
Banner Health Breach: Are You Covered?

Up to 3.7 million payment card and patient medical records are reported to have been compromised in a cyber attack at Phoenix, Arizona-based healthcare provider Banner Health, underscoring the threat faced by the medical/healthcare sector.

Beginning June 17, the attack targeted Banner Health patients, health plan members, healthcare providers and retail customers.

On its website, Banner Health said it had discovered in early July that cyber attackers may have gained unauthorized access to computer systems targeting payment card data at food and beverage locations, including cardholder name, card number, expiration date and internal verification code.

In late July, Banner Health also discovered that patient information, health plan member and beneficiary information may have been compromised—including names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers.

Physician and provider information may also have been compromised, including names, addresses, dates of birth, social security numbers and other identifiers.

As investigators look into the specifics of this breach, a glance at the numbers reveals that Banner Health will almost double the number of records compromised in U.S. data breaches targeting the medical/healthcare sector in 2016, per figures released by the Identity Theft Resource Center (ITRC).

As of August 2, 2016, some 206 data breach events, exposing just under 5 million records, had been tracked against the medical/healthcare sector, according to the ITRC. Make that 207 data breaches, exposing 8.7 million records.

With Banner Health, total data breach events year-to-date will also rise to at least 573 breaches, with 17.2 million records exposed. (This does not account for any other data breaches that may have occurred since August 2.)

A recent Ponemon report wisely reminded us that “no healthcare organization, regardless of size, is immune from data breach.”

In the last two years, the average cost of a data breach for healthcare organizations was estimated at more than $2.2 million, according to Ponemon.

“Data breaches in healthcare are increasingly costly and frequent, and continue to put patient data at risk. Based on the results of this study, we estimate that data breaches could be costing the healthcare industry $6.2 billion.”

Criminal attacks are currently the leading cause of breaches in healthcare, Ponemon said. All the more reason for cyber insurance to be purchased, as the I.I.I. advises in this white paper.

Catching All The Customers

If you plan on trying to catch a Pikachu this weekend, chances are you might be lured into a local pizzeria or bookstore, as savvy business owners tap into the huge popularity of Pokémon Go and target the pocket monster crowd to boost business.

Now reports say Niantic Labs, the developer of Pokémon Go, will soon accept sponsorship deals with global brands to make certain locations appear more prominently, or to sponsor specific products within the game.

Insurers looking to evolve their business are sure to be among those companies looking at potential Pokémon Go tie-ins to reach and expand their digital audience.

After all, AXA Insurance was among those to partner with Niantic Labs when Pokémon’s predecessor augmented reality adventure game, Ingress, was launched in 2013.

The partnership saw AXA retail agencies in the real world turned into Ingress “Portals”, sites that players visit and battle to control for their in-game faction.

In just five months the success of the partnership saw over 600,000 Ingress players visit real world AXA Insurance locations to find, collect and deploy more than 5 million AXA-branded virtual shields in Ingress. AXA representatives also interacted with over 55,000 Ingress players during live player events called “Anomalies”.

Insurers are also not new to using augmented reality technology in their actual business operations.

For example, Zurich Insurance last year turned to augmented reality smartphone apps to train 10,000 employees in 170 countries in the key skills needed by its next generation of managers.

Insurers are also using augmented or virtual reality (think Google Glasses) to train claim adjusters and streamline the claims process.

So while the insurance risks of disruptive technology like Pokémon Go are clear (and yes, insurers have you covered), it appears there are many ways for insurers to embrace the power of augmented reality to benefit their business and market reach.

As the Celent insurance blog noted:

“For those insurers with investments in the real world like agencies, offices, billboards – and for those that are agile enough – this surprise trend could serve as a great marketing route to catching all the customers, as well as all the Pokémon.”

Self-Driving Cars Still Evolving

A fatal car accident involving a Tesla Model S in autonomous driving mode is drawing widespread scrutiny both in the United States and overseas.

Joshua Brown was killed in May this year when a tractor trailer made a left turn in front of his Tesla and the self-driving car failed to apply the brakes.

The National Highway Traffic Safety Administration (NHTSA) said it is investigating the incident and will examine the design and performance of the automated driving systems in use at the time of the crash.

Its preliminary evaluation of the incident doesn’t indicate any conclusion about whether the Tesla vehicle was defective, the NHTSA said.

