Suffering shopper fatigue? With Black Friday in full swing and Cyber Monday imminent, the biggest online shopping days of the year are upon us, but for businesses trying to see off cyber attacks, fatigue can be a danger at any time of the year.

The just-released annual global fraud survey by Kroll—which found that incidence of fraud, including information theft, is at its highest level in eight years—warns that cyber fatigue is real, but not an excuse for inaction.

“It’s easy to become fatigued at the thought of cyber security. With so many things to do and to learn, you can lose sight of the benefits. If the process does become too overwhelming, remember this: Each step your company takes to protect itself makes it that much more difficult for attackers. They will move on to an easier target—one without as much security in place.”

Information theft was identified as being of particular concern among the 768 senior executives worldwide polled for the fraud survey.

More than half of executives (51 percent) believe their businesses are highly or moderately vulnerable to information theft risks such as cyber incidents, according to Kroll’s analysis.

The good news is that this increased awareness level has led to an increase in the number of companies proactively looking after their cyber security stance.

Some two-thirds (67 percent) of companies report that they regularly conduct data and IT infrastructure assessments, and a majority (60 percent) regularly conduct data and IT infrastructure assessments.

Some 60 percent also report they have an up-to-date information security incident response plan and 59 percent have tested it in the past six months, an increase on the previous survey.

Another interesting takeaway: while media attention is focused on external cyber threats to companies, the report findings tell a different story.

Of those companies that have fallen victim to information loss, theft or attack over the past 12 months, the most common cause was employee malfeasance, involved in 45 percent of cases, according to Kroll. Vendor/supplier malfeasance was also involved in 29 percent of cases.

By comparison, only a small minority of cases involved an attack by an external hacker on the company itself (2 percent) or on a vendor/supplier (7 percent).

For information on how insurance can help businesses protect themselves from the cyber threat, check out I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

I.I.I. facts and statistics on cybercrime and identity theft are available here.


There are many factors that can affect a company’s credit ratings and it appears that cyber risk is moving up a notch in importance in corporate credit analysis.

In a new report, ratings agency Moody’s Investors Service said it views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event.

Moody’s reports:

“While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”

According to the report, “Cyber Risk of Growing Importance to Credit Analysis,” assessing how prepared an issuer or organization is for a cyber threat presents challenges, owing to the complexity of the problem.

Moody’s identifies several key factors to examine when determining a credit impact associated with a cyber event, including: nature and scope of the targeted assets or businesses; the duration of potential service disruptions; and the expected time to restore operations.

On a positive note, more cyber security expertise is being added to boards and trustee governance in response to the growing cyber threat.

A press release cites Jim Hempstead, Moody’s associate managing director and lead author of the report:

“We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”

Moody’s said industries housing significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies, are at greatest risk of large-scale data breaches resulting in serious reputational and financial damage.

Critical infrastructure sectors such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could result in large-scale service disruption, causing substantial economic—and possibly environmental—damages to sovereign, state and local governments or utilities.

However, Moody’s believes this type of attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.

Hat tip to Reuters for its article here.

Check out the I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

Our mission at the Insurance Information Institute (I.I.I.) is to help people understand how insurance operates. Sometimes that means understanding how insurers handle new technologies, particularly in auto insurance. Chief Actuary James Lynch answers a question we got last week:

Q: I am researching driver assist technology and the advantages and pitfalls that could be associated with it. Do driver assist technologies raise or lower insurance premiums? A few of the technologies I’m looking at are lane-keeping devices, blind spot warning systems and hands-free cruise control.

A: As far as technological innovations go, insurance companies adjust their rates after a technology has proved its worth on the road. Only then do they know that a technology is effective and how much discount is warranted, if any. That means hands-free driving systems, which have only been introduced in the past couple months, are not earning anyone discounts right now.

You mention lane departure warnings. That is a technology that has yet to prove valuable on its own. The feature alerts a driver that is beginning to drift from one lane to another. When the driver drifts, an alarm beeps. One problem, it appears, is that drivers have trouble understanding what the beep means.

In addition, the feature can be turned on and off by the owner, and owners frequently find it so annoying that they turn it off. I happen to have a car with this technology, and I drove with it for about 10 minutes before turning it off. You would be surprised how many times your wheels touch a lane line; I know I was, particularly when the road curved. So insurers probably aren’t giving a lot of credits for the system.

