What IoT Cyber Attacks Mean for Insurers

The massive global distributed denial of service attack (DDoS) against internet infrastructure provider Dyn DNS Co. that left over 1,000 major brand name sites including Twitter, Netflix, PayPal and Spotify, inaccessible Friday has implications for insurers too.

While the nature and source of the attack is under investigation, it appears to have been (in the words of Dyn chief strategy officer Kyle York) “a sophisticated, highly distributed attack involving tens of millions of Internet Protocol addresses.”

As Bryan Krebs’ KrebsOnSecurity blog first reported, the attack was launched with the help of hacked Internet of Things (IoT) connected devices such as CCTV video cameras and digital video recorders (DVRs) that were infected with software (in this case the Mirai botnet) that then flooded Dyn servers with junk traffic.

The World Economic Forum (WEF) recently warned that failing to understand and address risks related to technology, primarily the systemic cascading effects of cyber risks or the breakdown of critical information infrastructure could have far-reaching consequences for national economics, economic sectors, and global enterprises.

As the IoT leads to more connections between people and machines, cyber dependency will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem, the WEF noted.

While IoT connected devices have the potential to transform how businesses and individuals—and their insurers—conduct, manage and monitor their operations, workplaces and their homes, clearly there are embedded risks that insurers need to consider.

Over at Celent’s insurance blog, Donald Light, director of Celent’s North America property/casualty practice, says the Dyn DDoS attack has a number of potentially serious implications for insurers.

Light writes:

“An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholders and the insurer providing the discount to a variety of potential losses.”

If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses, Light suggests.

The Insurance Information Institute white paper on cyber threats and opportunities is available here.

Cyber Claims Costly To Businesses Large and Small

Data breaches can be costly, no matter how large or small an organization may be.

That’s a key takeaway of the latest NetDiligence study on cyber claims costs that analyzed 176 data breach claims submitted by insurers.

While the average claim for a large organization—at $6 million—was 10 times the average claim for a small organization, some of the largest claims in this year’s study came from smaller organizations with revenues of $2 billion or less.

This year’s dataset included 21 claims in excess of $1 million (12 percent) of which 81 percent (17 out of 21) involved nano-, micro- and small-revenue organizations that were victims either of hackers or malware.

The largest legal costs (defense and settlements) in this year’s study were from two micro-organizations (revenues of $50 million to $300 million). One lost valuable trade secrets to a hacker, while the other exposed protected health information due to a lost laptop.

The combined legal costs for these two organizations ranged from $1.5 million to more than $4.5 million, NetDiligence said.

Interestingly, the average claim payout across the dataset was $495,000, while the median claim payout was $49,000

The highest average claim payout—$1.3 million—was in the financial services sector.

The majority of claims (87 percent) submitted for analysis in this year’s study came from smaller organizations with revenues of $2 billion or less.

NetDiligence said this is in line with previous findings that smaller organizations experience most of the incidents. This is likely due to the fact that there are simply more small organizations, than large ones.

Other contributing factors may be that smaller organizations are less aware of their exposure or they have fewer resources to provide appropriate data protection and/or security awareness training for employees, NetDiligence said.

A point that underscores the growing need for smaller companies to purchase cyber insurance.

While many leading cyber liability insurers are participating in the study, NetDiligence noted that there are many insurers that have not yet processed enough cyber claims to be able to participate.

“It is our sincerest hope that each year more and more insurers and brokers will participate in this study—that they share more claims and more information about each claim—until it truly represents the cyber liability insurance industry overall.”

Caribbean Catastrophe Pool Aids Hurricane Matthew Recovery

By tomorrow four Caribbean countries will have received payouts from the CCRIF PC (formerly the Caribbean Catastrophe Risk Insurance Facility) due to Hurricane Matthew, for a total of $29.2 million.


The chart above shows a $20.4 million payout by the CCRIF to the Government of Haiti on its Tropical Cyclone (TC) policy as a result of Hurricane Matthew, and an additional payment of just over $3 million on its excess rainfall policy, for a total of $23.4 million.

The payments come just two weeks since Hurricane Matthew hit Haiti as a Category 4 storm, devastating the southern portion of the country and leaving more than 1,000 dead.

Barbados will also see a payout of just under $1 million on its TC policy for a total payment to the country of $1.7 million due to Matthew.

The excess rainfall policies of Saint Lucia and St. Vincent & the Grenadines were also triggered by Hurricane Matthew, resulting in CCRIF payments to those countries of $3.8 million and $285,349, respectively.

Including the Hurricane Matthew payments, CCRIF has now made a total of 21 payouts to 10 member governments totaling almost $68 million since 2007, all within 14 days of an event.

CCRIF is able to make quick payouts because it offers parametric insurance products to its member countries.

