Category Archives: Specialty Coverage

What IoT Cyber Attacks Mean for Insurers

The massive global distributed denial of service (DDoS) attack against internet infrastructure provider Dyn DNS Co., which left over 1,000 major brand-name sites, including Twitter, Netflix, PayPal and Spotify, inaccessible on Friday, has implications for insurers too.

While the nature and source of the attack is under investigation, it appears to have been (in the words of Dyn chief strategy officer Kyle York) “a sophisticated, highly distributed attack involving tens of millions of Internet Protocol addresses.”

As Brian Krebs’ KrebsOnSecurity blog first reported, the attack was launched with the help of hacked Internet of Things (IoT) connected devices such as CCTV video cameras and digital video recorders (DVRs) that were infected with malicious software (in this case Mirai, which organized them into a botnet) that then flooded Dyn servers with junk traffic.

The World Economic Forum (WEF) recently warned that failing to understand and address risks related to technology, primarily the systemic cascading effects of cyber risks or the breakdown of critical information infrastructure, could have far-reaching consequences for national economies, economic sectors and global enterprises.

As the IoT leads to more connections between people and machines, cyber dependency will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem, the WEF noted.

While IoT connected devices have the potential to transform how businesses and individuals—and their insurers—conduct, manage and monitor their operations, workplaces and their homes, clearly there are embedded risks that insurers need to consider.

Over at Celent’s insurance blog, Donald Light, director of Celent’s North America property/casualty practice, says the Dyn DDoS attack has a number of potentially serious implications for insurers.

Light writes:

“An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholders and the insurer providing the discount to a variety of potential losses.”

If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses, Light suggests.

The Insurance Information Institute white paper on cyber threats and opportunities is available here.

Cyber Claims Costly To Businesses Large and Small

Data breaches can be costly, no matter how large or small an organization may be.

That’s a key takeaway of the latest NetDiligence study on cyber claims costs that analyzed 176 data breach claims submitted by insurers.

While the average claim for a large organization—at $6 million—was 10 times the average claim for a small organization, some of the largest claims in this year’s study came from smaller organizations with revenues of $2 billion or less.

This year’s dataset included 21 claims in excess of $1 million (12 percent), of which 81 percent (17 out of 21) involved nano-, micro- and small-revenue organizations that were victims either of hackers or of malware.

The largest legal costs (defense and settlements) in this year’s study were from two micro-organizations (revenues of $50 million to $300 million). One lost valuable trade secrets to a hacker, while the other exposed protected health information due to a lost laptop.

The combined legal costs for these two organizations ranged from $1.5 million to more than $4.5 million, NetDiligence said.

Interestingly, the average claim payout across the dataset was $495,000, while the median claim payout was $49,000.

The highest average claim payout—$1.3 million—was in the financial services sector.

The majority of claims (87 percent) submitted for analysis in this year’s study came from smaller organizations with revenues of $2 billion or less.

NetDiligence said this is in line with previous findings that smaller organizations experience most of the incidents. This is likely because there are simply more small organizations than large ones.

Other contributing factors may be that smaller organizations are less aware of their exposure or they have fewer resources to provide appropriate data protection and/or security awareness training for employees, NetDiligence said.

This underscores the growing need for smaller companies to purchase cyber insurance.

While many leading cyber liability insurers are participating in the study, NetDiligence noted that there are many insurers that have not yet processed enough cyber claims to be able to participate.

“It is our sincerest hope that each year more and more insurers and brokers will participate in this study—that they share more claims and more information about each claim—until it truly represents the cyber liability insurance industry overall.”

Allergic Reaction: EpiPen Needed to Restore Reputation

As the mother of a young child with a life-threatening nut and sesame allergy, I find it hard to remain objective and impartial when it comes to a company increasing the price of EpiPen, the life-saving allergy injector, by more than 400 percent since 2007.

