Entries tagged with “Cyber Risks”.


As if we needed another reminder of the rising threat of cyber attacks, the estimated EUR 50 million ($55 million) loss arising from a cyber fraud incident targeting Austrian air parts supplier FACC AG made us sit up and take notice.

As Bloomberg reports here, if the damages do indeed amount to $55 million this would be one of the biggest hacking losses by size.

Bloomberg also points out that the incident is made more intriguing because FACC is 55 percent owned by China-based AVIC.

It will take time for the details of this attack to emerge, but in a January 20 press release, FACC acknowledged that the target of the cyber fraud was the financial accounting department of FACC Operations GmbH.

The company also noted that its IT infrastructure, data security, IP rights and the group’s operational business are not affected by the criminal activities.

Further, FACC said the $55 million in damage was an outflow of “liquid funds”.

“The management board has taken immediate structural measures and is evaluating damages and insurance claims,” FACC added in its third quarter report.

According to this report by ComputerWeekly.com, the fact that FACC’s financial accounting department was targeted in the fraud is prompting speculation that the company was likely the victim of a so-called whaling attack, also known as business email compromise (BEC) and CEO fraud.

These sophisticated phishing attacks are when cyber criminals send fake email messages from company CEOs, often when a CEO is known to be out of the office, asking company accountants to transfer funds to a supplier. In fact the funds go to a criminal account.

Last year, the Federal Bureau of Investigation (FBI) described BEC fraud as an emerging global threat.

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, more than 7,000 U.S. companies have been targeted by such attacks with total dollar losses exceeding $740 million. If you consider non-U.S. victims and unreported losses, that figure is likely much higher.

The rising incidence of BEC and CEO fraud and its intersection with cyber insurance will form the topic of a future blog post.

Both the WEF Global Risks Report 2016 and the Allianz Risk Barometer 2016 have identified cyber attacks and incidents among the top risks facing business.

Find out more about cyber risks and insurance in the I.I.I. white paper Cyber Risk: Threat and Opportunity.

Cyberattacks are now the greatest risk to doing business in North America, according to the just-released World Economic Forum’s (WEF) Global Risks Report 2016.

In North America, which includes the United States and Canada, cyberattacks and asset bubbles were considered among the top risks of doing business in the region.

The WEF noted that in the United States, the top risk is cyberattack, followed by data fraud or theft (the latter ranks 7th in Canada, which is why it scores 50 percent in the table below).

The risks related to the internet and cyber dependency are considered to be of highest concern for doing business in the wake of recent important attacks on companies, the WEF observed.

WEF2016NorthAmericaTopRisks

On a global scale, cyberattack is perceived as the risk of highest concern in eight economies: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland, and the United States.

Public sector bodies in at least two of these countries have recently been disrupted by cyberattacks: the US Office of Personnel Management and the Japanese Pension service, the WEF noted.

Attempts to detect and address attacks are made harder by their constantly evolving nature, as perpetrators quickly find new ways of executing them. Businesses trying to match this speed in their development of prevention and response methods are sometimes constrained by a poor understanding of the risk, a lack of technical talent, and inadequate security capabilities.”

Defining clear roles and responsibilities for cyber risk within corporations is crucial, the WEF noted.

Who in the corporation is the actual owner of the risk? While there are many “C” level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management.”

Outdated laws and regulations also inhibit the ability of governments to capture criminals, but also to expedite the often lengthy procedure of implementing legal and regulatory frameworks to reflect evolving realities.

Check out the Insurance Information Institute’s latest report on cyber risks here.

As we get ready to ring out the old and ring in the new, we wanted to share with you our most popular posts in 2015.

Our most-read posts here at Terms + Conditions illustrated how interested our readers are in the advancing technology landscape and its impact on the insurance industry. Self-driving cars, cyber insurance and the sharing economy were all featured among the top 10 posts during the year.

In Self-Driving Cars — With or Without You? we recounted a Time.com writer’s chauffeured ride by a prototype Audi from Silicon Valley to Las Vegas for last year’s Consumer Electronics Show. Self-driving vehicles are no longer a thing of the future, we wrote, and this has evolving implications for insurers.

Our post Cyber Business Interruption Risk Often Underestimated reported on a study by Allianz warning that the impact of business interruption (BI) from a cyber attack is a risk that is often underestimated. It predicted that BI costs could be equal to—or even exceed—direct losses from a data breach.

