Entries tagged with “Cyber Risks”.


The cyber insurance market for small- to mid-sized companies is much friendlier than the market for larger insureds, according to the findings of an annual survey just released by Betterley Risk Consultants.

The Cyber/Privacy Insurance Market Survey 2015 notes that there are many insurance products competing for the business of small and mid-sized (SME) organizations.

Brokers are actively selling cyber policies to their SME insureds, and more are buying than ever before, as they realize the potential for liability, breach and response costs, arising out of the possession of private data.

The report says:

Rates for the SME segment are still competitive and renewals are generally flat, even a bit soft, undoubtedly affected by the numerous insurers getting a foothold in the cyber insurance market. Smaller insureds tend to have lower limits and often have relatively modest claims.”

In contrast, cyber coverage for larger organizations, especially those in retail and healthcare, are finding it more difficult to buy adequate limits at a reasonable price, the report suggests, as insurers are increasingly strict about adherence to cyber security and payment card industry standards.

For the larger/retail/healthcare insured, rates are rising, with increases in the 10-25 percent range most common. But the report points out:

This is for untroubled organizations; it’s worse (up to 200 percent) if they have claims experience that has yet to result in significantly improved cybersecurity measures.”

While annual premium volume information about the U.S. cyber insurance market is hard to come by, the report concludes that annual gross written premium is growing and may be as much $2.75 billion in 2015, up from $2 billion in last year’s report.

We think the market has nowhere to go but up—as long as insurers can still write at a profit.”

This year’s report includes products offered by 31 insurers, up from 28 in 2014.

Check out the Insurance Information Institute’s (I.I.I.) online resource for business insurance here.

 

Technology is not enough in the fight against cybercrime, effective cybersecurity measures require policy and process changes as well.

That’s the takeaway from an analysis of cyber-risk spending included in the 2015 U.S. State of Cybercrime Survey recently released by PwC.

While cybersecurity budgets are on the rise, companies are mostly reliant on technology solutions to fend off digital adversaries and manage risks.

Among the 500 U.S. executives, security experts and others from public and private sectors responding to the survey, almost half (47 percent) said adding new technologies is a spending priority, higher than all other options.

Notably, only 15 percent cited redesigning processes as a priority and 33 percent prioritized adding new skills and capabilities.

When asked whether they have the expertise to address cyber risks associated with implementation of new technologies, only 26 percent said they have capable personnel on staff. Most rely on a combination of internal and external expertise to address cyber risks of new solutions.

PWCCyberSpending2015

As PwC advises:

Companies that implement new technologies without updating processes and providing employee training will very likely not realize the full value of their spending. To be truly effective, a cybersecurity program must carefully balance technology capabilities with redesigned processes and staff training skills.”

Employee training and awareness continues to be a critical, but often neglected component of cybersecurity, PwC said. Only half (50 percent) of survey respondents said they conduct periodic security awareness and training programs, and the same number offer security training for new employees.

Some 76 percent of respondents to the survey said they are more concerned about cybersecurity threats this year than in the previous 12 months, up from 59 percent the year before.

As PwC noted, in today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how successful an attack will be.

Check out Insurance Information Institute (I.I.I.) facts and statistics on cybercrime here.

The unfolding story on what is being described as the largest cyberattack into the systems of the United States government reads like an episode out of CSI Cyber.

Today the head of the Office of Personnel Management (OPM) Katherine Archuleta resigned as fallout continued in the wake of Thursday’s revelation that the second of two massive data breaches exposed the personal data of 21.5 million federal employees, contractors, applicants and family members.

This follows the previous breach OPM announced in June in which some 4.2 million federal personnel records were exposed.

The magnitude of the second breach is incredible. In a release, OPM states:

OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”

As the New York Times reports here, every person given a background check for the last 15 years was probably affected (that’s 19.7 million people), as well as 1.8 million others, including their spouses and friends.

It is thought that both OPM attacks emanated from China, though this is not confirmed.

In a week in which reported technical issues halted trading on the New York Stock Exchange, grounded United Airlines flights and took the Wall Street Journal’s website offline for several hours, the OPM announcement once again highlights the limitless nature of cyber exposures.

Meanwhile, a joint report from Lloyd’s and the University of Cambridge, points to the insurance implications of a cyber attack on the U.S. power grid and potential aggregation issues for insurers.

A hypothetical blackout that plunges 15 states into darkness, including New York City and Washington DC, leaving 93 million people without power would result in estimated insurance claims of $21.4 billion, rising to $71.1 billion in the worst case scenario, the report suggests.

