Cyber Insurance
Cyber coverage is increasingly a "must have" for businesses, including insurance agencies.


Remote Workers Big Cyber Risk for Small Business

Posted By Administration, Tuesday, August 13, 2019


Remote employees place businesses at risk, yet many small business owners are not properly mitigating potential cyberthreats, nor are they adequately protecting their employee platforms, a new report says.

As work-life and technology continue to evolve, a growing number of small business owners find themselves adopting remote work policies or “WFH” perks. However, their employees, who use company platforms and networks in popular locations such as coffee shops and airports, are more susceptible to the risk of an online attack.

According to Nationwide’s fifth annual Business Owner Survey, 83 percent of small business owners allow and offer employees the option to work securely from a remote location when needed and appropriate. With young business owners (those ranging from ages 18-34), this number jumps up to 95 percent. Yet, only 50 percent of small business owners have updated their remote work security policy in the past year.

Failing to continually revise remote work policies in the growing digital workplace could put those business owners at higher risk of a cyber-attack, the insurer says.

The survey found that one in five small business owners have not committed their employees to formal cybersecurity training.

Only four percent of business owners have implemented all of the cybersecurity best practices and recommendations from the U.S. Small Business Administration cited below.

“What may seem like a harmless public Wi-Fi network could ultimately pose serious troubles for a business,” says Catherine Rudow, vice president of cyber insurance at Nationwide. “Many employees may not realize the magnitude of risk associated with a cyberattack as they may not have engaged in a formal training process. The scary truth is that many small business owners, even if they are aware of these risks, have not implemented all the proper measures of protection.”

Nationwide’s Business Owner Survey also found:

  • 65 percent of business owners admit they have been the victim of a cyberattack; computer virus attacks are the top type of attack reported at 33 percent, and phishing is number two at 29 percent.
  • 86 percent of business owners believe that digital risk will continue to grow.
  • 30 percent of companies with 11-50 employees do not provide any type of formal training on cybersecurity.
  • Despite the simplicity of regularly updating software, seven percent of companies still fail to take that step.
  • Reputational risk is among the top reasons (45 percent) why business owners would consider investing in or purchasing a cybersecurity policy.
  • 35 percent of business owners who have never experienced a cyberattack are unaware of the financial cost to recover, highlighting a dangerous gap in knowledge about the implications.

Best Practices

The U.S. Small Business Administration recommends the following best practices:

  • Establish security practices and policies to protect sensitive information
  • Educate employees about cyberthreats and hold them accountable
  • Require employees to use strong passwords and to change them often
  • Employ best practices on payment cards
  • Make backup copies of important business data and information
  • Create a mobile device action plan
  • Protect all pages on public-facing websites, not just the checkout and sign-up pages

Nationwide commissioned Edelman Intelligence to conduct an online survey between June 6-12, 2019, among a sample of 400 U.S. small business owners with between 11-500 employees.


Cyber Insurance Market Update 2019

Posted By Aubrey Gene, Wednesday, July 10, 2019


Historically, buyers of cyber coverage have been large organizations in industries like health care, finance and retail. Makes sense, right? They store a lot of valuable personal and financial data, and a breach of that data could be detrimental to a business when they’d need to spend millions in response.

But in 2019, small to midsize businesses (SMBs) across various industries are increasingly starting to look over their shoulders at cyber coverage, watching it curiously and wondering: “Could that be for me?”

The answer is: Yes. Yes it could.

Picture this: An employee at an SMB receives an email from the owner or CEO asking the worker to urgently perform a task. It requires they share sensitive information over email, like passwords or bank information, or requests an electronic file transfer, ASAP. In a rush to get things done, and with a lack of awareness of how to spot threats, that employee can inadvertently expose that business to a cyberattack, costing that business losses that a traditional property policy doesn’t cover.

Thanks in part to the uptick in business email compromise, ransomware and malware threats in the last year — and the widespread media coverage of costly events like WannaCry and NotPetya — the number of cyber clients is growing. They recognize the need for coverage to help in the event of an attack and also for resources to help prevent attacks before they happen.

Although the market is competitive and buy-in for cyber policies is increasing, insurers note that not enough clients are adopting the coverage, especially when no organization is safe from a cyber event.

Meghan Hannes, U.S. cyber product head at specialty insurer Hiscox, says the company’s 2019 Hiscox Cyber Readiness Report found that 53% of U.S. businesses reported a cyberattack in the previous 12 months (up from 38% the previous year), with 45% of those companies experiencing three or more attacks in the past year. “Despite these alarming trends, 27% of firms have no plans to adopt cyber insurance,” Hannes explains.

That statistic is especially concerning, considering the high price that comes with a cyberattack. According to McAfee’s 2018 Economic Impact of Cybercrime Report, the global cost of cybercrimes is estimated to be between $445 billion and $600 billion. Yet, as Eric Cernak, president of cyber at The Hanover, notes: “Less than 20% of all businesses are buying cyber,” according to a 2018 report from Keefe Bruyette & Woods Inc.

“Year-over-year, there are more buyers than there used to be, which is a trend in the right direction,” says Tim Francis, enterprise cyber lead at Travelers. “But there is still an awful lot of the market that does not buy cyber for one reason or another.”

One reason really tends to be a lack of awareness and education, and another is that ever-slippery yet dangerously pervasive “It won’t happen to me” mentality. According to Francis, a mistake many businesses continue to make is “thinking about the coverage more in terms of a data breach component as opposed to a vehicle that deals with extortion and business interruption type of events that don’t always have to do with data compromise.”

The Rise of Ransomware

While costly and dangerous, data breaches aren’t the biggest cyber threat on insurers’ radars in 2019. The first half of this year alone has seen an uptick in the frequency and severity of attacks that have always existed in the space in some sense but are now gaining traction among cyber criminals for being unsophisticated and easy to deploy.

Francis notes Travelers is finding increases across all industry segments in ransomware, the sophistication of malware, and business email compromise claims, as well as the expense associated with those claims.

Hannes says that in the last year, Hiscox has “observed a heightening frequency and severity of risk due to ransomware attacks.” The attacks have resulted in business interruption events for unprepared organizations that “have difficulty in efficiently returning to normal business operations.” Insurers are responding to the need for coverage accordingly.

Francis notes there has been “a trend of increasing the limits and increasing the coverage around things like social engineering compromise, business interruption and systems failure, contingent business interruption, and additional coverages such as bricking.”

Cernak adds, “Business interruption, contingent business interruption, and reputational harm are all coverages that are becoming increasingly visible and important.”

Ransomware and malware aren’t necessarily new exposures, but “how they are implemented in targeted attacks and the pervasive damage they can cause within a computer system continues to be a top risk,” says Jason Glasgow, vice president, U.S. cyber lead, Allied World.

