachments and won’t be happy that their private data is being shared this way. Instead, take security into your own hands and use a service that allows you to directly share files between your system and the client.

A document management system can provide instant, secure file-sharing. Rather than receiving the document as an attachment, your client will instead receive a link that takes them directly to the document management interface, through an encrypted connection. Rather than having the document sit in an unknown email server, the client can directly download the file. Likewise, they can use the connection to send you documents.

Don’t: Save sensitive documents in an office-wide network drive that all employees have access to. 

Network drives are useful for quickly sharing files between coworkers, but for long-term storage, they could be a recipe for disaster. All it takes is for one user’s password to fall into the wrong hands and everything in the drive is at risk. If your network storage is an open book, it’s time to implement a more judicious system.

Role-based permissions allow you to efficiently assign permissions to users to access certain documents and folders within the system. You can create groups of users to mass-assign permissions to them. A user without permissions for certain folders and files won’t even be able to see them in the system.

Don’t: Use a system without multi-factor authentication.

As mentioned earlier, all it could take is one user to mishandle their password, allowing outsiders to gain access to the system. This is commonly done through phishing, a simple technique used by hackers to deceive employees into giving up their passwords willingly.

While employees should be trained to spot and report phishing attempts, multi-factor authentication can go a long way toward thwarting attempts to break into the system. It requires not just a password, but a second form of authentication, usually in the form of a key or temporary pin code only the user can access. Some systems allow the use of biometric authentication like a fingerprint reader.

Time to Close the Cyber Coverage Gaps

Posted By Elizabeth Blosfield, Tuesday, October 8, 2019

from InsuranceJournal.com

As Cybersecurity Awareness Month is underway, it may be time for businesses – especially small- or mid-sized firms – to assess their understanding of current cyber risks and whether they’re adequately covered by a cyber insurance policy.

According to a Hiscox 2019 Cyber Readiness Report, the number of firms reporting cyber incidents has risen from 45% last year to 61% in 2019. 2019 is the third year that Hiscox has released its Cyber Readiness Report, and for the first time, the report found that a majority of firms surveyed said they experienced one or more cyber attacks in the past year.

Additionally, findings from the report show that the cost and frequency of attacks have increased when compared with last year, and small- and medium-sized firms are now equally as vulnerable as larger companies, which hackers have historically targeted.

“The impact is real,” Tim Francis, enterprise cyber lead at Travelers, told Insurance Journal earlier this year. “Sometimes people feel like, ‘Well, I’m a small or mid-sized company, and I’m not going to be a target.’ Because they read headlines about nation state actors taking down major corporations, it creates this culture where they think that they have to be a targeted entity.”

In fact, a Willis Towers Watson report on cyber insurance trends to watch in 2019 stated that mid-sized companies, which it defines as organizations with annual revenue of less than $1 billion, will continue to drive market growth in the cyber insurance space as they realize the threat and potential financial consequences of a cyber attack.

“Midsize companies can be prime targets for cyber attacks because they often lack the resources and protocols of larger firms to defend against them,” wrote Joe DePaul, National Cyber/E&O Practice leader for North America at Willis Towers Watson and author of the report. “For others, the menacing headlines alone are enough to drive them off the sideline and into the buying market.”

That said, The Travelers Companies 2019 Travelers Risk Index – which comprised 1,200 business leaders participating in an insurer-sponsored survey – found that although for the first time in the survey’s six-year history, cyber was named as the top concern among businesses of all sizes, only roughly half of surveyed participants reported purchasing a cyber insurance policy this year (51%), creating a business continuity plan in the event of a cyber attack (47%) or taking a cyber risk assessment for themselves (49%).

Francis said that while more businesses are taking steps to prevent a cyber event, “it’s still alarming that nearly half don’t have the proper insurance coverage,” Insurance Journal previously reported.

U.K. based data and analytics firm GlobalData stated in a recent report that where the uptake of cyber insurance is far lower than the percentage of business owners detecting a cyber breach, cyber risks could pose a threat even for insurers that don’t offer cyber insurance.

This could mean commercial insurance providers may be exposed to cover the cost of cyber claims on traditional policies such as business interruption, according to a report based on findings from GlobalData’s 2018 UK small- and medium-sized enterprises (SME) Insurance Survey.

“Even insurers not offering cyber cover could find themselves being impacted financially by having to cover the cost of cyber-related claims due to ambiguous policy wording,” GlobalData stated in the report.

It pointed to finance and insurance company AIG’s plans to transition toward affirmative cyber insurance as one strategy for clarifying how insurance policies cover cyber risks.

