Specialty Coverage


Companies large and small appear to have been targeted in what is being described as the largest known data breach to date.

As first reported by The New York Times, a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.

The NYT said it had a security expert not affiliated with Hold Security analyze the database of stolen credentials and confirm its authenticity.

The records, discovered by security experts Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.

According to Hold Security’s own report, the hackers didn’t just target large companies. They targeted every site that their victims visited:

With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

The NYT said so far the criminals have not sold many of the records online, but appear to be using it to send spam on social networks.

If ever there was a reason to research – and buy – cyber insurance, this would be it.

In its recently published paper Cyber Risks: The Growing Threat, the Insurance Information Institute (I.I.I.) notes that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.

Following the Target data breach and other high profile breaches, the I.I.I. said the number of specialist cyber insurance policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks.

It cited data from broker Marsh showing a 21 percent increase in the number of clients purchasing cyber insurance from 2012 to 2013. That growth is accelerating in 2014.

Meanwhile, a new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information.

According to the report’s authors:

The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies.”

It suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly-likely targets to better understand corporate preparedness and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

No industry sector is immune from cyber threats, and a round-up of recent headlines and reports underscores the increasing risk and cost businesses face.

Just this week, U.S. Treasury Secretary Jacob Lew urged financial institutions and firms to redouble their efforts against cyber threats and said information-sharing and collaboration among businesses and with government is key.

Speaking at a conference in New York, Secretary Lew noted that the consequences of cyber incidents are serious and our cyber defenses are not yet where they need to be:

Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more. In particular, it is imperative that firms collaborate with government agencies and with other firms. Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents. But this reluctance has to be put aside.”

Secretary Lew noted that some banks are already spending as much as $250 million a year to strengthen their cyber security. (Note: this is a cost borne by businesses).

Meanwhile, a new report from the New York attorney general’s office revealed that the number of reported data security breaches in the state more than tripled between 2006 and 2013, with some 22.8 million personal records of New Yorkers exposed in nearly 5,000 data breaches.

The cost to the public and private sectors in New York? In 2013 alone, upward of $1.37 billion, according to the report’s findings.

The Insurance Information Institute’s (I.I.I.) newly updated report Cyber Risks: The Growing Threat (of which I am a co-author) sheds light on the specialist cyber insurance policies developed by insurers to help businesses and individuals protect themselves from the cyber threat.

Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding rapidly in response to this fast-growing market need.

I.I.I. facts and stats on identity theft and cyber security are available here.

If a strong hurricane were to pass through the Gulf of Mexico the overall effect on U.S. oil and natural gas supply would not be as severe as in past years, due to declining production in the region, according to a report from the U.S. Energy Information Administration (EIA).

However, Artemis blog warns that this won’t change the potential impact to insurers and reinsurers, particularly with the removal and decommissioning of rigs also being insured.

In its post, Artemis notes that the reinsurance and insurance-linked securities (ILS) market in recent years has been placing an increasing focus on gaining access to underwriting energy risks, particularly physical damage risks due to storms and earthquakes.

With an increasing amount of ILS capital at risk in the Gulf of Mexico, as well as on the shore through catastrophe bonds and collateralized reinsurance, the exposure to hurricane impacts on the oil and gas production network in and around the Gulf is growing.”

The EIA estimates that up to 11.6 million barrels of crude oil and 29.7 billion cubic feet of natural gas production could be disrupted by storms during the 2014 Atlantic hurricane season. Its estimate is based on NOAA’s Atlantic Hurricane Season Outlook released May 22.

NOAA expects that 8 to 13 named storms are likely to form within the Atlantic Basin over the next six months, including 3 to 6 hurricane, of which 1 to 2 will be intense.

In recent years offshore energy production has experienced relatively minor disruptions due to tropical weather, the EIA reports. However, a single strong storm can cause significant levels of shut-in production:

During September of 2008, category-4 hurricanes Gustav and Ike at one point caused nearly 100 percent of production capacity to be shut in. EIA estimates that these two storms (along with a tropical storm in July) resulted in the loss of 25 percent of the GOM crude oil and natural gas that would have been produced during the 2008 hurricane season.”

Check out the EIA chart showing recent impact of storms on GOM oil and natural gas production:

Check out I.I.I. facts and statistics on energy.

Cyber security and data breaches remain front and center on the Congressional radar as the Senate Commerce Committee today holds a hearing on protecting consumers from data breaches.

The witness list includes John Mulligan, vice president and chief financial officer at Target, and Dr. Wallace Loh, president, University of Maryland. There’s an insurance industry witness too, with Peter Beshar, executive vice president and general counsel, Marsh & McLennan giving testimony.

Recent data breaches at Target and the University of Maryland highlight the fact that organizations across many different business sectors are vulnerable to cyber attacks.

The February 18, 2014 UMD data breach compromised an estimated 309,079 student, faculty and staff records, including names, birth dates, university ID numbers and social security numbers.

