Tag Archives: Cyber Risks

What cybersecurity measures do businesses have in place?

In the third week of National Cyber Security Awareness Month, the Insurtech Insights newsletter by CB Insights gives a timely update on the cyber insurance market and on where startups are playing in this growing industry.

It notes the “tremendous opportunity” to sell cyber insurance to small businesses.

A recent Better Business Bureau study estimates that 15 percent of small businesses have cyber insurance. BBB Accredited Businesses are almost three times as likely to include cybersecurity insurance.

Fortunately, about nine out of 10 businesses reported to the BBB that they have some cybersecurity measures in place, the most common being antivirus, firewall and employee education.

A first look at the Equifax cyber loss

$125 million. That’s the first estimate of the insurance industry loss due to the Equifax cyber breach published by Property Claim Services (PCS).

Per Artemis blog:

“PCS’ initial estimate of the insurance market impact due to the Equifax hack attack is $125 million, however the firm said that the economic impact to the credit giant is expected to be much larger.

“PCS noted that there are outstanding coverage issues which could reduce the likelihood of the Equifax cyber insurance loss reaching the $125 million estimate, so it could be revised down it would appear.”

Equifax’s specific cyber insurance policy could provide as much as $150 million of coverage, according to Artemis.

Launched in early September, the PCS Global Cyber service provides industry loss estimates for cyber risk loss events of at least $20 million worldwide. The Equifax hack was its first designated event and PCS has since designated its second global cyber loss event, the impact of the Petya/non-Petya malware attack on pharmaceutical giant Merck & Co in June.

A smart fish tank leaves a casino’s data exposed to hackers

The cyber savvy have heard of phishing – sending thousands of malware-laden emails hoping for one unsuspecting click – but the Internet of Things introduced a new kind of fishing. It involved actual fish.

An internet-connected fish tank in a North American casino was used as an initial entry point into the casino’s network. This is one of nine unusual attack vectors listed in a recent report from the security firm Darktrace, which describes real-world cases where sophisticated methods, advanced technologies, or unusual strategies were employed.

The report warns that “…we are seeing new areas of vulnerability arise as modern companies embrace the ‘Internet of Things’. The proliferation of new connected objects multiplies the inroads to critical networks and data, yet organizations often have remarkably poor visibility of these hidden outposts of their networks.”

In addition to the threat posed by “things”, the increasing digitization of everyday work processes means that legitimate network users can (accidentally) expose data and systems to significant vulnerabilities.

Another growing security concern is that the automation of malware production means that attackers can spread malicious software at lightning speed, outpacing the efforts of human security teams to identify and block new variants of threats.

Cyber protection gap akin to nat cat

FedEx Corp has disclosed in a securities filing that its international delivery business, TNT Express BV, was significantly affected by the June 27 Petya cyberattack.

Apparently, the courier company did not have cyber insurance or any other insurance that would cover losses from Petya, according to this report by The Wall Street Journal, via the I.I.I. Daily.

A new emerging risk report from Lloyd’s and risk modeling firm Cyence notes that cyberattacks have the potential to trigger billions of dollars of insured losses, yet there is a massive underinsurance gap.

Take its first modeled scenario: a cloud service provider hack. The event produced a range of insured losses from $620 million for a large loss to $8.1 billion for an extreme loss (overall losses ranged from $4.6 billion to $53 billion).

This left an insurance protection gap of between $4 billion (large loss) and $45 billion (extreme loss), so between 87 percent and 83 percent of the overall losses respectively were uninsured.

In another modeled scenario, the mass vulnerability attack, the underinsurance gap is between $9 billion for a large loss and $26 billion for an extreme loss, meaning that just 7 percent of economic losses are covered by insurance.

From the report:

“In some ways, the cyber insurance market can be considered in the same light as underinsurance in the natural catastrophe space – risks are growing and insurance penetration figures are low.”

Demand For Commercial Insurance Up Slightly

Demand for commercial insurance continued to follow a slight upward trend in the first three months of 2017, according to the latest Council of Insurance Agents & Brokers’ Commercial P/C Market Survey.

A large number of brokers reported an increase in demand for cyber coverage as clients became more familiar with the product and more interested in purchasing stand-alone policies.

The majority of brokers, 68.5 percent, reported that demand for commercial insurance products stayed the same in the first quarter of 2017, compared to the fourth quarter of 2016.

Nearly 30 percent of broker responses saw an increase in demand, while only 2.2 percent saw a decrease.

As for pricing, the soft market continued in Q1 2017, with the average rate decline across all commercial P/C accounts at 2.5 percent, compared to 3.3 percent in Q4 2016.

