Specialty Coverage


The financial impact of cyber exposures is close to exceeding those of traditional property, yet companies are reluctant to purchase cyber insurance coverage.

These are the striking findings of a new Ponemon Institute  survey sponsored by Aon.

Companies surveyed estimate that the value of the largest loss (probable maximum loss) that could result from theft or destruction of information assets is approximately $617 million, compared to an average loss of $648 million that could result from damage or total destruction of property, plant and equipment (PP&E).

Yet on average, only 12 percent of information assets are covered by insurance. By comparison, about 51 percent of PP&E assets are covered by insurance.

The survey found that self-insurance is higher for information assets at 58 percent, compared to 28 percent for PP&E.

In some ways, these results are not surprising.

Cyber insurance is a relatively new product, and while interest continues to increase, it will take time for the purchase rate to catch up with traditional insurances.

That said, the values at stake are enormous and as the report states, the likelihood of loss is higher for information assets than PP&E.

Another important takeaway from the survey is that business disruption has a much greater impact on information assets ($207 million) than on PP&E ($98 million).

This suggests the fundamental nature of probable maximum loss (PML) varies considerably for intangible assets vs. tangible assets, Ponemon says.

Business disruption represents 34 percent of the PML for information assets, compared to only 15 percent of the PML for PP&E.

A footnote states that while the survey results suggest PML in the neighborhood of $200 million, a growing number of companies are using risk analysis and modeling to suggest potential losses in excess of $500 million to over $1 billion and seek cyber insurance limit premium quotes and policy terms for such amounts.

More information on the growth in cyber insurance is available from the I.I.I. here.

Some 2,243 individuals involved in cyber and enterprise risk management at companies in 37 countries responded to the Ponemon survey.

The Kentucky Derby is upon us and insurers are more than just spectators at this major sporting event.

Bloodstock and equestrian insurance is big business with underwriters who specialize in offering tailored protection for high value animals.

Consider the staggering values at stake. A BloombergBusiness article by Mason Levinson tells the tale of American thoroughbred racehorse Tapit.

Tapit began his stud career with an initial stallion fee of $15,000. That fee has soared 20-fold in the past decade and in 2015 Tapit will generate over $30 million for his owners.

Why?

Tapit’s offspring tend to win races.

As Bloomberg reports:

By 2009, his offspring’s racetrack earnings placed him 28th on a national ranking of stallions, according to data compiled by the Bloodhorse. He climbed to 12th the next year, then third in 2011 and first in 2014, a position he has maintained over the first four months of this year.”

One of Tapit’s sons, Frosted, is a top contender in Saturday’s Kentucky Derby.

Today, Tapit’s total value is estimated at about $120 million, the article reports.

Luckily, there’s insurance for that. Whether you own racehorses, stallions, broodmares, or showjumpers, insurers are able to tailor a policy that meets your needs.

A bloodstock insurance policy typically would cover a number of different risks.

For example, all risks mortality would cover the value of the animal if it dies as a result of accident, disease or illness. Theft can also be covered, as well as loss of use (covering financial loss) and public liability.

If you run an equine breeding program, permanent infertility insurance is another important coverage. Stallions are the “calling card” of a major farm and can be synonymous with the farm’s name and reputation.

If a stallion becomes permanently impotent, infertile, or incapable of serving mares, it can be a huge setback for the owner, breeder or shareholder. This important coverage protects one of their most valuable assets.

Perhaps one of the most high-profile equine insurance claims over the years involved the death of thoroughbred Alydar in 1990. Check out this Blood-Horse feature article by Tom Dixon, the Lloyd’s of London insurance adjuster who was first on the scene when Alydar was found in his stall at Calumet Farm with a broken leg.

The decision by Texas-based Blue Bell Creameries to recall all of its products after two samples of its ice cream tested positive for listeria is a timely reminder of the importance of product recall insurance.

Product recalls can be costly and logistically complex. In Blue Bell Creameries’ case the expanded voluntary recall announced Monday night includes ice cream, frozen yogurt, sherbet and frozen snacks distributed in 23 states and international locations.

Blue Bell said it was pulling its products “because they have the potential to be contaminated with listeria.”

