Category Archives: Technology

IoT and Piracy Increase Risks to Shipping

A hacker causes an oil platform located off the coast of Africa to tilt to one side, forcing it to temporarily shut down. A port’s cyber systems are infiltrated by hackers to locate specific containers loaded with illegal drugs and remove them undetected.

These are just a few of the cyber attacks on the shipping industry reported to date, according to Allianz Global Corporate & Specialty SE’s (AGCS) fourth annual Safety and Shipping Review 2016.

But such attacks are often under-reported as companies opt to deal with breaches internally for fear of worrying stakeholders, AGCS notes.

“When reports of attacks do surface, details are usually vague, making it extremely difficult to gauge the headway the industry has made in strengthening online security.”

The shipping industry’s reliance on interconnected technology also poses risks. Cyber risk exposure is growing beyond data loss.

Technological advances including the Internet of Things (IoT) and electronic navigation means the industry may have less than five years to prepare for the risk of a vessel loss, AGCS warns.

There has already been one known incidence of Somali pirates having infiltrated a shipping company’s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security, leading to the hijacking of a vessel.

In the words of Captain Andrew Kinsey, senior marine risk consultant AGCS:

“Pirates are already abusing holes in cyber security to target the theft of specific cargoes. The cyber impact cannot be overstated. The simple fact is you can’t hack a sextant.”

The industry needs more robust cyber technology in order to monitor the movement of stolen cargoes, according to Kinsey.

For the first time in five years piracy attacks at sea failed to decline in 2015. International Maritime Bureau statistics show there were 246 piracy attacks worldwide in 2015, up from 245 in 2014.

Attacks in South East Asia continue to increase, with the region accounting for 60 percent of global incidents and Vietnam a new hotspot, AGCS reports.

The Insurance Information Institute offers facts and statistics on marine accidents here.

Don’t Ask, Don’t Tell

We’re reading an item of interest from across the pond where the United Kingdom’s Institute of Directors (IoD) has issued a new report that gives insight into how companies tend to react if they are under a cyber attack.

The IoD study, supported by Barclays, revealed that most companies keep quiet, with under one third (28 percent) of cyber attacks reported to the police.

This is despite the fact that half (49 percent) of cyber attacks resulted in interruption of business operations, the IoD noted.

Hat tip to forbes.com which reports on the IoD findings in this blog post.

It’s worth noting that here in the United States, the Identity Theft Resource Center (ITRC) has long maintained that the record number of U.S. data breaches it tracks are by no means the whole story.

Many data breaches fly under the radar, the ITRC says, because businesses want to avoid the financial dislocation, liability and loss of goodwill that comes with disclosure and notification.

Back to the UK the survey of nearly 1,000 IoD members also showed a worrying gap between awareness of cyber risks and preparedness.

Even though nine in 10 of business leaders said cyber security was important, only 57 percent had a formal strategy in place to protect themselves, and just one fifth (20 percent) held insurance against an attack.

In the words of Professor Benham, author of the IoD report:

No shop=owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don’t seem to think a cyber breach warrants the same response.

Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

With 34,500 members, ranging from start-up entrepreneurs to CEOs of multinational companies, the IoD is the UK’s largest organization for business leaders.

More on cyber security in the Insurance Information Institute’s paper Cyber Risks: Threat and Opportunities.

PwC: Incidence of Cybercrime Sharply Higher

Cybercrime has jumped to the second most reported type of economic crime affecting 32 percent of global businesses, according to a just-released survey by PwC.

PwC’s Global Economic Crime Survey 2016 found that while traditional leaders of economic crime–asset misappropriation, bribery and corruption, procurement fraud and accounting fraud–all showed a slight decrease over 2014 statistics, cybercrime is on a steady increase.

In fact over one quarter of the 6,000 respondents to PwC’s survey said they’d been affected by cybercrime.

Despite a sharply higher incidence of reported cybercrime among PwC’s respondents, the survey found that most companies are still not adequately prepared for–or even understand the risks faced.

Only 37 percent of organizations have a cyber incident response plan in place and many boards are not sufficiently proactive regarding cyber threats.

Even though  boards have a fiduciary responsibility to shareholders when it comes to cyber risk in several countries, PwC found that less than half of board members actually request information about their organization’s state of cyber-readiness.

