Business Risk


Cyber security and data breaches remain front and center on the Congressional radar as the Senate Commerce Committee today holds a hearing on protecting consumers from data breaches.

The witness list includes John Mulligan, vice president and chief financial officer at Target, and Dr. Wallace Loh, president of the University of Maryland. There’s an insurance industry witness too: Peter Beshar, executive vice president and general counsel of Marsh & McLennan, is also giving testimony.

Recent data breaches at Target and the University of Maryland highlight the fact that organizations across many different business sectors are vulnerable to cyber attacks.

The February 18, 2014 UMD data breach compromised an estimated 309,079 student, faculty and staff records, including names, birth dates, university ID numbers and Social Security numbers.

The massive 2013 data breach at Target during the holiday season exposed the financial and personal information of as many as 110 million consumers.

A report released yesterday by the U.S. Senate Commerce, Science and Transportation Committee suggests that Target missed a number of opportunities to prevent the massive data breach. Hat tip to Reuters via Huffington Post which reports on the findings here.

The Senate staff report, titled “A Kill Chain Analysis of the 2013 Target Data Breach,” says the key points at which Target apparently failed to detect and stop the attack include:

● Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

● Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s systems.

● Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting Target failed to properly isolate its most sensitive network assets.

● Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network.

The report analyzes what has been reported to date about the Target data breach, using the “intrusion kill chain” framework, an analytical tool introduced by Lockheed Martin security researchers in 2011, and widely used by information security professionals today.

This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.”

Check out an I.I.I. whitepaper on cyber risks and insurance here.

The Ukraine crisis is making headlines around the world, and also in the insurance world.

While events are still unfolding, Russia’s move to annex the Crimea region of Ukraine has prompted United States and European Union leaders to impose economic and travel sanctions on some Russian officials.

U.S. and EU leaders will meet next week in the Netherlands to discuss the crisis and further sanctions are possible.

As for insurance implications, the ongoing turmoil has the potential to impact the political risk, structured credit and trade credit insurance markets.

Broker Marsh said in a briefing last week that some insurers had stopped underwriting political risk insurance in the two countries due to concern over the political unrest and credit ratings in Ukraine and potential sanctions in Russia.

Canadian Underwriter reported on the story here.

Noting the uncertainty of the evolving situation, Marsh said:

Companies with interests in the region face the potential for damage to assets through political violence and possible broader expropriation measures or sanctions against foreign interest in Russia should sanctions be imposed against the country. This is in addition to the potential for payment delays on trade payment obligations due from customers, especially those in Ukraine.”

Marsh also noted that because Russia is the political risk and structured credit market’s largest country exposure, if the current conflict results in large-scale insurable damage, global premiums and insurance capacity for these coverages could be adversely affected.

There is also the potential for a downgrade of Ukraine’s country rating by the ratings agencies, and for payment difficulties, whether commercial or economic in origin, for creditors of Ukrainian companies, Marsh added.

The broker advised businesses with operations in Ukraine, especially those in Crimea, to check their crisis response and insurance programs to ensure they sufficiently mitigate the potential effects on their operations.

The I.I.I.’s International Insurance Fact Book has insurance and economic data on Russia and Ukraine here.

Two months after Target announced a massive data breach in which hackers stole 40 million debit and credit card accounts from stores nationwide, the rising costs related to the incident are becoming clear.

Costs associated with the Target data breach have reached more than $200 million for financial institutions, according to data collected by the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA).

Breaking out the numbers, CBA estimates the cost of card replacements for its members has reached $172 million, up from an initial finding of $153 million. CUNA has said the cost to credit unions has increased to $30.6 million, up from an original estimate of $25 million.

So far, cards replaced by CBA members and credit unions account for more than half (54.5 percent) of all affected cards.

In a press release, CBA notes that the combined $200 million cost does not factor in costs to financial institutions other than credit unions or CBA members, nor does it take into account any fraudulent activity which may have occurred or may occur in the future:

Fraudulent activity would push the cost of the Target data breach to the industry much higher, as consumers would not be held liable.”

A post over at the Wall Street Journal Corporate Intelligence blog points out that cyber attacks like these continue to be a drain on the wider economy.

It cites a study backed by computer security firm McAfee that last year estimated the total cost of cybercrime and cyber espionage to the United States at up to $100 billion each year.

Meanwhile, legal experts caution that companies need to take stock in the wake of the Target breach and make sure they have adequate insurance in place.

A post by Emily R. Caron in Media, Privacy and Beyond published by law firm Lathrop & Gage notes that fortunately Target appears to have a lot of insurance in place.

It cites reports suggesting that between cyber coverage and directors and officers (D&O) coverage, Target has $165 million in total limits, after self-insuring the first $10 million. (Hat tip to @LexBlogNetwork for highlighting this article)

However, The New York Times recently reported that total damages to banks and retailers could exceed $18 billion according to estimates by Javelin Strategy & Research.

In addition the NYT noted that nearly 70 lawsuits have already been filed against Target, many of them seeking class-action status.

As Caron notes in her article at Media, Privacy & Beyond, there is a big gap between $165 million and $18 billion.