Insurers would see losses across many lines of business, including property damage, business interruption, contingent business interruption, liability, homeowners and events cancellation.

Claims across other areas of insurance not included in the estimate are also possible, such as: injury-related claims; auto; property fire; industrial accidents; and environmental liability.

As Lloyd’s says in the report, one of the biggest concerns for insurers is that cyber risk is not constrained by the conventional boundaries of geography, jurisdiction or physical laws:

The scalability of cyber attacks – the potential for systemic events that could simultaneously impact large numbers of companies – is a major concern for participants in the cyber insurance market who are amassing large numbers of accounts in their cyber insurance portfolio.”

A new report from ratings agency Standard & Poor’s warns that the credit ratings of U.S. financial services companies could be vulnerable to cyber risks in future.

In its analysis, S&P says:

Although the many successful cyber-attacks have not yet resulted in any changes in Standard & Poor’s Ratings Services’ ratings on financial services companies, we view cyber-security as an emerging risk that we believe has the potential to pose a higher credit risk to financial services firms in the future.”

And:

It’s not difficult to envisions scenarios in which criminal or state-sponsored cyber-attacks (for credit implications, we don’t differentiate the sources of intrusion) would result in significant economic effects, business interruption, theft, or reputational risk.”

S&P goes on to explain that while cyber attacks can result in losses, and possible market disruptions, so far they have not resulted in negative rating actions because the exposure of targeted companies has been contained by their own financial wherewithal and to some extent insurance programs.

Nevertheless, the damage to reputation, brand, or competitive position may likely only truly be known in the years ahead.

S&P notes that threat alone does not determine rating responses and threat risk varies by sector:

Our credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity, and capitalization regarding its ability to replenish capital post-event.

While all financial services companies targeted by major data breaches have emerged intact, S&P says it is increasingly wary about the persistence of cyber attacks and what that might mean for consumer confidence to engage in commerce with the brand going forward.

S&P says it views the threat for the insurance industry overall as medium, albeit risks for health insurers are higher. Adequate/strong enterprise risk management programs and the very strong capitalization of insurers are some of the offsetting risk factors.

While the cyber insurance market is still emerging, S&P expects premiums to more than double to $10 billion in the next five to 10 years from $2.5 billion now.

Hat tip to Insurance Journal which reports on this story here.

 

The financial impact of cyber exposures is close to exceeding those of traditional property, yet companies are reluctant to purchase cyber insurance coverage.

These are the striking findings of a new Ponemon Institute  survey sponsored by Aon.

Companies surveyed estimate that the value of the largest loss (probable maximum loss) that could result from theft or destruction of information assets is approximately $617 million, compared to an average loss of $648 million that could result from damage or total destruction of property, plant and equipment (PP&E).

Yet on average, only 12 percent of information assets are covered by insurance. By comparison, about 51 percent of PP&E assets are covered by insurance.

The survey found that self-insurance is higher for information assets at 58 percent, compared to 28 percent for PP&E.

In some ways, these results are not surprising.

Cyber insurance is a relatively new product, and while interest continues to increase, it will take time for the purchase rate to catch up with traditional insurances.

That said, the values at stake are enormous and as the report states, the likelihood of loss is higher for information assets than PP&E.

Another important takeaway from the survey is that business disruption has a much greater impact on information assets ($207 million) than on PP&E ($98 million).

This suggests the fundamental nature of probable maximum loss (PML) varies considerably for intangible assets vs. tangible assets, Ponemon says.

Business disruption represents 34 percent of the PML for information assets, compared to only 15 percent of the PML for PP&E.

A footnote states that while the survey results suggest PML in the neighborhood of $200 million, a growing number of companies are using risk analysis and modeling to suggest potential losses in excess of $500 million to over $1 billion and seek cyber insurance limit premium quotes and policy terms for such amounts.

More information on the growth in cyber insurance is available from the I.I.I. here.

Some 2,243 individuals involved in cyber and enterprise risk management at companies in 37 countries responded to the Ponemon survey.

A new report from across the pond points to a large gap in awareness when it comes to cyber risk and the use of insurance among business leaders of some of the UK’s largest firms.

Half of the leaders of these organizations do not realize that cyber risks can be insured despite the escalating threat, the report found.