“Prior to about two years ago, malware was sent blindly in an effort to ensnare as many unsuspecting companies who stumbled into the trap as possible. Now ransomware is targeted and deployed with other types of attacks to both extort companies for payment and damage data and systems,” he notes. “The evolution of attack methodologies has been alarming. The extent of damage that a ransomware infection can cause within a single company is certainly near the top of the list of what risks carriers are watching closely.”

Fraudulent transfers of funds through business email compromises and social engineering tactics are a substantial area of exposure, according to Josh Ladeau, global head of tech E&O and cyber at Aspen. The awareness that attacks like NotPetya raised of wide-scale, dramatic impacts has influenced criminal enterprises to “seek greater financial reward through larger ransom demands,” he explains.

“The market has really shifted to making sure that we’re covering a lot of these exposures that were always there but are more prominent now because of the ease-of-use to deploy ransomware as a service or a phishing scam that could be quite lucrative for the criminal,” says Bob Wice, cyber & U.S. focus group leader, Beazley.

Chipping Away at Growth

The growth opportunity for insurers is with SMBs across all industries, says Glasgow. “Many of these businesses purchase a cyber policy due to a contractual requirement to do so, but all of them could benefit from the risk management services, expertise and financial backing a strong cyber carrier can provide.”

An industry segment where there has been a notable uptick in cyber insurance adoption has been manufacturers and wholesalers, according to Wice. The increase in ransomware and malware attacks has left supply chains extra vulnerable to business interruption and contingent business interruption.

“A contractor or a manufacturer may be a target because the entities with whom they conduct business are the ultimate targets,” says Cernak. “They may have systems access or other pertinent information that criminals will look to exploit in their quest to access their ultimate target.”

For example, if companies a manufacturer relies on “from a hosted environment, credit card processing or E&S servicing standpoint” were to be compromised, those companies are exposed to a business interruption loss that isn’t covered by a traditional property policy, Wice explains.

“That really lured a lot of manufacturers and wholesalers — companies that really did not have much data other than their own employee data at stake,” he continues. “They’re looking to buy because of business interruption and cyber extortion issues. Once that started to become standard offering by the insurance market, a lot more buyers came in.”

“Manufacturers, distributors, and contractors increasingly rely upon computer systems to run their operations,” explains Cernak. “Any type of system outage — including ransomware attacks — could result in a meaningful loss of business income.”

According to the Council of Better Business Bureaus’ 2017 State of Cybersecurity Among Small Business in America report, 65% of businesses would be unprofitable in less than one fiscal quarter if they apparently lost access to essential data.

“We are paying considerable attention to supply-chain-related threats,” says Hannes. According to the Hiscox report, 56% of firms experienced cyber-related issues in their supply chain in the past year alone, and only 7% are increasing evaluation of their supply chain threats as a result of a cybersecurity incident. “Businesses are only as secure as their supply chain and a third-party cyber incident can yield considerable financial challenges.”

But other businesses are slow to realize the potential for an attack, whether individual or contingent, oftentimes making the mistake of not recognizing the value of a cyber policy and expecting other general policies to cover them in an event.

“Some clients believe they are protected from cyber exposures such as false pretense or business email compromises based on contracts with suppliers,” says Cernak. This can offer a false sense of security, as many contracts don’t provide adequate protection.

“[These] businesses continue to rely upon other lines of business such as property, D&O and professional liability to respond (or partially respond) in the wake of a cyber event and, therefore, do not feel the additional affirmative protection afforded by a cyber policy is necessary,” Cernak explains.

“Cyber risks pose a real threat to businesses of all types and insurers continue to respond with coverages that help protect against these risks,” Cernak says.

Think Again

We can all agree on one thing: No business is immune to cyber threats, no matter the industry or size. As Cernak notes, as long as an organization uses a computer in any part of its business processes, they are at risk of some kind of cyber event.

“The businesses that think they are free of risk are the ones most likely to be exposed,” Glasgow adds.

Risk management and prevention are key to mitigating cyber risk, and many insurers are providing resources and programs to help clients educate and train employees to recognize an attack before it happens. But organizations need to be diligent on their end and recognize that cybersecurity needs to be taken seriously across the board.

“There still seems to be a lack of institutional buy-in around cybersecurity at many organizations,” Ladeau notes. “This can be characterized by things like a [chief information security officer] being buried in an organization chart, with no direct exposure to the board or top executive leadership and a budget that’s indistinct from IT.

“As an underwriter, the top organizations that I’ve seen view cybersecurity through the lens of competitive advantage; there is consistent investment and active participation at all levels of management,” Ladeau says.

“Generally speaking, those companies that are not patching their systems as frequently as they can be are more vulnerable,” Francis explains. “Additionally, those that are not doing employee training around how to identify and reduce the chance of opening up an email that might have malware associated with it increase their vulnerability.”

“Companies of all sizes and in all industries need to work with their broker to understand the exposures they face and how they can best be prepared,” Glasgow says.

Let's Get This

How companies prepare for the cyber risks they face makes all the difference, Glasgow adds. “Understanding threats and training employees and having senior executive-level incident response plans that are frequently tested can help prevent many cyber events as well as greatly mitigate the damage they can cause.”

Cyber risks have numerous stakeholders, so myriad organizations have been coming together to provide agents and clients with the proper resources to help mitigate risks.

“Insurers are partnering with various InsurTech-related companies to better help assess, prevent, mitigate and manage cyber-related threats and exposures,” Cernak says. “Agents can leverage carriers’ InsurTech relationships to educate their clients and assist them in developing plans to assess, prevent and respond to cyberattacks.”



Cyber Risks to Exceed Natural Disaster

Posted By Helene Fouquet and William Horobin, Wednesday, May 15, 2019


(Bloomberg) — Cyber risks will soon become bigger risks than natural catastrophes for the insurance sector, Scor Chairman and CEO Denis Kessler said, recommending the industry build a comprehensive, common global scale to assess cyber-related incidents.
“I dream of a kind of Richter scale for cybersecurity,” Kessler said at a conference on cybersecurity held at the Bank of France, referring to the scale used to measure earthquakes. “It would be very helpful to have measurement and modeling tools. Unless we can model, it’s very difficult for us to provide coverage. We have scenarios but not modeling tools.”

Cybersecurity experts and top executives in the financial sector, as well as representatives from the European Central Bank (ECB), the Federal Reserve and the central banks of Canada and Japan, convened in Paris to assess the risk.

ECB Executive Board Member Sabine Lautenschlaeger said it was “but a matter of time” before serious incidents would hurt the systemic sector.

To try to prepare for potential attacks, the Group of Seven — currently presided over by France — will simulate a cross-border crisis next month.

“This is a world first and I am confident we will be able to learn a great deal from it,” French Finance Minister Bruno Le Maire said at the conference in Paris.