Check out I.I.I. facts + statistics on ID theft and cyber security.

Job bias charges reported to the U.S. Equal Employment Opportunity Commission (EEOC) dropped to 93,727 in fiscal year 2013, down 5.7 percent from 99,412 charges in 2012, and a 6.6 percent decrease from the record 99,947 charges reported in fiscal year 2011.

But the decline in the number of charges was offset by an increase in the amount of monetary relief obtained for victims.

Monetary relief obtained for victims increased by $6.7 million to $372.1 million – the highest monetary recovery from private sector employers in agency history through its administrative process, the EEOC said.

As in prior years, retaliation under all statutes was the most frequently cited basis for charges of discrimination, increasing in both actual numbers (38,539 up from 37,836) and as a percentage of all charges (41.1 percent up from 38.1 percent) from the previous year.

This was followed by race discrimination (33,068/35.3 percent); sex discrimination, including sexual harassment and pregnancy discrimination (27,687/29.5 percent); and discrimination based on disability (25,957/27.7 percent). (The percentages add up to more than 100 because a single charge can cite more than one basis.)

The EEOC noted that both race and disability discrimination increased in percentage of all charges while decreasing in raw numbers from the previous year, while charges of sex discrimination were down by over 2,600 charges.

The EEOC also received 333 charges under the Genetic Information Nondiscrimination Act, which prohibits discrimination on the basis of genetic information, including family medical history.

Despite the overall positive trend, employers should remain vigilant, legal experts say.

In a post on legal newsfeed Lexology, Hannesson Murphy, a partner at law firm Barnes & Thornburg, writes:

While employers should be encouraged by current trends, this is no time to let down their guard: EEOC charges remain well above the levels of the mid-1990’s or mid-2000’s, retaliation claims are on the rise, and the EEOC is as active as ever. In short: remain vigilant.”

Check out further I.I.I. facts and statistics on employment practices liability insurance here.

The fallout continues in the wake of the massive data breach at Target in which hackers stole 40 million debit and credit card accounts from stores nationwide between November 27 and December 15.

USA Today reports that so far three class-action lawsuits have been filed in the wake of the incident, seeking more than $5 million in damages. Two of the cases were filed in California and one in Oregon.

The same USA Today article reports that the attorneys general of at least four states – Connecticut, Massachusetts, New York and South Dakota – have asked Target for information about the breach, in what is regarded as the first step toward a possible multi-state investigation.

Meanwhile, the Krebs on Security blog, which broke the story of the Target breach last Wednesday, December 18, reports that card accounts stolen in the breach are flooding the underground markets. Check out the latest reports here and here.

For anyone who shopped at Target during the breach period, the New York Times has a helpful Q&A on what you should do.

While the latest studies indicate that U.S. companies continue to improve their preparation for and response to a data breach, the security breach at Target highlights the vulnerability of even major companies to this threat.

Both the organizational cost of a data breach and the cost per lost or stolen record declined last year, according to the 2013 Cost of a Data Breach study by the Ponemon Institute and Symantec.

The organizational cost of a breach declined from $5.5 million to $5.4 million and the cost per record from $194 to $188.

The Ponemon report also noted that while the cost of a data breach can vary widely because of the types of threats and data protection laws, the financial consequences are serious worldwide.

Check out I.I.I. facts and statistics on identity theft and cyber security.

Direct foreign investors operating in the Middle East and North Africa (MENA) face an increasing level of political risk as a result of the instability and uncertainty created by the Arab Awakening, according to an annual risk report.

The 2014 Marsh-Maplecroft Political Risk Map reveals that more than 60 percent of countries in the MENA region have experienced a significant increase in the level of political violence since 2010.

According to the map, 17 countries have experienced a significant increase in their level of dynamic political risk since 2010, more than half of them located in the MENA region.

Note: dynamic political risks focus on short-term challenges, such as rule of law, political violence, the macroeconomic environment, resource nationalism and regime stability.

Syria has seen the most significant increase in risk and is now ranked as the second-highest risk country behind only Somalia. For the first time, Egypt is now categorized as “extreme” risk for political violence, a deterioration driven by post-coup violence and increased terrorist activity in the Sinai Peninsula.

Over the past year, East Africa was host to the most countries with an increase in political violence, according to the map.

Marsh notes that the increase in political violence in East Africa presents significant challenges to foreign investors looking to the region following the discovery of substantial oil and gas reserves.

Despite these risks, the map points to opportunities for investors in six growth markets where overall dynamic political risk has significantly improved since 2010: the Philippines, India, Uganda, Ghana, Israel, and Malaysia.

The map draws from Maplecroft’s Political Risk Atlas 2014 and highlights dynamic political risks across 197 countries, including conflict, terrorism, macroeconomic stability, rule of law, and regulatory and business environments.

Hat tip to Business Insurance which reports here.

Health care organizations are facing a much more challenging directors and officers (D&O) liability insurance market as they adapt to changes arising from the Affordable Care Act (ACA), according to a new report from Marsh.