Losses from cybercrime can be heavy, PwC reported. A handful of respondents (around 50 organizations) said they had suffered losses over $5 million. Of these, nearly one-third reported cybercrime-related losses sin excess of $100 million.

Reputational damage was considered the most damaging impact of a cyber breach among survey respondents, followed by legal investment and/or enforcement costs.

According to PwC:

The insidious nature of this threat is such that of the 56 percent who say they are not victims, many have likely been compromised without knowing it.”

This year’s results show that the incidence of economic crime has come down, for the first time since the global financial crisis of 2008-9 (albeit marginally by 1 percent).

Check out  the I.I.I. white paper  Cyber Risk: Threat and Opportunity  for the latest on cybercrime, risks and insurance.

Commercial Insurance Market: Generally Favorable For Buyers

Ample capacity and continued competition are expected to continue to put near term downward pressure on insurance rates in major classes of commercial property/casualty business, according to Marsh.

However, industry developments including recent earnings announcements, senior management changes and re-underwriting at several companies bear watching, said Marsh in its just-released U.S. Insurance Market Report.

Marsh’s analysis put average rate decreases in the fourth quarter of 2015 at between 5 percent and 10 percent for non-catastrophe exposed risks and by between 5 percent and 15 percent for moderately catastrophe-exposed risks.

Likewise, U.S. public company directors and officers (D&O) insurance rates were on average flat to down 10 percent in the fourth quarter, while U.S. commercial general liability rates on average renewed at between 10 percent rate decreases and 5 percent increases.

Amid the rate decreases across most classes of business, cyber insurance bucked the trend.

Typical cyber rate increases in the first half of 2015 were 10 percent to 15 percent over the prior year.

However, the retail and healthcare sectors, which have seen some of the costliest data breach events, saw increases ranging from 45 percent to 55 percent and 15 percent to 25 percent, respectively.

Marsh noted that demand for cyber insurance rose in 2015–a trend expected to continue in 2016.

Despite the overall pattern of soft pricing, amid ample capacity, competition and relatively low catastrophe losses, Robert Bentley, president of Marsh’s U.S. and Canada division warned that now is not the time to be complacent:

Organizations need to stay abreast of the ever-changing marketplace and risk landscape, where new and emerging risks can quickly escalate if not properly managed.”

More information on the cyber insurance market can be found in the Insurance Information Institute  white paper Cyber Risks: Threat and Opportunities.

Another Day, Another Hack

As if we needed another reminder of the rising threat of cyber attacks, the estimated EUR 50 million ($55 million) loss arising from a cyber fraud incident targeting Austrian air parts supplier FACC AG made us sit up and take notice.

As Bloomberg reports here, if the damages do indeed amount to $55 million this would be one of the biggest hacking losses by size.

Bloomberg also points out that the incident is made more intriguing because FACC is 55 percent owned by China-based AVIC.

It will take time for the  details of this attack to emerge, but in a January 20 press release, FACC acknowledged that the target of the cyber fraud was the financial accounting department of FACC Operations GmbH.

The company also noted that its IT infrastructure, data security, IP rights and the group’s operational business are not affected by the criminal activities.

Further, FACC said the $55 million in damage was an outflow of “liquid funds”.

“The management board has taken immediate structural measures and is evaluating damages and insurance claims,” FACC added in its third quarter report.

According to this report by ComputerWeekly.com, the fact that FACC’s financial accounting department was targeted in the fraud is prompting speculation that the company was likely the victim of a so-called whaling attack, also known as business email compromise (BEC) and CEO fraud.

These sophisticated phishing attacks are when cyber criminals send fake email messages from company CEOs, often when a CEO is known to be out of the office, asking company accountants to transfer funds to a supplier. In fact the funds go to a criminal account.

Last year, the Federal Bureau of Investigation (FBI) described BEC fraud as an emerging global threat.

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, more than 7,000 U.S. companies have been targeted by such attacks with total dollar losses exceeding $740 million. If you consider  non-U.S. victims  and unreported losses, that figure is  likely much  higher.

The rising incidence of BEC and CEO fraud and its intersection with cyber insurance will form the topic of a future blog post.

Both the WEF Global Risks Report 2016 and the Allianz Risk Barometer 2016 have identified cyber attacks and incidents among the top risks facing business.

Find out more about cyber risks and insurance in the I.I.I. white paper Cyber Risk: Threat and Opportunity.