This is the ninth straight quarter that commercial rates have declined across small, medium and large accounts, The Council said.

Additional I.I.I. facts and statistics on the commercial lines insurance market are available here.

Ransomware: Does Cyber Insurance Make Sense?

As organizations look to recover from the disruption caused by Friday’s massive global ransomware cyberattack, the value of cyber insurance, and other cybersecurity tools, just multiplied exponentially.

Security researchers at Kaspersky Lab recorded more than 45,000 attacks in 74 countries including the UK, Russia, Ukraine, India, China and Italy, the Guardian reports.

The UK’s National Health Service, French car manufacturer Renault, and Spain’s telecommunications giant Telefonica were among those hit by the so-called WannaCry ransomware, which locks up computer systems until the victims pay a ransom.

Cyber risk modeling firm Cyence estimates the average individual ransom cost from the attacks at $300, and the total economic costs from interruption to business at $4 billion, according to this Reuters report.

Kevin Kalinich, global head of Aon’s cyber risk practice, told Reuters:

“If you’re a hospital that turned away patients, if you’re a global delivery company that can’t send a package, or a telecom company in Spain, Russia or China, the financial statement impact from the business interruption is much larger than the $300 ransomware.”

Insurance coverage for ransomware (see earlier post), and other forms of extortion, is available under cyber insurance policies, or other types of policies that specifically cover cyber extortion.

An insured’s ransom payment following an attack is typically covered, subject to individual policy terms and conditions, according to this I.I.I. white paper.

Cyber policies also provide coverage for the costs of forensic investigation, restoring lost or corrupted data, legal expenses and business interruption.

Here are some of the considerations that go into the decision to purchase coverage.

Ransomware: Is Cyber Insurance On Your Radar?

Hotel guests locked out of their rooms at a four-star hotel in the Austrian Alps? Washington DC’s CCTV system disrupted days before Donald Trump’s inauguration? Libraries in St Louis brought to a standstill? Eight years of digital evidence lost by a Texas police department?

Ransomware is not just grabbing headlines; it’s now the favorite method of cyberattack used against businesses, particularly in North America and Europe, according to this Malwarebytes report.

In the fourth quarter of 2016 alone, Malwarebytes catalogued nearly 400 variants of ransomware, and 81 percent of ransomware detected in corporate environments occurred in North America.

Lloyd’s insurer Beazley saw ransomware attacks quadruple in 2016 and projects them to double again in 2017.

“Evolving ransomware variants enable hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the most valuable files unencrypted.”

In its white paper Cyberrisk: Threat and Opportunity, the Insurance Information Institute reports that insurers are issuing an increasing number of cyber insurance policies and that coverage for cyber extortion, including payment of a ransom following a ransomware attack, is available.

According to the FBI, ransomware attacks are on the up, particularly targeting organizations because the payoffs are higher.

How To Cover Electronic Aggression, or Cyberbullying

Recent events have reminded us that cyberbullying is not limited to children, with at least one survey indicating that 73 percent of adult internet users have seen someone harassed online, while 40 percent have personally experienced it.

For example, professional golfer Paige Spiranac last week spoke about the harassment she and her family experienced following her professional debut last year. The recent U.S. Presidential campaign has also highlighted the increasing prevalence of cyberbullying that targets adults.

Electronic aggression is the definition used by the Centers for Disease Control and Prevention (CDC) to describe any type of harassment or bullying that occurs through email, a chat room, instant messaging, a website (including blogs), or text messaging.

And the National Conference of State Legislatures (NCSL) defines cyberbullying as the willful and repeated use of cell phones, computers, and other electronic communication devices to harass and threaten others.

NCSL notes that cyberbullying differs from more traditional forms of bullying in that it can occur at any time, its messages and images can be spread and shared instantaneously to a wide audience, and perpetrators can remain anonymous, often making them difficult to trace.

Adult cyberbullying often takes the form of trolling, where someone posts inflammatory messages on an online platform, such as Facebook or Twitter, or in a chatroom or blog, with the sole intent to provoke a reaction from other users.

While there are many examples of cyberbullying against celebrities or public figures, any adult who uses the internet is increasingly at risk.

Social media platforms, including Instagram, Twitter and Facebook, have responded by introducing new tools aimed at combating cyberbullying.

Just as technology is changing the way we interact with each other, so insurers have been moving to provide insurance coverage that can mitigate the financial loss and emotional harm suffered as a result of a cyberbullying incident.