Bank of France Governor Francois Villeroy said the cybersecurity threats are a “major and systemic risk” to the financial sector as attacks are more frequent and public action on cyberattacks in the sector is “sub-optimal.” He said the crisis-simulations should be repeated to enhance the resilience of the financial system.

“The monetary impact — of attacks so far — was not so high, negligible. But I don’t feel comfortable, calm, not at all, it is a question of time, let me be very clear,” Lautenschlaeger said. She called on the financial institutions to review their information systems infrastructure and to conduct stress tests and joint exercises to improve their resilience.

While the cost of cyber risks has been small until now, the panel agreed it was only bound to increase. Kessler said the cyber risk could exceed $600 billion per year “in the worst case scenario.” That compares with the yearly cost of natural catastrophes, which he said is about $230 billion. The cyber risk “would dwarf it. So it gives you a size of the risk,” he said.

Still, “the demand for cyber risk coverage well exceeds the supply and this is an issue,” Kessler said, calling for a “re-balance” of the situation. The lack of aggregated data monitoring incidents is partly responsible for the shortage of coverage, he said. Kessler said the sector needs to coordinate and also to partner with authorities “to build databases and a taxonomy to share information,” or a common vocabulary for policymakers and companies to use in assessing cyber-related impact on the financial or industrial sector.

For Lautenschlaeger and Kessler, cybersecurity is a shared responsibility, and companies must invest to have better protections and a better understanding of the risk, they said.


What Does Good Cyber Risk Management Security Look Like?

Posted By Ankur Sheth and Jano Bermudes, Ankura, Wednesday, April 17, 2019


In the world of cyber risk, we are dealing with unprecedented events. Apart from headline-grabbing attacks such as the global malware incident that impacted Mondelēz’s business and the Russian military-run global cyber-attack, NotPetya, we are now seeing an epidemic of cyber attacks.

Concern has shifted from dealing with data being stolen and sold on the dark web to handling serious ransomware and destructive attacks, where attackers are looking for immediate monetary output. This is the new threat.

Malware such as TrickBot can infect an entire corporate network allowing hackers to surreptitiously gain access to systems, embed nefarious files and clean themselves, leaving no trace. The source of the attack is not, however, dealt with — allowing hackers time to monitor what is valuable to an organization and prepare a more sinister attack.

At a later date, entire networks are encrypted, and companies are brought to their knees, unable to access email, payment systems, and operational systems. Everything goes down, including email, calendars, Skype and VOIP, leaving a company unable to operate or communicate.

What remains is a ransom note demanding payment, usually in cryptocurrency, to regain keys to unlock the systems. These attacks can cost companies from $100,000 to over $1 million and specialist services are required to negotiate with the hackers.

We have seen companies with their entire information technology infrastructure brought down over multiple countries leaving them completely crippled. Added to that, companies face fines for data breaches, breached contracts with their customers due to an inability to perform services, the consequences of being unable to pay invoices, and of course their overall reputation is damaged.

Why are companies getting it wrong?

It has become much harder to protect a company’s digital assets because the digital landscape is shifting rapidly under our feet, catching many mature businesses off guard. Businesses need to determine which components of their business rely on technology and digital assets, exactly where those assets are (being less tangible than hard assets like real estate or cash), and how to protect them and the data flowing through them.

Often new systems are deployed, and the data being processed is not fully understood, classified or safeguarded appropriately.

The old “protecting the center” model of the last decade is no longer enough to keep companies secure. The old model involved protecting your network and protecting a company at its perimeter. Now with data being commonly housed in cloud applications with third parties and mobile devices, a new approach is needed.

Many companies now have legacy systems that cannot simply be replaced given the associated cost. These systems are not “safe by design” like some of the newer systems, and many lack even basic security mechanisms and still rely on non-complex passwords, which an attacker can easily overcome.

Protection methodologies have also gone out of date, including the “air gapping” of environments designed to isolate systems from each other and protect sensitive data. The old “people and process” security model has evolved, and we now rely on “people, process, and technology.”

Before the technology boom, security was a manual process — people had to monitor systems or processes looking for threats. Technology is now able to help automate threat monitoring.

What does good security today look like?

Firstly, it’s important to note that “good” is not a static state and what is needed for security should be dynamic and agile. Second, one can never totally eradicate risk, but can only reduce it to a level that any particular organization finds to be commercially acceptable.

“Good” is no longer having the highest walls or the deepest moats to stop the bad guys getting into a company’s systems. In a controlled environment “good” means:

  • Having increased visibility of potential threats which will tell you how and where to protect your systems.
  • Understanding how current threats could impact your organization and its information.
  • Understanding your key business processes and data.
  • Knowing how your data is regulated in each region and appreciating other risks relating to your business data, such as commercial risk.
  • Understanding where your business is underpinned by technology.
  • Understanding the degree of control you exercise over that technology: for example, whether it is a legacy system with out-of-date security or is controlled by a third party.
  • Understanding the skill of your workforce and the effectiveness of your governance structure.
  • Quantifying the cost spent on cybersecurity versus the value that protected technology brings to the business.

Technically this means having visibility of the people and processes in your business that interact with your technology and data so that you can identify risks. It also means having visibility of attacks through advanced threat detection and containment technology. You also need to be aware of times of heightened risk when the threat of cyber attack may be higher, for example, when a patent is being granted or when an M&A deal is announced.

Controls that respond to your business environment?

What is needed now are dynamic controls — controls that respond to your business environment or to the threats around you. A major utility company with an aggressive business strategy to develop software-based service offerings may find that its security posture is not dynamic and almost entirely built around a physical security strategy (protecting physical assets) — and therefore ineffective.

Businesses often have on-premise security tools to protect their businesses and then realize they have purchased cloud-based platforms that are entirely unprotected. Big banks in the UK, for example, have invested heavily in security over the years.

After the Financial Conduct Authority clarified its stance on the use of public cloud services through the publication of FG 16/5, none of this capability was effective in any of the public cloud offerings they developed. This has given challenger banks a clear advantage.

In other situations, major companies in the energy sector have made exorbitant investments on advanced threat intelligence but have an inability to change their controls to respond to the intelligence gleaned. For one company, the threat increased or decreased week-to-week but the control landscape could not respond or adapt to the changing landscape, rendering the investment ineffective. The result was that the control bore no resemblance to the threat level.

Why is agility so important?

Agility is crucial when it comes to reducing cyber risk and requires companies to understand their business and model their security strategy on current and future business strategy. Referring again to the big banks and oil and gas companies, many have offshored all their IT and processing centers, but not kept enough internal knowledge or skilled staff to manage third-party suppliers. This means they do not understand their environment and therefore cannot respond quickly to changing threats.