The massive 2013 data breach at Target during the holiday season exposed the financial and personal information of as many as 110 million consumers.

A report released yesterday by the U.S. Senate Commerce, Science and Transportation Committee suggests that Target missed a number of opportunities to prevent the massive data breach. Hat tip to Reuters via Huffington Post which reports on the findings here.

The Senate staffers report, titled “A Kill Chain Analysis of the 2013 Target Data Breach” says key points at which Target apparently failed to detect and stop the attack include:

● Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

● Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s systems.

● Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting Target failed to properly isolate its most sensitive network assets.

● Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network.

The report analyzes what has been reported to date about the Target data breach, using the “intrusion kill chain” framework, an analytical tool introduced by Lockheed Martin security researchers in 2011, and widely used by information security professionals today.

This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.”

Check out an I.I.I. whitepaper on cyber risks and insurance here.

Two months after Target announced a massive data breach in which hackers stole 40 million debit and credit card accounts from stores nationwide and the rising costs related to the incident are becoming clear.

Costs associated with the Target data breach have reached more than $200 million for financial institutions, according to data collected by the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA).

Breaking out the numbers, CBA estimates the cost of card replacements for its members have reached $172 million, up from an initial finding of $153 million. CUNA has said the cost to credit unions has increased to $30.6 million, up from an original estimate of $25 million.

So far, cards replaced by CBA members and credit unions account for more than half (54.5 percent) of all affected cards.

In a press release, CBA notes that the combined $200 million cost does not factor in costs to financial institutions other than credit unions or CBA members, nor does it take into account any fraudulent activity which may have occurred or may occur in the future:

Fraudulent activity would push the cost of the Target data breach to the industry much higher, as consumers would not be held liable.”

A post over at the Wall Street Journal Corporate Intelligence blog points out that cyber attacks like these continue to be a drain on the wider economy.

It cites a study backed by computer security firm McAfee that last year estimated the total cost of cybercrime and cyber espionage to the United States at up to $100 billion each year.

Meanwhile, legal experts caution that companies need to take stock in the wake of the Target breach and make sure they have adequate insurance in place.

A post by Emily R. Caron in Media, Privacy and Beyond published by law firm Lathrop & Gage notes that fortunately Target appears to have a lot of insurance in place.

It cites reports suggesting that between cyber coverage and directors and officers (D&O) coverage, Target has $165 million in total limits, after self-insuring the first $10 million. (Hat tip to @LexBlogNetwork for highlighting this article)

However, The New York Times recently reported that total damages to banks and retailers could exceed $18 billion according to estimates by Javelin Strategy & Research.

In addition the NYT noted that nearly 70 lawsuits have already been filed against Target, many of them seeking class-action status.

As Caron notes in her article at Media, Privacy & Beyond, there is a big gap between $165 million and $18 billion.

Check out I.I.I. facts + statistics on ID theft and cyber security.

Job bias charges reported to the U.S. Equal Employment Opportunity Commission (EEOC) dropped to 93,727 in fiscal year 2013, down 5.7 percent from 99,412 charges in 2012, and a 6.6 percent decrease from the record 99,947 charges reported in fiscal year 2011.

But the decline in the number of charges was offset by an increase in the amount of monetary relief obtained for victims.

Monetary relief obtained for victims increased by $6.7 million to $372.1 million – the highest monetary recovery from private sector employers in agency history through its administrative process, the EEOC said.

As in prior years, retaliation under all statutes was the most frequently cited basis for charges of discrimination, increasing in both actual numbers (38,539 up from 37,836) and as a percentage of all charges (41.1 percent up from 38.1 percent) from the previous year.

This was followed by race discrimination (33,068/35.3 percent); sex discrimination, including sexual harassment and pregnancy discrimination (27,687/29.5 percent); and discrimination based on disability (25,957/27.7 percent).

The EEOC noted that both race and disability discrimination increased in percentage of all charges while decreasing in raw numbers from the previous year, while charges of sex discrimination were down by over 2,600 charges.

The EEOC also received 333 charges under the Genetic Information Nondiscrimination Act, which prohibits discrimination on the basis of genetic information, including family medical history.

Despite the overall positive trend, employers should remain vigilant, legal experts say.

In a post on legal newsfeed Lexology, Hannesson Murphy, a partner at law firm Barnes & Thornburg, writes:

While employers should be encouraged by current trends, this is no time to let down their guard: EEOC charges remain well above the levels of the mid-1990’s or mid-2000’s, retaliation claims are on the rise, and the EEOC is as active as ever. In short: remain vigilant.”

Check out further I.I.I. facts and statistics on employment practices liability insurance here.

Health care organizations are facing a much more challenging directors and officers (D&O) liability insurance market as they adapt to changes arising from the Affordable Care Act (ACA), according to a new report from Marsh.