Indeed, from 2020, all of AIG’s commercial property and casualty insurance policies will affirmatively cover or exclude both physical and non-physical cyber risks, addressing concerns that traditional commercial insurance policies across the industry are often silent about cyber coverage, according to an AIG press release.

“AIG believes P&C policies globally should be clear about the cyber coverage they provide. For the most part, across the industry, typical P&C policies have not been written to adequately deal with cyber exposure,” said Tracie Grella, global head of Cyber Insurance, in the release. “As we shift to affirmative cyber coverages and exclusions, our clients can more closely consider the cyber peril they face and evaluate how that exposure impacts coverages and policies across their enterprise.”

For more than 20 years, AIG has offered specific, standalone cyber insurance products. As the cyber threat has grown in the last five years, AIG has been drawing on that expertise to provide more holistic cyber coverage for clients across standard commercial insurance lines and to incorporate affirmative cyber coverage into traditional property and casualty policies on a product-by-product basis, the release stated.

“Moves such as AIG’s transition towards affirmative cyber insurance will help ensure policyholders have a clear understanding of which cyber perils are covered through a commercial insurance policy that is not cyber-specific,” said Daniel Pearce, insurance analyst at GlobalData, in the GlobalData report. “This, in turn, will help businesses owners more easily identify the benefits offered by a specialist cyber insurance product.”

While ensuring proper insurance coverage in the event of a cyber incident is important, having a preparation and response plan in place is also a vital factor in building resilience.

Shawn Ram, head of insurance at Coalition, a cyber insurance company focused on small-and mid-sized businesses, said businesses need to start by understanding that it is their entire company that needs defending, not just their network.

“In this day and age, it is a rare business whose core operations are not dependent on technology,” Ram said in a Coalition press release. “A cyber incident can easily trigger many forms of loss from fines and penalties, to stolen funds, to ransomware extortions.”

He stated it’s important for businesses to focus on the basics: routinely patch software, use strong passwords and enable multi-factor authentication, particularly for email, among other strategies.

“By our estimates, enabling multi-factor authentication in front of email would have eliminated over 50% of the cyber insurance claims submitted by our policyholders,” Ram said in the release. “These practices, of course, should be accompanied by a coherent incident response plan and a comprehensive insurance policy to help the business remain resilient.”

Coalition announced in September that it is expanding its cyber and technology errors and omissions coverage — previously only available to companies with less than $250 million in revenue — to include middle market companies with up to $1 billion in annual revenue. Middle market companies now have access to Coalition’s cybersecurity tools as well as up to $15 million in coverage backed by Swiss Re Corporate Solutions and Lloyd’s of London.

As the month of October is Cybersecurity Awareness Month, be sure to check out Insurance Journal’s Research and Trends page for additional resources and information on all things cyber.

Remote Workers Big Cyber Risk for Small Business

Posted By Administration, Tuesday, August 13, 2019

from InsuranceJournal.com

Remote employees place businesses at risk, yet many small business owners are not properly mitigating potential cyberthreats, nor are they adequately protecting their employee platforms, a new report says.

As work-life and technology continue to evolve, a growing number of small business owners find themselves adopting remote work policies or “WFH” perks. However, their employees, who use company platforms and networks in popular locations such as coffee shops and airports, are more susceptible to the risk of an online attack.

According to Nationwide’s fifth annual Business Owner Survey, 83 percent of small business owners allow and offer employees the option to work securely from a remote location when needed and appropriate. With young business owners (those ranging from ages 18-34), this number jumps up to 95 percent. Yet, only 50 percent of small business owners have updated their remote work security policy in the past year.

Failing to continually revise remote work policies in the growing digital workplace could put those business owners at higher risk of a cyber-attack, the insurer says.

The survey found that one in five small business owners have not committed their employees to formal cybersecurity training.

Only four percent of business owners have implemented all of the cybersecurity best practices and recommendations from the U.S. Small Business Administration cited below.

“What may seem like a harmless public Wi-Fi network could ultimately pose serious troubles for a business,” says Catherine Rudow, vice president of cyber insurance at Nationwide. “Many employees may not realize the magnitude of risk associated with a cyberattack as they may not have engaged in a formal training process. The scary truth is that many small business owners, even if they are aware of these risks, have not implemented all the proper measures of protection.”

Nationwide’s Business Owner Survey also found:

  • 65 percent of business owners admit they have been the victim of a cyberattack; computer virus attacks are the top type of attack reported at 33 percent, and phishing is number two at 29 percent.
  • 86 percent of business owners believe that digital risk will continue to grow.
  • 30 percent of companies with 11-50 employees do not provide any type of formal training on cybersecurity.
  • Despite the simplicity of regularly updating software, seven percent of companies still fail to take that step.
  • Reputational risk is among the top reasons (45 percent) why business owners would consider investing in or purchasing a cybersecurity policy.
  • 35 percent of business owners who have never experienced a cyberattack are unaware of the financial cost to recover, highlighting a dangerous gap in knowledge from the implications.

