Technology


As if we needed another reminder of the rising threat of cyber attacks, the estimated EUR 50 million ($55 million) loss arising from a cyber fraud incident targeting Austrian air parts supplier FACC AG made us sit up and take notice.

As Bloomberg reports here, if the damages do indeed amount to $55 million this would be one of the biggest hacking losses by size.

Bloomberg also points out that the incident is made more intriguing because FACC is 55 percent owned by China-based AVIC.

It will take time for the details of this attack to emerge, but in a January 20 press release, FACC acknowledged that the target of the cyber fraud was the financial accounting department of FACC Operations GmbH.

The company also noted that its IT infrastructure, data security, IP rights and the group’s operational business are not affected by the criminal activities.

Further, FACC said the $55 million in damage was an outflow of “liquid funds”.

“The management board has taken immediate structural measures and is evaluating damages and insurance claims,” FACC added in its third quarter report.

According to this report by ComputerWeekly.com, the fact that FACC’s financial accounting department was targeted in the fraud is prompting speculation that the company was likely the victim of a so-called whaling attack, also known as business email compromise (BEC) and CEO fraud.

These sophisticated phishing attacks are when cyber criminals send fake email messages from company CEOs, often when a CEO is known to be out of the office, asking company accountants to transfer funds to a supplier. In fact the funds go to a criminal account.

Last year, the Federal Bureau of Investigation (FBI) described BEC fraud as an emerging global threat.

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, more than 7,000 U.S. companies have been targeted by such attacks with total dollar losses exceeding $740 million. If you consider non-U.S. victims and unreported losses, that figure is likely much higher.

The rising incidence of BEC and CEO fraud and its intersection with cyber insurance will form the topic of a future blog post.

Both the WEF Global Risks Report 2016 and the Allianz Risk Barometer 2016 have identified cyber attacks and incidents among the top risks facing business.

Find out more about cyber risks and insurance in the I.I.I. white paper Cyber Risk: Threat and Opportunity.

Cyberattacks are now the greatest risk to doing business in North America, according to the just-released World Economic Forum’s (WEF) Global Risks Report 2016.

In North America, which includes the United States and Canada, cyberattacks and asset bubbles were considered among the top risks of doing business in the region.

The WEF noted that in the United States, the top risk is cyberattack, followed by data fraud or theft (the latter ranks 7th in Canada, which is why it scores 50 percent in the table below).

The risks related to the internet and cyber dependency are considered to be of highest concern for doing business in the wake of recent important attacks on companies, the WEF observed.

WEF2016NorthAmericaTopRisks

On a global scale, cyberattack is perceived as the risk of highest concern in eight economies: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland, and the United States.

Public sector bodies in at least two of these countries have recently been disrupted by cyberattacks: the US Office of Personnel Management and the Japanese Pension service, the WEF noted.

Attempts to detect and address attacks are made harder by their constantly evolving nature, as perpetrators quickly find new ways of executing them. Businesses trying to match this speed in their development of prevention and response methods are sometimes constrained by a poor understanding of the risk, a lack of technical talent, and inadequate security capabilities.”

Defining clear roles and responsibilities for cyber risk within corporations is crucial, the WEF noted.

Who in the corporation is the actual owner of the risk? While there are many “C” level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management.”

Outdated laws and regulations also inhibit the ability of governments to capture criminals, but also to expedite the often lengthy procedure of implementing legal and regulatory frameworks to reflect evolving realities.

Check out the Insurance Information Institute’s latest report on cyber risks here.

“Alexa, what is insurance?”

This is just one of many questions that can be asked of an Amazon Echo, our smart home companion that arrived over the holidays.

And as I’m finding out, the part-Siri part-bluetooth speaker that can stream music, tell me the weather or what the traffic’s like, can also be integrated with our smart home devices and hubs.

Turning on the lights, locking the doors and changing the temperature at home are all possible once Alexa is introduced to compatible products and hubs.

As Internet of Things (IoT) devices proliferate and debut at CES 2016, the world’s largest technology trade show happening in Las Vegas this week, insurers will be taking note.

A new International Data Corporation (IDC) report estimates worldwide spending on the IoT will grow from $699 billion in 2015 to nearly $1.3 trillion in 2019—at a 17 percent compound annual growth rate (CAGR).