The growing appetite for cyber insurance among small and mid-sized companies was another popular post.

Two of our most-read posts during 2015 also revisited the impact of Obamacare on workers compensation insurance.

In case you missed them, here’s a complete list of our top 10 posts from the year:

  1. Self-Driving Cars – With or Without You?
  2. WCRI Looks At Impact of Affordable Care Act on Workers Comp
  3. A Revisit: Impact of Obamacare on Workers Comp
  4. Cyber Business Interruption Risk Often Underestimated
  5. More Small and Mid-Sized Companies Buying Cyber Insurance
  6. Cyber Value-At-Risk
  7. Homeowners Claims: A Picture of Volatility
  8. Cyber Losses vs. Property Losses
  9. One Ruling, but Uber Impact
  10. Litigation Trends and the Class Action Factor

Thanks for following. We wish all our readers a happy and healthy new year!

Suffering shopper fatigue? With Black Friday in full swing and Cyber Monday imminent, the biggest online shopping days of the year are upon us, but for businesses trying to see off cyber attacks, fatigue can be a danger at any time of the year.

The just-released annual global fraud survey by Kroll—which found that incidence of fraud, including information theft, is at its highest level in eight years—warns that cyber fatigue is real, but not an excuse for inaction.

It’s easy to become fatigued at the thought of cyber security. With so many things to do and to learn, you can lose sight of the benefits. If the process does become too overwhelming, remember this: Each step your company takes to protect itself makes it that much more difficult for attackers. They will move on to an easier target—one without as much security in place.”

Information theft was identified as being of particular concern among the 768 senior executives worldwide polled for the fraud survey.

More than half of executives (51 percent) believe their businesses are highly or moderately vulnerable to information theft risks such as cyber incidents, according to Kroll’s analysis.

The good news is that this increased awareness level has led to an increase in the number of companies proactively looking after their cyber security stance.

Some two-thirds (67 percent) of companies report that they regularly conduct data and IT infrastructure assessments, and a majority (60 percent) regularly conduct data and IT infrastructure assessments.

Some 60 percent also report they have an up-to-date information security incident response plan and 59 percent have tested it in the past six months, an increase on the previous survey.

Another interesting takeaway: while media attention is focused on external cyber threats to companies, the report findings tell a different story.

Of those companies that have fallen victim to information loss, theft or attack over the past 12 months, the most common cause was employee malfeasance–involved in 45 percent of cases, according to Kroll. Vendor/supplier malfeasance was also involved in 29 percent of cases.

By comparison, only a small minority of cases involved an attack by an external hacker on the company itself (2 percent) or on a vendor/supplier (7 percent).

For information on how insurance can help businesses protect themselves from the cyber threat, check out I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

I.I.I. facts and statistics on cybercrime and identity theft are available here.

 

There are many factors that can affect a company’s credit ratings and it appears that cyber risk is moving up a notch in importance in corporate credit analysis.

In a new report, ratings agency Moody’s Investors Service said it views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event.

Moody’s reports:

While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”

According to the report, “Cyber Risk of Growing Importance to Credit Analysis,” assessing how prepared an issuer or organization is for a cyber threat presents challenges, owing to the complexity of the problem.

Moody’s identifies several key factors to examine when determining a credit impact associated with a cyber event, including: nature and scope of the targeted assets or businesses; the duration of potential service disruptions; and the expected time to restore operations.

On a positive note, more cyber security expertise is being added to boards and trustee governance in response to the growing cyber threat.

A press release cites Jim Hempstead, Moody’s associate managing director and lead author of the report:

We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”

Moody’s said industries housing significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies are at greatest risk of a large-scale data breaches resulting in serious reputational and financial damage.

Critical infrastructure sectors such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could result in large-scale service disruption, causing substantial economic—and possibly environmental—damages to sovereign, state and local governments or utilities.

However, Moody’s believes this type of attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.

Hat tip to Reuters for its article here.

Check out the I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

There’s a lot of buzz around the Internet of Things (IoT), not least with latest forecasts from Gartner suggesting that 20.8 billion connected things will be in use worldwide by 2020.

Already the estimated number of connected things in 2016—6.4 billion, according to Gartner—is a 30 percent increase on 2015. In fact 5.5 million new things will get connected every day in 2016, Gartner predicts.