Best Practices

The U.S. Small Business Administration recommends the following best practices:

  • Establish security practices and policies to protect sensitive information
  • Educate employees about cyberthreats and hold them accountable
  • Require employees to use strong passwords and to change them often
  • Employ best practices on payment cards
  • Make backup copies of important business data and information
  • Create a mobile device action plan
  • Protect all pages on public-facing websites, not just the checkout and sign-up pages

Nationwide commissioned Edelman Intelligence to conduct an online survey between June 6-12, 2019, among a sample of 400 U.S. small business owners with between 11-500 employees.

Cyber Insurance Market Update 2019

Posted By Aubrey Gene, Wednesday, July 10, 2019

from PropertyCasualty360.com

Historically, buyers of cyber coverage have been large organizations in industries like health care, finance and retail. Makes sense, right? They store a lot of valuable personal and financial data, and a breach of that data could be detrimental to a business when they’d need to spend millions in response.

But in 2019, small to midsize businesses (SMBs) across various industries are increasingly starting to look over their shoulders at cyber coverage, watching it curiously and wondering: “Could that be for me?”

The answer is: Yes. Yes it could.

Picture this: An employee at an SMB receives an email from the owner or CEO asking the worker to urgently perform a task. It requires they share sensitive information over email, like passwords or bank information, or requests an electronic file transfer, ASAP. In a rush to get things done, and with a lack of awareness of how to spot threats, that employee can inadvertently expose that business to a cyberattack, costing that business losses that a traditional property policy doesn’t cover.

Thanks in part to the uptick in business email compromise, ransomware and malware threats in the last year, and the widespread media coverage of costly events like WannaCry and NotPetya, cyber clients are growing. They recognize the need for coverage to help in the event of an attack and also for resources to help prevent attacks before they happen.

Although the market is competitive and buy-in for cyber policies is increasing, insurers note that not enough clients are adopting the coverage, especially when no organization is safe from a cyber event.

Meghan Hannes, U.S. cyber product head at specialty insurer Hiscox, says the company’s 2019 Hiscox Cyber Readiness Report found that 53% of U.S. businesses reported a cyberattack in the previous 12 months (up from 38% the previous year), with 45% of those companies experiencing three or more attacks in the past year. “Despite these alarming trends, 27% of firms have no plans to adopt cyber insurance,” Hannes explains.

That statistic is especially concerning, considering the high price that comes with a cyberattack. According to McAfee’s 2018 Economic Impact of Cybercrime Report, the global cost of cybercrimes is estimated to be between $445 billion and $600 billion. Yet, as Eric Cernak, president of cyber at The Hanover, notes: “Less than 20% of all businesses are buying cyber,” according to a 2018 report from Keefe Bruyette & Woods Inc.

“Year-over-year, there are more buyers than there used to be, which is a trend in the right direction,” says Tim Francis, enterprise cyber lead at Travelers. “But there is still an awful lot of the market that does not buy cyber for one reason or another.”

One reason really tends to be a lack of awareness and education, and another is that ever-slippery yet dangerously pervasive “It won’t happen to me” mentality. According to Francis, a mistake many businesses continue to make is “thinking about the coverage more in terms of a data breach component as opposed to a vehicle that deals with extortion and business interruption type of events that don’t always have to do with data compromise.”

The Rise of Ransomware

While costly and dangerous, data breaches aren’t the biggest cyber threat on insurers’ radars in 2019. The first half of this year alone has seen an uptick in the frequency and severity of attacks that have always existed in the space in some sense but are now gaining traction among cyber criminals for being unsophisticated and easy to deploy.

Francis notes Travelers is finding increases across all industry segments in ransomware, the sophistication of malware, and business email compromise claims, as well as the expense associated with those claims.

Hannes says that in the last year, Hiscox has “observed a heightening frequency and severity of risk due to ransomware attacks.” The attacks have resulted in business interruption events for unprepared organizations that “have difficulty in efficiently returning to normal business operations.” Insurers are responding to the need for coverage accordingly.

Francis notes there has been “a trend of increasing the limits and increasing the coverage around things like social engineering compromise, business interruption and systems failure, contingent business interruption, and additional coverages such as bricking.”

Cernak adds, “Business interruption, contingent business interruption, and reputational harm are all coverages that are becoming increasingly visible and important.”

