Specialty Coverage


A new report from across the pond points to a large gap in awareness when it comes to cyber risk and the use of insurance among business leaders of some of the UK’s largest firms.

Half of the leaders of these organizations do not realize that cyber risks can be insured despite the escalating threat, the report found.

Business leaders who are aware of insurance solutions for cyber tend to overestimate the extent to which they are covered. In a recent survey, some 52 percent of CEOs of large organizations believe that they have cover, whereas in fact less than 10 percent does.

Actual penetration of standalone cyber insurance among UK large firms is only 2 percent and this drops to nearly zero for smaller companies, according to the report.

While this picture is likely a result of the complexity of insurance policies with respect to cyber, with cyber sometimes included, sometimes excluded and sometimes covered as part of an add-on policy, the report says:

This evidence suggests a failure by insurers to communicate their value to business leaders in coping with cyber risk. This may, in part, reflect the new and therefore uncertain nature of this risk, with boards more focused on security improvement and recovery planning than on risk transfer. It nevertheless risks leaving insurance marginalized from one of the key risks facing firms.”

Senior managers in some of the UK’s largest firms were interviewed for the report published jointly by the British government and Marsh, with expert input from 13 London market insurers.

As a first step to raising awareness, Lloyd’s, the Association of British Insurers (ABI) and the UK government have agreed to develop a guide to cyber insurance that will be hosted on their websites.

Reuters has more on the report here.

Cyber attacks against businesses may dominate the news headlines, but recent events point to the growing number and range of cyber threats facing public entities and government agencies.

City officials yesterday confirmed that city and county computer systems in Madison, Wisconsin were being targeted by cyber attackers in retaliation for the shooting death of Tony Robinson, an unarmed biracial man, by a Madison police officer last Friday. A Reuters report says the cyber attack is thought to have been initiated by hacker group Anonymous.

Then on Sunday the website of Colonial Williamsburg was hit in a cyber attack attributed to ISIS. The attack targeted the history.org website and comes just a week after the living history museum offered to house artifacts at risk of destruction in Iraq.

Meanwhile, Florida’s top law enforcement agency is reported to be investigating testing delays in public school districts caused by cyber attacks on the Florida Standards Assessment (FSA) testing system.

And a recent cyber attack at multiple New York City agencies including the office of the NYC mayor recently took down computer systems for most of a day.

There are many more examples.

Given the large amounts of confidential data held by public entities and government agencies, it’s not surprising that they are a target for cyber attacks.

Last year data breaches in the government/military sector accounted for 11.7 percent of U.S. breach incidents, according to the Identity Theft Resource Center (ITRC).

A GAO report here points to the cyber security risk to Federal agencies and critical infrastructure.

In a viewpoint at American City & County blog, Robin Leal, underwriting director at Travelers Public Sector Services recently warned of the growing cyber risks facing public sector organizations.

Leal cited data from a survey at the 2014 Public Risk Management Conference and 2014 National Association of Counties (NACo) conference showing that public officials’ confidence in their cyber protections is alarmingly low.

Only 13 percent of respondents to the survey were “very confident” that their public entity has adequate protection against cyber threats.

As well as written policies and procedures to handle cyber threats, Leal said public entities should consider cyber insurance.

Only 10 percent of current public sector clients add cyber protections to existing insurance policies, and for the majority of new business submissions cyber insurance is not part of their current coverage, Leal noted.

Check out the I.I.I. white paper Cyber Risks: The Growing Threat.

As a longtime Madonna fan and as a parent of two young cape-wearing superheroes, I was concerned to read of the 56-year-old star’s fall on stage – view here – during the closing performance at the UK’s Brit Awards earlier this week.

The Queen of Pop apparently suffered whiplash in the incident as she was dragged backwards when the tightly tied Armani cape she was wearing wouldn’t come undone.

Madonna managed to go on with the show, but it’s good to know that if she hadn’t there’s insurance for that.

From providing appearance/event cancellation coverage, to insuring celebrity body parts, to writing death and disgrace policies, specialist insurers play a major role in providing protection to the stars – and the companies that promote and sponsor them.

For example, through the years the Lloyd’s insurance market has insured a long line of celebrities and celebrity body parts.

This Lloyd’s article notes that Rolling Stones guitarist Keith Richards’ hands were insured for $1.6 million, while Marlene Dietrich insured her voice for $1 million and actress Bette Davis once insured her waistline against expansion to the tune of $28,000.

More recently, in 2006, soccer giant David Beckham’s legs were insured for £100 million and in 2007, Ugly Betty television star America Ferrera’s smile was insured for $10 million.

Whether a musician, sports star, TV personality, or a top chef, each celebrity risk profile comes with its own unique set of risks, according to the individual’s occupation, health, lifestyle and associated risks.

Another type of celebrity fall from grace is covered by a recently launched product from AIG’s Lexington Insurance Company. Known as Celebrity Product RecallResponse, the new product covers companies in the event of a celebrity endorser’s public fall from grace, scandal or unexpected death.

Basically, the product covers certain costs incurred by companies to recall products bearing a celebrity endorser’s name and image.

