Tag Archives: Cyber Risks

What IoT Cyber Attacks Mean for Insurers

The massive global distributed denial of service attack (DDoS) against internet infrastructure provider Dyn DNS Co. that left over 1,000 major brand name sites including Twitter, Netflix, PayPal and Spotify, inaccessible Friday has implications for insurers too.

While the nature and source of the attack is under investigation, it appears to have been (in the words of Dyn chief strategy officer Kyle York) “a sophisticated, highly distributed attack involving tens of millions of Internet Protocol addresses.”

As Bryan Krebs’ KrebsOnSecurity blog first reported, the attack was launched with the help of hacked Internet of Things (IoT) connected devices such as CCTV video cameras and digital video recorders (DVRs) that were infected with software (in this case the Mirai botnet) that then flooded Dyn servers with junk traffic.

The World Economic Forum (WEF) recently warned that failing to understand and address risks related to technology, primarily the systemic cascading effects of cyber risks or the breakdown of critical information infrastructure could have far-reaching consequences for national economics, economic sectors, and global enterprises.

As the IoT leads to more connections between people and machines, cyber dependency will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem, the WEF noted.

While IoT connected devices have the potential to transform how businesses and individuals—and their insurers—conduct, manage and monitor their operations, workplaces and their homes, clearly there are embedded risks that insurers need to consider.

Over at Celent’s insurance blog, Donald Light, director of Celent’s North America property/casualty practice, says the Dyn DDoS attack has a number of potentially serious implications for insurers.

Light writes:

“An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholders and the insurer providing the discount to a variety of potential losses.”

If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses, Light suggests.

The Insurance Information Institute white paper on cyber threats and opportunities is available here.

Cyber Claims Costly To Businesses Large and Small

Data breaches can be costly, no matter how large or small an organization may be.

That’s a key takeaway of the latest NetDiligence study on cyber claims costs that analyzed 176 data breach claims submitted by insurers.

While the average claim for a large organization—at $6 million—was 10 times the average claim for a small organization, some of the largest claims in this year’s study came from smaller organizations with revenues of $2 billion or less.

This year’s dataset included 21 claims in excess of $1 million (12 percent) of which 81 percent (17 out of 21) involved nano-, micro- and small-revenue organizations that were victims either of hackers or malware.

The largest legal costs (defense and settlements) in this year’s study were from two micro-organizations (revenues of $50 million to $300 million). One lost valuable trade secrets to a hacker, while the other exposed protected health information due to a lost laptop.

The combined legal costs for these two organizations ranged from $1.5 million to more than $4.5 million, NetDiligence said.

Interestingly, the average claim payout across the dataset was $495,000, while the median claim payout was $49,000

The highest average claim payout—$1.3 million—was in the financial services sector.

The majority of claims (87 percent) submitted for analysis in this year’s study came from smaller organizations with revenues of $2 billion or less.

NetDiligence said this is in line with previous findings that smaller organizations experience most of the incidents. This is likely due to the fact that there are simply more small organizations, than large ones.

Other contributing factors may be that smaller organizations are less aware of their exposure or they have fewer resources to provide appropriate data protection and/or security awareness training for employees, NetDiligence said.

A point that underscores the growing need for smaller companies to purchase cyber insurance.

While many leading cyber liability insurers are participating in the study, NetDiligence noted that there are many insurers that have not yet processed enough cyber claims to be able to participate.

“It is our sincerest hope that each year more and more insurers and brokers will participate in this study—that they share more claims and more information about each claim—until it truly represents the cyber liability insurance industry overall.”

Cybersecurity Among Biggest Presidential Challenges

Just days after the disclosure of a massive data breach at email provider Yahoo, believed to have been the work of a state-sponsored actor, it’s notable that cybersecurity made news during the first of three U.S. presidential debates last night.

As Democratic U.S. presidential nominee Hillary Clinton and Republican U.S. presidential nominee Donald Trump squared off, moderator Lester Holt, asked:

“Our institutions are under cyber attack, and our secrets are being stolen. So my question is, who’s behind it? And how do we fight it?”

In her response, Clinton described cybersecurity, cyber warfare as one of the biggest challenges facing the next president.

