Category Archives: Technology

Cyber Claims Costly To Businesses Large and Small

Data breaches can be costly, no matter how large or small an organization may be.

That’s a key takeaway of the latest NetDiligence study on cyber claims costs that analyzed 176 data breach claims submitted by insurers.

While the average claim for a large organization—at $6 million—was 10 times the average claim for a small organization, some of the largest claims in this year’s study came from smaller organizations with revenues of $2 billion or less.

This year’s dataset included 21 claims in excess of $1 million (12 percent) of which 81 percent (17 out of 21) involved nano-, micro- and small-revenue organizations that were victims either of hackers or malware.

The largest legal costs (defense and settlements) in this year’s study were from two micro-organizations (revenues of $50 million to $300 million). One lost valuable trade secrets to a hacker, while the other exposed protected health information due to a lost laptop.

The combined legal costs for these two organizations ranged from $1.5 million to more than $4.5 million, NetDiligence said.

Interestingly, the average claim payout across the dataset was $495,000, while the median claim payout was $49,000.

The highest average claim payout—$1.3 million—was in the financial services sector.

The majority of claims (87 percent) submitted for analysis in this year’s study came from smaller organizations with revenues of $2 billion or less.

NetDiligence said this is in line with previous findings that smaller organizations experience most of the incidents. This is likely due to the fact that there are simply more small organizations than large ones.

Other contributing factors may be that smaller organizations are less aware of their exposure or they have fewer resources to provide appropriate data protection and/or security awareness training for employees, NetDiligence said.

A point that underscores the growing need for smaller companies to purchase cyber insurance.

While many leading cyber liability insurers are participating in the study, NetDiligence noted that there are many insurers that have not yet processed enough cyber claims to be able to participate.

“It is our sincerest hope that each year more and more insurers and brokers will participate in this study—that they share more claims and more information about each claim—until it truly represents the cyber liability insurance industry overall.”

Cybersecurity Among Biggest Presidential Challenges

Just days after the disclosure of a massive data breach at email provider Yahoo, believed to have been the work of a state-sponsored actor, it’s notable that cybersecurity made news during the first of three U.S. presidential debates last night.

As Democratic U.S. presidential nominee Hillary Clinton and Republican U.S. presidential nominee Donald Trump squared off, moderator Lester Holt asked:

“Our institutions are under cyber attack, and our secrets are being stolen. So my question is, who’s behind it? And how do we fight it?”

In her response, Clinton described cybersecurity, cyber warfare as one of the biggest challenges facing the next president.

She said the U.S. faced two different kinds of adversaries: independent hacking groups that try to steal information so they can use it commercially to make money; and cyber attacks coming from states and organs of states.

Clinton noted:

“We need to make it very clear—whether it’s Russia, China, Iran or anybody else—the United States has much greater capacity. And we are not going to sit idly by and permit state actors to go after our information, our private sector information or our public sector information.”

Trump and Clinton then went back-and-forth on whether Russia was responsible for the hacking of Democratic National Committee emails earlier this year.

Setting that discussion aside, both nominees appeared to agree on the enormity of the cybersecurity challenge, as Trump said:

“We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem… The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”

The just-disclosed 2014 Yahoo breach, in which 500 million accounts were compromised, highlights concerns around the number of state-sponsored cyber attacks, according to this article by the Wall Street Journal.

While organizations should consider the purchase of cyber insurance to manage the financial consequences of an attack, a 2015 Ponemon study found that a more popular approach to managing the risk of a nation state attack is a government-subsidized insurance policy (see below).


What do you think?

Some 17,475 IT and IT security practitioners located in all regions of the U.S. participated in the Ponemon survey.

The Insurance Information Institute’s latest white paper on cyber risk threats and challenges is available here.

Samsung Recall Underscores Emerging Tech Fire Risks

A formal recall by US safety regulators of the Samsung Galaxy Note 7 smartphone due to serious fire and burn hazards should put users on notice to power down and stop using their devices immediately and return them for a free replacement or refund.

Samsung has received 92 reports of batteries overheating in the United States, including 26 reports of burns and 55 reports of property damage, including fires in cars and a garage.

In its warning, the Consumer Product Safety Commission (CPSC) states:

“The lithium-ion battery in the Galaxy Note7 smartphones can overheat and catch fire, posing a serious burn hazard to consumers.”

The recall covers 1 million phones in the U.S., but some 2.5 million of the devices need to be recalled globally, Samsung said.