A press release notes:

Aside from connected cars, consumer uses will continue to account for the greatest number of connected things, while enterprise will account for the largest spending.”

Gartner estimates that 4 billion connected things will be in use in the consumer sector in 2016, and will reach 13.5 billion in 2020. (Hat tip Canadian Underwriter for its report here)

Numerous analysts have pointed to IoT’s power to transform the insurance industry.

In this Deloitte QuickLook blog post, Sam Friedman writes that IoT will likely accelerate the vast amounts of data available to insurers as Web-connected sensors become the norm.

For example, telematics for usage-based auto insurance can provide carriers with 24/7 updates about where, when and how fast an insured travels, as well as assessing their turning and braking habits, traffic navigation skills and response time.

This same IoT technology has applications in a number of other coverages in personal, life and health and commercial insurance, Friedman writes.

Another example is “smart” homes which will allow homeowners to monitor their property, its security and elements like heating remotely. Insurers could provide loss control advice to minimize threats and perhaps take action to secure insured properties, he suggests.

And in this Accenture blog post, Daniele Presutti writes about how IoT will change how insurance is sold and who sells it. He predicts an increasing presence in the insurance business by tech-savvy competitors, such as Google and Amazon.

But it’s not all bad news, he writes:

As people, homes, organizations and even cities become increasingly interconnected, an array of new opportunities will emerge. Smart and agile insurance companies will be able to take advantage of the IoT to launch new products, with new customers and capture new markets. These companies will be the Insurers of Things. For them the possibilities will be huge.”

Read more about how insurers are innovating along with the evolution of IoT in our latest paper Cyber Risks: Threat and Opportunities.

 

Broker Willis has just published its commercial insurance rate predictions for 2016.

What’s the outlook for insurance buyers?

Overall, the property/casualty insurance market continues to soften and Willis predicts further softening ahead, fueled by relatively benign losses and an oversupply of capacity from traditional and non-traditional sources.

For 2016, 10 lines of insurance—property, casualty, aviation, energy, health care professional, marine, political risks, surety, terrorism and trade credit—are expecting decreases.

In contrast, just five lines of insurance—cyber, employee benefits, errors & omissions (E&O), fidelity and kidnap & ransom—are expecting increases.

The main exception to the overall softening trend is in cyber and E&O insurance, Willis reports, where the growing threat of cyber intrusion and data theft is sending rates upward.

By how much?

For retailers with POS (point-of-sale) exposures and large health care companies, rate increases are up to an eye-opening 150 percent at renewal, with additional increases on excess layers.

In fact most buyers of cyber insurance are seeing primary premium increases of up to 15 percent, Willis says. For smaller organizations (with revenues less than $1 billion) lower premium increases are typical.

What about terms and conditions?

Willis observes that underwriting requirements continue to rise and cyber insurers are also increasing retentions, reducing capacity and exiting certain sectors.

Despite the reduction in capacity by some carriers, available limits in the cyber marketplace are around $350 million to $400 million.

Willis also predicts the marketplace for first-time buyers of cyber insurance (except for POS retailers and large healthcare organizations) will continue with relatively favorable terms, conditions and pricing.

Willis offers this single piece of advice to buyers of cyber insurance:

In approaching the markets, be ready to identify key investments in security and privacy protections over the past policy year that will help differentiate you from your peers.”

The I.I.I.’s new paper Cyber Risks: Threat and Opportunities sheds more light on the rapidly evolving market for cyber insurance.

The Internet of Things (IoT) is expanding rapidly—even permeating the minds of five-year olds.

My own Kindergartener’s query from the back of the car during a routine drive to swim class the other day is a good example:

“Mummy, how did God know to create all these things that we need?” As I paused to consider the appropriate response, he answered for me: “You can just ask Siri, or Google it.”

Just how far we’ve come in our technological transformation is reflected by the development of innovative insurance products to cover the associated—and growing—risk.

A new white paper from the Insurance Information Institute (I.I.I.) Cyber Risk: Threat and Opportunity which I co-authored with I.I.I. president Dr. Robert Hartwig, offers us a glimpse of how cyber insurance has evolved as a product since the mid- to late-1990s.

From a coverage that has its origins in the so-called “Y2K” or Millennium bug that prompted fears the Year 2000 date change would cause widespread computer failure, cyber coverage in the U.S. took off in response to the enactment of numerous privacy and data breach notice laws across the country.