She said the U.S. faced two different kinds of adversaries: independent hacking groups that try to steal information so they can use it commercially to make money; and cyber attacks coming from states and organs of states.

Clinton noted:

“We need to make it very clear—whether it’s Russia, China, Iran or anybody else—the United States has much greater capacity. And we are not going to sit idly by and permit state actors to go after our information, our private sector information or our public sector information.”

Trump and Clinton then went back-and-forth on whether Russia was responsible for the hacking of Democratic National Committee emails earlier this year.

Setting that discussion aside, both nominees appeared to agree on the enormity of the cybersecurity challenge, as Trump said:

“We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem… The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”

The just-disclosed 2014 Yahoo breach, in which 500 million accounts were compromised, highlights concerns around the number of state-sponsored cyber attacks, according to this article by the Wall Street Journal.

While organizations should consider the purchase of cyber insurance to manage the financial consequences of an attack, a 2015 Ponemon study found that a more popular approach to managing the risk of a nation state attack is a government-subsidized insurance policy (see below).


What do you think?

Some 17,475 IT and IT security practitioners located in all regions of the U.S. participated in the Ponemon survey.

The Insurance Information Institute’s latest white paper on cyber risk threats and challenges is available here.

Faster Decisions, Fewer Challenges Among Cyber Buyers

Good news for cyber insurers. A majority of companies continue to have network security and data privacy insurance, and are making their purchase decisions faster and experiencing fewer purchasing challenges than in 2015.

The findings come in the newly-released 2016 Network Security and Data Privacy Study by Wells Fargo Insurance.

While in 2015 the study showed that 22 percent of companies buying insurance took more than 12 months to make the purchase decision, in 2016 just 8 percent of companies are currently taking that long, while 59 percent are taking six months or less.

Cost of coverage and finding a policy that meets a company’s needs remain the top two insurance purchasing challenges of 2016. However, the study found that 19 percent of companies did not experience any purchasing challenges, a significant improvement over 2015 when only 6 percent did not experience challenges.

The easier purchasing process may be related to less internal resistance, Wells Fargo said. Likewise, in 2016, fewer companies (24 percent) believed the risk was not big enough to warrant the purchase of network security and data privacy insurance.


Of the companies in the study that had purchased insurance, one-fifth reported filing a network security and data privacy insurance claim in the last 12 months, and most were satisfied with their coverage.

Another key takeaway for cyber insurers? Protecting the business against financial loss was the primary reason for purchasing coverage (81 percent) in 2016, as in 2015. However, protecting the company’s reputation is an increasing concern, with 70 percent citing it in 2016, compared to just 58 percent in 2015.

Purchasing insurance is an important step, but it should be used in tandem with developing and testing a comprehensive incident response plan and performing a thorough cyber risk assessment, Wells Fargo noted.

The second annual study analyzed trends of network security and data privacy issues among 100 decision makers at companies with $100 million or more in annual revenue.

Check out Insurance Information Institute’s (I.I.I.’s) latest white paper on cyber risk threats and challenges here.

Banner Health Breach: Are You Covered?

Up to 3.7 million payment card and patient medical records are reported to have been compromised in a cyber attack at Phoenix, Arizona-based healthcare provider Banner Health, underscoring the threat faced by the medical/healthcare sector.

Beginning June 17, the attack targeted Banner Health patients, health plan members, healthcare providers and retail customers.

On its website, Banner Health said it had discovered in early July that cyber attackers may have gained unauthorized access to computer systems targeting payment card data at food and beverage locations, including cardholder name, card number, expiration date and internal verification code.

In late July, Banner Health also discovered that patient information, health plan member and beneficiary information may have been compromised—including names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers.

Physician and provider information may also have been compromised, including names, addresses, dates of birth, social security numbers and other identifiers.

As investigators look into the specifics of this breach, a glance at the numbers reveals that Banner Health will almost double the number of records compromised in U.S. data breaches targeting the medical/healthcare sector in 2016, per figures released by the Identity Theft Resource Center (ITRC).

As of August 2, 2016, some 206 data breach events, exposing just under 5 million records, had been tracked against the medical/healthcare sector, according to the ITRC. Make that 207 data breaches, exposing 8.7 million records.