It follows a Federal Aviation Administration (FAA) brief last week urging passengers not to use Samsung Galaxy Note 7 devices on planes, nor to stow them in their checked luggage.

As the Wall Street Journal reported, identifying a specific brand or model as a potential hazard is a highly unusual move for the FAA, though agency officials previously issued warnings about the overall dangers of checking any kind of cellphones, other battery-powered electronic devices or spare batteries in the holds of planes.

Following the FAA announcement, Samsung accelerated its massive recall.

The cost of the recall to Samsung has been estimated at about $1 billion, but the costs in terms of the hit to market value, tarnished brand and reputation, and lost revenues, as well as opportunity cost, could be much higher, as Forbes reports. (Note: Apple’s new iPhone 7 goes on sale today.)

From the insurance perspective, the story does underscore broader concerns over increased fire risks from lithium-ion batteries.

As this National Fire Protection Association blog post explains:

“Rechargeable lithium batteries overheat more than any other type of batteries and tend to have manufacturing defects. They are also very poorly regulated. The low weight batteries house substantial energy and fit into smaller devices, but have been causing fire safety issues in smart phones, tablets, hover boards and other emerging tech devices that are popular with the buying public.”

The homeowners line of business saw the majority of fire losses in 2014, according to Insurance Information Institute facts and statistics on fire losses here.

The risks of lithium batteries are also on the radar of commercial insurers. FM Global has partnered with fire protection groups to research the fire hazards of lithium-ion batteries in warehouse storage and cargo containers, for example.



Faster Decisions, Fewer Challenges Among Cyber Buyers

Good news for cyber insurers. A majority of companies continue to have network security and data privacy insurance, and are making their purchase decisions faster and experiencing fewer purchasing challenges than in 2015.

The findings come in the newly-released 2016 Network Security and Data Privacy Study by Wells Fargo Insurance.

While in 2015 the study showed that 22 percent of companies buying insurance took more than 12 months to make the purchase decision, in 2016 just 8 percent of companies are currently taking that long, while 59 percent are taking six months or less.

Cost of coverage and finding a policy that meets a company’s needs remain the top two insurance purchasing challenges of 2016. However, the study found that 19 percent of companies did not experience any purchasing challenges, a significant improvement over 2015 when only 6 percent did not experience challenges.

The easier purchasing process may be related to less internal resistance, Wells Fargo said. Likewise, in 2016, fewer companies (24 percent) believed the risk was not big enough to warrant the purchase of network security and data privacy insurance.


Of the companies in the study that had purchased insurance, one-fifth reported filing a network security and data privacy insurance claim in the last 12 months, and most were satisfied with their coverage.

Another key takeaway for cyber insurers? Protecting the business against financial loss was the primary reason for purchasing coverage (81 percent) in 2016, as in 2015. However, protecting the company’s reputation is an increasing concern, with 70 percent citing it in 2016, compared to just 58 percent in 2015.

Purchasing insurance is an important step, but it should be used in tandem with developing and testing a comprehensive incident response plan and performing a thorough cyber risk assessment, Wells Fargo noted.

The second annual study analyzed trends of network security and data privacy issues among 100 decision makers at companies with $100 million or more in annual revenue.

Check out Insurance Information Institute’s (I.I.I.’s) latest white paper on cyber risk threats and challenges here.

Disaster Preparedness? There’s an App for That

Research tells us that 40 percent of Americans use their smartphone to look up government services or information, so if you’re charging your mobile devices in preparation for Tropical Storm Hermine you might want to download the Federal Emergency Management Agency’s (FEMA) updated disaster app.

The free FEMA app now lets you receive weather alerts from the National Weather Service, so you can get alerts on severe weather happening anywhere in the country even if your phone is not located in the area. This makes it easy to track severe weather—such as a hurricane—that may be threatening you, your family and friends.

Other features of the FEMA app that will help you weather the storm include a customizable checklist of emergency supplies, maps of open shelters and disaster recovery centers, and tips on how to survive natural and man-made disasters.

Important features of the app for after the storm include a disaster reporter where you can upload and share photos of damage and recovery efforts to help first responders, as well as easy access to apply for federal disaster assistance.

Craig Fugate, FEMA administrator:

“Emergency responders and disaster survivors are increasingly turning to mobile devices to prepare for, respond to and recover from disasters. This new feature empowers individuals to assist and support family and friends before, during, and after a severe weather event.”

The FEMA app is available for free in the Apple store for Apple devices and Google Play for Android devices.