For example, earlier this year Chubb made cyberbullying coverage available to its U.S. homeowners customers. The coverage provides up to $60,000 in compensation to clients and family members for expenses related to harassment and intimidation committed via personal computers, telephones or mobile devices. It can help mitigate the cost of wrongful termination, false arrest, wrongful discipline in an educational institution, or diagnosed debilitating shock, mental anguish or mental injury.

From the perspective of businesses, most traditional commercial general liability policies would not cover electronic aggression or cyberbullying claims. Specialist media liability policies developed by insurers may cover social media activities and industry experts say the number of insureds and insurance brokers looking at this type of coverage is increasing.

Specialized cyber policies developed by insurers may also be tailored to incorporate social media coverage. Check out the Insurance Information Institute white papers Cyber Risk: Threat and Opportunity and Social Media, Liability and Risks for more on this topic.

Prepared for #CyberMonday and #GivingTuesday?

With Cyber Monday and Giving Tuesday rounding out the Thanksgiving holiday, digital spending and giving are expected to reach record levels, which means businesses and individuals need to be prepared for cyber threats.

In 2015, Cyber Monday was the largest e-commerce sales day ever, with online orders totaling $3.07 billion, and experts expect this year’s total will be higher still, according to a post on the U.S. Chamber of Commerce’s Above the Fold blog.

It cautions businesses to be vigilant, especially when it comes to payment card protection, and offers the following tips:

—Change your passwords and make them strong: just as you would lock the doors before leaving, lock this door too. Make sure employees know this too.

—Install software updates known as patches that your payment service provider sends you for your payment systems: install updates, just as you would on your phone, so your payment system is protected.

—Keep business information private: keep passwords, user IDs, or other details for payment systems private. Confirm an unexpected call or email separately with the supposed caller or sender before proceeding.

Even digital philanthropy can bring out cybercriminals. According to the Identity Theft Resource Center (ITRC), in recent years there has been substantial growth in web-based giving or mobile donations.

In fact, one of the first global-scale events that brought attention to mobile donations was the 2010 hurricane that struck Haiti. The Red Cross received millions of dollars in donations from cellphone users who simply texted the word “HAITI” to a five-digit number.

While it feels good to give, the ITRC says it’s important to remember to do your homework and check out a charity before clicking on a link or responding to potentially fraudulent email requests claiming to be a part of Giving Tuesday.

One cause you might consider supporting is The Insurance Industry Charitable Foundation’s Early Learning Initiative (ELI) which provides an opportunity for every young child – regardless of means – to learn to read and write.

Join your insurance industry colleagues in the worldwide #GivingTuesday movement by contributing $5 for ELI here.

Check out the Insurance Information Institute’s facts and statistics on corporate social responsibility here. The I.I.I. white paper Cyberrisk: Threat and Opportunity has the latest information on the current exposure and how insurers are responding.

Cybersecurity and the Presidential Election

Insurance leaders say the upcoming U.S. presidential election could impact a range of issues, including healthcare and international trade.

Cybersecurity is another insurance-related issue that next week’s election is likely to impact. Forrester even predicts that the new U.S. president will face a major cybercrisis within 100 days.

A new Insurance Information Institute (I.I.I.) white paper notes that governments are facing an unprecedented level of cyber attacks and threats with the potential to undermine national security and critical infrastructure.

The I.I.I. paper, Cyberrisk: Threat and Opportunity, also highlights rising concerns over how hacked information may be used to influence a political outcome:

“Hacks of both Democratic National Committee and Republican National Committee emails during an election year have raised concerns that groups are attempting to influence the outcome of the 2016 U.S. presidential campaign.”

Just last Friday, U.S. government officials accused Russia of trying to interfere in the 2016 elections, including by hacking the computers of the DNC and other U.S. political organizations.

And on Tuesday Microsoft said the Russian hackers believed responsible for hacking the DNC computers had exploited previously undisclosed flaws in its Windows operating system and Adobe’s Flash software.

The Wall Street Journal reports that apparent Russian attempts to disrupt the U.S. election highlight more mundane risks as well as a new weapon in information wars: the disclosure of hacked information to influence policy or public perception.

Meanwhile, cybersecurity experts have warned that the election systems in the U.S. are vulnerable at the local, state and manufacturer level.

The mounting concerns have prompted the Department of Homeland Security (DHS) to consider whether the U.S. voting systems should be classified as critical infrastructure.

Currently, there are 16 critical infrastructure sectors, such as the U.S. power grid and water supply, whose systems and networks are considered so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on national security and public health or safety.

In fiscal year 2015, there were around 295 attacks on critical infrastructure control systems in the U.S., a 20 percent increase on the previous year, according to DHS figures cited in the I.I.I. paper.