However, the latest example of a company facing a public backlash, political pressure and social media storm due to its business practices illustrates the importance of having the necessary resources in place to mitigate the effects of a reputational risk crisis if and when it occurs.

As we noted in an earlier blog post, reputational risk is among the most challenging categories of risk to manage. A survey from ACE Group found that 81 percent of companies view reputation as their most significant asset—and most of them admit that they struggle to protect it.

The survey suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

Mylan, the company at the center of the EpiPen controversy, has moved quickly to respond to the angry mob and to stem the drop in its share price which has so far lost investors $3 billion.

Yesterday, Mylan’s CEO Heather Bresch went on CNBC to announce the company was increasing financial assistance to patients to offset out-of-pocket costs of the EpiPen.

However, as The New York Times reports, Mylan did not say it would lower the list price — which has risen to about $600 for a pack of two EpiPens, from about $100 when Mylan acquired the product in 2007.

By the way, actress Sarah Jessica Parker also announced she is ending her relationship with Mylan after the pricing debacle broke.

Wherever you stand in this debate, the reality is that the pharmaceutical industry is for-profit, as noted by Ms. Bresch, and in the absence of a competitor or a generic, EpiPen is the latest example of a company trying to maximize profit.

Reputational risk is not covered by a standard business insurance policy, but companies can purchase coverage via a stand-alone policy which typically would pay fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs including research, events, social media and directly associated costs.

Newer reputation insurance products have also been developed that would cover a company’s financial losses due to reputational and brand damages.

In the meantime, in a climate of increased public, regulatory and investor scrutiny, the Mylan case is a good example of why companies need to be more proactive than ever in responding to challenges before they do serious damage to their brand and reputation.

Banner Health Breach: Are You Covered?

Up to 3.7 million payment card and patient medical records are reported to have been compromised in a cyber attack at Phoenix, Arizona-based healthcare provider Banner Health, underscoring the threat faced by the medical/healthcare sector.

Beginning June 17, the attack targeted Banner Health patients, health plan members, healthcare providers and retail customers.

On its website, Banner Health said it had discovered in early July that cyber attackers may have gained unauthorized access to computer systems targeting payment card data at food and beverage locations, including cardholder name, card number, expiration date and internal verification code.

In late July, Banner Health also discovered that patient information, health plan member and beneficiary information may have been compromised—including names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers.

Physician and provider information may also have been compromised, including names, addresses, dates of birth, social security numbers and other identifiers.

As investigators look into the specifics of this breach, a glance at the numbers reveals that Banner Health will almost double the number of records compromised in U.S. data breaches targeting the medical/healthcare sector in 2016, per figures released by the Identity Theft Resource Center (ITRC).

As of August 2, 2016, some 206 data breach events, exposing just under 5 million records, had been tracked against the medical/healthcare sector, according to the ITRC. Make that 207 data breaches, exposing 8.7 million records.

With Banner Health, total data breach events year-to-date will also rise to at least 573 breaches, with 17.2 million records exposed. (This does not account for any other data breaches that may have occurred since August 2).

A recent Ponemon report wisely reminded us that “no healthcare organization, regardless of size, is immune from data breach.”

In the last two years, the average cost of a data breach for healthcare organizations was estimated at more than $2.2 million, according to Ponemon.

“Data breaches in healthcare are increasingly costly and frequent, and continue to put patient data at risk. Based on the results of this study, we estimate that data breaches could be costing the healthcare industry $6.2 billion.”

Criminal attacks are currently the leading cause of breaches in healthcare, Ponemon said. All the more reason for cyber insurance to be purchased, as the I.I.I. advises in this white paper.

Insurers Ready for the Summer Olympics

Opening ceremonies for the 2016 Summer Olympics in Rio de Janeiro are just days away, and amid crime, security and public health concerns, it is the global insurance industry that provides the critical risk coverage needed for this sporting event to go ahead.