Here at the Insurance Information Institute (I.I.I.) we also recommend you download our award-winning Know Your Plan app which helps you, your family and even your pets prepare to safely get out of harm’s way ahead of the storm.

In addition, the I.I.I. Know Your Stuff home inventory app allows you to keep an up-to-date record of your belongings so you’re fully covered in the event of an emergency.

Both I.I.I. apps are available for iPhone or Android.

Banner Health Breach: Are You Covered?

Up to 3.7 million payment card and patient medical records are reported to have been compromised in a cyber attack at Phoenix, Arizona-based healthcare provider Banner Health, underscoring the threat faced by the medical/healthcare sector.

Beginning June 17, the attack targeted Banner Health patients, health plan members, healthcare providers and retail customers.

On its website, Banner Health said it had discovered in early July that cyber attackers may have gained unauthorized access to computer systems targeting payment card data at food and beverage locations, including cardholder name, card number, expiration date and internal verification code.

In late July, Banner Health also discovered that patient information, health plan member and beneficiary information may have been compromised—including names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers.

Physician and provider information may also have been compromised, including names, addresses, dates of birth, social security numbers and other identifiers.

As investigators look into the specifics of this breach, a glance at the numbers reveals that Banner Health will almost double the number of records compromised in U.S. data breaches targeting the medical/healthcare sector in 2016, per figures released by the Identity Theft Resource Center (ITRC).

As of August 2, 2016, some 206 data breach events, exposing just under 5 million records, had been tracked against the medical/healthcare sector, according to the ITRC. Make that 207 data breaches, exposing 8.7 million records.

With Banner Health, total data breach events year-to-date will also rise to at least 573 breaches, with 17.2 million records exposed. (This does not account for any other data breaches that may have occurred since August 2).

A recent Ponemon report wisely reminded us that “no healthcare organization, regardless of size, is immune from data breach.”

In the last two years, the average cost of a data breach for healthcare organizations was estimated at more than $2.2 million, according to Ponemon.

“Data breaches in healthcare are increasingly costly and frequent, and continue to put patient data at risk. Based on the results of this study, we estimate that data breaches could be costing the healthcare industry $6.2 billion.”

Criminal attacks are currently the leading cause of breaches in healthcare, Ponemon said. All the more reason for cyber insurance to be purchased, as the I.I.I. advises in this white paper.

Catching All The Customers

If you plan on trying to catch a Pikachu this weekend, chances are you might be lured into a local pizzeria or bookstore, as savvy businessowners tap into the huge popularity of Pokémon Go and target the pocket monster crowd to boost business.

Now reports say Niantic Labs, the developer of Pokémon Go, will soon accept sponsorship deals with global brands to make certain locations appear more prominently, or to sponsor specific products within the game.

Insurers looking to evolve their business are sure to be among those companies looking at potential Pokémon Go tie-ins to reach and expand their digital audience.

After all, AXA Insurance was among those to partner with Niantic Labs when Pokémon’s predecessor augmented reality adventure game, Ingress, was launched in 2013.

The partnership saw AXA retail agencies in the real world turned into Ingress “Portals”, sites that players visit and battle to control for their in-game faction.

In just five months the success of the partnership saw over 600,000 Ingress players visit real world AXA Insurance locations to find, collect and deploy more than 5 million AXA-branded virtual shields in Ingress. AXA representatives also interacted with over 55,000 Ingress players during live player events called “Anomalies”.

Insurers are also not new to using augmented reality technology in their actual business operations.

For example, Zurich Insurance last year turned to augmented reality smartphone apps to train 10,000 employees in 170 countries in the key skills needed by its next generation of managers.

Insurers are also using augmented or virtual reality (think Google Glasses) to train claim adjusters and streamline the claims process.

So while the insurance risks of disruptive technology like Pokémon Go are clear (and yes, insurers have you covered), it appears there are many ways for insurers to embrace the power of augmented reality to benefit their business and market reach.

As the Celent insurance blog noted:

“For those insurers with investments in the real world like agencies, offices, billboards – and for those that are agile enough – this surprise trend could serve as a great marketing route to catching all the customers, as well as all the Pokémon.”

Self-Driving Cars Still Evolving

A fatal car accident involving a Tesla Model S in autonomous driving mode is drawing widespread scrutiny both in the United States and overseas.

Joshua Brown was killed in May this year when a tractor trailer made a left turn in front of his Tesla and the self-driving car failed to apply the brakes.