With Banner Health, total data breach events year-to-date will also rise to at least 573 breaches, with 17.2 million records exposed. (This does not account for any other data breaches that may have occurred since August 2).

A recent Ponemon report wisely reminded us that “no healthcare organization, regardless of size, is immune from data breach.”

In the last two years, the average cost of a data breach for healthcare organizations was estimated at more than $2.2 million, according to Ponemon.

“Data breaches in healthcare are increasingly costly and frequent, and continue to put patient data at risk. Based on the results of this study, we estimate that data breaches could be costing the healthcare industry $6.2 billion.”

Criminal attacks are currently the leading cause of breaches in healthcare, Ponemon said. All the more reason for cyber insurance to be purchased, as the I.I.I. advises in this white paper.

What Does A Cyberattack Really Cost?

The current market value put on the business impact of a cyberattack is grossly underestimated, according to a new report from Deloitte Advisory.

It finds that the direct costs commonly associated with data breaches, such as regulatory fines, breach notification and protection costs, and public relations costs account for less than 5 percent of the total business impact.

But the effects of a cyberattack can be even more far-reaching and last for years, resulting in a wide range of hidden or intangible costs related to loss of intellectual property, operational disruption, increase in insurance premiums, and devaluation of trade name.

In fact more than 95 percent of the financial impact of a cyberattack is likely to accrue in these areas and businesses can be caught especially unprepared for these intangible costs.

In a press release, Don Fancher, principal, Deloitte Advisory, and global leader for Deloitte forensic, says:

“Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organization.

“Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think. It’s to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies.”

Find out more about cyber risks and insurance in this Insurance Information Institute paper.

P/C Rates: Trending Down, But Not As Steeply

Broker Willis Towers Watson has updated its commercial insurance rate predictions for 2016, and says that price declines are slowing.

A complex commercial insurance marketplace—marked by increased underwriting scrutiny and potential challenges stemming from the changing carrier landscape—is raising the likelihood that companies will experience some price increases in various lines.

Back in October 2015, Willis said 10 lines of insurance could expect decreases and just five lines of insurance could expect increases in 2016.

Now the updated outlook for 2016 is that nine lines of insurance are expecting decreases and eight lines of insurance—auto, cyber, employee benefits, employment practices liability, errors & omissions, fidelity, kidnap & ransom, and trade credit— are expecting increases.

And for lines where it anticipated the largest price hikes—cyber and errors & omissions—those price hikes are accelerating.

With hurricane season approaching, it’s worth noting that property remains among those lines expecting a decrease, but average rate reductions are slowing down.

Non-CAT accounts have enjoyed rate reductions for a longer period and carriers cannot afford to cut rates much further, Willis Towers Watson notes.

For cyber renewals, primary premium increases are 5 percent to 15 percent for most buyers and 15 percent to 30 percent for POS retailers and large health care companies with no losses—with additional increases on excess layers.

Willis Towers Watson notes that excess cyber losses have caused a few markets to stop writing large accounts and others to increase their premiums significantly in upper layers of $75+ million placements.

Despite the reduction in capacity by some carriers, available limits in the marketplace are approximately $350 million to $400 million.

Capital markets are also reviewing cyber to determine if they can provide additional relief.

Meanwhile, insurers are focused on employee training, handling of sensitive data, holistic security practices for outsourced data infrastructure, and internal reporting structure, according to Willis Towers Watson.

IoT and Piracy Increase Risks to Shipping

A hacker causes an oil platform located off the coast of Africa to tilt to one side, forcing it to temporarily shut down. A port’s cyber systems are infiltrated by hackers to locate specific containers loaded with illegal drugs and remove them undetected.

These are just a few of the cyber attacks on the shipping industry reported to date, according to Allianz Global Corporate & Specialty SE’s (AGCS) fourth annual Safety and Shipping Review 2016.

But such attacks are often under-reported as companies opt to deal with breaches internally for fear of worrying stakeholders, AGCS notes.

“When reports of attacks do surface, details are usually vague, making it extremely difficult to gauge the headway the industry has made in strengthening online security.”

The shipping industry’s reliance on interconnected technology also poses risks. Cyber risk exposure is growing beyond data loss.