While manufacturing and transportation (at $165.6 billion and $78.7 billion respectively) led the world in IoT spending in 2015, IDC says the insurance, health care and consumer industries are expected to see the fastest growth over the next five years:

Over the next five years, the industries forecast to have the fastest IoT spending growth will be insurance (31.8 percent CAGR), healthcare, and consumer.”

While insurers have already explored the benefits of connectivity in the auto insurance sector, the connected home represents a major opportunity for property/casualty insurers, according to a report by Accenture.

Insurers can leverage data from connected home devices to assess and mitigate risk, increase pricing sophistication, and offer new products, all of which help drive operational efficiency and top-line growth.”

Key areas of opportunity for insurers identified by Accenture include:

—Better risk management and risk mitigation, through claims avoidance and better claims handling;

—Better underwriting, based on increased data flows and a keener understanding of risk factors and behavioral elements;

—New product offerings, including value-added services delivered in a partnership

Security, energy management, lighting, water, thermostats, weather, appliances, and smoke and fire are the major areas within the connected home where insurers have the potential for improving underwritten precision and limiting losses while strengthening customer relationships, Accenture says.

However, insurers will also need to tackle challenges presented by large inflows of new data such as customer indifference or lack of understanding of new offerings, as well as privacy and regulatory concerns, to convert that opportunity into profitable growth, Accenture notes.

As we get ready to ring out the old and ring in the new, we wanted to share with you our most popular posts in 2015.

Our most-read posts here at Terms + Conditions illustrated how interested our readers are in the advancing technology landscape and its impact on the insurance industry. Self-driving cars, cyber insurance and the sharing economy were all featured among the top 10 posts during the year.

In Self-Driving Cars — With or Without You? we recounted a Time.com writer’s chauffeured ride by a prototype Audi from Silicon Valley to Las Vegas for last year’s Consumer Electronics Show. Self-driving vehicles are no longer a thing of the future, we wrote, and this has evolving implications for insurers.

Our post Cyber Business Interruption Risk Often Underestimated reported on a study by Allianz warning that the impact of business interruption (BI) from a cyber attack is a risk that is often underestimated. It predicted that BI costs could be equal to—or even exceed—direct losses from a data breach.

The growing appetite for cyber insurance among small and mid-sized companies was another popular post.

Two of our most-read posts during 2015 also revisited the impact of Obamacare on workers compensation insurance.

In case you missed them, here’s a complete list of our top 10 posts from the year:

  1. Self-Driving Cars – With or Without You?
  2. WCRI Looks At Impact of Affordable Care Act on Workers Comp
  3. A Revisit: Impact of Obamacare on Workers Comp
  4. Cyber Business Interruption Risk Often Underestimated
  5. More Small and Mid-Sized Companies Buying Cyber Insurance
  6. Cyber Value-At-Risk
  7. Homeowners Claims: A Picture of Volatility
  8. Cyber Losses vs. Property Losses
  9. One Ruling, but Uber Impact
  10. Litigation Trends and the Class Action Factor

Thanks for following. We wish all our readers a happy and healthy new year!

“Clear rules that are fit for the digital age.” That’s how Vera Jourova, the European justice commissioner, described tough new European data protection regulations just agreed by European policy makers.

The long-awaited reforms, which are expected to take effect in early 2018, will establish one set of rules on data protection across all 28 member nations in the European Union (EU).

As the New York Times reports, the new regulations would apply to any company with customers in the EU, whether or not it is based in the region.

This will expand potential liability for companies, experts note.

What key changes can businesses active in the EU market expect?

Among the policy changes the new law would require companies to inform national regulators within three days of any reported data breach.

The other proposed change that jumps off the page is one that would link sanctions (read: fines) to company revenues.

Policymakers have agreed that fines could total up to 4 percent of a company’s global revenue for the most serious breaches to European data privacy rules. This could amount to billions of dollars, according to this report by the Guardian.

While the tougher fines are seen as a major step forward for consumer protection, they have raised concerns among large tech companies such as Google and Facebook, the NYT says.

It cites Peter Church, a technology lawyer at Linklaters in London:

Europe’s approach to privacy is much stronger than in the United States. There’s a fundamental difference in culture when it comes to privacy.”

The new law will also expand potential liability for companies, bringing increased responsibility and accountability for those controlling and processing personal data, according to this politico.eu article.

Currently the data controller at a company is liable for data breaches in the EU, but Politico notes that once the law takes effect, both the controller and data processors will be jointly liability for any damages.