The National Highway Traffic Safety Administration (NHTSA) said it is investigating the incident and will examine the design and performance of the automated driving systems in use at the time of the crash.

Its preliminary evaluation of the incident doesn’t indicate any conclusion about whether the Tesla vehicle was defective, the NHTSA said.

In a blog post, Tesla noted that this is the first known fatality in just over 130 million miles where autopilot was activated:

“Among all vehicles in the U.S., there is a fatality every 94 million miles. Worldwide, there is a fatality approximately every 60 million miles. It is important to emphasize that the NHTSA action is simply a preliminary evaluation to determine whether the system worked according to expectations.”

Tesla further noted that neither Autopilot nor the driver noticed the white side of the tractor trailer against a brightly lit sky, so the brake was not applied:

“The high ride height of the trailer combined with its positioning across the road and the extremely rare circumstances of the impact caused the Model S to pass under the trailer, with the bottom of the trailer impacting the windshield of the Model S.”

As companies continue to innovate and invest in self-driving technology, the crash indicates that fully automated cars are still a thing of the future.

The crash also raises important concerns over regulation.

According to this New York Times article:

“Even as companies conduct many tests on autonomous vehicles at both private facilities and on public highways, there is skepticism that the technology has progressed far enough for the government to approve cars that totally drive themselves.”

And the Wall Street Journal reports:

“Tesla now risks being the test case that could prompt new safety regulations or laws limiting the deployment of self-driving technology.”

The crash also highlights liability concerns regarding this emerging technology. Most car crashes are caused by human error, but presumably the NHTSA investigation will also evaluate potential product liability on the part of the manufacturer.

The crux of the issue is weighing up the risk of crashes versus crashes avoided via the use of self-driving technology.

As the Insurance Information Institute (I.I.I.) notes:

“As crash avoidance technology gradually becomes standard equipment, insurers will be able to better determine the extent to which these various components reduce the frequency and cost of accidents. They will also be able to determine whether the accidents that do occur lead to a higher percentage of product liability claims, as claimants blame the manufacturer or suppliers for what went wrong rather than their own behavior.”

Liability laws might evolve to ensure autonomous vehicle technology advances are not brought to a halt, the I.I.I. adds.

What Does A Cyberattack Really Cost?

The current market value put on the business impact of a cyberattack is grossly underestimated, according to a new report from Deloitte Advisory.

It finds that the direct costs commonly associated with data breaches, such as regulatory fines, breach notification and protection costs, and public relations costs account for less than 5 percent of the total business impact.

But the effects of a cyberattack can be even more far-reaching and last for years, resulting in a wide range of hidden or intangible costs related to loss of intellectual property, operational disruption, increase in insurance premiums, and devaluation of trade name.

In fact, more than 95 percent of the financial impact of a cyberattack is likely to accrue in these areas, and businesses can be caught especially unprepared for these intangible costs.

In a press release, Don Fancher, principal, Deloitte Advisory, and global leader for Deloitte forensic, says:

“Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organization.

“Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think. It’s to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies.”

Find out more about cyber risks and insurance in this Insurance Information Institute paper.

Emerging Risk: the Internet

We think of the Internet as a borderless entity, but that could all change, according to an annual emerging risk report from Swiss Re.

The publication is based on the SONAR process, an internal crowdsourcing tool that collects inputs and feedback from underwriters, client managers, risk experts and others to identify, assess and manage emerging risks.

Increased localization of internet networks within country borders is one of the key emerging risks that industry players should prepare for, the report suggests.

It notes that as cybercrime has grown rapidly, so the Internet has become less safe and governments are instituting more regulation, requiring companies to protect their online assets more effectively and to store data on servers physically located within their geographical borders.

Some countries are even using special software to filter out unwanted information, as well as firewalls and isolated IT infrastructure detached from global networks, Swiss Re reports.

“A step further in this direction is the design and development of internet protocols which make certain communications impossible. In China, for instance, the government already controls all Internet content as well as the physical infrastructure.”

While no international consensus has emerged yet on how the internet should be governed, the report reveals that there is a chance that disconnected national and regional nets will become more common.

As Swiss Re says:

“Such developments would increase IT costs and regulation and would hurt insurance companies operating across borders.”

In particular, the report highlights that evolving regulation would increase operational risk and could trigger more liability claims in the directors and officers (D&O) and fidelity arena, as well as massively increasing costs for setting up and maintaining separate legal structures.

Another concern is that technology companies may face liability suits from customers if they are no longer able to access data stored on cross-border servers.