Ransomware and malware aren’t necessarily new exposures, but “how they are implemented in targeted attacks and the pervasive damage they can cause within a computer system continues to be a top risk,” says Jason Glasgow, vice president, U.S. cyber lead, Allied World.

“Prior to about two years ago, malware was sent blindly in an effort to ensnare as many unsuspecting companies who stumbled into the trap as possible. Now ransomware is targeted and deployed with other types of attacks to both extort companies for payment and damage data and systems,” he notes. “The evolution of attack methodologies has been alarming. The extent of damage that a ransomware infection can cause within a single company is certainly near the top of the list of what risks carriers are watching closely.”

Fraudulent transfer of funds through business email compromises and social engineering tactics is a substantial area of exposure, according to Josh Ladeau, global head of tech E&O and cyber at Aspen. The awareness of the wide-scale, dramatic impacts that attacks like NotPetya raised has influenced criminal enterprises to “seek greater financial reward through larger ransom demands,” he explains.

“The market has really shifted to making sure that we’re covering a lot of these exposures that were always there but are more prominent now because of the ease-of-use to deploy ransomware as a service or a phishing scam that could be quite lucrative for the criminal,” says Bob Wice, cyber & U.S. focus group leader, Beazley.

Chipping Away at Growth

The growth opportunity for insurers is with SMBs across all industries, says Glasgow. “Many of these businesses purchase a cyber policy due to a contractual requirement to do so, but all of them could benefit from the risk management services, expertise and financial backing a strong cyber carrier can provide.”

An industry segment where there has been a notable uptick in cyber insurance adoption has been manufacturers and wholesalers, according to Wice. The increase in ransomware and malware attacks has left supply chains extra vulnerable to business interruption and contingent business interruption.

“A contractor or a manufacturer may be a target because the entities with whom they conduct business are the ultimate targets,” says Cernak. “They may have systems access or other pertinent information that criminals will look to exploit in their quest to access their ultimate target.”

For example, if companies a manufacturer relies on “from a hosted environment, credit card processing or E&S servicing standpoint” were to be compromised, those companies are exposed to a business interruption loss that isn’t covered by a traditional property policy, Wice explains.

“That really lured a lot of manufacturers and wholesalers — companies that really did not have much data other than their own employee data at stake,” he continues. “They’re looking to buy because of business interruption and cyber extortion issues. Once that started to become standard offering by the insurance market, a lot more buyers came in.”

“Manufacturers, distributors, and contractors increasingly rely upon computer systems to run their operations,” explains Cernak. “Any type of system outage — including ransomware attacks — could result in a meaningful loss of business income.”

According to the Council of Better Business Bureaus’ 2017 State of Cybersecurity Among Small Business in America report, 65% of businesses would be unprofitable in less than one fiscal quarter if they apparently lost access to essential data.

“We are paying considerable attention to supply-chain-related threats,” says Hannes. According to the Hiscox report, 56% of firms experienced cyber-related issues in their supply chain in the past year alone, and only 7% are increasing evaluation of their supply chain threats as a result of a cybersecurity incident. “Businesses are only as secure as their supply chain and a third-party cyber incident can yield considerable financial challenges.”

But other businesses are slow to realize the potential for an attack, whether individual or contingent, oftentimes making the mistake of not recognizing the value of a cyber policy and expecting other general policies to cover them in an event.

“Some clients believe they are protected from cyber exposures such as false pretense or business email compromises based on contracts with suppliers,” says Cernak. This can offer a false sense of security, as many contracts don’t provide adequate protection.

“[These] businesses continue to rely upon other lines of business such as property, D&O and professional liability to respond (or partially respond) in the wake of a cyber event and, therefore, do not feel the additional affirmative protection afforded by a cyber policy is necessary,” Cernak explains.

“Cyber risks pose a real threat to businesses of all types and insurers continue to respond with coverages that help protect against these risks,” Cernak says.

Think Again

We can all agree on one thing: No business is immune to cyber threats, no matter the industry or size. As Cernak notes, as long as an organization uses a computer in any part of its business processes, it is at risk of some kind of cyber event.

“The businesses that think they are free of risk are the ones most likely to be exposed,” Glasgow adds.

Risk management and prevention are key to mitigating cyber risk, and many insurers are providing resources and programs to help clients educate and train employees to recognize an attack before it happens. But organizations need to be diligent on their end and recognize that cybersecurity needs to be taken seriously across the board.

“There still seems to be a lack of institutional buy-in around cybersecurity at many organizations,” Ladeau notes. “This can be characterized by things like a [chief information security officer] being buried in an organization chart, with no direct exposure to the board or top executive leadership and a budget that’s indistinct from IT.