It reveals that average primary D&O rates for midsize and large health systems increased by 9.6 percent in the third quarter of 2013, while total program D&O rates renewed with 7.9 percent increases on average.

Nearly all organizations – 91 percent – renewed with rate increases, according to its findings.

Marsh notes that since the passage of the ACA in 2010, the health care industry has undergone rapid consolidation resulting in organizations working more closely together and sharing information.

As a result, many health care organizations face increased exposure to antitrust risks and this has insurers concerned.

In some cases D&O insurers have lowered their antitrust sublimits and increased antitrust-related coinsurance requirements and retentions, Marsh says. In addition to raising rates, some D&O insurers are also pulling back on offering full policy limit defense coverage.

It quotes Mark Karlson, Marsh’s FINPRO Health Care Practice Leader:

Ongoing merger and acquisition activity and the transition to accountable care organizations and similar networks are creating new exposures for many health care organizations, including antitrust risks.

This has resulted in a much more challenging D&O market for health care companies. Risk managers should expect to face additional rate increases in 2014 and be prepared to provide underwriters with detailed answers about their response to health care reform.”

PC360 has more on this story.

Check out I.I.I. information on D&O liability insurance.

The percentage of companies buying cyber liability insurance is increasing substantially, according to an annual survey jointly produced by Advisen and Zurich.

For the first time in the three years that the survey has been administered, more than half of respondents claim to purchase cyber liability insurance.

In response to the question “Does your organization purchase cyber liability insurance?” some 52 percent responded yes, compared to 44 percent in 2012, and 35 percent in 2011.

Only 38 percent said their organization did not purchase this protection, down from 50 percent in 2012 and 60 percent in 2011.

Of those companies that do purchase coverage, some 72 percent have done so for more than three years. This represents a 10-point increase from 2012 suggesting that when organizations purchase the coverage they see enough value to renew it year after year.

Even those companies that have not bought cyber coverage are thinking about it.

Half (53 percent) of survey respondents that do not currently buy cyber insurance are considering purchasing it in the next year – a 28 percentage point increase from 2012.

Advisen notes:

This is an indication of the continued shift in the cyber insurance marketplace, from a product that was interesting but not a necessity to one that is becoming a must have.”

Check out a recent I.I.I. paper on cyber risks.

A national survey has found that the majority of Americans fear that cyber warfare is imminent and that the country will attack or be attacked in the next decade.

Despite the threat, Americans also believe both the government and private sector networks are ill prepared for a surge in cyber conflict.

An overwhelming 93 percent of respondents to the survey, conducted by Tenable Network Security, believe that U.S. corporations and businesses are at least somewhat vulnerable to state-sponsored attacks. And 95 percent believe U.S. government agencies themselves are at least somewhat, to very, vulnerable to cyber attacks.

Some 94 percent of survey respondents also say they support the President having the same level of authority to react to cyber attacks as he has to respond to physical attacks on the country.

One key takeaway: the survey revealed conflicting results about whether the public or private sector should be held accountable for protecting corporate networks.

Some 66 percent of respondents believe corporations should be held responsible for cyber breaches when they occur. But an almost equal number of Americans, 62 percent – say government should be responsible for protecting U.S. businesses from cyber attacks.

The survey results come just days after President Barack Obama issued an executive order on sharing cyber threat information.

Check out I.I.I. facts and statistics on cyber security here.

Job bias charges reported to the U.S. Equal Employment Opportunity Commission (EEOC) remained close to a record high of nearly 100,000 in fiscal year 2012, even as the volume of cases fell.

The EEOC confirmed that it received a record 99,412 charges of private sector employment discrimination in fiscal year 2012, down slightly (-0.5 percent) from last year’s total.

Monetary relief obtained for victims totaled $365.4 million – the largest amount of monetary recovery from private sector and state and local government employers through its administrative process, the EEOC said.

The year-end data show that retaliation (37,836), race (33,512) and sex discrimination (30,356), which includes allegations of sexual harassment and pregnancy, were, respectively, the most frequently filed charges.

Retaliation charges under all statutes enforced by the EEOC again rose by 1.3 percent in FY 2012, after increasing by 3 percent in FY 2011.

The number of charges alleging sex discrimination (30,356) increased by 6 percent, while charges based on disability discrimination (26,379) were up 3 percent.

The EEOC also received 280 charges under the Genetic Information Nondiscrimination Act, which prohibits discrimination on the basis of genetic information, including family medical history.

In a press release, the EEOC said it achieved a significant reduction in its charge inventory for a second consecutive year, something not seen since 2002. The pending inventory of private sector charges was reduced by 10 percent from fiscal year 2011, bringing the inventory level to 70,312.

Business Insurance has more on this story.

The EEOC numbers again underscore the importance of employment practices liability insurance for businesses. Check out I.I.I. facts and statistics on EPL insurance.

Next Page »