Category Archives: Business Risk

Ransomware: Does Cyber Insurance Make Sense?

As organizations look to recover from the disruption caused by Friday’s massive global ransomware cyberattack, the value of cyber insurance, and other cybersecurity tools, just multiplied exponentially.

Security researchers at Kaspersky Lab recorded more than 45,000 attacks in 74 countries including the UK, Russia, Ukraine, India, China and Italy, the Guardian reports.

The UK’s National Health Service, French car manufacturer Renault, and Spain’s telecommunications giant Telefonica were among those hit by the so-called WannaCry ransomware, which locks up computer systems until the victims pay a ransom.

Cyber risk modeling firm Cyence estimates the average individual ransom cost from the attacks at $300, and the total economic costs from interruption to business at $4 billion, according to this Reuters report.

Kevin Kalinich, global head of Aon’s cyber risk practice, told Reuters:

“If you’re a hospital that turned away patients, if you’re a global delivery company that can’t send a package, or a telecom company in Spain, Russia or China, the financial statement impact from the business interruption is much larger than the $300 ransomware.”

Insurance coverage for ransomware (see earlier post), and other forms of extortion, is available under cyber insurance policies, or other types of policies that specifically cover cyber extortion.

An insured’s ransom payment following an attack is typically covered, subject to individual policy terms and conditions, according to this I.I.I. white paper.

Cyber policies also provide coverage for the costs of forensic investigation, restoring lost or corrupted data, legal expenses and business interruption.

Here are some of the considerations that go into the decision to purchase coverage.

Where To Go For Small Business Cybersecurity Advice

Small businesses are increasingly vulnerable to cyberattacks. A new website launched by the Federal Trade Commission (FTC) is aimed at helping small business owners be better prepared.

The site – ftc.gov/SmallBusiness – is a one-stop shop where small business owners can find information to protect themselves from scammers and hackers, as well as resources they can use if they are hit with a cyberattack.

Online FTC resources include a new Small Business Computer Security Basics guide with information to help companies protect their files and devices, train employees to think twice before sharing the business’s account information, and keep their wireless network protected, as well as how to respond to a data breach.

Specific information on ransomware and phishing schemes targeting small businesses is also provided.

According to the U.S. Small Business Administration, there are more than 28 million small businesses nationwide, employing nearly 57 million people.

Cyberattacks can be particularly damaging to small businesses, and many lack the resources that larger companies have to devote to cybersecurity.

For example, the percentage of spear-phishing attacks targeting small business rose from 18 percent to 43 percent between 2011 and 2015.

Insurance is one of the ways in which small businesses can protect themselves. See I.I.I. resources on cyber liability risks.

Small Business Insurance Is Going Digital

The way in which small business owners buy insurance is changing, as the number of ventures owned by Millennials/GenXers increases.

Up to 25 percent of total small business insurance premium could be digitally underwritten by 2020, Willis Towers Watson Securities reports.

“Small businesses are expected to grow an average of 6 percent annually through 2020, at which point over 60 percent of businesses are expected to be owned by Millennials/ GenXers who are much more likely to favor digital management of insurance coverages.”

Traditional insurers are embracing new technologies, both by creating proprietary platforms and partnering with small business insurance distribution focused start-ups.

Here are some recent examples of digital innovation in the $100 billion small business insurance market, via Willis Towers Watson Securities inaugural Quarterly InsurTech Briefing:

Whether a start-up or an established company, disruptions can devastate a business. Small business week is the perfect time to tune up your insurance coverage, the I.I.I. says.

Need For Political Risk Coverage Accelerates

Amid ongoing political upheaval in Venezuela and a volatile geopolitical landscape elsewhere, the need for political risk insurance is rising to prominence for multinational companies.

AP reports that General Motors just became the latest corporation to have a factory or asset seized by the government of Venezuela.

GM said assets such as vehicles were taken from the plant causing the company irreparable damage.

To protect themselves against loss or damage to physical assets caused by political action and instability, businesses should consider purchasing political risk insurance.

This specialty type of insurance can protect against a variety of risks, including:

  • Expropriation
  • Political violence (including terrorism and war).
  • Currency inconvertibility.
  • Non-payment.
  • Contract frustration due to political events.

Due to the accelerating pace of geopolitical uncertainty, the market for political risk insurance is pushing toward $10 billion in 2018, up from $8.1 billion in 2015, according to a KPMG LLP report published last year.

Willis Towers Watson advises multinational companies to buy political risk coverage on operations worldwide — particularly for select regions —while it is still available, Business Insurance reports.

Political risk insurance is available from both private insurers and from government-backed insurers, including the Overseas Private Investment Corporation (OPIC), an agency of the U.S. government.