AIG says the insurance is triggered when “significant news media coverage of an endorser’s actual or alleged criminal act or other distasteful conduct that results in (or is likely to result in) public contempt for the individual and a significant adverse impact on a company’s product.”

As Jeremy Johnson, president and CEO of Lexington Insurance Company, notes:

In this age of social media and instant news, reports of indiscretions by celebrities or high profile athletes can spread worldwide instantly, with swift, adverse implications for products or brands associated with the individual.”

Just another example of how innovative insurance can be.

Just in time for Valentine’s Day Jim Lynch brings us a heartfelt tale of love and insurance:

Last year I wrangled a review copy of Love Insurance, a century-old novel by Earl Derr Biggers, whose better known works created Charlie Chan in a spectacularly unsuccessful attempt to sweep away anti-Chinese stereotypes. The book was re-released by London’s Hesperus Press.

2015.02.03 PHOTO Love insurance

The story: A member of the British peerage buys a Lloyd’s policy that will pay him £75,000 if his impending marriage falls through. To protect his investment, the underwriter sends an earnest delegate to monitor the engagement. Earnest delegate falls in love with fiancée. They end up together despite several plot twists, most not memorable to me six weeks after finishing the book. So unfortunately I cannot recommend the work.

I do remember the insurance policy: £7,500 for a £75,000 limit. The cash-strapped lord can’t afford more cover – he’s marrying into an American fortune, a fact that addresses adverse selection.

Anyhow, as you can see above the policy is priced at 10 percent rate on line. Back then, the load for expenses and profit was a factor like 100/80ths or 100/75ths. Stripping that from the rate on line implies the underwriter and the lord implicitly agreed the probability the policy would pay was between 7.5 percent and 8 percent.

When you’re an actuary, you think like that.

These days wedding insurance covers calamities from the event, not of the heart, as the linked I.I.I. article and video explain.

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be reticent of going to the other extreme, limiting data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

Reputational risk is among the most challenging to insure, says I.I.I.’s VP of Communications Loretta Worters in this timely tale of Uber shenanigans:

There’s no such thing as bad publicity, the old saying goes. But the publicity ridesharing company Uber is getting lately may not just harm its image, but can hurt its bottom line. And for a business valued by some at north of $50 billion, that’s a world of hurt!

The latest trouble for the beleaguered rideshare titan started earlier this week when SVP of Business Emil Michael was reported by BuzzFeed to have said that the company should initiate a million-dollar “smear campaign” against journalists. Worse still was CEO Travis Kalanick’s response, a rambling 13-tweet condemnation of Michael’s on-the-record screed. (To date, however, Michael still has his job.) Jumping into the fray was Uber investor Ashton Kutcher, who defended the company for “digging up dirt” on journalists.

A company’s reputation is core to its profitability and long-term competitiveness. And the challenges from social media and other interactive online platforms often force businesses to respond immediately. This in part explains why damage from reputational risk events oftentimes does not result from the initial crisis, but from how well the company responds to it.

This isn’t exactly the first time Uber has “stepped in it.” However, leaving aside Uber’s occasional self-destructive missteps, how vulnerable is Uber or any other company with a capricious C-suite?

Reputational risk is among the most challenging categories of risk to manage, according to 92 percent of companies responding to a survey from ACE Group. Fully 81 percent of respondents view reputation as their most significant asset—and most of them admit that they struggle to protect it. The report also suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

While Uber’s Kalanick acknowledged his company needs to repair its image, he clearly would benefit from reputational risk insurance and the expertise of a risk manager—even if that risk manager’s counsel amounts to: “dude, shut UP!”

Reputational risk is not covered under a typical business policy, but companies can purchase coverage as a stand-alone policy which typically pays fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs such as research, events, social media, and directly associated activities.

New reputation insurance products have started to emerge in the marketplace that cover financial losses caused by bad news that harms a company’s profits. For example, Aon with Zurich, Willis and Chartis among others have come out with policies that address the exposures of reputational risk and offer risk management services to help corporations keep their reputations intact.

One thing is clear: as the rideshare business grows more competitive, Kalanick will need to do better at projecting a positive image. And if he took a cue from his own product, and let somebody else do the driving for a change, Kalanick would be following the lead of many a troubled CEO before him.

For information on the insurance implications of ride-sharing, check out this handy Q&A.

A second annual survey from Experian and the Ponemon Institute appears to show that more companies are prepared for a data breach, and that cyber insurance policies are becoming a more important part of those preparedness plans.

The study, which surveyed 567 executives in the United States, found that 73 percent of companies now have data breach response plans in place, up from 61 percent in 2013. Similarly, 72 percent of companies now have a data breach response team, up from 67 percent last year.

In the last year the purchase of cyber insurance by those companies has more than doubled, with 26 percent now saying they have a data breach or cyber policy, up from just 10 percent in 2013.

However, this means that two-thirds of respondents – 68 percent – are still not buying cyber policies. (Six percent of respondents are also unsure whether their company has cyber insurance.)

Interestingly, the fact that more companies have data breach response plans in place does not appear to instill greater confidence that they are effective.