“As an underwriter, the top organizations that I’ve seen view cybersecurity through the lens of competitive advantage; there is consistent investment and active participation at all levels of management,” Ladeau says.

“Generally speaking, those companies that are not patching their systems as frequently as they can be are more vulnerable,” Francis explains. “Additionally, those that are not doing employee training around how to identify and reduce the chance of opening up an email that might have malware associated with it increase their vulnerability.”

“Companies of all sizes and in all industries need to work with their broker to understand the exposures they face and how they can best be prepared,” Glasgow says.

Let's Get This

How companies prepare for the cyber risks they face makes all the difference, Glasgow adds. “Understanding threats and training employees and having senior executive-level incident response plans that are frequently tested can help prevent many cyber events as well as greatly mitigate the damage they can cause.”

Cyber risks have numerous stakeholders, so myriad organizations have been coming together to provide agents and clients with the proper resources to help mitigate risks.

“Insurers are partnering with various InsurTech-related companies to better help assess, prevent, mitigate and manage cyber-related threats and exposures,” Cernak says. “Agents can leverage carriers’ InsurTech relationships to educate their clients and assist them in developing plans to assess, prevent and respond to cyberattacks.”

 

 

Cyber Risks to Exceed Natural Disaster

Posted By Helene Fouquet and William Horobin, Wednesday, May 15, 2019

from PropertyCasualty360.com

(Bloomberg) — Cyber risks will soon become bigger risks than natural catastrophes for the insurance sector, Scor Chairman and CEO Denis Kessler said, recommending the industry build a comprehensive, common global scale to assess cyber-related incidents.

“I dream of a kind of Richter scale for cybersecurity,” Kessler said at a conference on cybersecurity held at the Bank of France, referring to the scale used to measure earthquakes. “It would be very helpful to have measurement and modeling tools. Unless we can model, it’s very difficult for us to provide coverage. We have scenarios but not modeling tools.”

Cybersecurity experts and top executives in the financial sector, as well as representatives from the European Central Bank (ECB), the Federal Reserve and the central banks of Canada and Japan, convened in Paris to assess the risk.

ECB Executive Board Member Sabine Lautenschlaeger said it was “but a matter of time” before serious incidents would hurt the systemic sector.

To try and prepare for potential attacks, the Group of Seven — currently presided over by France — will simulate a cross-border crisis next month.

“This is a world first and I am confident we will be able to learn a great deal from it,” French Finance Minister Bruno Le Maire said at the conference in Paris.

Bank of France Governor Francois Villeroy said the cybersecurity threats are a “major and systemic risk” to the financial sector as attacks are more frequent and public action on cyberattacks in the sector is “sub-optimal.” He said the crisis-simulations should be repeated to enhance the resilience of the financial system.

“The monetary impact — of attacks so far — was not so high, negligible. But I don’t feel comfortable, calm, not at all, it is a question of time, let me be very clear,” Lautenschlaeger said. She called on financial institutions to review their information systems infrastructure and to conduct stress tests and joint exercises to improve their resilience.

While the cost of cyber risks has been small until now, the panel agreed it was only bound to increase. Kessler said the cyber risk could exceed $600 billion per year “in the worst case scenario.” That compares with the yearly cost of natural catastrophes, which he said is about $230 billion. The cyber risk “would dwarf it. So it gives you a size of the risk,” he said.

Still, “the demand for cyber risk coverage well exceeds the supply and this is an issue,” Kessler said, calling for a “re-balance” of the situation. The lack of aggregated data monitoring incidents is partly responsible for the shortage of coverage, he said. Kessler said the sector needs to coordinate and also to partner with authorities “to build databases and a taxonomy to share information,” or a common vocabulary for policymakers and companies to use in assessing cyber-related impact on the financial or industrial sector.

Lautenschlaeger and Kessler said cybersecurity is a shared responsibility and companies must invest to have better protections and understanding of the risk.

Tags:  cyber  insurance  threat 

 

What Does Good Cyber Risk Management Security Look Like?

Posted By Ankur Sheth and Jano Bermudes, Ankura, Wednesday, April 17, 2019

from PropertyCasualty360.com

In the world of cyber risk, we are dealing with unprecedented events. Apart from headline grabbing attacks such as the global malware incident that impacted Mondelēz’s business and the Russian military-run global cyber-attack, NotPetya, we are now seeing an epidemic of cyber attacks.

Concern has shifted from dealing with data being stolen and sold on the dark web to handling serious ransomware and destructive attacks, where attackers are looking for immediate monetary output. This is the new threat.