Agility in a control environment also means adapting to security threats. This could be allowing users greater degrees of functionality and freedom through the deployment of advanced threat detection tools instead of locking users down.

We have seen small organizations save themselves from significant impact by pulling the cables on the Internet during an active cyber attack. This approach is now being used in critical infrastructure organizations. By designing red button type processes, they can shut down an entire gas compressor or segment of the control network, for example, if it poses a risk to the entire grid.

In the old world, a plant operator would simply not be able to obtain the required executive authority to shut a plant down (given that it would cause millions in damages) within the time required to defend against an active cyber attack. Crisis plans need updating to consider and embed rapid responses to cyber specific threats.

What do best practices look like?

The approach to security that we advocate is risk-based. Risk-based in this context means evaluating the business desires and goals, and underpinning and assuring the elements that are the most reliant on technology. It also means that the level of investment in security should be linked to the value of the asset being protected within the specific commercial landscape.

A company can examine the types of threats it is exposed to and select where to deploy controls that reduce the risk to an acceptable level, but not at an untenable cost to the business. This might involve deployment of some enhanced detection controls, network segregation, and system recovery controls to a manufacturing environment to detect and contain threats and, if needed, rebuild parts of the environment.

Contrast this to a full redesign of the factory before it naturally becomes obsolete, bearing in mind a typical 30-year lifecycle of such assets.

Integrating controls and layering defenses to make sure they fit into one another is also important. Buying all the latest tools will not protect your business. Coherent security is an end to end integrated system of people, processes and technologies coming together to protect business value.

We often see customers deploy Office 365 because they have been told that it is secure, but then they neglect to deploy multi-factor authentication (MFA) and other advanced controls available to protect it, due to the perceived impact on users and usability. This is akin to refusing to wear a seatbelt and then claiming that a car is unsafe.

In 2017 and 2018, Ankura dealt with approximately 1,000 data breaches — over half of which were due to business email being compromised, and 90% of which were due to a lack of MFA or other basic Office 365 security controls.

How do you weigh risk and cost?

Risk-based security is inherently business focused. If IT and security departments are not business focused, they will be viewed as cost centers rather than business partners. When practiced correctly, security should understand and advise the business but not seek to block it.

As such, security also needs to be cost appropriate. A security investment plan should always consider the value at risk and underpin that value with appropriate controls up to a percentage of the value; it should never seek to deploy security for security's or compliance's sake.

Being able to articulate the business proposition of security is essential. Failure to do so is currently resulting in an underinvestment in technology evidenced by the significant number of breaches being reported in the media daily.

On the positive side, efficient cybersecurity can be a huge differentiator, for example when used to pursue opportunities in heavily regulated markets. Cybersecurity strategies can be leveraged to de-risk technology during mergers and acquisitions and investments in emerging technology such as the cloud, the Internet of Things and artificial intelligence, giving a business the competitive edge.

Ankur Sheth is an experienced leader in cybersecurity and currently leads Ankura’s global proactive cybersecurity services team. Jano Bermudes is an experienced consultant with two decades of professional experience as a technology subject matter expert, risk and controls professional, architect, and engagement leader, delivering complex cyber and technology transformation engagements with some of the world’s largest companies.

Tags:  cybersecurity  insurance  risk 


Cyber Risk: It's Getting Personal

Posted By Patricia Harman, Wednesday, April 10, 2019


The cybersecurity landscape isn’t necessarily getting worse, but it is definitely changing. Ten years ago, insurers highlighted hypothetical scenarios to generate coverage options for policyholders, explains Graeme Newman, chief innovation officer at London-based CFC Underwriting. Five years ago, there were significant retail breaches and credit card security improved with point-to-point and end-to-end encryption. Now there are more data breaches and cyber hacks.

“The propensity for claims has more than doubled in the last two years,” says Newman. “Are they becoming more prevalent or are clients more aware that it’s an issue? It’s a combination of both. We’re seeing more incidents and they are easier to commit than ever before.”

Two years ago, ransomware was a huge problem. There were numerous low-level attacks and ransom demands. “Now we’re seeing more targeted attacks with criminals running automated tools to identify and exploit networks. Once they’re in they are using ransomware in a targeted way, and ransomware demands are going up. They used to run $500-$1000. Now we’ve seen several million-dollar ransom demands in the last six months,” adds Newman. “People are more aware of the danger of clicking on links and software is better at identifying ransomware, so that threat has changed. Criminals are using higher bounties from businesses and not smaller demands from more people.”

This still plays out on a personal level as well. Even though the IRS has gotten better about identifying fraudulent tax returns, it continues to be an issue around tax time. If a fraudulent return is filed in your name, be prepared to file paper returns for the next several years.

In England, parents were victims of school fee fraud when enterprising hackers emailed them and said they could get a discount on tuition if they paid in advance. “Hackers can extort a lot of money if they time it right,” finds Newman.

Escrow agents in real estate transactions have been targets as well. They are frequently dealing with unsophisticated buyers who aren’t used to online processes and procedures, and make easy targets for hackers when it comes to wiring down payments for homes or rental deposits.

Small and medium-sized businesses are still woefully unprotected and unaware of the impact a breach or theft of data could have on their enterprise. From protecting websites on web hosting sites to encrypting customer data, most have very little awareness of the dangers or consequences of a breach.

Newman finds that credit monitoring is almost pointless and a limited tool at best. “It’s offered after the breach has already taken place. Criminals want to be satiated pretty quickly and aren’t going to hang onto information — they want to use it right away,” he adds.

A new danger is credential stuffing — where hackers take a user name and password and then run it through different sites to see if they can access information anywhere else. “If I can get your details from one site and use them on another like your Uber account, PayPal or an airline, I can start using your accounts for financial gain,” says Newman.

While the value of a user name or password is limited, it’s how it can be monetized that makes it valuable. Makes you think twice about using the same password and login for different accounts.

Tags:  cyber  insurance  personal 


Employee Data Breach Trojan Horses

Posted By Victoria Hudgins, Wednesday, March 20, 2019


Email is the most common technology used in accidental data breaches, according to a survey of 1,000-plus U.S. companies sponsored by data security platform Egress and conducted by Opinion Matters research group.

Eighty-three percent (83%) of organizations surveyed said they experienced an accidental data breach. When an employee has unintentionally exposed sensitive data, 51% of respondents said it was through an external email provider, such as Gmail and Yahoo. Meanwhile, 46% said corporate email was used in an accidental data breach.

Pitfalls: emails to wrong address, forwarding sensitive info

Common employee email pitfalls include sending emails to the wrong address, forwarding sensitive information and sharing attachments with hidden sensitive content, according to the survey.

The respondents were senior and mid-level security professionals.

Egress cited the “explosive growth” in unstructured data, such as emails, documents and files, and the growing methods employees can use to communicate as factors that have significantly increased the chance of exposing sensitive data.

