Entries tagged with “Tech”.


The recent disclosure of a major data breach at retailer Home Depot has once again put the spotlight on the increasing vulnerability of businesses to cyber threats and the need for cyber insurance.

But companies are uncertain of how much insurance coverage to acquire and whether their current policies provide them with protection, according to a new report by Guy Carpenter.

It speculates that one of the roots of the uncertainty stems from the difficulty in quantifying potential losses because of the dearth of historical data for actuaries and underwriters to model cyber-related losses.

Furthermore, traditional general liability policies do not always cover cyber risk, Guy Carpenter says.

It notes that in the United States, ISO’s revisions to its general liability policy form consist primarily of a mandatory exclusion of coverage for personal and advertising injury claims arising from the access or disclosure of confidential information.

Though still in its infancy the cyber insurance market potential is vast, Guy Carpenter reports. It cites Marsh statistics estimating that the U.S. cyber insurance market was worth $1 billion in gross written premiums in 2013 and could reach as much as $2 billion this year.

The European market is currently a fraction of that, at approximately $150 million, but could reach as high as EUR900 million by 2018, according to some estimates.

Guy Carpenter also warns that cyber attacks are now top of mind for governments, utilities, individuals, medical and academic institutions and companies of all sizes, noting:

Because of increasing global interconnectedness and explosive use of mobile devices and social media, the risk of cyber attacks and data breaches have increased exponentially.”

Cyber attacks also present a set of aggregations/accumulations of risk that spread beyond the corporation to affiliates, counterparties and supply chains, it adds.

Check out the I.I.I. paper on this topic: Cyber Threats: The Growing Risk.

Companies large and small appear to have been targeted in what is being described as the largest known data breach to date.

As first reported by The New York Times, a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.

The NYT said it had a security expert not affiliated with Hold Security analyze the database of stolen credentials and confirm its authenticity.

The records, discovered by security experts Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.

According to Hold Security’s own report, the hackers didn’t just target large companies. They targeted every site that their victims visited:

With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

The NYT said so far the criminals have not sold many of the records online, but appear to be using it to send spam on social networks.

If ever there was a reason to research – and buy – cyber insurance, this would be it.

In its recently published paper Cyber Risks: The Growing Threat, the Insurance Information Institute (I.I.I.) notes that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.

Following the Target data breach and other high profile breaches, the I.I.I. said the number of specialist cyber insurance policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks.

It cited data from broker Marsh showing a 21 percent increase in the number of clients purchasing cyber insurance from 2012 to 2013. That growth is accelerating in 2014.

Meanwhile, a new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information.

According to the report’s authors:

The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies.”

It suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly-likely targets to better understand corporate preparedness and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

No industry sector is immune from cyber threats, and a round-up of recent headlines and reports underscores the increasing risk and cost businesses face.

Just this week, U.S. Treasury Secretary Jacob Lew urged financial institutions and firms to redouble their efforts against cyber threats and said information-sharing and collaboration among businesses and with government is key.

Speaking at a conference in New York, Secretary Lew noted that the consequences of cyber incidents are serious and our cyber defenses are not yet where they need to be:

Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more. In particular, it is imperative that firms collaborate with government agencies and with other firms. Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents. But this reluctance has to be put aside.”

Secretary Lew noted that some banks are already spending as much as $250 million a year to strengthen their cyber security. (Note: this is a cost borne by businesses).

Meanwhile, a new report from the New York attorney general’s office revealed that the number of reported data security breaches in the state more than tripled between 2006 and 2013, with some 22.8 million personal records of New Yorkers exposed in nearly 5,000 data breaches.

The cost to the public and private sectors in New York? In 2013 alone, upward of $1.37 billion, according to the report’s findings.

The Insurance Information Institute’s (I.I.I.) newly updated report Cyber Risks: The Growing Threat (of which I am a co-author) sheds light on the specialist cyber insurance policies developed by insurers to help businesses and individuals protect themselves from the cyber threat.

Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding rapidly in response to this fast-growing market need.

I.I.I. facts and stats on identity theft and cyber security are available here.

U.S. businesses are losing more financially from cybercrime, compared to their global peers, but are generally less aware of the cost, according to PWC’s 2014 Global Economic Crime Survey.

As cybercrime continues to increase in volume, frequency and sophistication, PWC’s findings suggest that U.S. organizations are more at risk of suffering financial losses in excess of $1 million due to cybercrime.

According to the study, some 7 percent of U.S. companies lost $1 million or more, compared to just 3 percent of global organizations.