More than 60 insurance carriers now offer stand-alone cyber insurance policies, the I.I.I. says, and interest in this coverage continues to grow following numerous high profile data breaches. Broker Marsh estimates the U.S. cyber insurance market was worth over $2 billion in gross written premiums in 2014.

And while there are many guesstimates out there, PwC suggests the global cyber insurance market could grow to at least $7.5 billion in annual premiums by the end of the decade. PwC also suggests insurers need to move quickly to innovate before a disruptor such as Google enters the market.

No business or industry is immune from the cyber threat. Our paper takes a look at where the threats are coming from and the challenges that cyber insurers face writing this coverage given the rapidly evolving nature of cyber attacks.

How insurers manage these risks while creating products for this multi-billion market opportunity as the legal and regulatory landscape becomes more defined will determine how best we all are protected from cyber risks in the years to come.

A poll of board directors and executives from Forbes Global 2000 companies finds that cybersecurity is being taken much more seriously in the boardroom these days, as is cyber insurance.

Nearly two-thirds (63 percent) of respondents to the study developed by the Georgia Tech Information Security Center (GTISC) say they are actively addressing computer and information security, up from 33 percent in 2012.

There has also been a significant shift in the number of boards reviewing cyber insurance. Nearly half (48 percent) of respondent boards were reviewing their company’s insurance for cyber-related risks, compared with just 28 percent in 2012.

However, the 2015 survey suggests there may be confusion over what type of insurance to purchase or appropriate coverage limits. Only about half of the respondents (47-54 percent) indicated that they had quantified their business interruption and loss exposure from cyber events.

Almost all boards (90 percent) are reviewing risk assessments, and an increasing number of them (53 percent) are hiring outside experts to assist on risk issues. Interestingly, the highest degree of attention was being paid to cyber risks associated with supplier relationships.

The survey, which was supported by Forbes, the Financial Services Roundtable (FSR), and Palo Alto Networks, found that some of the biggest improvements over time have been organizational.

For example, the majority of boards (53 percent) have established a risk committee, separate from the audit committee, with responsibility for oversight of cyber risk. In 2008, just 8 percent of boards had this in place.

The financial sector far exceeds other industry sectors with 86 percent having a board risk committee separate from the audit committee, followed by the IT/Telecom sector at 43 percent.

Another positive sign? Boards are now placing much more importance on risk and security experience when recruiting board directors, with 59 percent saying their board had a director with risk expertise, and nearly one quarter (23 percent) one with cybersecurity expertise.

Something to bear in mind: the response rate to the 2015 survey was low – with results received from just 6 percent, or 121 respondents at the board or senior executive level at 1,927 Forbes Global 2000 companies.

Corporate data breaches and privacy concerns may dominate the headlines, but a new report by Allianz Global Corporate & Specialty makes the case that future cyber threats will come from business interruption (BI), intellectual property theft and cyber extortion.

The impact of BI from a cyber attack, or from operational or technical failure, is a risk that is often underestimated, according to Allianz.

It predicts that BI costs could be equal to—or even exceed—direct losses from a data breach, and says that business interruption exposures are particularly significant in sectors such as telecoms, manufacturing, transport, media and logistics.

Vulnerability of industrial control systems (ICS) to attack poses a significant threat, Allianz says.

To-date, there have been accounts of centrifuges and power plants being manipulated, such as the 2012 malware attack that disabled tens of thousands of computers at oil company Saudi Aramco, disrupting operations for a week.

However, the damage could be much higher from security sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.

Business interruption can also be caused by technical failure or human error, Allianz notes.

For example, in July 2015, stocks worth $28 trillion were suspended for several hours on the New York Stock Exchange due to a computer glitch, and that same month 4,900 United Airlines flights were impacted by a network connectivity issue.

As a result, Allianz believes that within the next five to 10 years BI will be seen as a key risk and a major element of the cyber insurance landscape.

It points out that in the context of cyber and IT risks, BI cover can be very broad including business IT computer systems, but also extending to ICS used by energy companies or robots used in manufacturing.

Allianz currently estimates the cyber insurance market is worth around $2 billion in premium worldwide, with U.S. business accounting for around 90 percent of the market. However, the cyber market is expected to experience double-digit growth year-on-year and could reach in excess of $20 billion in the next 10 years.

The Allianz Cyber Risk Guide is available here.

Check out I.I.I. facts and statistics on cybercrime here.