Malware such as TrickBot can infect an entire corporate network allowing hackers to surreptitiously gain access to systems, embed nefarious files and clean themselves, leaving no trace. The source of the attack is not, however, dealt with — allowing hackers time to monitor what is valuable to an organization and prepare a more sinister attack.

At a later date, entire networks are encrypted, and companies are brought to their knees, unable to access email, payment systems, and operational systems. Everything goes down, including email, calendars, Skype and VOIP, leaving a company unable to operate or communicate.

What remains is a ransom note demanding payment, usually in cryptocurrency, to regain keys to unlock the systems. These attacks can cost companies from $100,000 to over $1 million and specialist services are required to negotiate with the hackers.

We have seen companies with their entire information technology infrastructure brought down over multiple countries leaving them completely crippled. Added to that, companies face fines for data breaches, breached contracts with their customers due to an inability to perform services, the consequences of being unable to pay invoices, and of course their overall reputation is damaged.

Why are companies getting it wrong?

It has become much harder to protect a company’s digital assets because the digital landscape is shifting rapidly under our feet, catching many mature businesses off guard. Businesses need to determine which components of their business rely on technology and digital assets, exactly where those assets are (being less tangible than hard assets like real estate or cash), and how to protect them and the data flowing through them.

Often new systems are deployed, and the data being processed is not fully understood, classified or safeguarded appropriately.

The old “protecting the center” model of the last decade is no longer enough to keep companies secure. The old model involved protecting your network and protecting a company at its perimeter. Now with data being commonly housed in cloud applications with third parties and mobile devices, a new approach is needed.

Many companies now have legacy systems that cannot simply be replaced given the associated cost. These systems are not “safe by design” like some of the newer systems, and many lack even basic security mechanisms and still rely on non-complex passwords, which an attacker can easily overcome.

Protection methodologies have also gone out of date, including the “air gapping” of environments designed to isolate systems from each other and protect sensitive data. The old “people and process” security model has evolved, and we now rely on “people, process, and technology.”

Before the technology boom, security was a manual process — people had to monitor systems or processes looking for threats. Technology is now able to help automate threat monitoring.

What does good security today look like?

Firstly, it’s important to note that “good” is not a static state and what is needed for security should be dynamic and agile. Second, one can never totally eradicate risk, but can only reduce it to a level that any particular organization finds to be commercially acceptable.

“Good” is no longer having the highest walls or the deepest moats to stop the bad guys getting into a company’s systems. In a controlled environment “good” means:

  • Having increased visibility of potential threats, which will tell you how and where to protect your systems.
  • Understanding how current threats could impact your organization and its information.
  • Understanding your key business processes and data.
  • Knowing how your data is regulated in each region and appreciating other risks relating to your business data, such as commercial risk.
  • Understanding where your business is underpinned by technology.
  • Understanding the degree of control you exercise over that technology: for example, whether it is a legacy system with out-of-date security or is controlled by a third party.
  • Understanding the skill of your workforce and the effectiveness of your governance structure.
  • Quantifying the cost spent on cybersecurity versus the value that protected technology brings to the business.

Technically this means having visibility of the people and processes in your business that interact with your technology and data so that you can identify risks. It also means having visibility of attacks through advanced threat detection and containment technology. You also need to be aware of times of heightened risk when the threat of cyber attack may be higher, for example, when a patent is being granted or when an M&A deal is announced.

Controls that respond to your business environment?

What is needed now are dynamic controls — controls that respond to your business environment or to the threats around you. A major utility company with an aggressive business strategy to develop software-based service offerings may find that its security posture is not dynamic and almost entirely built around a physical security strategy (protecting physical assets) — and therefore ineffective.

Businesses often have on-premise security tools to protect their businesses and then realize they have purchased cloud-based platforms that are entirely unprotected. Big banks in the UK, for example, have invested heavily in security over the years.

After the Financial Conduct Authority clarified its stance on the use of public cloud services through the publication of FG 16/5, none of this capability was effective in any of the public cloud offerings they developed. This has given challenger banks a clear advantage.

In other situations, major companies in the energy sector have made exorbitant investments on advanced threat intelligence but have an inability to change their controls to respond to the intelligence gleaned. For one company, the threat increased or decreased week-to-week but the control landscape could not respond or adapt to the changing landscape, rendering the investment ineffective. The result was that the control bore no resemblance to the threat level.

Why is agility so important?

Agility is crucial when it comes to reducing cyber risk and requires companies to understand their business and model their security strategy on current and future business strategy. Referring again to the big banks and oil and gas companies, many have offshored all their IT and processing centers, but not kept enough internal knowledge or skilled staff to manage third-party suppliers. This means they do not understand their environment and therefore cannot respond quickly to changing threats.