U.S. property-casualty insurers face another year of disruptive change in 2016, according to a new report by Ernst & Young.

In its 2016 U.S. Property-Casualty Insurance Outlook, EY says that digital technologies such as social media, analytics and telematics will continue to transform the market landscape, recalibrating customer expectations and opening new ways to reach and acquire clients.

The rise of the sharing economy, in which assets like cars and homes can be shared, is requiring carriers to rethink traditional insurance models.

An outlook for slower economic growth, along with increased M&A and greater regulatory uncertainty, will set the stage for innovative firms to capitalize on an industry in flux in 2016.

EY’s take:

Insurers that stay ahead of these shifts should reap substantial benefits, while laggards risk falling behind, or even out of the race.”

EY reports that competitive pressures in the insurance industry are building as digital technology erodes the advantages of scale enjoyed by established insurers and empowers smaller players to compete for market share through more flexible pricing models and new distribution channels.

It cites the recent launch of Google Compare, which allows customers to comparison shop for insurance, as the start of a larger wave of insurance tech activity in 2016.

Along with this, customer expectations and behaviors are evolving at a rapid pace, often faster than traditional mechanisms can react.

EY observes:

Driven by their interactions in other digitally enabled industries, such as retail and banking, property-casualty customers are increasingly demanding a more sophisticated and personalized experience—including digital distribution, anytime access, premiums accurately reflecting usage and individual risk and higher levels of product customization and advice.”

Policyholders are also seeking coverage of a broader range of risks, such as cybersecurity and under-protected property exposure, according to EY’s outlook.

Hat tip to Insurance Journal which reported on this story here.

Check out a recent presentation by I.I.I. president Dr. Robert Hartwig titled Insurance, the Sharing Economy, Millennials and More.

This is a good one for the holiday season—and ahead of your commute home.

A majority (78 percent) of U.S. adults believe that distracted walking is a serious issue, but only 29 percent see themselves as the culprit.

The new study by the American Academy of Orthopaedic Surgeons (AAOS) found that many (46 percent) feel distracted walking is a danger, yet 31 percent admit it is something they are likely to do.

In the words of Alan Hilibrand, MD, AAOS spokesperson:

Today, the dangers of the ‘digital deadwalker’ are growing with more and more pedestrians falling down stairs, tripping over curbs, bumping into other walkers, or stepping into traffic causing a rising number of injuries—from scrapes and bruises to sprains and fractures.”

The AAOS cited a 2013 study that showed a doubling in emergency department hospital visits for injuries involving distracted pedestrians on cell phones between 2004 and 2010 (see our earlier post on that study here).

So how common is distracted walking?

According to the AAOS, nearly four out of 10 Americans say they have witnessed a distracted walking incident, and just over one quarter (26 percent) say they have been in an incident themselves.

One of the challenges in combating distracted walking may be that people are overly confident in their ability to multitask, the AAOS found.

When asked why they walk distracted, 48 percent of respondents say they just don’t think about it, while 28 percent feel they can walk and do other things, and 22 percent say they are busy and want to use their time productively.

The AAOS survey which was conducted by polling firm IPSOS involved more than 2,000 respondents nationally and another 4,000 total in select urban areas.

Here’s the infographic:

151202132710_1_900x600

 

Suffering shopper fatigue? With Black Friday in full swing and Cyber Monday imminent, the biggest online shopping days of the year are upon us, but for businesses trying to see off cyber attacks, fatigue can be a danger at any time of the year.

The just-released annual global fraud survey by Kroll—which found that incidence of fraud, including information theft, is at its highest level in eight years—warns that cyber fatigue is real, but not an excuse for inaction.

It’s easy to become fatigued at the thought of cyber security. With so many things to do and to learn, you can lose sight of the benefits. If the process does become too overwhelming, remember this: Each step your company takes to protect itself makes it that much more difficult for attackers. They will move on to an easier target—one without as much security in place.”

Information theft was identified as being of particular concern among the 768 senior executives worldwide polled for the fraud survey.

More than half of executives (51 percent) believe their businesses are highly or moderately vulnerable to information theft risks such as cyber incidents, according to Kroll’s analysis.

The good news is that this increased awareness level has led to an increase in the number of companies proactively looking after their cyber security stance.