More than 10,000 athletes from 206 countries will come together in Rio to participate in a total of 665 events, which are expected to attract up to 500,000 international spectators as well as a considerable number of domestic tourists.

Approximately $1 billion in insurance is in place for this event, via a policy purchased by the International Olympic Committee (IOC), Business Insurance reports.

The policy, underwritten by major reinsurers Swiss Re and Munich Re, covers the IOC in the event the games need to be canceled due to a natural catastrophe, civil unrest, pandemic or terrorism.

It also covered the 2012 London Summer Olympics and the 2014 Winter Olympics in Sochi, Russia.

Terrorism coverage for the Olympic Village which will house the athletes, has been underwritten in the London and international markets, according to the Business Insurance article.

Though a major global sporting event gives terrorists a worldwide audience for spectacular attacks, London-based risk consulting firm Control Risks continues to assess the terrorism threat in Rio as low.

[Image: photo accompanying the post, dated 2016-08-01]

Bomb disposal experts detonated a controlled explosion Sunday night to destroy a suspicious package found at Maracana Stadium, site of the Olympics opening ceremonies (pictured above). There are also concerns about lone wolf attacks.

In a security briefing, Control Risks notes that there is no history of transnational terrorism in Brazil, and the country continues to rely heavily on its foreign policy (based on principles of multilateralism, peaceful settlement of disputes and non-interventionism) as a main source of protection.

Brazil has set up its largest security operation in history to address the unique challenges surrounding the event and its counter-terrorism strategy is built on the lessons learned from the country’s successful hosting of the 2014 World Cup.

Some 47,000 Brazilian security professionals have been deployed and the country is also relying on foreign expertise. In 2015, Brazil sent around 100 police officers abroad to learn about best practices for managing large international events, including the Boston and Berlin marathons, and the Tour de France.

In addition to the events taking place in Rio, the football tournament will also be held in five other cities: Manaus, Belo Horizonte, Brasília, Salvador and São Paulo. Some 38,000 members of the armed services as well as security forces will patrol the five football host cities.

Crime and public safety will be the most pressing concerns during the sporting events, Control Risks notes, though significant disruption to travel and logistics is also anticipated due to protests.

Tensions in many urban centers, including Rio de Janeiro, remain elevated as a result of Brazil’s ongoing political and economic crisis. While most demonstrations are likely to be peaceful, there is a credible risk of clashes between security forces and protesters, particularly if the security forces adopt a heavy-handed approach.

Control Risks advises companies to continue to monitor the situation closely.

While the Zika virus has been billed as the biggest public health threat, experts say the bigger concerns for visitors are actually traffic accidents, the flu and pollution.

Check out Insurance Information Institute facts and statistics on terrorism. Check out CDC guidance on the Zika virus in Brazil here.

Employment Matters Cost

If you’re a small or medium-sized business with fewer than 500 employees you might think that none of your employees would file discrimination charges against your company.

But a just-released survey by Hiscox dispels that myth, showing just how costly employment matters can be for small and medium-sized enterprises (SMEs)–and how important it is to have employment practices liability (EPL) insurance.

A representative study of 446 closed claims reported by SMEs with fewer than 500 employees found that some 19 percent of employment charges resulted in defense and settlement costs averaging a total of $125,000. On average, those matters took 275 days to resolve, Hiscox found.

While the average self-insured retention (deductible) for these charges was $35,000, without employment practices liability insurance, these companies would have been out of pocket by an extra $90,000, Hiscox said.

“Most employment matters don’t end up in court, but for those that do, the damages can be substantial,” Hiscox noted.

Its survey cites data showing the median judgment is approximately $200,000, which is in addition to the cost of defense. About 25 percent of cases result in a judgment of $500,000 or more.

Where a business is located can make a big difference in the potential employment exposure it faces.