In a blog post, Tesla noted that this is the first known fatality in just over 130 million miles where autopilot was activated:

“Among all vehicles in the U.S., there is a fatality every 94 million miles. Worldwide, there is a fatality approximately every 60 million miles. It is important to emphasize that the NHTSA action is simply a preliminary evaluation to determine whether the system worked according to expectations.”

Tesla further noted that neither Autopilot nor the driver noticed the white side of the tractor trailer against a brightly lit sky, so the brake was not applied:

“The high ride height of the trailer combined with its positioning across the road and the extremely rare circumstances of the impact caused the Model S to pass under the trailer, with the bottom of the trailer impacting the windshield of the Model S.”

As companies continue to innovate and invest in self-driving technology, the crash indicates that fully automated cars are still a thing of the future.

The crash also raises important concerns over regulation.

According to this New York Times article:

“Even as companies conduct many tests on autonomous vehicles at both private facilities and on public highways, there is skepticism that the technology has progressed far enough for the government to approve cars that totally drive themselves.”

And the Wall Street Journal reports:

“Tesla now risks being the test case that could prompt new safety regulations or laws limiting the deployment of self-driving technology.”

The crash also highlights liability concerns regarding this emerging technology. Most car crashes are caused by human error, but presumably the NHTSA investigation will also evaluate potential product liability on the part of the manufacturer.

The crux of the issue is weighing up the risk of crashes versus crashes avoided via the use of self-driving technology.

As the Insurance Information Institute (I.I.I.) notes:

“As crash avoidance technology gradually becomes standard equipment, insurers will be able to better determine the extent to which these various components reduce the frequency and cost of accidents. They will also be able to determine whether the accidents that do occur lead to a higher percentage of product liability claims, as claimants blame the manufacturer or suppliers for what went wrong rather than their own behavior.”

Liability laws might evolve to ensure autonomous vehicle technology advances are not brought to a halt, the I.I.I. adds.

What Does A Cyberattack Really Cost?

The current market value put on the business impact of a cyberattack is grossly underestimated, according to a new report from Deloitte Advisory.

It finds that the direct costs commonly associated with data breaches, such as regulatory fines, breach notification and protection costs, and public relations costs account for less than 5 percent of the total business impact.

But the effects of a cyberattack can be even more far-reaching and last for years, resulting in a wide range of hidden or intangible costs related to loss of intellectual property, operational disruption, increase in insurance premiums, and devaluation of trade name.

In fact, more than 95 percent of the financial impact of a cyberattack is likely to accrue in these areas, and businesses can be caught especially unprepared for these intangible costs.

In a press release, Don Fancher, principal, Deloitte Advisory, and global leader for Deloitte forensic, says:

“Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organization.

“Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think. It’s to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies.”

Find out more about cyber risks and insurance in this Insurance Information Institute paper.

Emerging Risk: the Internet

We think of the Internet as a borderless entity, but that could all change, according to an annual emerging risk report from Swiss Re.

The publication is based on the SONAR process, an internal crowdsourcing tool that collects inputs and feedback from underwriters, client managers, risk experts and others to identify, assess and manage emerging risks.

Increased localization of internet networks within country borders is one of the key emerging risks that industry players should prepare for, the report suggests.

It notes that as cybercrime has grown rapidly, so the Internet has become less safe and governments are instituting more regulation, requiring companies to protect their online assets more effectively and to store data on servers physically located within their geographical borders.

Some countries are even using firewalls, special software to filter out unwanted information, and isolated IT infrastructure detached from global networks, Swiss Re reports.

“A step further in this direction is the design and development of internet protocols which make certain communications impossible. In China, for instance, the government already controls all Internet content as well as the physical infrastructure.”

While no international consensus has emerged yet on how the internet should be governed, the report reveals that there is a chance that disconnected national and regional nets will become more common.

As Swiss Re says:

“Such developments would increase IT costs and regulation and would hurt insurance companies operating across borders.”

In particular, the report highlights that evolving regulation would increase operational risk and could trigger more liability claims in the directors and officers (D&O) and fidelity arena, as well as massively increasing costs for setting up and maintaining separate legal structures.

Another concern is that technology companies may face liability suits from customers if they are no longer able to access data stored on cross-border servers.