Collaboration and file share services like Dropbox and Slack are becoming commonly used at organizations and as a result, sensitive information is being exposed, the survey noted. Indeed, 40% said file sharing technology was used in employee-caused breach accidents, followed closely (38%) by collaboration tools.

Encrypting everything isn’t the solution

The survey singled out encryption technology as a standard best practice for securing and sharing sensitive data through emails and file sharing. However, only 79% of employees said they are required to use encryption when externally sharing personally identifiable information (PII) or critical business data, while 64% were required to use encryption when internally sharing PII or critical business data.

While useful, Egress chief technology officer and co-founder Neil Larkins noted that encrypting everything isn’t the solution to minimizing breaches. “Encryption plays a part in this but doesn’t entirely solve the issue,” he said, adding that other steps to take include deploying software that logs normal patterns of data sharing and also flags abnormal behavior.

Despite the frequency of accidental breaches, organizations did not see them as an immediate threat. While most respondents said their biggest IT security risk was ransomware and malware (48%) and external attacks (45%), only 40% said accidental data breaches by employees were a risk. Larkins said that outlook was “historical” and is beginning to evolve as organizations are learning that phishing attacks are effective and the most common data attack.

Updated security policies needed in response to new data laws

Likewise, more companies are training employees to spot phishing, said Joseph Lazzarotti, the privacy, data and cybersecurity practice group founder and chair at the Jackson Lewis law firm. But he was concerned about the survey’s finding that only 59% of companies are implementing new security policies in response to data regulation laws.

“You want those numbers to be higher,” Lazzarotti said. “Given all the breaches that have happened in the last 10 years, you’d hope that number was higher in terms of companies taking steps.”

He noted that as more states enact data privacy and breach laws, more organizations in turn are pushed to implement security policies that are in line with regulations. “There are laws being added to the books that will continue to give companies more reasons to take these steps … hopefully the numbers will go up.”

New regulations such as the GDPR and the pending California Consumer Privacy Act have influenced 54% of respondents to invest in new security technology, according to the survey. Data privacy regulations have also led 52% of organizations to invest in employee training, and 44% have restricted the use of external data sharing tools. Meanwhile, only 8% said new regulations haven’t changed their organization’s data sharing habits.


How to Sell the Value of Cyber Liability Insurance

Posted By Joyce Anne Grabel, Tuesday, February 26, 2019


Whether you’re a major corporation or a mom-and-pop shop, any business that uses email, takes credit card payments, and has an online presence needs to protect itself from cyber risks.

Small and medium-sized businesses (SMBs) in particular are waking up to this reality and implementing what safeguards they can against cyber attacks. Unfortunately, even the best firewalls don’t provide sufficient protection — and a great number of businesses remain unconvinced of the need to purchase cyber liability coverage.

Unique set of exposures
The challenge for agents and brokers is to help clients and prospects to better comprehend that need, and to offer policies that directly address each business’ unique set of exposures. The threat is real, but the value proposition must be effectively communicated.

It isn’t enough to raise the specter of cyber threats in a wider context; they need to be made “real” for the client. And that entails describing a worst-case scenario that lays out just how much money could be lost in the event of a breach.

“More and more companies are worried about cyber risk,” says Tim Francis, enterprise cyber lead at Travelers. According to the 2017 Travelers Risk Index, cyber liability is the second-biggest worrisome risk for businesses of all sizes, right behind medical cost inflation. “The hope would be that any company vulnerable to a cyber attack — which means any company using technology — would strongly consider protecting itself with a risk management plan that includes cyber insurance.”

Opportunity & challenge
Francis notes an uptick in the number of SMBs buying cyber liability insurance, but adds that there are still a fair number that don’t. Therein lies the opportunity — and the challenge — for savvy producers.

“The reality of cyber exposure is that the internet has reached in, grabbed hold, and made the world we once knew totally unrecognizable,” says Shawn Ram, head of insurance at cyber insurer Coalition. According to Ram, businesses need better tools to manage this risk and better coverage to insure them — and he notes that middle-market clients in particular remain underserved.

Ram calls SMBs “the biggest untapped, underserved and underprotected market for cyber insurance.” He points to a 2017 Better Business Bureau report clearly illustrating that only 15% of small businesses have cyber insurance. For the majority of SMB owners, cybersecurity is simply too expensive and complex. “But smaller businesses, which do not have the resources to protect themselves and are also unlikely to survive the consequences of a cyber breach, have perhaps the greatest need for cyber liability coverage,” he stresses.

Eric Cernak, vice president and cyber risk practice leader at Hartford Steam Boiler–Munich Re, agrees that the SMB market is underserved from a cyber liability insurance perspective: “Within this market, many B2B companies, particularly manufacturers and light industrial, represent a considerable growth opportunity.”

Shallow penetration
Cernak characterizes the level of market penetration for cyber liability coverage as shallow, especially for middle-market clients. He points out that there are two primary causes, both of which result from a lack of education and understanding relative to the risks and coverages available.

First, he explains, cyber insurance is still largely perceived as data-breach coverage, and many organizations that do not collect personal information as part of their operations feel that they are not a target. Second, many SMBs believe that criminals target only large organizations.

“However, this is not the case — and, in fact, many small- to mid-sized organizations may be targeted for the connections they maintain to larger organizations,” Cernak cautions. A good example is the famed cyber attack on Target in 2013, which resulted in the theft of credit card information of more than 70 million customers. The hackers had gained access to Target’s data through the retail giant’s HVAC and refrigeration vendors.

From ‘nice-to-have’ to ‘must-have’
Although there are still businesses that don’t believe they’re at risk, cyber liability insurance has clearly moved into the category of “must-have” coverage for companies across all industries. Savvy agents and brokers should be stressing this fact regularly to clients and prospects and outlining ways they can help.

“Having a tailored cyber liability policy is no longer ‘nice-to-have.’ It is becoming mandatory for all organizations,” says Michael Schultz, senior broker for professional liability at Burns & Wilcox.

“Cyber incidents are becoming less of an ‘if’ and more of a ‘when’ for companies of all sizes, so agencies and brokerages would be smart to stress to businesses the importance of having safeguards in place,” says Francis. Understanding why clients and prospects put off buying coverage can help agents and brokers overcome resistance. “There are many reasons some clients continue to hold off purchasing coverage,” says John Graham, vice president and cyber product manager at Chubb Commercial Insurance.

“Probably the most pervasive is the misguided belief that they’re not a target and that the bad guys will go after someone else.”

However, he notes, not all cyber attacks begin with a specific target in mind. “Often, bad actors cast a wide net, randomly looking for any vulnerabilities that can be exploited through an attack,” he says. Agents and brokers can win over clients and prospects by pointing this out and providing anonymous real claims examples that will bring the reality of the risks to light. Even sophisticated companies with large cyber security budgets can be taken down.

