Entries tagged with “Cyber Risks”.
Tuesday, November 24, 2015
Posted by Claire under Business Risk, Risk Management, Technology
There are many factors that can affect a company’s credit ratings and it appears that cyber risk is moving up a notch in importance in corporate credit analysis.
In a new report, ratings agency Moody’s Investors Service said it views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event.
“While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”
According to the report, “Cyber Risk of Growing Importance to Credit Analysis,” assessing how prepared an issuer or organization is for a cyber threat presents challenges, owing to the complexity of the problem.
Moody’s identifies several key factors to examine when determining a credit impact associated with a cyber event, including: nature and scope of the targeted assets or businesses; the duration of potential service disruptions; and the expected time to restore operations.
On a positive note, more cyber security expertise is being added to boards and trustee governance in response to the growing cyber threat.
A press release cites Jim Hempstead, Moody’s associate managing director and lead author of the report:
“We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”
Moody’s said industries housing significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies, are at greatest risk of large-scale data breaches resulting in serious reputational and financial damage.
Critical infrastructure sectors such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could result in large-scale service disruption, causing substantial economic—and possibly environmental—damages to sovereign, state and local governments or utilities.
However, Moody’s believes this type of attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.
Hat tip to Reuters for its article here.
Check out the I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.
Friday, November 13, 2015
Posted by Claire under Emerging Risks, Technology
There’s a lot of buzz around the Internet of Things (IoT), not least with latest forecasts from Gartner suggesting that 20.8 billion connected things will be in use worldwide by 2020.
Already the estimated number of connected things in 2016—6.4 billion, according to Gartner—is a 30 percent increase on 2015. In fact 5.5 million new things will get connected every day in 2016, Gartner predicts.
A press release notes:
“Aside from connected cars, consumer uses will continue to account for the greatest number of connected things, while enterprise will account for the largest spending.”
Gartner estimates that 4 billion connected things will be in use in the consumer sector in 2016, and will reach 13.5 billion in 2020. (Hat tip Canadian Underwriter for its report here)
Numerous analysts have pointed to IoT’s power to transform the insurance industry.
In this Deloitte QuickLook blog post, Sam Friedman writes that IoT will likely accelerate the vast amounts of data available to insurers as Web-connected sensors become the norm.
For example, telematics for usage-based auto insurance can provide carriers with 24/7 updates about where, when and how fast an insured travels, as well as assessing their turning and braking habits, traffic navigation skills and response time.
This same IoT technology has applications in a number of other coverages in personal, life and health and commercial insurance, Friedman writes.
Another example is “smart” homes which will allow homeowners to monitor their property, its security and elements like heating remotely. Insurers could provide loss control advice to minimize threats and perhaps take action to secure insured properties, he suggests.
And in this Accenture blog post, Daniele Presutti writes about how IoT will change how insurance is sold and who sells it. He predicts an increasing presence in the insurance business by tech-savvy competitors, such as Google and Amazon.
But it’s not all bad news, he writes:
“As people, homes, organizations and even cities become increasingly interconnected, an array of new opportunities will emerge. Smart and agile insurance companies will be able to take advantage of the IoT to launch new products, with new customers and capture new markets. These companies will be the Insurers of Things. For them the possibilities will be huge.”
Read more about how insurers are innovating along with the evolution of IoT in our latest paper Cyber Risks: Threat and Opportunities.
Monday, October 26, 2015
Posted by Claire under Market Conditions, Specialty Coverage, Technology
Broker Willis has just published its commercial insurance rate predictions for 2016.
What’s the outlook for insurance buyers?
Overall, the property/casualty insurance market continues to soften and Willis predicts further softening ahead, fueled by relatively benign losses and an oversupply of capacity from traditional and non-traditional sources.
For 2016, 10 lines of insurance—property, casualty, aviation, energy, health care professional, marine, political risks, surety, terrorism and trade credit—are expecting decreases.
In contrast, just five lines of insurance—cyber, employee benefits, errors & omissions (E&O), fidelity and kidnap & ransom—are expecting increases.
The main exception to the overall softening trend is in cyber and E&O insurance, Willis reports, where the growing threat of cyber intrusion and data theft is sending rates upward.
By how much?
For retailers with POS (point-of-sale) exposures and large health care companies, rate increases are up to an eye-opening 150 percent at renewal, with additional increases on excess layers.
In fact most buyers of cyber insurance are seeing primary premium increases of up to 15 percent, Willis says. For smaller organizations (with revenues less than $1 billion) lower premium increases are typical.