IoT and Piracy Increase Risks to Shipping

A hacker causes an oil platform located off the coast of Africa to tilt to one side, forcing it to temporarily shut down. A port’s cyber systems are infiltrated by hackers to locate specific containers loaded with illegal drugs and remove them undetected.

These are just a few of the cyber attacks on the shipping industry reported to date, according to Allianz Global Corporate & Specialty SE’s (AGCS) fourth annual Safety and Shipping Review 2016.

But such attacks are often under-reported as companies opt to deal with breaches internally for fear of worrying stakeholders, AGCS notes.

“When reports of attacks do surface, details are usually vague, making it extremely difficult to gauge the headway the industry has made in strengthening online security.”

The shipping industry’s reliance on interconnected technology also poses risks. Cyber risk exposure is growing beyond data loss.

Technological advances including the Internet of Things (IoT) and electronic navigation mean the industry may have less than five years to prepare for the risk of a vessel loss, AGCS warns.

There has already been one known incidence of Somali pirates having infiltrated a shipping company’s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security, leading to the hijacking of a vessel.

In the words of Captain Andrew Kinsey, senior marine risk consultant, AGCS:

“Pirates are already abusing holes in cyber security to target the theft of specific cargoes. The cyber impact cannot be overstated. The simple fact is you can’t hack a sextant.”

The industry needs more robust cyber technology in order to monitor the movement of stolen cargoes, according to Kinsey.

For the first time in five years piracy attacks at sea failed to decline in 2015. International Maritime Bureau statistics show there were 246 piracy attacks worldwide in 2015, up from 245 in 2014.

Attacks in South East Asia continue to increase, with the region accounting for 60 percent of global incidents and Vietnam a new hotspot, AGCS reports.

The Insurance Information Institute offers facts and statistics on marine accidents here.

Don’t Ask, Don’t Tell

We’re reading an item of interest from across the pond where the United Kingdom’s Institute of Directors (IoD) has issued a new report that gives insight into how companies tend to react if they are under a cyber attack.

The IoD study, supported by Barclays, revealed that most companies keep quiet, with under one third (28 percent) of cyber attacks reported to the police.

This is despite the fact that half (49 percent) of cyber attacks resulted in interruption of business operations, the IoD noted.

Hat tip to forbes.com which reports on the IoD findings in this blog post.

It’s worth noting that here in the United States, the Identity Theft Resource Center (ITRC) has long maintained that the record number of U.S. data breaches it tracks are by no means the whole story.

Many data breaches fly under the radar, the ITRC says, because businesses want to avoid the financial dislocation, liability and loss of goodwill that come with disclosure and notification.

Back in the UK, the survey of nearly 1,000 IoD members also showed a worrying gap between awareness of cyber risks and preparedness.

Even though nine in 10 business leaders said cyber security was important, only 57 percent had a formal strategy in place to protect themselves, and just one fifth (20 percent) held insurance against an attack.

In the words of Professor Benham, author of the IoD report:

“No shop-owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don’t seem to think a cyber breach warrants the same response.

“Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

With 34,500 members, ranging from start-up entrepreneurs to CEOs of multinational companies, the IoD is the UK’s largest organization for business leaders.

More on cyber security in the Insurance Information Institute’s paper Cyber Risks: Threat and Opportunities.

PwC: Incidence of Cybercrime Sharply Higher

Cybercrime has jumped to become the second most reported type of economic crime, affecting 32 percent of global businesses, according to a just-released survey by PwC.

PwC’s Global Economic Crime Survey 2016 found that while traditional leaders of economic crime–asset misappropriation, bribery and corruption, procurement fraud and accounting fraud–all showed a slight decrease over 2014 statistics, cybercrime is on a steady increase.

In fact over one quarter of the 6,000 respondents to PwC’s survey said they’d been affected by cybercrime.

Despite a sharply higher incidence of reported cybercrime among PwC’s respondents, the survey found that most companies are still not adequately prepared for, or do not even understand, the risks faced.

Only 37 percent of organizations have a cyber incident response plan in place and many boards are not sufficiently proactive regarding cyber threats.

Even though boards have a fiduciary responsibility to shareholders when it comes to cyber risk in several countries, PwC found that less than half of board members actually request information about their organization’s state of cyber-readiness.