TC policies make payments based on hurricane wind speed and storm surge levels and do not include losses due to rainfall. To fill this gap, CCRIF’s Excess Rainfall (XSR) product was developed a few years ago. Under the excess rainfall policies, payments are triggered based on the volume of rainfall from a hurricane or other rain event.

Each government selects its own attachment point or deductible, so the individual country’s policies are triggered when the modeled losses surpass that point.

Most CCRIF members have purchased both TC and XSR policies and many members also have earthquake coverage.

Just last year, the CCRIF expanded its membership to countries in Central America as well as the Caribbean.

Artemis blog reports that the $29.2 million of payouts due to Hurricane Matthew  by the CCRIF will not come close to troubling its catastrophe bond coverage, but could result in the facility being able to call on reinsurance support for some of the loss.

It also predicts increasing uptake of parametric insurance for disaster protection and recovery funding as more corporate buyers become aware of the opportunities.



Home Fire Drill

My older son has a fire safety drill at school today and my younger son’s class field trip to the firehouse is next week, which is my personal reminder that it’s time to test our home smoke alarms.

In fact smoke alarms are once again the theme of this year’s National Fire Prevention Week,  and there are good reasons why.

National Fire Protection Association (NFPA) statistics show that three of every five residential fire deaths in the United States result from fires in homes with no smoke alarms or no working smoke alarms.

And almost 40 percent of fire fatalities that occur in the U.S. are in homes with no smoke alarms.

Being prepared in the event of a home fire is also critical.

Despite the fact that nine in 10 structure fires occur in the home, a recent survey by Nationwide found that only one in five parents regularly practice fire escape plans at home.

Nearly half of all parents surveyed (45 percent) also report that their children do not know what to do in the event of a home fire.

To raise awareness of this issue and encourage families to be more prepared, tomorrow Nationwide is launching Home Fire Drill Day as part of its Make Safe Happen program.

What can you do?

First, know where to go. Pick a safety spot that’s near your home and a safe distance away. Explain to your kids that when the smoke alarm beeps they need to get out of the house quickly and meet at that safety spot.

Test your smoke alarms with your kids so they know what they sound like. Then, do the drill and see if you can all make it out of the house to the safety spot in under two minutes. If not, do it again.

As Nationwide says: “We do fire drills at school. We do them at work. Now, let’s do them at home.”

Sounds like a plan.

The Insurance Information Institute has facts and statistics on fire losses here.

Hurricane Matthew: Early Loss Estimates and More

Early estimates put the insured property loss to U.S. residential and commercial properties from Hurricane Matthew at up to $6 billion.

While this figure covers wind and storm surge damage to about 1.5 million properties in Florida, Georgia and South Carolina, CoreLogic’s estimate does not include insured losses related to additional flooding, business interruption or contents.

Parts of North Carolina are expected to remain under dangerous flood risk for at least the next three days, according to the state’s governor Pat McCrory in a report by the Capital Weather Gang blog.

As Dr. Jeff Masters’ WunderBlog reminds us, the potentially huge cost of damage caused by inland flooding is still unfolding.

The WunderBlog post suggests:

“A roughly comparable storm, Hurricane Floyd in 1999, produced about $9.5 billion in U.S. economic damage.”

And given the ongoing flooding across the Carolinas and southeast Virginia, that is a fair starting point for Hurricane Matthew, according to Wunderblog’s account of a conversation with Steve Bowen, director and meteorologist at Aon Benfield.

Catastrophe modeler RMS expects the losses to commercial lines will be the primary driver of total flood insured losses, predominately through multi-peril or all-risks policies.

In a blog post, Tom Sabbatelli, RMS hurricane expert noted:

“We expect that the contribution to insured losses by residential claims will be limited because a proportion of the residential property losses will be covered by the National Flood Insurance Program (NFIP).”

As of July 31, 2016, there were approximately 417,000 NFIP policies in-force in Georgia, South Carolina, and North Carolina.

Penetration of NFIP coverage varies significantly by distance to the coastline, RMS said. While in coastal regions it can be as high as 25 percent in some areas, inland participation can be less than 1 percent.

“This means that although much of the storm surge-driven coastal flood losses will be covered to some extent by the NFIP, many flood-related losses further inland are expected to be uninsured.”

Ratings agency Fitch has said that the insured loss from Hurricane Matthew “is not expected to present a major capital challenge” to the industry.

Fitch estimates that if the storm results in insured losses in excess of $10 billion, a greater proportion of losses will be borne by reinsurers as opposed to primary companies.

More than 30 fatalities have been attributed to Hurricane Matthew in the U.S. alone, but in Haiti the rising death toll is now more than 1,000.

Hurricane Matthew became post-tropical on Sunday, after heading eastward from the North Carolina coast out to sea.

The Insurance Information Institute offer the following tips for filing an insurance claim in the wake of Hurricane Matthew.