What about terms and conditions?
Willis observes that underwriting requirements continue to rise and cyber insurers are also increasing retentions, reducing capacity and exiting certain sectors.
Despite the reduction in capacity by some carriers, available limits in the cyber marketplace are around $350 million to $400 million.
Willis also predicts the marketplace for first-time buyers of cyber insurance (except for POS retailers and large healthcare organizations) will continue with relatively favorable terms, conditions and pricing.
Willis offers this single piece of advice to buyers of cyber insurance:
“In approaching the markets, be ready to identify key investments in security and privacy protections over the past policy year that will help differentiate you from your peers.”
The I.I.I.’s new paper Cyber Risks: Threat and Opportunities sheds more light on the rapidly evolving market for cyber insurance.
Wednesday, October 21, 2015
Posted by Claire under Specialty Coverage, Technology
The Internet of Things (IoT) is expanding rapidly—even permeating the minds of five-year-olds.
My own Kindergartener’s query from the back of the car during a routine drive to swim class the other day is a good example:
“Mummy, how did God know to create all these things that we need?” As I paused to consider the appropriate response, he answered for me: “You can just ask Siri, or Google it.”
Just how far we’ve come in our technological transformation is reflected by the development of innovative insurance products to cover the associated—and growing—risk.
A new white paper from the Insurance Information Institute (I.I.I.), Cyber Risk: Threat and Opportunity, which I co-authored with I.I.I. president Dr. Robert Hartwig, offers us a glimpse of how cyber insurance has evolved as a product since the mid- to late-1990s.
From a coverage that has its origins in the so-called “Y2K” or Millennium bug that prompted fears the Year 2000 date change would cause widespread computer failure, cyber coverage in the U.S. took off in response to the enactment of numerous privacy and data breach notice laws across the country.
More than 60 insurance carriers now offer stand-alone cyber insurance policies, the I.I.I. says, and interest in this coverage continues to grow following numerous high profile data breaches. Broker Marsh estimates the U.S. cyber insurance market was worth over $2 billion in gross written premiums in 2014.
And while there are many guesstimates out there, PwC suggests the global cyber insurance market could grow to at least $7.5 billion in annual premiums by the end of the decade. PwC also suggests insurers need to move quickly to innovate before a disruptor such as Google enters the market.
No business or industry is immune from the cyber threat. Our paper takes a look at where the threats are coming from and the challenges that cyber insurers face writing this coverage given the rapidly evolving nature of cyber attacks.
How insurers manage these risks while creating products for this multi-billion market opportunity as the legal and regulatory landscape becomes more defined will determine how best we all are protected from cyber risks in the years to come.
Thursday, October 8, 2015
Posted by Claire under Risk Management, Specialty Coverage, Technology
A poll of board directors and executives from Forbes Global 2000 companies finds that cybersecurity is being taken much more seriously in the boardroom these days, as is cyber insurance.
Nearly two-thirds (63 percent) of respondents to the study developed by the Georgia Tech Information Security Center (GTISC) say they are actively addressing computer and information security, up from 33 percent in 2012.
There has also been a significant shift in the number of boards reviewing cyber insurance. Nearly half (48 percent) of respondent boards were reviewing their company’s insurance for cyber-related risks, compared with just 28 percent in 2012.
However, the 2015 survey suggests there may be confusion over what type of insurance to purchase or appropriate coverage limits. Only about half of the respondents (47-54 percent) indicated that they had quantified their business interruption and loss exposure from cyber events.
Almost all boards (90 percent) are reviewing risk assessments, and an increasing number of them (53 percent) are hiring outside experts to assist on risk issues. Interestingly, the highest degree of attention was being paid to cyber risks associated with supplier relationships.
The survey, which was supported by Forbes, the Financial Services Roundtable (FSR), and Palo Alto Networks, found that some of the biggest improvements over time have been organizational.
For example, the majority of boards (53 percent) have established a risk committee, separate from the audit committee, with responsibility for oversight of cyber risk. In 2008, just 8 percent of boards had this in place.
The financial sector far exceeds other industry sectors with 86 percent having a board risk committee separate from the audit committee, followed by the IT/Telecom sector at 43 percent.
Another positive sign? Boards are now placing much more importance on risk and security experience when recruiting board directors, with 59 percent saying their board had a director with risk expertise, and nearly one quarter (23 percent) one with cybersecurity expertise.
Something to bear in mind: the response rate to the 2015 survey was low – with results received from just 6 percent, or 121 respondents at the board or senior executive level at 1,927 Forbes Global 2000 companies.