Losses from cybercrime can be heavy, PwC reported. A handful of respondents (around 50 organizations) said they had suffered losses over $5 million. Of these, nearly one-third reported cybercrime-related losses in excess of $100 million.

Reputational damage was considered the most damaging impact of a cyber breach among survey respondents, followed by legal investment and/or enforcement costs.

According to PwC:

“The insidious nature of this threat is such that of the 56 percent who say they are not victims, many have likely been compromised without knowing it.”

This year’s results show that the incidence of economic crime has come down, for the first time since the global financial crisis of 2008-9 (albeit marginally by 1 percent).

Check out the I.I.I. white paper Cyber Risk: Threat and Opportunity for the latest on cybercrime, risks and insurance.

Commercial Insurance Market: Generally Favorable For Buyers

Ample capacity and continued competition are expected to continue to put near term downward pressure on insurance rates in major classes of commercial property/casualty business, according to Marsh.

However, industry developments including recent earnings announcements, senior management changes and re-underwriting at several companies bear watching, said Marsh in its just-released U.S. Insurance Market Report.

Marsh’s analysis put average rate decreases in the fourth quarter of 2015 at between 5 percent and 10 percent for non-catastrophe exposed risks and between 5 percent and 15 percent for moderately catastrophe-exposed risks.

Likewise, U.S. public company directors and officers (D&O) insurance rates were on average flat to down 10 percent in the fourth quarter, while U.S. commercial general liability rates on average renewed at between 10 percent rate decreases and 5 percent increases.

Amid the rate decreases across most classes of business, cyber insurance bucked the trend.

Typical cyber rate increases in the first half of 2015 were 10 percent to 15 percent over the prior year.

However, the retail and healthcare sectors, which have seen some of the costliest data breach events, saw increases ranging from 45 percent to 55 percent and 15 percent to 25 percent, respectively.

Marsh noted that demand for cyber insurance rose in 2015–a trend expected to continue in 2016.

Despite the overall pattern of soft pricing, amid ample capacity, competition and relatively low catastrophe losses, Robert Bentley, president of Marsh’s U.S. and Canada division, warned that now is not the time to be complacent:

“Organizations need to stay abreast of the ever-changing marketplace and risk landscape, where new and emerging risks can quickly escalate if not properly managed.”

More information on the cyber insurance market can be found in the Insurance Information Institute white paper Cyber Risks: Threat and Opportunities.

Another Day, Another Hack

As if we needed another reminder of the rising threat of cyber attacks, the estimated EUR 50 million ($55 million) loss arising from a cyber fraud incident targeting Austrian air parts supplier FACC AG made us sit up and take notice.

As Bloomberg reports here, if the damages do indeed amount to $55 million this would be one of the biggest hacking losses by size.

Bloomberg also points out that the incident is made more intriguing because FACC is 55 percent owned by China-based AVIC.

It will take time for the details of this attack to emerge, but in a January 20 press release, FACC acknowledged that the target of the cyber fraud was the financial accounting department of FACC Operations GmbH.

The company also noted that its IT infrastructure, data security, IP rights and the group’s operational business are not affected by the criminal activities.

Further, FACC said the $55 million in damage was an outflow of “liquid funds”.

“The management board has taken immediate structural measures and is evaluating damages and insurance claims,” FACC added in its third quarter report.

According to this report by ComputerWeekly.com, the fact that FACC’s financial accounting department was targeted in the fraud is prompting speculation that the company was likely the victim of a so-called whaling attack, also known as business email compromise (BEC) and CEO fraud.

In these sophisticated phishing attacks, cyber criminals send fake email messages that appear to come from company CEOs, often when a CEO is known to be out of the office, asking company accountants to transfer funds to a supplier. In fact, the funds go to a criminal account.

Last year, the Federal Bureau of Investigation (FBI) described BEC fraud as an emerging global threat.

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, more than 7,000 U.S. companies have been targeted by such attacks with total dollar losses exceeding $740 million. If you consider non-U.S. victims and unreported losses, that figure is likely much higher.

The rising incidence of BEC and CEO fraud and its intersection with cyber insurance will form the topic of a future blog post.

Both the WEF Global Risks Report 2016 and the Allianz Risk Barometer 2016 have identified cyber attacks and incidents among the top risks facing business.

Find out more about cyber risks and insurance in the I.I.I. white paper Cyber Risk: Threat and Opportunity.