Cyberattacks Top Risk To Doing Business in North America

Cyberattacks are now the greatest risk to doing business in North America, according to the just-released World Economic Forum’s (WEF) Global Risks Report 2016.

In North America, which includes the United States and Canada, cyberattacks and asset bubbles were considered among the top risks of doing business in the region.

The WEF noted that in the United States, the top risk is cyberattack, followed by data fraud or theft (the latter ranks 7th in Canada, which is why it scores 50 percent in the table below).

The risks related to the internet and cyber dependency are considered to be of highest concern for doing business in the wake of recent important attacks on companies, the WEF observed.

WEF2016NorthAmericaTopRisks

On a global scale, cyberattack is perceived as the risk of highest concern in eight economies: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland, and the United States.

Public sector bodies in at least two of these countries have recently been disrupted by cyberattacks: the US Office of Personnel Management and the Japanese Pension service, the WEF noted.

Attempts to detect and address attacks are made harder by their constantly evolving nature, as perpetrators quickly find new ways of executing them. Businesses trying to match this speed in their development of prevention and response methods are sometimes constrained by a poor understanding of the risk, a lack of technical talent, and inadequate security capabilities.”

Defining clear roles and responsibilities for cyber risk within corporations is crucial, the WEF noted.

Who in the corporation is the actual owner of the risk? While there are many “C” level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management.”

Outdated laws and regulations also inhibit the ability of governments to capture criminals, but also to expedite the often lengthy procedure of implementing legal and regulatory frameworks to reflect evolving realities.

Check out the Insurance Information Institute’s latest report on cyber risks here.

Smart Home, Smart Insurance

“Alexa, what is insurance?”

This is just one of many questions that can be asked of an Amazon Echo, our smart home companion that arrived over the holidays.

And as I’m finding out, the part-Siri part-bluetooth speaker that can stream music, tell me the weather or what the traffic’s like, can also be integrated with our  smart home devices and hubs.

Turning on the lights, locking the doors and changing the temperature at home are all possible once Alexa is introduced to compatible products and hubs.

As Internet of Things (IoT) devices proliferate and debut at CES 2016, the world’s largest  technology trade show happening in Las Vegas this week, insurers will be taking note.

A new International Data Corporation (IDC) report estimates worldwide spending on the IoT will grow from $699 billion in 2015 to nearly $1.3 trillion in 2019–at a 17 percent compound annual growth rate (CAGR).

While manufacturing and transportation (at $165.6 billion and $78.7 billion respectively) led the world in IoT spending in 2015, IDC says the insurance, health care and consumer industries are expected to see the fastest growth over the next five years:

Over the next five years, the industries forecast to have the fastest IoT spending growth will be insurance (31.8 percent CAGR), healthcare, and consumer.”

While insurers have already explored the benefits of connectivity in the auto insurance sector, the connected home represents a major opportunity for property/casualty insurers, according to a report by Accenture.

Insurers can leverage data from connected home devices to assess and mitigate risk, increase pricing sophistication, and offer new products, all of which help drive operational efficiency and top-line growth.”

Key areas of opportunity for insurers identified by Accenture include:

–Better risk management and risk mitigation, through claims avoidance and better claims handling;

–Better underwriting, based on increased data flows and a keener understanding of risk factors and behavioral elements;

–New product offerings, including value-added services delivered in a partnership

Security, energy management, lighting, water, thermostats, weather, appliances, and smoke and fire are the major  areas within the connected home where insurers have the potential for improving underwritten precision and limiting losses while strengthening customer relationships, Accenture says.

However, insurers will also need to tackle challenges presented by large inflows of new data such as customer indifference or lack of understanding of new offerings, as well as privacy and regulatory concerns, to convert that  opportunity into profitable growth, Accenture notes.

Top Ten Posts of 2015

As we get ready to ring out the old and ring in the new, we wanted to share with you our most popular posts in 2015.

Our most-read posts here at Terms + Conditions illustrated how interested our readers are in the advancing technology landscape and its impact on the insurance industry. Self-driving cars, cyber insurance and the sharing economy were all featured among the top 10 posts during the year.

In Self-Driving Cars – With or Without You? we recounted a Time.com writer’s chauffeured ride by a prototype Audi from Silicon Valley to Las Vegas for last year’s Consumer Electronics Show. Self-driving vehicles are no longer a thing of the future, we wrote, and this has evolving implications for insurers.