In addition, 19 percent of U.S. organizations lost $50,000 to $1 million, compared to 8 percent of global respondents.

PWC doesn’t elaborate on the reasons for this discrepancy, but other studies have noted that the types and frequencies of attacks vary from country to country.

U.S. companies are also more likely to experience the most expensive types of cyber attacks, such as malicious insiders, malicious code, and web-based incidents, the research suggests.

Despite having more to lose, some 42 percent of U.S. companies were unaware of cybercrime’s cost to their organizations, compared to 33 percent of global respondents, according to PWC.

Yet, overall U.S. companies appear to have a greater understanding of the risk of cybercrime than their global peers.

PWC notes that U.S. organizations’ perception of the risks of cybercrime exceeded the global average by 23 percent.

Also, 71 percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent since 2011.

Hat tip to CNBC.com which reports on this story here.

Some 5,128 executives from 99 countries responded to the survey, of which 50 percent were senior executives of their respective companies. Some 35 percent represented listed companies and 54 percent represented organizations with more than 1,000 employees.

Two months after Target announced a massive data breach in which hackers stole 40 million debit and credit card accounts from stores nationwide and the rising costs related to the incident are becoming clear.

Costs associated with the Target data breach have reached more than $200 million for financial institutions, according to data collected by the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA).

Breaking out the numbers, CBA estimates the cost of card replacements for its members have reached $172 million, up from an initial finding of $153 million. CUNA has said the cost to credit unions has increased to $30.6 million, up from an original estimate of $25 million.

So far, cards replaced by CBA members and credit unions account for more than half (54.5 percent) of all affected cards.

In a press release, CBA notes that the combined $200 million cost does not factor in costs to financial institutions other than credit unions or CBA members, nor does it take into account any fraudulent activity which may have occurred or may occur in the future:

Fraudulent activity would push the cost of the Target data breach to the industry much higher, as consumers would not be held liable.”

A post over at the Wall Street Journal Corporate Intelligence blog points out that cyber attacks like these continue to be a drain on the wider economy.

It cites a study backed by computer security firm McAfee that last year estimated the total cost of cybercrime and cyber espionage to the United States at up to $100 billion each year.

Meanwhile, legal experts caution that companies need to take stock in the wake of the Target breach and make sure they have adequate insurance in place.

A post by Emily R. Caron in Media, Privacy and Beyond published by law firm Lathrop & Gage notes that fortunately Target appears to have a lot of insurance in place.

It cites reports suggesting that between cyber coverage and directors and officers (D&O) coverage, Target has $165 million in total limits, after self-insuring the first $10 million. (Hat tip to @LexBlogNetwork for highlighting this article)

However, The New York Times recently reported that total damages to banks and retailers could exceed $18 billion according to estimates by Javelin Strategy & Research.

In addition the NYT noted that nearly 70 lawsuits have already been filed against Target, many of them seeking class-action status.

As Caron notes in her article at Media, Privacy & Beyond, there is a big gap between $165 million and $18 billion.

Check out I.I.I. facts + statistics on ID theft and cyber security.

The fallout continues in the wake of the massive data breach at Target in which hackers stole 40 million debit and credit card accounts from stores nationwide between November 27 and December 15.

USA Today reports that so far three class-action lawsuits have been filed in the wake of the incident, seeking more than $5 million in damages. Two of the cases were filed in California and one in Oregon.

The same USA Today article reports that the Attorney General in at least four states – Connecticut, Massachusetts, New York and South Dakota – have asked Target for information about the breach, in what is regarded as the first step to a possible multi-state investigation into the breach.

Meanwhile, the Krebs on Security blog which broke the story of the Target breach last Wednesday December 18, reports that card accounts stolen in the breach are flooding the underground markets. Check out the latest reports here and here.

For anyone who shopped at Target during the breach period, the New York Times has a helpful Q&A on what you should do.

While latest studies indicate U.S. companies continue to improve their preparation for and response to a data breach, the security breach at Target highlights the vulnerability of major companies to this threat.

Both the organizational cost of a data breach and the cost per lost or stolen record declined last year, according to the 2013 Cost of a Data Breach study by the Ponemon Institute and Symantec.

The organizational cost of a breach declined from $5.5 million to $5.4 million and the cost per record from $194 to $188.

The Ponemon report also noted that while the cost of a data breach can vary widely because of the types of threats and data protection laws, the financial consequences are serious worldwide.

Check out I.I.I. facts and statistics on identity theft and cyber security.