“No company or organization should feel immune to a cyber attack,” adds Graham. “If it hasn’t happened yet, then it’s just a matter of time before it does.”

A ripe client set
Manufacturers represent a particularly ripe market for cyber liability coverage. “When it comes to purchasing cyber coverage, manufacturing as an industry segment has historically lagged behind others, such as healthcare and retail,” says Graham. The reason, he notes, is because initially, the primary need of the cyber insurance policies was based upon exposure to data breaches and the loss of personal information. However, as cyber attacks have evolved — and cyber insurance along with them — many compelling reasons have emerged for manufacturers to consider cyber liability insurance for risk-transfer needs.

Shiraz Saeed, national practice leader for cyber risk at Starr Companies, also identifies manufacturing as a large untapped market for cyber liability coverage in 2018 and the foreseeable future. “Many types of manufacturing — as well as logistics, trucking, shipyards and distribution — are recognizing the need for cyber coverage stemming from two ransomware attacks from the summer of 2017: WannaCry and NotPetya. These led to business interruption losses that opened their eyes, and now we’re seeing a surge of demand in that space,” he notes.

Selling the value
Cyber liability policies offer a sweeping range of coverages that can be tailored to the needs of an organization based upon industry sector, risk factors, size and regulatory environment. “The agencies and brokerages that are successful are those who are able to understand the clients’ business operations and show them how and where that creates a cyber exposure,” says Graham. “Showing companies how others within their industry segment have experienced cyber attacks makes the exposure more real.”

Graham notes that data breaches or other types of cyber attacks can be very stressful to an organization and may lead to a loss of customer confidence, loss of revenues and the loss of personnel who are terminated in the aftermath. Having a capable and competent insurance carrier behind them can provide clients with peace of mind.

Schultz at Burns & Wilcox notes that good policies cover the costs resulting from data breaches, including coverage for third-party claims and first-party responsibilities, forensics, notification, credit protection, public relations and crisis management, business interruption, cyber extortion, media liability, and regulatory penalty costs. In addition, he points out that the European Union’s General Data Protection Regulations (GDPR) are scheduled to take effect in May 2018. Violating GDPR can cost an organization up to 4% of its overall revenue in fines.

Explaining to clients, especially those operating in the international space, the value of having a Cyber Liability policy is critical, he says, and detailing each of the individual coverage components helps to eliminate any confusions found within coverage and between policy forms.

Just the ‘right’ pricing
When it comes to pricing, the cyber liability market poses unique complexities, Schultz notes. Pricing can be complex because it is based on a number of variables, such as system vulnerabilities and strengths. “Most mid-sized organizations, however, can receive quote options with a gross revenues figure and Personal Identifiable Information (PII) count,” he says.

The key to cyber liability pricing is to identify exactly what each customer does and doesn’t need, and to use that information to build a customized policy.

“An SMB shouldn’t be paying for coverage it doesn’t need,” says Ram. “For example, if an SMB does not accept credit cards, then it is not subject to payment card information risks.”

When setting pricing, underwriters should evaluate cyber exposures and controls as an enterprise-wide issue, Graham says: “Technical controls are always an important aspect, but equally important is how the client involves all areas of the organization in their training and preparation for cyber incidents, as well as their policies and procedures for data governance.”

The market for cyber liability will continue to expand rapidly in 2018 within all industry segments, Schultz predicts. “The digital presence of organizations is in a period of continued rapid growth, and the accumulation of data via the Internet of Things (IoT) is only just beginning to take off,” he says. “Organizations will begin to see the necessity of protecting themselves from their digital risks financially.”

An ounce of prevention, in this case, is worth a pound of cure. And with cyber liability merely scratching the surface of where it should be, providing organizations with a clearer picture of their exposure — in pure dollars and cents — can go a long way.

Tags:  cyber insurance  sales  value 


2019 Cyber Insurance Predictions: Strong Growth Ahead

Posted By Yakir Golan, Tuesday, February 26, 2019


Cyber insurance is trending upward, the industry is growing, and the technology around it is evolving at a very quick pace. While predictions are always hard to make, here are five trends that are likely to catapult the cyber insurance industry forward, creating fertile ground for growth in 2019. (See the graphic above, compiled by Munich Re, which highlights the escalating threats from cyber risks).

1. Regulation, Regulation, Regulation….

When it comes to regulation and cyber insurance, we need to think of indirect and direct regulation that may affect the market. Additionally, we need to consider how regulation affects insurers and insureds both from an affirmative and silent risk perspective. Silent cyber risk refers to potential cyber related losses due to inadvertent coverage within other P/C insurance policy wording which excludes cyber risk. Just look at the rapid increase in data privacy laws, such as those for personally identifiable information (PII) in the U.S., the HIPAA Privacy Rule (covering medical records and personal health information in the U.S.), the Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, and the EU’s General Data Protection Regulation (GDPR) – to name a few.

One of the ways businesses deal with risk hedging for these laws is via cyber insurance. While they actively try to focus on reducing the chances that leaks of this type of data may occur, they ultimately know that in the cyber landscape, anything can happen and thus insurance is key for their risk management strategy.

Additionally, there is direct regulation that specifically targets cyber insurers. For example, the EU’s largest insurers are to be assessed for their exposure to, and way in which they deal with cyber risks in any insurance book they own. Most recently, on Nov. 10, the European Insurance and Occupational Pensions Authority (EIOPA), together with the National Association of Insurance Commissioners (NAIC) and the Federal Insurance Office (FIO) of the U.S. Department of Treasury hosted the sixth EU-U.S. Forum in Luxembourg and discussed challenges and opportunities related to cyber risks, the use of big data, artificial intelligence and intra-group transactions in multinational insurance groups. It’s fair to predict that EIOPA’s stress test for insurers may be something that U.S. regulators may be looking to implement as well.

2. Development of Cyber Insurance Linked Securities (ILS) Market and Cyber Risk Pools

Insurance professionals are looking for innovative ways to expand the availability of cyber insurance and creative ways to enter the market. Cyber pools can potentially offer a facility for providing cyber insurance to corporate buyers and the use of capital markets funding, to back the risk, can allow for larger policy limits for specific use-cases. It can also be a safer way for professionals to learn the cyber risk landscape and become a part of the market.

While property catastrophe risks are the prominent line of business across the ILS sector, both investors and sponsors are increasingly looking at other emerging risks, such as cyber, according to Willis Towers Watson’s ILS survey report, published in October 2018. Indeed, the Singaporean government announced in October 2018 that it plans to launch the world’s first commercial cyber risk pool. This facility will provide cyber insurance to corporate buyers in the Asia region and will be backed by insurance-linked securities and reinsurance. It is a great foreshadowing of similar moves soon expected in the European and American markets.