Thursday, September 10, 2015
Posted by Claire under Business Risk, Specialty Coverage, Technology
Corporate data breaches and privacy concerns may dominate the headlines, but a new report by Allianz Global Corporate & Specialty makes the case that future cyber threats will come from business interruption (BI), intellectual property theft and cyber extortion.
The impact of BI from a cyber attack, or from operational or technical failure, is a risk that is often underestimated, according to Allianz.
It predicts that BI costs could be equal to—or even exceed—direct losses from a data breach, and says that business interruption exposures are particularly significant in sectors such as telecoms, manufacturing, transport, media and logistics.
Vulnerability of industrial control systems (ICS) to attack poses a significant threat, Allianz says.
To date, there have been accounts of centrifuges and power plants being manipulated, such as the 2012 malware attack that disabled tens of thousands of computers at oil company Saudi Aramco, disrupting operations for a week.
However, the damage could be much higher from security sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.
Business interruption can also be caused by technical failure or human error, Allianz notes.
For example, in July 2015, stocks worth $28 trillion were suspended for several hours on the New York Stock Exchange due to a computer glitch, and that same month 4,900 United Airlines flights were impacted by a network connectivity issue.
As a result, Allianz believes that within the next five to 10 years BI will be seen as a key risk and a major element of the cyber insurance landscape.
It points out that in the context of cyber and IT risks, BI cover can be very broad including business IT computer systems, but also extending to ICS used by energy companies or robots used in manufacturing.
Allianz currently estimates the cyber insurance market is worth around $2 billion in premium worldwide, with U.S. business accounting for around 90 percent of the market. However, the cyber market is expected to experience double-digit growth year-on-year and could reach in excess of $20 billion in the next 10 years.
The Allianz Cyber Risk Guide is available here.
Check out I.I.I. facts and statistics on cybercrime here.
Thursday, August 13, 2015
Posted by Claire under Business Risk, Specialty Coverage, Technology
The cyber insurance market for small- to mid-sized companies is much friendlier than the market for larger insureds, according to the findings of an annual survey just released by Betterley Risk Consultants.
The Cyber/Privacy Insurance Market Survey 2015 notes that there are many insurance products competing for the business of small and mid-sized (SME) organizations.
Brokers are actively selling cyber policies to their SME insureds, and more are buying than ever before, as they realize the potential for liability, breach and response costs, arising out of the possession of private data.
The report says:
“Rates for the SME segment are still competitive and renewals are generally flat, even a bit soft, undoubtedly affected by the numerous insurers getting a foothold in the cyber insurance market. Smaller insureds tend to have lower limits and often have relatively modest claims.”
In contrast, larger organizations, especially those in retail and healthcare, are finding it more difficult to buy adequate cyber coverage limits at a reasonable price, the report suggests, as insurers are increasingly strict about adherence to cyber security and payment card industry standards.
For the larger/retail/healthcare insured, rates are rising, with increases in the 10-25 percent range most common. But the report points out:
“This is for untroubled organizations; it’s worse (up to 200 percent) if they have claims experience that has yet to result in significantly improved cybersecurity measures.”
While annual premium volume information about the U.S. cyber insurance market is hard to come by, the report concludes that annual gross written premium is growing and may be as much as $2.75 billion in 2015, up from $2 billion in last year’s report.
“We think the market has nowhere to go but up—as long as insurers can still write at a profit.”
This year’s report includes products offered by 31 insurers, up from 28 in 2014.
Check out the Insurance Information Institute’s (I.I.I.) online resource for business insurance here.
Technology is not enough in the fight against cybercrime; effective cybersecurity measures require policy and process changes as well.
That’s the takeaway from an analysis of cyber-risk spending included in the 2015 U.S. State of Cybercrime Survey recently released by PwC.
While cybersecurity budgets are on the rise, companies are mostly reliant on technology solutions to fend off digital adversaries and manage risks.
Among the 500 U.S. executives, security experts and others from public and private sectors responding to the survey, almost half (47 percent) said adding new technologies is a spending priority, higher than all other options.
Notably, only 15 percent cited redesigning processes as a priority and 33 percent prioritized adding new skills and capabilities.
When asked whether they have the expertise to address cyber risks associated with implementation of new technologies, only 26 percent said they have capable personnel on staff. Most rely on a combination of internal and external expertise to address cyber risks of new solutions.