Business leaders who are aware of insurance solutions for cyber tend to overestimate the extent to which they are covered. In a recent survey, some 52 percent of CEOs of large organizations believe that they have cover, whereas in fact less than 10 percent does.

Actual penetration of standalone cyber insurance among UK large firms is only 2 percent and this drops to nearly zero for smaller companies, according to the report.

While this picture is likely a result of the complexity of insurance policies with respect to cyber, with cyber sometimes included, sometimes excluded and sometimes covered as part of an add-on policy, the report says:

This evidence suggests a failure by insurers to communicate their value to business leaders in coping with cyber risk. This may, in part, reflect the new and therefore uncertain nature of this risk, with boards more focused on security improvement and recovery planning than on risk transfer. It nevertheless risks leaving insurance marginalized from one of the key risks facing firms.”

Senior managers in some of the UK’s largest firms were interviewed for the report published jointly by the British government and Marsh, with expert input from 13 London market insurers.

As a first step to raising awareness, Lloyd’s, the Association of British Insurers (ABI) and the UK government have agreed to develop a guide to cyber insurance that will be hosted on their websites.

Reuters has more on the report here.

Cyber attacks against businesses may dominate the news headlines, but recent events point to the growing number and range of cyber threats facing public entities and government agencies.

City officials yesterday confirmed that city and county computer systems in Madison, Wisconsin were being targeted by cyber attackers in retaliation for the shooting death of Tony Robinson, an unarmed biracial man, by a Madison police officer last Friday. A Reuters report says the cyber attack is thought to have been initiated by hacker group Anonymous.

Then on Sunday the website of Colonial Williamsburg was hit in a cyber attack attributed to ISIS. The attack targeted the history.org website and comes just a week after the living history museum offered to house artifacts at risk of destruction in Iraq.

Meanwhile, Florida’s top law enforcement agency is reported to be investigating testing delays in public school districts caused by cyber attacks on the Florida Standards Assessment (FSA) testing system.

And a recent cyber attack at multiple New York City agencies including the office of the NYC mayor recently took down computer systems for most of a day.

There are many more examples.

Given the large amounts of confidential data held by public entities and government agencies, it’s not surprising that they are a target for cyber attacks.

Last year data breaches in the government/military sector accounted for 11.7 percent of U.S. breach incidents, according to the Identity Theft Resource Center (ITRC).

A GAO report here points to the cyber security risk to Federal agencies and critical infrastructure.

In a viewpoint at American City & County blog, Robin Leal, underwriting director at Travelers Public Sector Services recently warned of the growing cyber risks facing public sector organizations.

Leal cited data from a survey at the 2014 Public Risk Management Conference and 2014 National Association of Counties (NACo) conference showing that public officials’ confidence in their cyber protections is alarmingly low.

Only 13 percent of respondents to the survey were “very confident” that their public entity has adequate protection against cyber threats.

As well as written policies and procedures to handle cyber threats, Leal said public entities should consider cyber insurance.

Only 10 percent of current public sector clients add cyber protections to existing insurance policies, and for the majority of new business submissions cyber insurance is not part of their current coverage, Leal noted.

Check out the I.I.I. white paper Cyber Risks: The Growing Threat.

Much hay is being made of an apparent decline in the number of identity theft victims and losses, amid an ongoing number of significant data breaches.

The headlines follow release of the 2015 Identity Fraud Study by Javelin Strategy & Research. The study found that there were 12.7 million identity fraud victims in 2014, down 3 percent from the near record high of 13.1 million victims in 2013.

At the same time, some $16 billion was stolen from fraud victims in 2014, an 11 percent decline from $18 billion in 2013. Javelin attributes the decrease to the combined efforts of industry, consumers and monitoring and protection systems that are catching fraud more quickly.

As we know, 2014 saw a number of major data breaches, notably from retailers Home Depot, Neiman Marcus, Staples and Michael’s as well as financial institutions such as JP Morgan Chase.

But lest you think that the swift response to data breaches has nullified the identity theft threat, think again.

Javelin found that two-thirds of identity fraud victims in 2014 had previously received a data breach notification in the same year. Also, individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.

Meanwhile, identity theft just topped the Federal Trade Commission’s (FTC) national ranking of consumer complaints for the third consecutive year, accounting for 13 percent of all complaints.

Government documents/benefits fraud (39 percent) was the most common form of reported identity theft, followed by credit card fraud (17 percent), phone or utilities fraud (13 percent), and bank fraud (8 percent), the FTC said.