Aon’s Political Risk Map 2017 captures changing risks for businesses and countries across emerging and frontier markets.

Last year an equal number of countries showed a reduction in political risk as showed an increase, a trend which highlights the persistence of political risk across the globe, Aon said.

@united: Do You Have A Reputational Risk Policy?

While the social media firestorm following the forcible removal of a passenger from a United Airlines flight highlights the importance of crisis and reputation risk management, it also underscores the potential liability airlines face from balancing duties to their customers, employees and to shareholders.

USA Today reports that three things govern a carrier’s relationship with its passengers: contracts of carriage, the U.S. Department of Transportation and laws approved by Congress:

United’s dispute with a passenger forcible removed from a Sunday flight shines a spotlight on the contracts that set rules and expectations between carriers and travelers.

“Those contracts are well thought through. They are generally fair and balanced, and they reflect the market,” said Roy Goldberg, a partner at Steptoe & Johnson who practices aviation law in Washington, D.C. “As a general matter, passengers have rights, but airlines have rights, too.”

A Reuters analysis of federal data shows U.S. airlines are bumping passengers off flights at the lowest rate since 1995.

Many insurers and brokers offer reputational risk policies that include crisis management and PR services to assist companies before, during and after a crisis.

More on the story in today’s I.I.I. Daily, via the Wall Street Journal:

On April 11 Oscar Munoz, head of United Airlines, apologized for the forcible removal by the police of Dr. David Dao, a passenger, from United Express Flight 3411 in Chicago. The apology came two days after the altercation led to the widespread expression of anger on social media, including millions of angry posts in the airline’s rapidly growing market in China. Politicians in Washington, D.C., also condemned the airline’s forcible removal of a passenger. Munoz sent a message to employees of United Continental Holdings Inc. apologizing for an incident he characterized as horrific and acknowledging the general public outrage, which he said he shared. The message was in sharp contrast to Munoz’s initial response.

FAA guidance for planning and preparing for your next airline trip here.

Impact Of Collision/Crash Top Cause of Liability Loss In U.S.

Despite advances in safety, the impact of collision/crash, particularly motor-related, is the main driver of liability loss activity in the United States.

The impact of collision/crash accounted for close to half (42 percent) of the value of business liability claims in the U.S., according to the latest global claims review by Allianz Global Corporate & Specialty (AGCS).

New technology will drive a big shift in liability claims, AGCS warns. For example, the rise of autonomous driving presents new loss scenarios for insurers:

“A decline in car ownership in favor of motor fleets, car-sharing and driverless taxis could see insurers move away from providing millions of single annual motor insurance policies to drivers, instead providing large policies purchased by manufacturers, fleet owners and operators.”

The shift to product liability will require insurers to develop technical expertise and not rely on historic data and driver profiling for pricing. Allianz has already started building teams of engineers with experience in automotive and driverless technology.

(Read this Insuring California blog post for more insight on how driverless cars will change auto insurance.)

The growing “sharing economy” also raises new liability questions:

”A road traffic accident featuring an autonomous car share vehicle could involve the vehicle manufacturer, software provider and the fleet operator, as well as third parties involved in the accident. This would make liability harder to apportion and claims more complex to settle.”

AGCS Global Claims Review analyzes over 100,000 corporate liability insurance claims from more than 100 countries, with a total value of €8.85bn (US$9.3bn), paid by AGCS, and other insurers, between 2011 and 2016.

Over 80 percent of losses arise from these 10 causes:

See Insurance Information Institute (I.I.I.) information on litigiousness here.

Sugar: The Next Tobacco?

Is sugar the next tobacco? Liability insurance experts say it could be.

Excessive, but not always obvious use of sugar (also salt) in food has the potential for systemic loss, a recent Lloyd’s report found.

The potential loss scenario unfolds if excessive levels of sugar are found to be harmful by scientific studies and if courts find food producers and/or the distribution chain liable for resulting damages.

“A societal shift may make the addition of significant amounts of sugar to our food unacceptable, with liability risks affecting food manufacturers (and possibly distributors and retailers).”

A sample footprint in the report (below), starting from sugar beet and cane farming to sugar and confectionary manufacturing and spreading to various other food manufacturers, wholesalers, retailers, and food and drink outlets shows the widespread distribution of sugar and the potential impact on many customers:

“Historical data suggests that the spread would also be amplified by the presence of large corporates with large insurance cover and funds.”

Businesses address their liability concerns through many types of risk management, of which insurance is an important component, according to the Insurance Information Institute.

A Swiss Re study indicated that the United States in 2013 had the largest commercial liability insurance market in the world both in premium volume ($84 billion) and as a percentage of Gross Domestic Product (0.50 percent).