The company had issued an earlier more limited recall last month after the U.S. Centers for Disease Control and Prevention (CDC) linked ice cream contaminated with listeria to three deaths in Kansas.

As of April 21, 2015, the CDC says a total of 10 people with listeriosis related to this outbreak have been confirmed from four states.

A 2014 report by Aon notes that the number of product recalls in the United States and Canada for both food products and nonfood products continues to grow year over year.

Each year, hundreds of products are recalled in the U.S. Some historically significant recall events have included such well-known brands as Tylenol, Perrier, Firestone Tires, Pepsi and Coca-Cola.

The Insurance Information Institute (I.I.I.) reminds us that product recalls can be financially devastating and potentially put a company out of business. No organization is immune to the risk of a product recall—even those with the best safety records, operational controls and manufacturing oversight.

In a post in the Wall Street Journal’s Morning Risk Report, crisis management experts note that how well a company succeeds at regaining customer trust following a product recall will likely determine whether it recovers from the negative hit to its reputation and bottom line.

True. Insurance can also help defray the financial hit on a company.

Product recall insurance helps cover a wide range of costs including advertising and promotional expenses to launch a recall, as well as the costs related to product destruction and disposal, business interruption and repairing a damaged reputation, the I.I.I. says.

Another coverage worth considering is product contamination insurance, which protects a company’s bottom line in the event its product is accidentally or maliciously contaminated.

A new report from across the pond points to a large gap in awareness when it comes to cyber risk and the use of insurance among business leaders of some of the UK’s largest firms.

Half of the leaders of these organizations do not realize that cyber risks can be insured despite the escalating threat, the report found.

Business leaders who are aware of insurance solutions for cyber tend to overestimate the extent to which they are covered. In a recent survey, some 52 percent of CEOs of large organizations believe that they have cover, whereas in fact less than 10 percent does.

Actual penetration of standalone cyber insurance among UK large firms is only 2 percent and this drops to nearly zero for smaller companies, according to the report.

While this picture is likely a result of the complexity of insurance policies with respect to cyber, with cyber sometimes included, sometimes excluded and sometimes covered as part of an add-on policy, the report says:

This evidence suggests a failure by insurers to communicate their value to business leaders in coping with cyber risk. This may, in part, reflect the new and therefore uncertain nature of this risk, with boards more focused on security improvement and recovery planning than on risk transfer. It nevertheless risks leaving insurance marginalized from one of the key risks facing firms.”

Senior managers in some of the UK’s largest firms were interviewed for the report published jointly by the British government and Marsh, with expert input from 13 London market insurers.

As a first step to raising awareness, Lloyd’s, the Association of British Insurers (ABI) and the UK government have agreed to develop a guide to cyber insurance that will be hosted on their websites.

Reuters has more on the report here.

Cyber attacks against businesses may dominate the news headlines, but recent events point to the growing number and range of cyber threats facing public entities and government agencies.

City officials yesterday confirmed that city and county computer systems in Madison, Wisconsin were being targeted by cyber attackers in retaliation for the shooting death of Tony Robinson, an unarmed biracial man, by a Madison police officer last Friday. A Reuters report says the cyber attack is thought to have been initiated by hacker group Anonymous.

Then on Sunday the website of Colonial Williamsburg was hit in a cyber attack attributed to ISIS. The attack targeted the history.org website and comes just a week after the living history museum offered to house artifacts at risk of destruction in Iraq.

Meanwhile, Florida’s top law enforcement agency is reported to be investigating testing delays in public school districts caused by cyber attacks on the Florida Standards Assessment (FSA) testing system.

And a recent cyber attack at multiple New York City agencies including the office of the NYC mayor recently took down computer systems for most of a day.

There are many more examples.

Given the large amounts of confidential data held by public entities and government agencies, it’s not surprising that they are a target for cyber attacks.

Last year data breaches in the government/military sector accounted for 11.7 percent of U.S. breach incidents, according to the Identity Theft Resource Center (ITRC).

A GAO report here points to the cyber security risk to Federal agencies and critical infrastructure.