Technological advances including the Internet of Things (IoT) and electronic navigation means the industry may have less than five years to prepare for the risk of a vessel loss, AGCS warns.

There has already been one known incidence of Somali pirates having infiltrated a shipping company’s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security, leading to the hijacking of a vessel.

In the words of Captain Andrew Kinsey, senior marine risk consultant AGCS:

“Pirates are already abusing holes in cyber security to target the theft of specific cargoes. The cyber impact cannot be overstated. The simple fact is you can’t hack a sextant.”

The industry needs more robust cyber technology in order to monitor the movement of stolen cargoes, according to Kinsey.

For the first time in five years piracy attacks at sea failed to decline in 2015. International Maritime Bureau statistics show there were 246 piracy attacks worldwide in 2015, up from 245 in 2014.

Attacks in South East Asia continue to increase, with the region accounting for 60 percent of global incidents and Vietnam a new hotspot, AGCS reports.

The Insurance Information Institute offers facts and statistics on marine accidents here.

Don’t Ask, Don’t Tell

We’re reading an item of interest from across the pond where the United Kingdom’s Institute of Directors (IoD) has issued a new report that gives insight into how companies tend to react if they are under a cyber attack.

The IoD study, supported by Barclays, revealed that most companies keep quiet, with under one third (28 percent) of cyber attacks reported to the police.

This is despite the fact that half (49 percent) of cyber attacks resulted in interruption of business operations, the IoD noted.

Hat tip to forbes.com which reports on the IoD findings in this blog post.

It’s worth noting that here in the United States, the Identity Theft Resource Center (ITRC) has long maintained that the record number of U.S. data breaches it tracks are by no means the whole story.

Many data breaches fly under the radar, the ITRC says, because businesses want to avoid the financial dislocation, liability and loss of goodwill that comes with disclosure and notification.

Back to the UK the survey of nearly 1,000 IoD members also showed a worrying gap between awareness of cyber risks and preparedness.

Even though nine in 10 of business leaders said cyber security was important, only 57 percent had a formal strategy in place to protect themselves, and just one fifth (20 percent) held insurance against an attack.

In the words of Professor Benham, author of the IoD report:

No shop=owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don’t seem to think a cyber breach warrants the same response.

Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

With 34,500 members, ranging from start-up entrepreneurs to CEOs of multinational companies, the IoD is the UK’s largest organization for business leaders.

More on cyber security in the Insurance Information Institute’s paper Cyber Risks: Threat and Opportunities.

PwC: Incidence of Cybercrime Sharply Higher

Cybercrime has jumped to the second most reported type of economic crime affecting 32 percent of global businesses, according to a just-released survey by PwC.

PwC’s Global Economic Crime Survey 2016 found that while traditional leaders of economic crime–asset misappropriation, bribery and corruption, procurement fraud and accounting fraud–all showed a slight decrease over 2014 statistics, cybercrime is on a steady increase.

In fact over one quarter of the 6,000 respondents to PwC’s survey said they’d been affected by cybercrime.

Despite a sharply higher incidence of reported cybercrime among PwC’s respondents, the survey found that most companies are still not adequately prepared for–or even understand the risks faced.

Only 37 percent of organizations have a cyber incident response plan in place and many boards are not sufficiently proactive regarding cyber threats.

Even though  boards have a fiduciary responsibility to shareholders when it comes to cyber risk in several countries, PwC found that less than half of board members actually request information about their organization’s state of cyber-readiness.

Losses from cybercrime can be heavy, PwC reported. A handful of respondents (around 50 organizations) said they had suffered losses over $5 million. Of these, nearly one-third reported cybercrime-related losses sin excess of $100 million.

Reputational damage was considered the most damaging impact of a cyber breach among survey respondents, followed by legal investment and/or enforcement costs.

According to PwC:

The insidious nature of this threat is such that of the 56 percent who say they are not victims, many have likely been compromised without knowing it.”

This year’s results show that the incidence of economic crime has come down, for the first time since the global financial crisis of 2008-9 (albeit marginally by 1 percent).

Check out  the I.I.I. white paper  Cyber Risk: Threat and Opportunity  for the latest on cybercrime, risks and insurance.