Agility in a control environment also means adapting to security threats. This could be allowing users greater degrees of functionality and freedom through the deployment of advanced threat detection tools instead of locking users down.

We have seen small organizations save themselves from significant impact by pulling the cables on the Internet during an active cyber attack. This approach is now being used in critical infrastructure organizations. By designing red button type processes, they can shut down an entire gas compressor or segment of the control network, for example, if it poses a risk to the entire grid.

In the old world, a plant operator would simply not be able to obtain the required executive authority to shut a plant down (given that it would cause millions in damages) within the time required to defend against an active cyber attack. Crisis plans need updating to consider and embed rapid responses to cyber specific threats.

What do best practices look like?

The approach to security that we advocate is risk-based. Risk-based in this context means evaluating the business desires and goals, and underpinning and assuring elements that are the most reliant on technology. It also means that the level of investment in security should be linked to the value of the asset being protected within the specific commercial landscape.

A company can examine the types of threats it is exposed to and select where to deploy controls that reduce the risk to an acceptable level, but not at an untenable cost to the business. This might involve deployment of some enhanced detection controls, network segregation, and system recovery controls to a manufacturing environment to detect and contain threats and, if needed, rebuild parts of the environment.

Contrast this to a full redesign of the factory before it naturally becomes obsolete, bearing in mind a typical 30-year lifecycle of such assets.

Integrating controls and layering defenses to make sure they fit into one another is also important. Buying all the latest tools will not protect your business. Coherent security is an end to end integrated system of people, processes and technologies coming together to protect business value.

We often see customers deploy Office 365 because they have been told that it is secure, but then they neglect to deploy multi-factor authentication (MFA) and other advanced controls available to protect it, due to the perceived impact it has on users and usability. This is akin to refusing to wear a seatbelt and then claiming that a car is unsafe.

In 2017 and 2018, Ankura dealt with approximately 1,000 data breaches — over half of which were due to business email being compromised, and 90% of which were due to a lack of MFA or other basic Office 365 security controls.

How do you weigh risk and cost?

Risk-based security is inherently business focused. If IT and security departments are not business focused, they will be viewed as cost centers rather than business partners. When practiced correctly, security should understand and advise the business but not seek to block it.

As such, security also needs to be cost appropriate. A security investment plan should always consider the value at risk and underpin that value with appropriate controls up to a percentage of the value, and should never seek to deploy security for security’s or compliance’s sake.

Being able to articulate the business proposition of security is essential. Failure to do so is currently resulting in an underinvestment in technology evidenced by the significant number of breaches being reported in the media daily.

On the positive side, efficient cybersecurity can be a huge differentiator, for example when used to pursue opportunities in heavily regulated markets. Cybersecurity strategies can be leveraged to de-risk technology during mergers and acquisitions, investments in emerging technology such as the cloud, the Internet of Things and artificial intelligence to give a business the competitive edge.

Ankur Sheth (ankur.sheth@ankura.com) is an experienced leader in cybersecurity and currently leads Ankura’s global proactive cybersecurity services team.  Jano Bermudes (jano.bermudes@ankura.com) is an experienced consultant with two decades of professional experience as a technology subject matter expert, risk and controls professional, architect, and engagement leader, delivering complex cyber and technology transformation engagements with some of the world’s largest companies.

Tags:  cybersecurity  insurance  risk 

 

Cyber Risk: It's Getting Personal

Posted By Patricia Harman, Wednesday, April 10, 2019

from PropertyCasualty360.com

The cybersecurity landscape isn’t necessarily getting worse, but it is definitely changing. Ten years ago, insurers highlighted hypothetical scenarios to generate coverage options for policyholders, explains Graeme Newman, chief innovation officer at London-based CFC Underwriting. Five years ago, there were significant retail breaches and credit card security improved with point-to-point and end-to-end encryption. Now there are more data breaches and cyber hacks.

“The propensity for claims has more than doubled in the last two years,” says Newman. “Are they becoming more prevalent or are clients more aware that it’s an issue? It’s a combination of both. We’re seeing more incidents and they are easier to commit than ever before.”

Two years ago, ransomware was a huge problem. There were numerous low-level attacks and ransom demands. “Now we’re seeing more targeted attacks with criminals running automated tools to identify and exploit networks. Once they’re in they are using ransomware in a targeted way, and ransomware demands are going up. They used to run $500-$1000. Now we’ve seen several million-dollar ransom demands in the last six months,” adds Newman. “People are more aware of the danger of clicking on links and software is better at identifying ransomware, so that threat has changed. Criminals are using higher bounties from businesses and not smaller demands from more people.”