In order for these initiatives to develop, they’ll need to work with vendors that can provide advanced cyber threat intelligence, risk modeling and rating services to properly assess cyber risk within a diverse set of policies. As these vendors better predict cyber catastrophes that may affect policies, their track records will increase insurers’ confidence in these products and thus reinforce the growth of the cyber insurance market.

3. Awareness Around Silent Cyber Risk

Awareness about silent cyber, also referred to as non-affirmative cyber, will increase. Insurers are gradually realizing they have unquantified exposures and are looking for solutions to quantify their exposures as well as give them the option to amend or exclude coverages in other lines that may leave them overly exposed. For example, we’re still seeing the effects of the NotPetya ransomware attack in 2017 on Maersk, FedEx and other companies. The insurance industry loss from this attack has been estimated by RMS at up to $3 billion.

Of course, regulations set by EIOPA (as discussed above), will also help promote this trend of quantifying cyber risk, while rating agencies are likely to demand that insurers quantify their silent exposure. For example, in November, Moody’s announced it will soon start using its credit-rating expertise to evaluate organizations on their risk to a major impact from a cyber attack. As awareness around non-affirmative cyber grows, insurers will be making larger strides to make changes to overcome coverage ambiguity.

4. Growth of Cyber MGAs/MGUs Across the Globe

Reinsurers currently seek specialized entities to distribute specific lines of product. The increase of cyber-focused MGAs is most likely due to the need for deep expertise on the risks faced with providing cyber insurance and the need for dedicated efforts to best address the needs of cyber insurance purchasers. The trends in growth of MGAs and MGUs are being driven by both traditional and new companies. For example, Aon recently launched a new unit, Carrier Solutions, to grow their MGA and MGU network. Further, insurtech MGAs, such as Coalition, At-Bay and Zeguro, have seen success. The combination of these two types of efforts will spearhead the MGA/MGU industry as traditional insurers vie for ways to grow their business and insurtechs find new creative ways to competitively enter the market with technological advancements. Specialized cyber MGAs will be a significant part of the future and start to form worldwide.

5. More Involvement from Board of Directors

The role of the board of directors surrounding cyber security continues to grow. Cyber security breaches can affect an entire organization and have proven to have a growing impact on business operations. Recent high-profile data breaches at Quora and Marriott highlight to boards of directors that cyber security should be approached as an enterprise-wide risk management issue with wide legal and regulatory implications. This means they’re extremely invested in the types of cyber insurance policies their companies take out and the type of coverage they will receive, particularly in order to use it as a form of risk transfer.

The insurance industry will go through major developments in the next year surrounding regulation, awareness of silent cyber risk and involvement from boards of directors. Additionally, we will see development of cyber pools worldwide and more MGAs sprouting up across the globe. These changes will propel the cyber insurance industry into the spotlight and force insurance professionals to become more educated about cyber risk and become more open to solutions that can help them control their exposure such as advanced risk modeling.

Tags:  cyber  growth  insurance  predictions 


Cyber and Business Interruption Bigger Risks than Catastrophes

Posted By Administration, Tuesday, February 26, 2019


Cyber incidents join business interruption as the top risks facing global businesses, according to a survey conducted by Allianz Global Corporate & Specialty (AGCS).

The impact of business interruption (which includes supply chain disruption) is the major risk for companies for the seventh year in a row, according to the eighth annual Allianz Risk Barometer 2019*, with 37 percent of respondents ranking it as one of the three most important risks that threaten businesses.

For the first time, cyber incidents join business interruption (BI) at the top of the rankings, also identified by 37 percent of respondents as one of the three top risks, said Allianz. It explained that cyber incidents include cyber crime, IT failure/outage, data breaches, fines and penalties, which are increasingly resulting in significant BI losses of their own.

Business Interruption

Drilling down into the findings, AGCS said, the average BI property insurance claim now totals €3.1 million (US$3.6 million), which is 39 percent higher than the corresponding average direct property damage loss of €2.2 million ($2.5 million).

Allianz noted that many BI events can occur without physical damage but can still cost millions.

“Events such as breakdown of core IT systems, product recall or quality incidents, terrorism, political violence or rioting and environmental pollution can bring businesses to a standstill, meaning firms may be unable to provide products and services — or customers stay away — having a devastating effect on revenues,” said Allianz in its survey report.

Allianz cited the example of the French retailers that lost about €1 billion ($1.1 billion) from four weekends of protests at the end of 2018. Further, it added, legislative change such as Brexit departure from the European Union in 2019 also poses a potential BI threat with anticipated disruption to supply chains.

“Potential BI scenarios are becoming ever more diverse and complex in a globally connected economy, including breakdown of core IT systems, product recalls/quality issues, terrorism, political rioting or environmental pollution,” Allianz said.

Survey respondents cited the top five causes of BI they fear the most as: 1) cyber incidents (cited by 50 percent of respondents); 2) fire, explosion (40 percent); 3) natural catastrophes (38 percent); 4) supplier failure, lean processes (28 percent), and 5) machinery breakdown (28 percent).

At the same time, BI is seen as the biggest cause of financial loss for businesses after a cyber incident (69 percent), said the survey report.

“Cyber incidents can cripple a company’s operations and severely impair its ability to deliver its services, yet they are just one of many loss triggers that can result in a BI for corporates,” said Volker Muench, global practice leader, Utilities & Services, IT Communication, AGCS, in comments in the report.

Cyber Incidents

The average insured loss from a cyber incident is now just over €2 million ($2.3 million) compared with almost €1.5 million ($1.7 million) from a fire/explosion incident, said AGCS, noting that losses from major cyber events can be in the hundreds of millions or higher.

Cyber incidents rank as the BI trigger most feared by businesses, and BI is also the biggest cause of economic loss for businesses after a cyber incident, according to Allianz Risk Barometer respondents.

“Finally we have reached an important point where cyber is equally concerning for our customers as their major ‘traditional’ exposures, which means that entities across all industries and business segments now have this risk firmly on their radars,” said Marek Stanislawski, the deputy global head of Cyber and Tech PI at AGCS.

“As all businesses embrace digital business models, success is highly dependent on the technology facilitating the business,” said Georgi Pachov, global practice leader, Cyber, AGCS.

“Revenue streams can be easily interrupted following abnormal technological behavior. Cyber incidents leading to BI will become much more frequent in future due to the massive reliance on technology and data for running businesses,” Pachov affirmed. “In the age of the ‘internet of things,’ if two manufacturing devices cannot communicate and exchange data with each other, this will inevitably lead to a business disruption.”