As PwC advises:
“Companies that implement new technologies without updating processes and providing employee training will very likely not realize the full value of their spending. To be truly effective, a cybersecurity program must carefully balance technology capabilities with redesigned processes and staff training skills.”
Employee training and awareness continues to be a critical, but often neglected component of cybersecurity, PwC said. Only half (50 percent) of survey respondents said they conduct periodic security awareness and training programs, and the same number offer security training for new employees.
Some 76 percent of respondents to the survey said they are more concerned about cybersecurity threats this year than in the previous 12 months, up from 59 percent the year before.
As PwC noted, in today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how successful an attack will be.
Check out Insurance Information Institute (I.I.I.) facts and statistics on cybercrime here.
Friday, July 10, 2015
Posted by Claire under Business Risk, Specialty Coverage, Technology
The unfolding story on what is being described as the largest cyberattack into the systems of the United States government reads like an episode out of CSI Cyber.
Today the head of the Office of Personnel Management (OPM) Katherine Archuleta resigned as fallout continued in the wake of Thursday’s revelation that the second of two massive data breaches exposed the personal data of 21.5 million federal employees, contractors, applicants and family members.
This follows the previous breach OPM announced in June in which some 4.2 million federal personnel records were exposed.
The magnitude of the second breach is incredible. In a release, OPM states:
“OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”
As the New York Times reports here, every person given a background check for the last 15 years was probably affected (that’s 19.7 million people), as well as 1.8 million others, including their spouses and friends.
It is thought that both OPM attacks emanated from China, though this is not confirmed.
In a week in which reported technical issues halted trading on the New York Stock Exchange, grounded United Airlines flights and took the Wall Street Journal’s website offline for several hours, the OPM announcement once again highlights the limitless nature of cyber exposures.
Meanwhile, a joint report from Lloyd’s and the University of Cambridge points to the insurance implications of a cyber attack on the U.S. power grid and potential aggregation issues for insurers.
A hypothetical blackout that plunges 15 states into darkness, including New York City and Washington DC, leaving 93 million people without power would result in estimated insurance claims of $21.4 billion, rising to $71.1 billion in the worst case scenario, the report suggests.
Insurers would see losses across many lines of business, including property damage, business interruption, contingent business interruption, liability, homeowners and events cancellation.
Claims across other areas of insurance not included in the estimate are also possible, such as: injury-related claims; auto; property fire; industrial accidents; and environmental liability.
As Lloyd’s says in the report, one of the biggest concerns for insurers is that cyber risk is not constrained by the conventional boundaries of geography, jurisdiction or physical laws:
“The scalability of cyber attacks – the potential for systemic events that could simultaneously impact large numbers of companies – is a major concern for participants in the cyber insurance market who are amassing large numbers of accounts in their cyber insurance portfolio.”
Tuesday, June 16, 2015
Posted by Claire under Business Risk, Risk Management, Technology
A new report from ratings agency Standard & Poor’s warns that the credit ratings of U.S. financial services companies could be vulnerable to cyber risks in future.
In its analysis, S&P says:
“Although the many successful cyber-attacks have not yet resulted in any changes in Standard & Poor’s Ratings Services’ ratings on financial services companies, we view cyber-security as an emerging risk that we believe has the potential to pose a higher credit risk to financial services firms in the future.”
“It’s not difficult to envision scenarios in which criminal or state-sponsored cyber-attacks (for credit implications, we don’t differentiate the sources of intrusion) would result in significant economic effects, business interruption, theft, or reputational risk.”
S&P goes on to explain that while cyber attacks can result in losses, and possible market disruptions, so far they have not resulted in negative rating actions because the exposure of targeted companies has been contained by their own financial wherewithal and to some extent insurance programs.
Nevertheless, the damage to reputation, brand, or competitive position may likely only truly be known in the years ahead.
S&P notes that threat alone does not determine rating responses and threat risk varies by sector:
“Our credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity, and capitalization regarding its ability to replenish capital post-event.”
While all financial services companies targeted by major data breaches have emerged intact, S&P says it is increasingly wary about the persistence of cyber attacks and what that might mean for consumer confidence to engage in commerce with the brand going forward.
S&P says it views the threat for the insurance industry overall as medium, albeit risks for health insurers are higher. Adequate/strong enterprise risk management programs and the very strong capitalization of insurers are some of the offsetting risk factors.
While the cyber insurance market is still emerging, S&P expects premiums to more than double to $10 billion in the next five to 10 years from $2.5 billion now.
Hat tip to Insurance Journal which reports on this story here.