That doesn’t mean that the idea of a lane departure warning is useless. The problem may be that the notification system doesn’t help the driver do a better job. There’s every chance that manufacturers will be able to refine the system so that it does better later. If that happens, rates will eventually adjust.

Another possibility: Sometimes a feature by itself doesn’t work as touted but will become an important part of a larger system. An example here is antilock brakes, which were introduced a couple of decades ago. The brakes had a special feature that was supposed to help a car stop more quickly when its brakes were slammed on. By themselves, they weren’t much of a help – which surprised a lot of people – but they have become an important part of electronic stability control, a computerized system that figures out when a car is starting to skid and corrects the situation.

Electronic stability control is perhaps the biggest safety advance of our generation. The feature, standard since 2012 on all new vehicles, has cut the risk of a fatal single-vehicle crash in half. Insurers closely monitor this stuff, particularly the Insurance Institute for Highway Safety and its sister organization, the Highway Loss Data Institute.

Here at I.I.I. we offer more information on auto crashes in our Issues Update on the topic.

There’s a lot of buzz around the Internet of Things (IoT), not least with the latest forecasts from Gartner suggesting that 20.8 billion connected things will be in use worldwide by 2020.

Already the estimated number of connected things in 2016—6.4 billion, according to Gartner—is a 30 percent increase on 2015. In fact 5.5 million new things will get connected every day in 2016, Gartner predicts.

A press release notes:

“Aside from connected cars, consumer uses will continue to account for the greatest number of connected things, while enterprise will account for the largest spending.”

Gartner estimates that 4 billion connected things will be in use in the consumer sector in 2016, and will reach 13.5 billion in 2020. (Hat tip to Canadian Underwriter for its report here.)

Numerous analysts have pointed to IoT’s power to transform the insurance industry.

In this Deloitte QuickLook blog post, Sam Friedman writes that IoT will likely accelerate the vast amounts of data available to insurers as Web-connected sensors become the norm.

For example, telematics for usage-based auto insurance can provide carriers with 24/7 updates about where, when and how fast an insured travels, as well as assessing their turning and braking habits, traffic navigation skills and response time.

This same IoT technology has applications in a number of other coverages in personal, life and health and commercial insurance, Friedman writes.

Another example is “smart” homes which will allow homeowners to monitor their property, its security and elements like heating remotely. Insurers could provide loss control advice to minimize threats and perhaps take action to secure insured properties, he suggests.

And in this Accenture blog post, Daniele Presutti writes about how IoT will change how insurance is sold and who sells it. He predicts an increasing presence in the insurance business by tech-savvy competitors, such as Google and Amazon.

But it’s not all bad news, he writes:

“As people, homes, organizations and even cities become increasingly interconnected, an array of new opportunities will emerge. Smart and agile insurance companies will be able to take advantage of the IoT to launch new products, with new customers and capture new markets. These companies will be the Insurers of Things. For them the possibilities will be huge.”

Read more about how insurers are innovating along with the evolution of IoT in our latest paper Cyber Risks: Threat and Opportunities.


Broker Willis has just published its commercial insurance rate predictions for 2016.

What’s the outlook for insurance buyers?

Overall, the property/casualty insurance market continues to soften and Willis predicts further softening ahead, fueled by relatively benign losses and an oversupply of capacity from traditional and non-traditional sources.

For 2016, 10 lines of insurance—property, casualty, aviation, energy, health care professional, marine, political risks, surety, terrorism and trade credit—are expecting decreases.

In contrast, just five lines of insurance—cyber, employee benefits, errors & omissions (E&O), fidelity and kidnap & ransom—are expecting increases.

The main exception to the overall softening trend is in cyber and E&O insurance, Willis reports, where the growing threat of cyber intrusion and data theft is sending rates upward.

By how much?

For retailers with POS (point-of-sale) exposures and large health care companies, rate increases are up to an eye-opening 150 percent at renewal, with additional increases on excess layers.

In fact most buyers of cyber insurance are seeing primary premium increases of up to 15 percent, Willis says. For smaller organizations (with revenues less than $1 billion) lower premium increases are typical.

What about terms and conditions?

Willis observes that underwriting requirements continue to rise and cyber insurers are also increasing retentions, reducing capacity and exiting certain sectors.

Despite the reduction in capacity by some carriers, available limits in the cyber marketplace are around $350 million to $400 million.

Willis also predicts the marketplace for first-time buyers of cyber insurance (except for POS retailers and large healthcare organizations) will continue with relatively favorable terms, conditions and pricing.