Some two-thirds (67 percent) of companies report that they regularly conduct data and IT infrastructure assessments, and a majority (60 percent) regularly conduct data and IT infrastructure assessments.

Some 60 percent also report they have an up-to-date information security incident response plan and 59 percent have tested it in the past six months, an increase on the previous survey.

Another interesting takeaway: while media attention is focused on external cyber threats to companies, the report findings tell a different story.

Of those companies that have fallen victim to information loss, theft or attack over the past 12 months, the most common cause was employee malfeasance–involved in 45 percent of cases, according to Kroll. Vendor/supplier malfeasance was also involved in 29 percent of cases.

By comparison, only a small minority of cases involved an attack by an external hacker on the company itself (2 percent) or on a vendor/supplier (7 percent).

For information on how insurance can help businesses protect themselves from the cyber threat, check out I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

I.I.I. facts and statistics on cybercrime and identity theft are available here.

 

There are many factors that can affect a company’s credit ratings and it appears that cyber risk is moving up a notch in importance in corporate credit analysis.

In a new report, ratings agency Moody’s Investors Service said it views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event.

Moody’s reports:

While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”

According to the report, “Cyber Risk of Growing Importance to Credit Analysis,” assessing how prepared an issuer or organization is for a cyber threat presents challenges, owing to the complexity of the problem.

Moody’s identifies several key factors to examine when determining a credit impact associated with a cyber event, including: nature and scope of the targeted assets or businesses; the duration of potential service disruptions; and the expected time to restore operations.

On a positive note, more cyber security expertise is being added to boards and trustee governance in response to the growing cyber threat.

A press release cites Jim Hempstead, Moody’s associate managing director and lead author of the report:

We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”

Moody’s said industries housing significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies are at greatest risk of a large-scale data breaches resulting in serious reputational and financial damage.

Critical infrastructure sectors such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could result in large-scale service disruption, causing substantial economic—and possibly environmental—damages to sovereign, state and local governments or utilities.

However, Moody’s believes this type of attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.

Hat tip to Reuters for its article here.

Check out the I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

Our mission at the Insurance Information Institute (I.I.I.) is to help people understand how insurance operates. Sometimes that means understanding how insurers handle new technologies, particularly auto insurance. Chief Actuary James Lynch answers a question we got last week:

Q: I am researching driver assist technology and the advantages and pitfalls that could be associated with it. Do driver assist technologies raise or lower insurance premiums? A few of the technologies I’m looking at are lane-keeping devices, blind spot warning systems and hands-free cruise control.

A: As far as technological innovations go, insurance companies adjust their rates after a technology has proved its worth on the road. Only then do they know that a technology is effective and how much discount is warranted, if any. That means hands-free driving systems, which have only been introduced in the past couple months, are not earning anyone discounts right now.

You mention lane departure warnings. That is a technology that has yet to prove valuable on its own. The feature alerts a driver that is beginning to drift from one lane to another. When the driver drifts, an alarm beeps. One problem, it appears, is that drivers have trouble understanding what the beep means.

In addition, the feature can be turned on and off by the owner, and owners frequently find it so annoying that they turn it off. I happen to have a car with this technology, and I drove with it for about 10 minutes before turning it off. You would be surprised how many times your wheels touch a lane line; I know I was, particularly when the road curved. So insurers probably aren’t giving a lot of credits for the system.

That doesn’t mean that the idea of a lane departure warning is useless. The problem may be that the notification system doesn’t help the driver do a better job. There’s every chance that manufacturers will be able to refine the system so that it does better later. If that happens, rates will eventually adjust.

Another possibility: Sometimes a feature by itself doesn’t work as touted but will become an important part of a larger system. An example here is antilock brakes, which were introduced a couple of decades ago. The brakes had a special feature that was supposed to help a car stop more quickly when its brakes were slammed on. By itself, they weren’t much of a help – which surprised a lot of people – but they have become an important part of electronic stability control, a computerized system that figures out when a car is starting to skid and corrects the situation.

Electronic stability control is perhaps the biggest safety advance of our generation. The feature, standard since 2012 on all new vehicles, has cut the risk of a fatal single-vehicle crash in half. Insurers closely monitor this stuff, particularly the Insurance Institute for Highway Safety and its sister organization, the Highway Loss Data Institute.

Here at I.I.I. we offer more information on auto crashes in our Issues Update on the topic.

Next Page »