The 2015 Hiscox Employee Lawsuit Handbook found states with the highest risk of employees filing lawsuits are: New Mexico (66 percent higher than national average), Washington DC (65 percent higher), Nevada (47 percent higher), Alabama (41 percent higher) and California (40 percent higher).

Overall, U.S.-based companies of all sizes have at least an 11.7 percent chance of having an employment charge filed against them, Hiscox found.

Claims Journal has more on this story here.

Wondering what’s covered by EPL insurance? The Insurance Information Institute (I.I.I.) explains all here.


Bucking the Rating Trend

Broker Willis has just published its commercial insurance rate predictions for 2016.

What’s the outlook for insurance buyers?

Overall, the property/casualty insurance market continues to soften and Willis predicts further softening ahead, fueled by relatively benign losses and an oversupply of capacity from traditional and non-traditional sources.

For 2016, 10 lines of insurance–property, casualty, aviation, energy, health care professional, marine, political risks, surety, terrorism and trade credit–are expecting decreases.

In contrast, just five lines of insurance–cyber, employee benefits, errors & omissions (E&O), fidelity and kidnap & ransom–are expecting increases.

The main exception to the overall softening trend is in cyber and E&O insurance, Willis reports, where the growing threat of cyber intrusion and data theft is sending rates upward.

By how much?

For retailers with POS (point-of-sale) exposures and large health care companies, rate increases are up to an eye-opening 150 percent at renewal, with additional increases on excess layers.

In fact, most buyers of cyber insurance are seeing primary premium increases of up to 15 percent, Willis says. For smaller organizations (with revenues of less than $1 billion), lower premium increases are typical.

What about terms and conditions?

Willis observes that underwriting requirements continue to rise and cyber insurers are also increasing retentions, reducing capacity and exiting certain sectors.

Despite the reduction in capacity by some carriers, available limits in the cyber marketplace are around $350 million to $400 million.

Willis also predicts the marketplace for first-time buyers of cyber insurance (except for POS retailers and large healthcare organizations) will continue with relatively favorable terms, conditions and pricing.

Willis offers this single piece of advice to buyers of cyber insurance:

“In approaching the markets, be ready to identify key investments in security and privacy protections over the past policy year that will help differentiate you from your peers.”

The I.I.I.’s new paper Cyber Risks: Threat and Opportunities sheds more light on the rapidly evolving market for cyber insurance.

Cyber Insurance: Growing and Innovating

The Internet of Things (IoT) is expanding rapidly–even permeating the minds of five-year-olds.

My own Kindergartener’s query from the back of the car during a routine drive to swim class the other day is a good example:

“Mummy, how did God know to create all these things that we need?” As I paused to consider the appropriate response, he answered for me: “You can just ask Siri, or Google it.”

Just how far we’ve come in our technological transformation is reflected by the development of innovative insurance products to cover the associated–and growing–risk.

A new white paper from the Insurance Information Institute (I.I.I.) Cyber Risk: Threat and Opportunity which I co-authored with I.I.I. president Dr. Robert Hartwig, offers us a glimpse of how cyber insurance has evolved as a product since the mid- to late-1990s.

From a coverage that has its origins in the so-called “Y2K” or Millennium bug that prompted fears the Year 2000 date change would cause widespread computer failure, cyber coverage in the U.S. took off in response to the enactment of numerous privacy and data breach notice laws across the country.

More than 60 insurance carriers now offer stand-alone cyber insurance policies, the I.I.I. says, and interest in this coverage continues to grow following numerous high profile data breaches. Broker Marsh estimates the U.S. cyber insurance market was worth over $2 billion in gross written premiums in 2014.

And while there are many guesstimates out there, PwC suggests the global cyber insurance market could grow to at least $7.5 billion in annual premiums by the end of the decade. PwC also suggests insurers need to move quickly to innovate before a disruptor such as Google enters the market.

No business or industry is immune from the cyber threat. Our paper takes a look at where the threats are coming from and the challenges that cyber insurers face writing this coverage given the rapidly evolving nature of cyber attacks.