Whether or not identity theft is caused by a data breach (remember, stolen laptops, wallets, dumpster diving, phishing scams are some of the most common causes of identity theft), or whether an individual even knows how their information was compromised (many don’t), it’s important to stay vigilant to this threat.

A 3 percent decline in identity fraud victims in one year isn’t much. As Al Pascual, director of fraud & security at Javelin notes:

Despite the headlines, the occurrence of identity fraud hasn’t changed much over the past year, and it is still a significant problem.”

Wondering if your homeowners insurance policy includes coverage for identity theft? Check out these useful tips from the I.I.I.

In what is being described as potentially the largest breach of a health care company to-date, health insurer Anthem has confirmed that it has been targeted in a very sophisticated external cyber attack.

The New York Times reports that hackers were able to breach a company database that contained as many as 80 million records of current and former Anthem customers, as well as employees, including its chief executive officer.

Early reports here and here suggest the attack compromised personal information such as names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

On a website – www.AnthemFacts.com — set up to respond to questions, Anthem noted that there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

Anthem said the breach was discovered on January 27 and that the company is fully cooperating with the FBI investigation. The health insurer has been praised for its initial response in promptly notifying the FBI after observing suspicious activity.

An FBI statement quoted in an LA Times article noted:

Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”

On the dedicated website, Anthem president and CEO, Joseph R Swedish, offered a personal apology to members. Anthem has also established a toll-free number – 1-877-263-7995 FREE – that both current and former members can call if they have questions related to the breach.

In 2014, the medical/healthcare sector accounted for 42 percent of data breaches – the largest among industry sectors – as reported by the Identity Theft Resource Center (ITRC).

In fact, breaches in the medical/healthcare industry have accounted for the largest percentage of data breaches by industry sector since 2012, which ITRC attributes primarily to the mandatory reporting requirement for healthcare breaches to the Department of Health and Human Services (HHS).

If the estimate of 80 million records compromised holds, this will put the Anthem data breach up there with recent mega breaches of 2014 such as eBay (145 million people affected), JP Morgan (76 million households and 7 million small businesses affected) and Home Depot (56 million unique payment cards).

While 2014 was dubbed the year of the mega breach, the Ponemon Institute recently warned that 2015 is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack.

As of January 27, 2015, some 455,377 records had been exposed in 64 breaches reported to the ITRC. This followed a record high of 783 U.S. data breaches exposing 85.6 million records tracked by the ITRC in 2014.

For an analysis of cyber risk and insurance, download this Insurance Information Institute (I.I.I.) white paper.

Measures and methods widely used in the financial services industry to value and quantify risk could be used by organizations to better quantify cyber risks, according to a new framework and report unveiled at the World Economic Forum annual meeting.

The framework, called “cyber value-at-risk” requires companies to understand key cyber risks and the dependencies between them. It will also help them establish how much of their value they could protect if they were victims of a data breach and for how long they can ensure their cyber protection.

The purpose of the cyber value-at-risk approach is to help organizations make better decisions about investments in cyber security, develop comprehensive risk management strategies and help stimulate the development of global risk transfer markets.

Among the key questions addressed by the cyber value-at-risk model concept are: how vulnerable are organizations to cyberthreats? how valuable are the key assets at stake? and, who might be targeting them?

The proposed framework is part of a new report, Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats, that was created in collaboration with Deloitte and the input of 50 leading organizations around the world.

As the report states:

The financial services industry has used sophisticated quantitative modeling for the past three decades and has a great deal of experience in achieving accurate and reliable risk quantification estimates. To quantify cyber resilience, stakeholders should learn from and adopt such approaches in order to increase awareness and reliability of cyber threat measurements.”

One potential option, it suggests, is to link corporate enterprise risk management models to perspectives and methods for valuing and quantifying “probability of loss” common to capital adequacy assessment exercises in the financial services industry, such as Solvency II, Basel III, albeit customized to recognize cyber resilience as a distinct phenomenon.

The report points out that the goal is not to provide a single model for quantifying risk. Indeed for cyber resilience assurance to be effective, it says participants need to make a concerted effort to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk:

A shared approach to modeling would increase confidence regarding organizational decisions to invest (for risk reduction), distribute, offload and/or retain cyber threat risks. Implicit is the notion that standardizing and quantifying such measures is a prerequisite for the desirable development and smooth operation of cyber risk transfer markets. Such developments require ERM frameworks to merge with insurance and financial valuation perspectives on cyber resilience metrics.”