In a viewpoint at American City & County blog, Robin Leal, underwriting director at Travelers Public Sector Services recently warned of the growing cyber risks facing public sector organizations.

Leal cited data from a survey at the 2014 Public Risk Management Conference and 2014 National Association of Counties (NACo) conference showing that public officials’ confidence in their cyber protections is alarmingly low.

Only 13 percent of respondents to the survey were “very confident” that their public entity has adequate protection against cyber threats.

As well as written policies and procedures to handle cyber threats, Leal said public entities should consider cyber insurance.

Only 10 percent of current public sector clients add cyber protections to existing insurance policies, and for the majority of new business submissions cyber insurance is not part of their current coverage, Leal noted.

Check out the I.I.I. white paper Cyber Risks: The Growing Threat.

As a longtime Madonna fan and as a parent of two young cape-wearing superheroes, I was concerned to read of the 56-year-old star’s fall on stage – view here – during the closing performance at the UK’s Brit Awards earlier this week.

The Queen of Pop apparently suffered whiplash in the incident as she was dragged backwards when the tightly tied Armani cape she was wearing wouldn’t come undone.

Madonna managed to go on with the show, but it’s good to know that if she hadn’t there’s insurance for that.

From providing appearance/event cancellation coverage, to insuring celebrity body parts, to writing death and disgrace policies, specialist insurers play a major role in providing protection to the stars – and the companies that promote and sponsor them.

For example, through the years the Lloyd’s insurance market has insured a long line of celebrities and celebrity body parts.

This Lloyd’s article notes that Rolling Stones guitarist Keith Richards’ hands were insured for $1.6 million, while Marlene Dietrich insured her voice for $1 million and actress Bette Davis once insured her waistline against expansion to the tune of $28,000.

More recently, in 2006, soccer giant David Beckham’s legs were insured for £100 million and in 2007, Ugly Betty television star America Ferrera’s smile was insured for $10 million.

Whether a musician, sports star, TV personality, or a top chef, each celebrity risk profile comes with its own unique set of risks, according to the individual’s occupation, health, lifestyle and associated risks.

Another type of celebrity fall from grace is covered by a recently launched product from AIG’s Lexington Insurance Company. Known as Celebrity Product RecallResponse, the new product covers companies in the event of a celebrity endorser’s public fall from grace, scandal or unexpected death.

Basically, the product covers certain costs incurred by companies to recall products bearing a celebrity endorser’s name and image.

AIG says the insurance is triggered when “significant news media coverage of an endorser’s actual or alleged criminal act or other distasteful conduct that results in (or is likely to result in) public contempt for the individual and a significant adverse impact on a company’s product.”

As Jeremy Johnson, president and CEO of Lexington Insurance Company, notes:

In this age of social media and instant news, reports of indiscretions by celebrities or high profile athletes can spread worldwide instantly, with swift, adverse implications for products or brands associated with the individual.”

Just another example of how innovative insurance can be.

Just in time for Valentine’s Day Jim Lynch brings us a heartfelt tale of love and insurance:

Last year I wrangled a review copy of Love Insurance, a century-old novel by Earl Derr Biggers, whose better known works created Charlie Chan in a spectacularly unsuccessful attempt to sweep away anti-Chinese stereotypes. The book was re-released by London’s Hesperus Press.

2015.02.03 PHOTO Love insurance

The story: A member of the British peerage buys a Lloyd’s policy that will pay him £75,000 if his impending marriage falls through. To protect his investment, the underwriter sends an earnest delegate to monitor the engagement. Earnest delegate falls in love with fiancée. They end up together despite several plot twists, most not memorable to me six weeks after finishing the book. So unfortunately I cannot recommend the work.

I do remember the insurance policy: £7,500 for a £75,000 limit. The cash-strapped lord can’t afford more cover – he’s marrying into an American fortune, a fact that addresses adverse selection.

Anyhow, as you can see above the policy is priced at 10 percent rate on line. Back then, the load for expenses and profit was a factor like 100/80ths or 100/75ths. Stripping that from the rate on line implies the underwriter and the lord implicitly agreed the probability the policy would pay was between 7.5 percent and 8 percent.

When you’re an actuary, you think like that.