This still plays out on a personal level as well. Even though the IRS has gotten better about identifying fraudulent tax returns, it continues to be an issue around tax time. If a fraudulent return is filed in your name, be prepared to file paper returns for the next several years.

In England, parents were victims of school fee fraud when enterprising hackers emailed them and said they could get a discount on tuition if they paid in advance. “Hackers can extort a lot of money if they time it right,” finds Newman.

Escrow agents in real estate transactions have been targets as well. They are frequently dealing with unsophisticated buyers who aren’t used to online processes and procedures, and make easy targets for hackers when it comes to wiring down payments for homes or rental deposits.

Small and medium-sized businesses are still woefully unprotected and unaware of the impact a breach or theft of data could have on their enterprise. From protecting websites on web hosting sites to encrypting customer data, most have very little awareness of the dangers or consequences of a breach.

Newman finds that credit monitoring is almost pointless and a limited tool at best. “It’s offered after the breach has already taken place. Criminals want to be satiated pretty quickly and aren’t going to hang onto information — they want to use it right away,” he adds.

A new danger is credential stuffing — where hackers take a user name and password and then run it through different sites to see if they can access information anywhere else. “If I can get your details from one site and use them on another like your Uber account, PayPal or an airline, I can start using your accounts for financial gain,” says Newman.

While the value of a user name or password is limited, it’s how it can be monetized that makes it valuable. Makes you think twice about using the same password and login for different accounts.

Tags:  cyber  insurance  personal 

 

Employee Data Breach Trojan Horses

Posted By Victoria Hudgins, Wednesday, March 20, 2019

from PropertyCasualty360.com

Email is the most common technology used in accidental data breaches, according to a survey of 1,000-plus U.S. companies sponsored by data security platform Egress and conducted by Opinion Matters research group.

Eighty-three percent (83%) of organizations surveyed said they experienced an accidental data breach. When an employee has unintentionally exposed sensitive data, 51% of respondents said it was through an external email provider, such as Gmail and Yahoo. Meanwhile, 46% said corporate email was used in an accidental data breach.

Pitfalls: emails to wrong address, forwarding sensitive info

Common employee email pitfalls include sending emails to the wrong address, forwarding sensitive information and sharing attachments with hidden sensitive content, according to the survey.

The respondents were senior and mid-level security professionals.

Egress cited the “explosive growth” in unstructured data, such as emails, documents and files, and the growing methods employees can use to communicate as factors that have significantly increased the chance of exposing sensitive data.

Collaboration and file share services like Dropbox and Slack are becoming commonly used at organizations and as a result, sensitive information is being exposed, the survey noted. Indeed, 40% said file sharing technology was used in employee-caused breach accidents, followed closely (38%) by collaboration tools.

Encrypting everything isn’t the solution

The survey singled out encryption technology as a standard best practice for securing and sharing sensitive data through emails and file sharing. However, only 79% of employees said they are required to use encryption when externally sharing personally identifiable information (PII) or critical business data, while 64% were required to use encryption when internally sharing PII or critical business data.

While useful, Egress chief technology officer and co-founder Neil Larkins noted that encrypting everything isn’t the solution to minimizing breaches. “Encryption plays a part in this but doesn’t entirely solve the issue,” he said, adding that other steps to take include deploying software that logs normal patterns of data sharing and also flags abnormal behavior.

Despite the frequency of accidental breaches, organizations did not see them as an immediate threat. While most respondents said their biggest IT security risk was ransomware and malware (48%) and external attacks (45%), only 40% said accidental data breaches by employees were a risk. Larkins said that outlook was “historical” and is beginning to evolve as organizations are learning that phishing attacks are effective and the most common data attack.

Updated security policies needed in response to new data laws

Likewise, more companies are training employees to spot phishing, said Joseph Lazzarotti, the privacy, data and cybersecurity practice group founder and chair at the Jackson Lewis law firm. But he was concerned about the survey’s finding that only 59% of companies are implementing new security policies in response to data regulation laws.

“You want those numbers to be higher,” Lazzarotti said. “Given all the breaches that have happened in the last 10 years, you’d hope that number was higher in terms of companies taking steps.”

He noted that as more states enact data privacy and breach laws, more organizations in turn are pushed to implement security policies that are in-line with regulations. “There are laws being added to the books that will continue to give companies more reasons to take these steps … hopefully the numbers will go up.”

New regulations such as the GDPR and the pending California Consumer Privacy Act have influenced 54% of respondents to invest in new security technology, according to the survey. Data privacy regulations have also led 52% of organizations to invest in employee training, and 44% have restricted the use of external data sharing tools. Meanwhile, only 8% said new regulations haven’t changed their organization’s data sharing habits.