Willis offers this single piece of advice to buyers of cyber insurance:

“In approaching the markets, be ready to identify key investments in security and privacy protections over the past policy year that will help differentiate you from your peers.”

The I.I.I.’s new paper Cyber Risks: Threat and Opportunities sheds more light on the rapidly evolving market for cyber insurance.

The Internet of Things (IoT) is expanding rapidly—even permeating the minds of five-year-olds.

My own kindergartener’s query from the back of the car during a routine drive to swim class the other day is a good example:

“Mummy, how did God know to create all these things that we need?” As I paused to consider the appropriate response, he answered for me: “You can just ask Siri, or Google it.”

Just how far we’ve come in our technological transformation is reflected by the development of innovative insurance products to cover the associated—and growing—risk.

A new white paper from the Insurance Information Institute (I.I.I.), Cyber Risk: Threat and Opportunity, which I co-authored with I.I.I. president Dr. Robert Hartwig, offers us a glimpse of how cyber insurance has evolved as a product since the mid- to late-1990s.

From a coverage that has its origins in the so-called “Y2K” or Millennium bug that prompted fears the Year 2000 date change would cause widespread computer failure, cyber coverage in the U.S. took off in response to the enactment of numerous privacy and data breach notice laws across the country.

More than 60 insurance carriers now offer stand-alone cyber insurance policies, the I.I.I. says, and interest in this coverage continues to grow following numerous high profile data breaches. Broker Marsh estimates the U.S. cyber insurance market was worth over $2 billion in gross written premiums in 2014.

And while there are many guesstimates out there, PwC suggests the global cyber insurance market could grow to at least $7.5 billion in annual premiums by the end of the decade. PwC also suggests insurers need to move quickly to innovate before a disruptor such as Google enters the market.

No business or industry is immune from the cyber threat. Our paper takes a look at where the threats are coming from and the challenges that cyber insurers face writing this coverage given the rapidly evolving nature of cyber attacks.

How insurers manage these risks while creating products for this multi-billion market opportunity as the legal and regulatory landscape becomes more defined will determine how best we all are protected from cyber risks in the years to come.

A poll of board directors and executives from Forbes Global 2000 companies finds that cybersecurity is being taken much more seriously in the boardroom these days, as is cyber insurance.

Nearly two-thirds (63 percent) of respondents to the study developed by the Georgia Tech Information Security Center (GTISC) say they are actively addressing computer and information security, up from 33 percent in 2012.

There has also been a significant shift in the number of boards reviewing cyber insurance. Nearly half (48 percent) of respondent boards were reviewing their company’s insurance for cyber-related risks, compared with just 28 percent in 2012.

However, the 2015 survey suggests there may be confusion over what type of insurance to purchase or appropriate coverage limits. Only about half of the respondents (47-54 percent) indicated that they had quantified their business interruption and loss exposure from cyber events.

Almost all boards (90 percent) are reviewing risk assessments, and an increasing number of them (53 percent) are hiring outside experts to assist on risk issues. Interestingly, the highest degree of attention was being paid to cyber risks associated with supplier relationships.

The survey, which was supported by Forbes, the Financial Services Roundtable (FSR), and Palo Alto Networks, found that some of the biggest improvements over time have been organizational.

For example, the majority of boards (53 percent) have established a risk committee, separate from the audit committee, with responsibility for oversight of cyber risk. In 2008, just 8 percent of boards had this in place.

The financial sector far exceeds other industry sectors with 86 percent having a board risk committee separate from the audit committee, followed by the IT/Telecom sector at 43 percent.

Another positive sign? Boards are now placing much more importance on risk and security experience when recruiting board directors, with 59 percent saying their board had a director with risk expertise, and nearly one quarter (23 percent) one with cybersecurity expertise.

Something to bear in mind: the response rate to the 2015 survey was low – with results received from just 6 percent, or 121 respondents at the board or senior executive level at 1,927 Forbes Global 2000 companies.

Corporate data breaches and privacy concerns may dominate the headlines, but a new report by Allianz Global Corporate & Specialty makes the case that future cyber threats will come from business interruption (BI), intellectual property theft and cyber extortion.

The impact of BI from a cyber attack, or from operational or technical failure, is a risk that is often underestimated, according to Allianz.

It predicts that BI costs could be equal to—or even exceed—direct losses from a data breach, and says that business interruption exposures are particularly significant in sectors such as telecoms, manufacturing, transport, media and logistics.