How insurers manage these risks while creating products for this multi-billion market opportunity as the legal and regulatory landscape becomes more defined will determine how best we all are protected from cyber risks in the years to come.

Cybersecurity Governance Moves Up Boardroom Agenda

A poll of board directors and executives from Forbes Global 2000 companies finds that cybersecurity is being taken much more seriously in the boardroom these days, as is cyber insurance.

Nearly two-thirds (63 percent) of respondents to the study developed by the Georgia Tech Information Security Center (GTISC) say they are actively addressing computer and information security, up from 33 percent in 2012.

There has also been a significant shift in the number of boards reviewing cyber insurance. Nearly half (48 percent) of respondent boards were reviewing their company’s insurance for cyber-related risks, compared with just 28 percent in 2012.

However, the 2015 survey suggests there may be confusion over what type of insurance to purchase or appropriate coverage limits. Only about half of the respondents (47-54 percent) indicated that they had quantified their business interruption and loss exposure from cyber events.

Almost all boards (90 percent) are reviewing risk assessments, and an increasing number of them (53 percent) are hiring outside experts to assist on risk issues. Interestingly, the highest degree of attention was being paid to cyber risks associated with supplier relationships.

The survey, which was supported by Forbes, the Financial Services Roundtable (FSR), and Palo Alto Networks, found that some of the biggest improvements over time have been organizational.

For example, the majority of boards (53 percent) have established a risk committee, separate from the audit committee, with responsibility for oversight of cyber risk. In 2008, just 8 percent of boards had this in place.

The financial sector far exceeds other industry sectors with 86 percent having a board risk committee separate from the audit committee, followed by the IT/Telecom sector at 43 percent.

Another positive sign? Boards are now placing much more importance on risk and security experience when recruiting board directors, with 59 percent saying their board had a director with risk expertise, and nearly one quarter (23 percent) one with cybersecurity expertise.

Something to bear in mind: the response rate to the 2015 survey was low — with results received from just 6 percent, or 121 respondents at the board or senior executive level at 1,927 Forbes Global 2000 companies.

Cyber Business Interruption Risk Often Underestimated

Corporate data breaches and privacy concerns may dominate the headlines, but a new report by Allianz Global Corporate & Specialty makes the case that future cyber threats will come from business interruption (BI), intellectual property theft and cyber extortion.

The impact of BI from a cyber attack, or from operational or technical failure, is a risk that is often underestimated, according to Allianz.

It predicts that BI costs could be equal to–or even exceed–direct losses from a data breach, and says that business interruption exposures are particularly significant in sectors such as telecoms, manufacturing, transport, media and logistics.

Vulnerability of industrial control systems (ICS) to attack poses a significant threat, Allianz says.

To date, there have been accounts of centrifuges and power plants being manipulated, such as the 2012 malware attack that disabled tens of thousands of computers at oil company Saudi Aramco, disrupting operations for a week.

However, the damage could be much higher from security sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.

Business interruption can also be caused by technical failure or human error, Allianz notes.

For example, in July 2015, stocks worth $28 trillion were suspended for several hours on the New York Stock Exchange due to a computer glitch, and that same month 4,900 United Airlines flights were impacted by a network connectivity issue.

As a result, Allianz believes that within the next five to 10 years BI will be seen as a key risk and a major element of the cyber insurance landscape.

It points out that in the context of cyber and IT risks, BI cover can be very broad including business IT computer systems, but also extending to ICS used by energy companies or robots used in manufacturing.

Allianz currently estimates the cyber insurance market is worth around $2 billion in premium worldwide, with U.S. business accounting for around 90 percent of the market. However, the cyber market is expected to experience double-digit growth year-on-year and could reach in excess of $20 billion in the next 10 years.

The Allianz Cyber Risk Guide is available here.

Check out I.I.I. facts and statistics on cybercrime here.