Hurricane Matthew: Storm Surge Risk

Almost 2 million homes in Florida, South Carolina, North Carolina and Georgia are at risk of storm surge damage from Hurricane Matthew with an estimated $405 billion in total reconstruction cost value, according to new analysis from CoreLogic.

Here’s the CoreLogic graphic showing the total number and value of residential properties at risk of storm surge damage from Hurricane Matthew by state:


The estimates come as Hurricane Matthew, still a major Category 3 storm packing 120 mph winds, continues its northward trek brushing along Florida’s northeast coast Friday, with its eye remaining just offshore.

In its latest advisory, the National Hurricane Center (NHC) said that Matthew is expected to remain a hurricane until it begins to move away from the U.S. on Sunday, though it is forecast to weaken during the next 48 hours.

A hurricane warning now stretches as far as Surf City, North Carolina.

The NHC said:

“The combination of a dangerous storm surge, the tide and large and destructive waves will cause normally dry areas near the coast to be flooded by rising waters moving inland from the shoreline.”


“There is a danger of life-threatening inundation during the next 36 hours along the Florida northeast coast, the Georgia coast, the South Carolina coast, and the North Carolina coast from Sebastian Inlet, Florida, to Cape Fear, North Carolina. There is the possibility of life-threatening inundation during the next 48 hours from north of Cape Fear to Salvo, North Carolina.”

Here’s the 11am NHC prototype storm surge watch/warning graphic, showing locations most at risk for life-threatening inundation from storm surge extend from Florida to North Carolina:


It’s important to note that flood damage resulting from heavy rain, storm surge and hurricanes is excluded under standard homeowners, renters and business insurance policies.

Separate flood coverage is available, however, from FEMA’s National Flood Insurance Program (NFIP) and from a few private insurers.

Flood damage to cars would be covered under the optional comprehensive portion of an auto insurance policy.

The NHC has a storm surge inundation map which means anyone living in hurricane-prone coastal areas along the U.S. East and Gulf coasts can now check out and evaluate their own unique risk to storm surge.

Insurance Information Institute experts are available to discuss the insurance implications of Hurricane Matthew.

Check out the I.I.I. facts and statistics on flood insurance.

Hurricane Matthew: Expect Wind, Rain, Storm Surge

Hurricane Matthew, a dangerous Category 3 storm, appears to have the cities along Florida’s east coast in its sights as it heads across the Bahamas today and tomorrow.

On its current track, Hurricane Matthew is expected to be very near the east coast of Florida by Thursday evening, according to the latest advisory from the National Hurricane Center (NHC).

States of emergency are in effect for all of Florida, coastal parts of Georgia and the Carolinas, and an evacuation has been ordered in coastal parts of South Carolina

Some slight restrengthening is possible in the next few days, the NHC said.

Currently Hurricane Matthew’s maximum sustained winds are near 120 mph (195 km/h) with higher gusts. Hurricane-force winds extend outward up to 45 miles (75 km) from the center, and tropical-storm-force winds extend outward up to 175 miles (280 km).

Whether or not Hurricane Matthew makes landfall in Florida, clearly the storm poses a serious threat to Florida, Georgia and the Carolinas, though much depends on the exact track it takes.

Note: the insured value of coastal properties in those four states (FL, GA, SC, NC) totaled $3.4 trillion in 2012, according to AIR Worldwide.

As RMS blog reports:

“The general model consensus suggests that Matthew will slide northward very near, if not scraping along, the Florida coastline as a strong hurricane, making at least tropical storm force winds, high surf, and heavy rain likely for most of the cities along Florida’s East Coast.”

The fact that Hurricane Matthew is moving slowly (currently at around 12 mph) means that the storm is likely to impact the southeast U.S. for a number of days.

With that in mind, here’s a quick review, courtesy of the Insurance Information Institute, of how insurance policies respond to hurricane-related damage caused by wind, rain and storm surge:

—Wind damage from tropical storms, hurricanes and tornadoes is covered under standard homeowners, renters and business insurance policies.

Flood damage resulting from heavy rain, storm surge and hurricanes is excluded under standard policies. Flood coverage is available from FEMA’s National Flood Insurance Program (NFIP) and from some private insurers.

—Damage to cars from tropical storms or hurricanes is covered under the optional comprehensive portion of an auto insurance policy. This includes wind damage, flooding and even falling objects such as tree limbs.

CoreLogic analysis shows that just under 3.9 million homes located along the Atlantic coast of the United States are at risk of hurricane-driven storm surge, with an estimated total reconstruction cost value (RCV) of $953 billion.

The state of Florida, which has the longest coastal area, has the most homes at risk at 2.7 million, and an estimated RCV of $196.1 billion.

Here’s the visual of Hurricane Matthew’s track, via Weather Underground:


Hurricane Matthew A Major Storm

The fifth Atlantic hurricane and the 13th named storm of the season—Matthew—is now a major Category 3 storm with 115 mph winds and forecasters predict little change in strength during the next 48 hours.