Despite the existence of plans, only 30 percent of respondents say their companies are effective or very effective in developing and executing a data breach plan, the survey found.

Why are the plans not effective?

The survey indicates that in many cases a breach response plan is largely ignored after being prepared.

Some 41 percent of respondents say there is no set time for reviewing and updating the plan, while 37 percent say they have not reviewed or updated the plan since it was put in place.

All of this comes as the frequency of data breaches is accelerating. Some 60 percent of respondents say their company experienced more than one data breach in the past two years, up from 52 percent in 2013. And 43 percent say their company had a data breach in the last year, up from 33 percent in 2013.

Check out the latest I.I.I. white paper on this topic Cyber Risks: The Growing Threat.

More on this story from the Wall Street Journal’s Risk & Compliance Report.

Companies large and small appear to have been targeted in what is being described as the largest known data breach to date.

As first reported by The New York Times, a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.

The NYT said it had a security expert not affiliated with Hold Security analyze the database of stolen credentials and confirm its authenticity.

The records, discovered by security experts Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.

According to Hold Security’s own report, the hackers didn’t just target large companies. They targeted every site that their victims visited:

With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

The NYT said so far the criminals have not sold many of the records online, but appear to be using it to send spam on social networks.

If ever there was a reason to research – and buy – cyber insurance, this would be it.

In its recently published paper Cyber Risks: The Growing Threat, the Insurance Information Institute (I.I.I.) notes that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.

Following the Target data breach and other high profile breaches, the I.I.I. said the number of specialist cyber insurance policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks.

It cited data from broker Marsh showing a 21 percent increase in the number of clients purchasing cyber insurance from 2012 to 2013. That growth is accelerating in 2014.

Meanwhile, a new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information.

According to the report’s authors:

The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies.”

It suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly-likely targets to better understand corporate preparedness and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

No industry sector is immune from cyber threats, and a round-up of recent headlines and reports underscores the increasing risk and cost businesses face.

Just this week, U.S. Treasury Secretary Jacob Lew urged financial institutions and firms to redouble their efforts against cyber threats and said information-sharing and collaboration among businesses and with government is key.

Speaking at a conference in New York, Secretary Lew noted that the consequences of cyber incidents are serious and our cyber defenses are not yet where they need to be:

Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more. In particular, it is imperative that firms collaborate with government agencies and with other firms. Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents. But this reluctance has to be put aside.”

Secretary Lew noted that some banks are already spending as much as $250 million a year to strengthen their cyber security. (Note: this is a cost borne by businesses).

Meanwhile, a new report from the New York attorney general’s office revealed that the number of reported data security breaches in the state more than tripled between 2006 and 2013, with some 22.8 million personal records of New Yorkers exposed in nearly 5,000 data breaches.

The cost to the public and private sectors in New York? In 2013 alone, upward of $1.37 billion, according to the report’s findings.

The Insurance Information Institute’s (I.I.I.) newly updated report Cyber Risks: The Growing Threat (of which I am a co-author) sheds light on the specialist cyber insurance policies developed by insurers to help businesses and individuals protect themselves from the cyber threat.

Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding rapidly in response to this fast-growing market need.

I.I.I. facts and stats on identity theft and cyber security are available here.

If a strong hurricane were to pass through the Gulf of Mexico the overall effect on U.S. oil and natural gas supply would not be as severe as in past years, due to declining production in the region, according to a report from the U.S. Energy Information Administration (EIA).

However, Artemis blog warns that this won’t change the potential impact to insurers and reinsurers, particularly with the removal and decommissioning of rigs also being insured.

In its post, Artemis notes that the reinsurance and insurance-linked securities (ILS) market in recent years has been placing an increasing focus on gaining access to underwriting energy risks, particularly physical damage risks due to storms and earthquakes.

With an increasing amount of ILS capital at risk in the Gulf of Mexico, as well as on the shore through catastrophe bonds and collateralized reinsurance, the exposure to hurricane impacts on the oil and gas production network in and around the Gulf is growing.”

The EIA estimates that up to 11.6 million barrels of crude oil and 29.7 billion cubic feet of natural gas production could be disrupted by storms during the 2014 Atlantic hurricane season. Its estimate is based on NOAA’s Atlantic Hurricane Season Outlook released May 22.

NOAA expects that 8 to 13 named storms are likely to form within the Atlantic Basin over the next six months, including 3 to 6 hurricane, of which 1 to 2 will be intense.

In recent years offshore energy production has experienced relatively minor disruptions due to tropical weather, the EIA reports. However, a single strong storm can cause significant levels of shut-in production:

During September of 2008, category-4 hurricanes Gustav and Ike at one point caused nearly 100 percent of production capacity to be shut in. EIA estimates that these two storms (along with a tropical storm in July) resulted in the loss of 25 percent of the GOM crude oil and natural gas that would have been produced during the 2008 hurricane season.”

Check out the EIA chart showing recent impact of storms on GOM oil and natural gas production:

Check out I.I.I. facts and statistics on energy.

Next Page »