These days wedding insurance covers calamities from the event, not of the heart, as the linked I.I.I. article and video explain.

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be reticent of going to the other extreme, limiting data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

Reputational risk is among the most challenging to insure, says I.I.I.’s VP of Communications Loretta Worters in this timely tale of Uber shenanigans:

There’s no such thing as bad publicity, the old saying goes. But the publicity ridesharing company Uber is getting lately may not just harm its image, but can hurt its bottom line. And for a business valued by some at north of $50 billion, that’s a world of hurt!

The latest trouble for the beleaguered rideshare titan started earlier this week when SVP of Business Emil Michael was reported by BuzzFeed to have said that the company should initiate a million-dollar “smear campaign” against journalists. Worse still was CEO Travis Kalanick’s response, a rambling 13-tweet condemnation of Michael’s on-the-record screed. (To date, however, Michael still has his job.) Jumping into the fray was Uber investor Ashton Kutcher, who defended the company for “digging up dirt” on journalists.

A company’s reputation is core to its profitability and long-term competitiveness. And the challenges from social media and other interactive online platforms often force businesses to respond immediately. This in part explains why damage from reputational risk events oftentimes does not result from the initial crisis, but from how well the company responds to it.

This isn’t exactly the first time Uber has “stepped in it.” However, leaving aside Uber’s occasional self-destructive missteps, how vulnerable is Uber or any other company with a capricious C-suite?

Reputational risk is among the most challenging categories of risk to manage, according to 92 percent of companies responding to a survey from ACE Group. Fully 81 percent of respondents view reputation as their most significant asset—and most of them admit that they struggle to protect it. The report also suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

While Uber’s Kalanick acknowledged his company needs to repair its image, he clearly would benefit from reputational risk insurance and the expertise of a risk manager—even if that risk manager’s counsel amounts to: “dude, shut UP!”

Reputational risk is not covered under a typical business policy, but companies can purchase coverage as a stand-alone policy which typically pays fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs such as research, events, social media, and directly associated activities.

New reputation insurance products have started to emerge in the marketplace that cover financial losses caused by bad news that harms a company’s profits. For example, Aon with Zurich, Willis and Chartis among others have come out with policies that address the exposures of reputational risk and offer risk management services to help corporations keep their reputations intact.

One thing is clear: as the rideshare business grows more competitive, Kalanick will need to do better at projecting a positive image. And if he took a cue from his own product, and let somebody else do the driving for a change, Kalanick would be following the lead of many a troubled CEO before him.

For information on the insurance implications of ride-sharing, check out this handy Q&A.

A second annual survey from Experian and the Ponemon Institute appears to show that more companies are prepared for a data breach, and that cyber insurance policies are becoming a more important part of those preparedness plans.

The study, which surveyed 567 executives in the United States, found that 73 percent of companies now have data breach response plans in place, up from 61 percent in 2013. Similarly, 72 percent of companies now have a data breach response team, up from 67 percent last year.

In the last year the purchase of cyber insurance by those companies has more than doubled, with 26 percent now saying they have a data breach or cyber policy, up from just 10 percent in 2013.

However, this means that two-thirds of respondents – 68 percent – are still not buying cyber policies. (Six percent of respondents are also unsure whether their company has cyber insurance.)

Interestingly, the fact that more companies have data breach response plans in place does not appear to instill greater confidence that they are effective.

Despite the existence of plans, only 30 percent of respondents say their companies are effective or very effective in developing and executing a data breach plan, the survey found.

Why are the plans not effective?

The survey indicates that in many cases a breach response plan is largely ignored after being prepared.

Some 41 percent of respondents say there is no set time for reviewing and updating the plan, while 37 percent say they have not reviewed or updated the plan since it was put in place.

All of this comes as the frequency of data breaches is accelerating. Some 60 percent of respondents say their company experienced more than one data breach in the past two years, up from 52 percent in 2013. And 43 percent say their company had a data breach in the last year, up from 33 percent in 2013.

Check out the latest I.I.I. white paper on this topic Cyber Risks: The Growing Threat.

More on this story from the Wall Street Journal’s Risk & Compliance Report.

Next Page »