Our post Cyber Business Interruption Risk Often Underestimated reported on a study by Allianz warning that the impact of business interruption (BI) from a cyber attack is a risk that is often underestimated. It predicted that BI costs could be equal to–or even exceed–direct losses from a data breach.

The growing appetite for cyber insurance among small and mid-sized companies was another popular post.

Two of our most-read posts during 2015 also revisited the impact of Obamacare on workers compensation insurance.

In case you missed them, here’s a complete list of our top 10 posts from the year:

  1. Self-Driving Cars – With or Without You?
  2. WCRI Looks At Impact of Affordable Care Act on Workers Comp
  3. A Revisit: Impact of Obamacare on Workers Comp
  4. Cyber Business Interruption Risk Often Underestimated
  5. More Small and Mid-Sized Companies Buying Cyber Insurance
  6. Cyber Value-At-Risk
  7. Homeowners Claims: A Picture of Volatility
  8. Cyber Losses vs. Property Losses
  9. One Ruling, but Uber Impact
  10. Litigation Trends and the Class Action Factor

Thanks for following. We wish all our readers a happy and healthy new year!

New Era Ahead for Protecting Personal Data in Europe

“Clear rules that are fit for the digital age.” That’s how Vera Jourova, the European justice commissioner, described tough new European data protection regulations just agreed by European policy makers.

The long-awaited reforms, which are expected to take effect in early 2018, will establish one set of rules on data protection across all  28 member nations in the European Union (EU).

As the New York Times reports, the new regulations would apply to any company with customers in the EU, whether or not it is based in the region.

This will expand potential liability for companies, experts note.

What key changes can businesses active in the EU market expect?

Among the policy changes the new law would require companies to inform national regulators within three days of any reported data breach.

The other proposed change that jumps off the page is one that would link sanctions (read: fines) to company revenues.

Policymakers have agreed that fines could total up to 4 percent of a company’s global revenue for the most serious breaches to European data privacy rules. This could amount to billions of dollars, according to this report by the Guardian.

While the tougher fines are seen as a major step forward for consumer protection, they have raised concerns among large tech companies such as Google and Facebook, the NYT says.

It cites Peter Church, a technology lawyer at Linklaters in London:

Europe’s approach to privacy is much stronger than in the United States. There’s a fundamental difference in culture when it comes to privacy.”

The new law will also expand potential liability for companies, bringing increased responsibility and accountability for those controlling and processing personal data, according to this politico.eu article.

Currently the data controller at a company is liable for data breaches in the EU, but Politico notes that once the law takes effect, both the controller and data processors will be jointly liability for any damages.

Disruptive Change to Continue in 2016

U.S. property-casualty insurers face another year of disruptive change in 2016, according to a new report by Ernst & Young.

In its 2016 U.S. Property-Casualty Insurance Outlook, EY says that digital technologies such as social media, analytics and telematics will continue to transform the market landscape, recalibrating customer expectations and opening new ways to reach and acquire clients.

The rise of the sharing economy, in which assets like cars and homes can be shared, is requiring carriers to rethink traditional insurance models.

An outlook for slower economic growth, along with increased M&A and greater regulatory uncertainty, will set the stage for innovative firms to capitalize on an industry in flux in 2016.

EY’s take:

Insurers that stay ahead of these shifts should reap substantial benefits, while laggards risk falling behind, or even out of the race.”

EY reports that competitive pressures in the insurance industry are building as digital technology erodes the advantages of scale enjoyed by established insurers and empowers smaller players to compete for market share through more flexible pricing models and new distribution channels.

It cites the recent launch of Google Compare, which allows customers to comparison shop for insurance, as the start of a larger wave of insurance tech activity in 2016.

Along with this, customer expectations and behaviors are evolving at a rapid pace, often faster than traditional mechanisms can react.

EY observes:

Driven by their interactions in other digitally enabled industries, such as retail and banking, property-casualty customers are increasingly demanding a more sophisticated and personalized experience–including digital distribution, anytime access, premiums accurately reflecting usage and individual risk and higher levels of product customization and advice.”

Policyholders are also seeking coverage of a broader range of risks, such as cybersecurity and under-protected property exposure, according to EY’s outlook.

Hat tip to Insurance Journal which reported on this story here.

Check out a recent presentation by I.I.I. president Dr. Robert Hartwig titled Insurance, the Sharing Economy, Millennials and More.