Allianz Top Business Risks: 1-10

In addition to business interruption and cyber, the other top business risks named by survey respondents are:

  • Business interruption – 37 percent
  • Cyber incidents – 37 percent
  • Natural catastrophes – 28 percent
  • Changes in legislation and regulation (e.g., trade wars and tariffs, economic sanctions, protectionism, Brexit, Euro-zone disintegration) – 27 percent
  • Market developments (e.g., volatility, intensified competition/new entrants, M&A, market stagnation, market fluctuations) – 23 percent
  • Fire, explosion – 19 percent
  • New technologies (e.g., impact of increasing interconnectivity, nanotechnology, artificial intelligence, 3D printing, autonomous vehicles, blockchain) – 19 percent
  • Climate change/increasing volatility of weather – 13 percent
  • Loss of reputation or brand value – 13 percent
  • Shortage of skilled workforce – 9 percent

Climate change (at number 8 with 13 percent of respondents) and shortage of skilled workforce (at number 10 with 9 percent of respondents) are the biggest climbers in rank from last year (from 10th and 8th rankings, respectively, in 2018), noted the AGCS survey report.

Allianz explained that climate change rose up the list of business threats as a result of concerns that the recent spate of natural catastrophe activity could be a harbinger of increasing financial losses and disruption. In addition to damage and disruption to property, climate change is likely to have big implications for regulation and liability, including emissions targets, and reporting and disclosure requirements. Such concerns ensured that climate change rose to its highest-ever position, AGCS said.

The shortage of skilled workforce appears for the first time in the top 10 global risks, which Allianz attributed to factors such as changing demographics and Brexit.

* Methodology: Allianz’ annual risk barometer incorporates the views of 2,415 respondents from 86 countries, including CEOs, risk managers, brokers and insurance experts in 22 industry sectors.

Tags:  business interruption  cyber  risks 


How to Assess Your Clients' Cybersecurity Risks

Posted By Josh Ladeau, Tuesday, February 26, 2019


Tailoring coverage to your insureds' cybersecurity needs depends on understanding a few of their key characteristics.

All cyber policies are not created equal, and some products are better than others for a given segment of business. To determine what is most appropriate for their clients, brokers and agents should begin their assessment of a client in much the same way underwriters do: by asking “what is the primary exposure(s), as it relates to privacy and network security, for a given risk?”

It may sound basic or obvious, but from the perspective of an underwriter, submission quality often makes it apparent that an agent or broker takes a shotgun approach to assessing the cybersecurity needs of their clients.

Why size matters

As an underwriter, one of the first things I do when I receive a submission is to spend time analyzing the operations of the applicant, in addition to gauging the size of that organization (note that exposure basis — read: “size” — can be defined differently for various organizations, a point I’ll come back to shortly). This information sets the stage for how I might give relative weight to various areas of controls, and my expectation for quality of those controls.

Agents and brokers would be well advised to start their engagement in the same place. The reason for this is simple: thinking about what an organization does and how “big” it is will help to ensure agents are focused on gathering relevant information, and concentrate their marketing efforts on carriers with the most appropriate underwriting appetite, claims capabilities and products.

Focusing on an industry class, and importantly sub-class, can help guide a broker or agent around the best way to measure the size of risk. For some clients, the most appropriate measure of risk might be the number of uniquely identifiable records a business holds – often referred to as Personally Identifiable Information (PII).

For others, the amount of revenue generated annually, or the type of intellectual property it maintains, may be the best representation of its true exposure basis. If we look at healthcare for example, it’s a wide class with a lot of exposure differentiation between sub-classes. For a hospital, the number of unique individual lives on which they maintain data might be the best measure of their relative size.

For a pharmaceutical production facility specializing in generic drug manufacturing, the amount of annual revenue might be a more appropriate measure of their exposure. Both sit within healthcare, but with very different profiles and operational exposure.

Surveying cyber exposures

This same example of differentiated exposures can be applied to virtually any business or industry. If the class is “professional services,” a law firm specializing in personal injury claims (where PII may be the best measure of size) has a very different exposure basis than a design firm (which generally has limited PII, but might have material revenue exposure relating to network outage because of tight client marketing timeframes, for example). Again, it’s best to focus on the individual operations of a given client rather than what overarching industry class they might fall into.

Once the most relevant area(s) of exposure is identified, an agent or broker can focus on collecting the most pertinent exposure basis data, as well as controls data. If it is determined PII is the best measure of a given entity’s exposure, where does it fit from a relative perspective? Is their client an independent rural county hospital with 83,000 records?

A hospital that size could be considered “small” even though they have $140 million in revenue. Or, is the client a health system operating across three states, managing nine hospitals, each with hundreds of thousands of PII records, totaling in excess of $4 million?

If it’s the small, independent hospital, a standard application from one of the major carriers offering cyber insurance may be the right application to use. If it’s the latter entity, an agent or broker should probably determine whether privacy and security controls are centrally managed. They need to determine whether all facilities share a common network domain, as that could indicate a need for multiple applications to be completed.

The agent or broker may want to prepare the client and focus energy on scheduling an underwriting conference call, as that may be the easiest way for the health system to communicate the complexity of their IT and data-related operations, as well as the sophistication of their privacy and network security-related controls.

In addition to guiding the application process for a broker or agent and their client, this assessment process can narrow the marketing process. Often, smaller organizations should be steered toward products that include built-in incident response. They usually provide “800” numbers for near-immediate interaction with cyber-specialist law firms, as well as pre-established relationships with forensics specialists and other post-incident responders.

Conversely, larger and more sophisticated organizations have existing vendor relationships and want a product/carrier that will provide them with the flexibility to leverage those relationships, large limits across a wide variety of coverage areas, and a willingness to draft bespoke coverage enhancements.

Use your cyber practice to remain competitive

I’ve been dedicated to cyber throughout my career in commercial insurance. It’s been a fascinating area, and the maturation of cyber policies has accelerated greatly over the last decade.

There are a fair number of quality choices when it comes to selecting a primary carrier, with a wide array of policy structures. The next frontier of competition is around pre-incident services.

Cybersecurity isn’t just about reducing risk, although that’s obviously a critical piece; it is fast becoming an area for competitive differentiation amongst businesses (our clients). Recognizing that policies with built-in response mechanisms are becoming more commoditized, it will be carriers offering deep, in-house technical personnel and tailored pre-incident services that are best positioned to capture market share. Agents and brokers need to keep this in mind when evaluating carriers.

Most agents and brokers aren’t going to have a cybersecurity background and shouldn’t be expected to evaluate the relative posture of their clients. However, most have the ability and opportunity to understand the nuanced operations of their client, and that effort can improve all aspects of the cyber insurance application and purchase process.

Tags:  assess  clients  cybersecurity  insurance  risks 


PIA of Kentucky
107 Consumer Lane
Frankfort, KY 40601


Phone: 502-875-3888
Fax: 502-227-0839