Vulnerability of industrial control systems (ICS) to attack poses a significant threat, Allianz says.

To date, there have been accounts of centrifuges and power plants being manipulated, such as the 2012 malware attack that disabled tens of thousands of computers at oil company Saudi Aramco, disrupting operations for a week.

However, the damage could be much higher from security sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.

Business interruption can also be caused by technical failure or human error, Allianz notes.

For example, in July 2015, stocks worth $28 trillion were suspended for several hours on the New York Stock Exchange due to a computer glitch, and that same month 4,900 United Airlines flights were impacted by a network connectivity issue.

As a result, Allianz believes that within the next five to 10 years BI will be seen as a key risk and a major element of the cyber insurance landscape.

It points out that in the context of cyber and IT risks, BI cover can be very broad including business IT computer systems, but also extending to ICS used by energy companies or robots used in manufacturing.

Allianz currently estimates the cyber insurance market is worth around $2 billion in premium worldwide, with U.S. business accounting for around 90 percent of the market. However, the cyber market is expected to experience double-digit growth year-on-year and could reach in excess of $20 billion in the next 10 years.

The Allianz Cyber Risk Guide is available here.

Check out I.I.I. facts and statistics on cybercrime here.

The cyber insurance market for small- to mid-sized companies is much friendlier than the market for larger insureds, according to the findings of an annual survey just released by Betterley Risk Consultants.

The Cyber/Privacy Insurance Market Survey 2015 notes that there are many insurance products competing for the business of small and mid-sized (SME) organizations.

Brokers are actively selling cyber policies to their SME insureds, and more are buying than ever before, as they realize the potential for liability, breach and response costs, arising out of the possession of private data.

The report says:

“Rates for the SME segment are still competitive and renewals are generally flat, even a bit soft, undoubtedly affected by the numerous insurers getting a foothold in the cyber insurance market. Smaller insureds tend to have lower limits and often have relatively modest claims.”

In contrast, larger organizations, especially those in retail and healthcare, are finding it more difficult to buy adequate limits at a reasonable price, the report suggests, as insurers are increasingly strict about adherence to cyber security and payment card industry standards.

For the larger/retail/healthcare insured, rates are rising, with increases in the 10-25 percent range most common. But the report points out:

“This is for untroubled organizations; it’s worse (up to 200 percent) if they have claims experience that has yet to result in significantly improved cybersecurity measures.”

While annual premium volume information about the U.S. cyber insurance market is hard to come by, the report concludes that annual gross written premium is growing and may be as much as $2.75 billion in 2015, up from $2 billion in last year’s report.

“We think the market has nowhere to go but up—as long as insurers can still write at a profit.”

This year’s report includes products offered by 31 insurers, up from 28 in 2014.

Check out the Insurance Information Institute’s (I.I.I.) online resource for business insurance here.


Technology is not enough in the fight against cybercrime; effective cybersecurity measures require policy and process changes as well.

That’s the takeaway from an analysis of cyber-risk spending included in the 2015 U.S. State of Cybercrime Survey recently released by PwC.

While cybersecurity budgets are on the rise, companies are mostly reliant on technology solutions to fend off digital adversaries and manage risks.

Among the 500 U.S. executives, security experts and others from public and private sectors responding to the survey, almost half (47 percent) said adding new technologies is a spending priority, higher than all other options.

Notably, only 15 percent cited redesigning processes as a priority and 33 percent prioritized adding new skills and capabilities.

When asked whether they have the expertise to address cyber risks associated with implementation of new technologies, only 26 percent said they have capable personnel on staff. Most rely on a combination of internal and external expertise to address cyber risks of new solutions.


As PwC advises:

“Companies that implement new technologies without updating processes and providing employee training will very likely not realize the full value of their spending. To be truly effective, a cybersecurity program must carefully balance technology capabilities with redesigned processes and staff training skills.”

Employee training and awareness continue to be a critical but often neglected component of cybersecurity, PwC said. Only half (50 percent) of survey respondents said they conduct periodic security awareness and training programs, and the same number offer security training for new employees.

Some 76 percent of respondents to the survey said they are more concerned about cybersecurity threats this year than in the previous 12 months, up from 59 percent the year before.

As PwC noted, in today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how successful an attack will be.

Check out Insurance Information Institute (I.I.I.) facts and statistics on cybercrime here.