Case Of The Missing Comma

Grammarians and legal eagles among you will want to read about how a punctuation mark known as the Oxford comma is the crucial factor in a class action involving overtime pay for truck drivers.

This is just one of the items covered in our Insurance Information Institute (I.I.I.) Daily newsletter today, a must-read publication for anyone in and around the insurance industry. (Sign up by emailing daily@iii.org).

Citing the New York Times, the I.I.I. Daily reports that on March 13 the U.S. Court of Appeals for the First Circuit handed down a lengthy court decision that is seen as a grammar lesson that could lead to an estimated $10 million loss for a dairy company in Portland, Maine.

The backstory: In 2014 three truck drivers filed a lawsuit seeking more than four years of overtime pay they alleged that Oakhurst Dairy had denied them unfairly. Under Maine law, workers have to be paid 1.5 times their normal rate for each hour worked in excess of 40 per week, with some exceptions.

Punctuation refresher: Grammarians are very polarized about whether a comma should be placed before the last of a series of items in a list, and some insist on what is referred to as the Oxford comma, one preceding the final item, while others habitually omit it. The absence of the comma can change meaning.

Comma in question: The state law involved in the case says that overtime rules do not apply to “The canning, processing, preserving, freezing, drying, marketing, storing, packing for shipment or distribution of: 1) Agricultural produce; 2) Meat and fish products; and 3) Perishable foods.” The question before the court was whether the law intended to exempt distribution of the three categories or packing for their shipping or distribution.

The decision: The appeals court ruled in favor of the drivers, after finding that the absence of a comma after “shipment” led to uncertainty about whether the law exempts applies to delivery drivers who distribute perishable foods, although they do not pack them. The appeals court reversed a lower court decision that denied truckers overtime.

If you’re surprised at the $10 million difference a comma can make, consider how important it is to draft insurance contracts and policy language that use words and punctuation correctly. This Deepwater Horizon coverage dispute is a good example.

Uber Case Highlights Employment Liability Risk

By now you’ll have read the troubling tale of alleged workplace sexual harassment as told by a former Uber employee on her personal blog.

As the LA Times reports, Uber CEO Travis Kalanick has called in former U.S. Attorney General Eric Holder to conduct an independent investigation and claimed that the blog post was the first he knew of the incident.

The allegations are a warning to the tech industry and its so-called rockstar culture, the LA Times notes.

The New York Times goes into more detail here.

In a statement issued following a meeting with Kalanick and staff to discuss diversity and inclusion, Uber board member Arianna Huffington said:

“I view it as my responsibility to hold the leadership team’s feet to the fire on this issue.”

This is not the first time that the ridesharing company has been in the hot seat for behaving badly, as discussed in this earlier blog post.

Charges of sex discrimination, including sexual harassment and pregnancy discrimination accounted for 26,934, or 29.4 percent of all job bias charges reported to the U.S. Equal Employment Opportunity Commission (EEOC) in 2016.

As the Insurance Information Institute (I.I.I.) notes, the number of employee lawsuits has increased in recent years, and any size business is vulnerable to this type of risk.

Employment Practices Liability Insurance (EPLI) provides important financial protection to businesses against claims or lawsuits filed by employees, former employees, or potential employees.

EPLI covers legal costs, settlements and judgments that arise from claims of: discrimination (age, sex, race, disability, etc.); wrongful termination of employment; sexual harassment and other employment-related allegations and lawsuits.

In addition to insurance protection, I.I.I. says businesses should take key steps to reduce the risk of an employee lawsuit, such as creating clear workplace practices on employment practices and educating management and employees.

A recent Insurance Journal article took a look at what to expect in EPLI in 2017.

Ransomware: Is Cyber Insurance On Your Radar?

Hotel guests locked out of their rooms at a four-star hotel in the Austrian Alps? Washington DC’s CCTV system disrupted days before Donald Trump’s inauguration? Libraries in St Louis brought to a standstill? Eight years of digital evidence lost by a Texas police department?

Ransomware is not just grabbing headlines, it’s now the favorite method of cyberattack used against businesses, particularly in North America and Europe, according to this Malwarebytes report.

In the fourth quarter of 2016 alone, Malawarebytes catalogued nearly 400 variants of ransomware, and 81 percent of ransomware detected in corporate environments occurred in North America.

Lloyd’s insurer Beazley saw ransomware attacks quadruple in 2016 and projects them to double again in 2017.

“Evolving ransomware variants enable hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the most valuable files unencrypted.”

In its white paper Cyberrisk: Threat and Opportunity, the Insurance Information Institute reports that insurers are issuing an increasing number of cyber insurance policies and coverage for cyber extortion, including payment of a ransom following a ransomware attack, is available.

According to the FBI, ransomware attacks are on the up, particularly targeting organizations because the payoffs are higher.