It reveals that average primary D&O rates for midsize and large health systems increased by 9.6 percent in the third quarter of 2013, while total program D&O rates renewed with 7.9 percent increases on average.

Nearly all organizations – 91 percent – renewed with rate increases, according to its findings.

Marsh notes that since the passage of the ACA in 2010, the health care industry has undergone rapid consolidation resulting in organizations working more closely together and sharing information.

As a result, many health care organizations face increased exposure to antitrust risks and this has insurers concerned.

In some cases D&O insurers have lowered their antitrust sublimits and increased antitrust-related coinsurance requirements and retentions, Marsh says. In addition to raising rates, some D&O insurers are also pulling back on offering full policy limit defense coverage.

It quotes Mark Karlson, Marsh’s FINPRO Health Care Practice Leader:

Ongoing merger and acquisition activity and the transition to accountable care organizations and similar networks are creating new exposures for many health care organizations, including antitrust risks.

This has resulted in a much more challenging D&O market for health care companies. Risk managers should expect to face additional rate increases in 2014 and be prepared to provide underwriters with detailed answers about their response to health care reform.”

PC360 has more on this story.

Check out I.I.I. information on D&O liability insurance.

More and more companies are using social media and many recognize the potential risks, but few have an adequate plan in place to manage those risks.

Two separate surveys point to the fact that as social media becomes even more widely used in the corporate setting, businesses need to properly assess and monitor the risks involved.

Chubb’s just-published 2013 Private Company Survey found that 68 percent of companies are using social media – up from 39 percent in 2010 – but only 12 percent are concerned that they will be sued for allegedly making defamatory posts.

Further, only 49 percent have a written social media usage policy for their employees, Chubb found.

Executives at 450 U.S. for-profit private companies were interviewed for the Chubb survey.

An earlier report from Grant Thornton LLP and the Financial Executives Research Foundation (FERF), found that some 71 percent of public and private company executives are concerned about the potential risks involved in the use of social media, but they believe the risks can be mitigated or avoided.

More than half (59 percent) of executives surveyed said their companies do not perform a social media risk assessment.

Also, two-thirds (66 percent) of respondents see their company’s use of social media increasing during the next 12 months, but only a third of respondents (36 percent) reported that their company has social media training.

As the report says:

The evaluation and monitoring of risk needs to be a key component of any organization’s social media strategy, and its importance cannot be overstated.”

More than 100 senior-level executives from public and private companies participated in the 2013 Social Media Risks and Rewards survey, which was conducted during May and June of this year.

Check out the I.I.I. paper Social Media, Liability and Insurance.

The percentage of companies buying cyber liability insurance is increasing substantially, according to an annual survey jointly produced by Advisen and Zurich.

For the first time in the three years that the survey has been administered, more than half of respondents claim to purchase cyber liability insurance.

In response to the question “Does your organization purchase cyber liability insurance?” some 52 percent responded yes, compared to 44 percent in 2012, and 35 percent in 2011.

Only 38 percent said their organization did not purchase this protection, down from 50 percent in 2012 and 60 percent in 2011.

Of those companies that do purchase coverage, some 72 percent have done so for more than three years. This represents a 10-point increase from 2012 suggesting that when organizations purchase the coverage they see enough value to renew it year after year.

Even those companies that have not bought cyber coverage are thinking about it.

Just over half (53 percent) of survey respondents that do not currently buy cyber insurance are considering purchasing it in the next year – a 28 percentage point increase from 2012.

Advisen notes:

This is an indication of the continued shift in the cyber insurance marketplace, from a product that was interesting but not a necessity to one that is becoming a must have.”

Check out a recent I.I.I. paper on cyber risks.

The impact of a data breach at software maker Adobe appears to be worsening. When it first announced the breach on October 3, Adobe said that cyber attackers had compromised accounts and passwords of nearly 3 million users. Now that number has jumped to at least 38 million users.

What’s more, a blog post at PCWorld indicates that a further 150 million usernames and hashed passwords were taken from Adobe. While Adobe says these could include inactive IDs, test accounts and IDs with invalid passwords, the company is still investigating.

PCWorld also reports that the hackers stole source code for flagship Adobe products such as Photoshop, Acrobat, and Reader.

It cites a blog post by Hold Security that suggests the source code theft could have far-reaching security implications.

Here’s the direct quote from the Hold Security blog post:

While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits.”

Despite the major news headlines about cybercriminals, it’s worth remembering that mistakes made by people and systems actually cause the majority of data breaches.

The 2013 Cost of a Data Breach study by the Ponemon Institute and Symantec found that negligence and system glitches together accounted for 64 percent of data breaches last year. Such incidents include employees mishandling information, violations of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access.

However, U.S. companies represented in this study are apparently continuing to improve their preparation for and response to a data breach.

Both the organizational cost of data breach and the cost per lost or stolen record declined last year, with the organizational cost declining from $5.5 million to $5.4 million and the cost per record from $194 to $188.

Ponemon and Symantec attribute this to more organizations using data loss prevention technologies, fewer records being lost in the breaches and less customer churn.