While any interaction with the U.S. coast is days away, and there is still considerable uncertainty in Hurricane Matthew’s modeled track, it’s important to be prepared for this major storm, as the National Hurricane Center (NHC) noted:

“Users are reminded that the average NHC track errors at days 4 and 5 are in the order of 175 and 230 miles, respectively. Therefore, it is too soon to rule out possible hurricane impacts from Matthew in Florida.”

Or, in the words of Wunderblog’s Dr. Jeff Masters:

“NHC has put Miami in the 5-day cone of uncertainty for Matthew, and it appears likely at this point that South Florida will experience at least the fringes of Matthew, with some heavy rains, if not a direct hit.”


For now forecasters expect Hurricane Matthew to continue heading west through the Caribbean,  and then turn to the north and northwest on Saturday/Sunday, putting the islands of Jamaica, Hispaniola and Cuba in its path.

The potential impact to those islands depends a lot on that turn, as NHC forecasters earlier noted:

“There is a significant spread in where the turn will occur and how fast Matthew will move afterwards.”

A hurricane watch may be required for Jamaica later today, according to the NHC.

Insurers, reinsurers and others will be monitoring Hurricane Matthew closely over the weekend and into next week.

Check out Insurance Information Institute facts and statistics on hurricanes here.



Cybersecurity Among Biggest Presidential Challenges

Just days after the disclosure of a massive data breach at email provider Yahoo, believed to have been the work of a state-sponsored actor, it’s notable that cybersecurity made news during the first of three U.S. presidential debates last night.

As Democratic U.S. presidential nominee Hillary Clinton and Republican U.S. presidential nominee Donald Trump squared off, moderator Lester Holt, asked:

“Our institutions are under cyber attack, and our secrets are being stolen. So my question is, who’s behind it? And how do we fight it?”

In her response, Clinton described cybersecurity, cyber warfare as one of the biggest challenges facing the next president.

She said the U.S. faced two different kinds of adversaries: independent hacking groups that try to steal information so they can use it commercially to make money; and cyber attacks coming from states and organs of states.

Clinton noted:

“We need to make it very clear—whether it’s Russia, China, Iran or anybody else—the United States has much greater capacity. And we are not going to sit idly by and permit state actors to go after our information, our private sector information or our public sector information.”

Trump and Clinton then went back-and-forth on whether Russia was responsible for the hacking of Democratic National Committee emails earlier this year.

Setting that discussion aside, both nominees appeared to agree on the enormity of the cybersecurity challenge, as Trump said:

“We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem… The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”

The just-disclosed 2014 Yahoo breach, in which 500 million accounts were compromised, highlights concerns around the number of state-sponsored cyber attacks, according to this article by the Wall Street Journal.

While organizations should consider the purchase of cyber insurance to manage the financial consequences of an attack, a 2015 Ponemon study found that a more popular approach to managing the risk of a nation state attack is a government-subsidized insurance policy (see below).


What do you think?

Some 17,475 IT and IT security practitioners located in all regions of the U.S. participated in the Ponemon survey.

The Insurance Information Institute’s latest white paper on cyber risk threats and challenges is available here.

Charlotte Unrest and Business Insurance

Ongoing civil unrest and protests in Charlotte, North Carolina following the police shooting of Keith Scott are reported to have caused significant property damage to businesses in the central area of the city.

The Charlotte Observer reports that entertainment complex EpiCentre faced looting and sustained significant damage Wednesday night. Numerous businesses were damaged, including Sundries EpiCentre, CVS, Enso and Fleming’s Prime Steakhouse, it said.

The NASCAR Hall of Fame was among other sites hit by vandals, with adjacent restaurants and hotels also damaged after officials declared a state of emergency for the city.

As clean-up gets underway it’s important to note that most commercial insurance policies generally include coverage for losses caused by riots. civil commotions and fires.

The definition of rioting covers looting by people who steal merchandise or other property from a premises. Vandalism is also covered.

According to The Charlotte Observer, a possible curfew for Thursday night is being discussed by city officials.

The Insurance Information Institute (I.I.I.) notes that if a business has to suspend operations or limit hours due to rioting, business interruption coverage is only covered if there is direct physical damage to the premises, forcing a business to suspend operations.

A “civil authority provision” in a business policy provides coverage for lost income and extra expenses in the event the police or fire department bars access to a specific area as a result of the danger caused by a riot or civil commotion.

In April 2015, looting and arson in Baltimore, Maryland, following the funeral for Freddie Gray, a 25-year-old who died after suffering a severe spinal cord injury while in police custody, resulted in estimated property damage of about $24 million, according to the I.I.I..

Five of the costliest civil disorders in the U.S. occurred in the 1960s. Here’s they are:


Latest research and analysis