More and more companies are using social media and many recognize the potential risks, but few have an adequate plan in place to manage those risks.

Two separate surveys point to the fact that as social media becomes even more widely used in the corporate setting, businesses need to properly assess and monitor the risks involved.

Chubb’s just-published 2013 Private Company Survey found that 68 percent of companies are using social media – up from 39 percent in 2010 – but only 12 percent are concerned that they will be sued for allegedly making defamatory posts.

Further, only 49 percent have a written social media usage policy for their employees, Chubb found.

Executives at 450 U.S. for-profit private companies were interviewed for the Chubb survey.

An earlier report from Grant Thornton LLP and the Financial Executives Research Foundation (FERF), found that some 71 percent of public and private company executives are concerned about the potential risks involved in the use of social media, but they believe the risks can be mitigated or avoided.

More than half (59 percent) of executives surveyed said their companies do not perform a social media risk assessment.

Also, two-thirds (66 percent) of respondents see their company’s use of social media increasing during the next 12 months, but only a third of respondents (36 percent) reported that their company has social media training.

As the report says:

The evaluation and monitoring of risk needs to be a key component of any organization’s social media strategy, and its importance cannot be overstated.”

More than 100 senior-level executives from public and private companies participated in the 2013 Social Media Risks and Rewards survey, which was conducted during May and June of this year.

Check out the I.I.I. paper Social Media, Liability and Insurance.

More insurance buyers are using mobile devices to begin their search for insurance coverage, though most complete their purchase offline, according to a study from Telmetrics conducted by Nielsen.

It reports that around half of insurance buyers begin the insurance research process on a mobile device, but 60 percent still use PCs in their purchase decision.

Ultimately, one out of four mobile insurance searches result in a conversion, and most (43 percent) make that conversion via a phone call to a local agent or to a company’s toll-free number.

The majority (80 percent) of insurance buyers using mobile devices search for auto insurance, followed by 38 percent for home insurance and 22 percent for health insurance.

A press release quotes Bill Dinan, president of Telmetrics:

Generating a 60-40 offline-online conversion split, insurance is a true multi-media engagement category that requires insurance marketers to meet a range of consumers’ search and conversion needs.

To aid mobile-driven conversions via calls, mobile insurance campaigns should prominently feature phone numbers and local agent office information for consumers to easily connect and make a purchase.”

The study also reveals that insurance buyers take a long time to consider their purchase and mobile is involved at every stage.

Nearly half of mobile insurance users take a month or longer to make a purchase and less than a quarter of insurance purchases happen within the day.

Hat tip to Insurance & Technology which reports on the findings here.

Supply chain and operational disruptions from cyber attacks may be a more severe potential threat to businesses than data and privacy exposures, according to a new report from Marsh.

In its latest risk management research briefing, Marsh notes that technology outages and software failures resulting in supply chain and operational disruptions can cause significant loss of income, increase operating expenses, and damage an organization’s reputation.

Marsh suggests businesses may be overlooking this threat and says the risk of an IT outage or software failure needs to be managed and addressed not just with insurance, but in a well-planned and effective risk management program.

The good news is that although cyber insurance policies have historically been triggered primarily by data breaches and hacking attacks, many now provide coverage for a broad range of technology failures and outages.

But Marsh adds that the purchase of cyber insurance should be just one part of a well-planned and effective risk management program that also includes policies and protocols to prevent and mitigate technology risks.

If unplanned, information technology (IT) outages are the most debilitating source of supply chain disruption, affecting 52 percent of companies responding to the Business Continuity Institute’s Supply Chain Resilience 2012 report.

In fact, IT outages outpaced all other sources of supply chain disruption, including severe weather events, transportation disruptions, and product contamination.

Business Insurance has more on this story.

The Wall Street Journal today reports on the shrinking size of the global digital camera market as the number of photos being snapped with smartphones rises exponentially.

Research cited by the WSJ via IDC suggests the global digital camera market may shrink to as little as 102 million units this year, compared with a peak of about 144 million in 2010, even as the global smartphone market has skyrocketed.

Meanwhile, some say that smartphone pictures taken by policyholders of their homes and vehicles are going to play an increasing role in the relationship between insurers and their customers.

An article in the latest edition of Visualize, a quarterly magazine by Verisk Insurance Solutions – Underwriting, makes just that point.

John Cantwell, vice president, marketing and business development, at Verisk, explains that huge volumes of data support the insurance industry, but only a tiny fraction of data records have any picture or image associated with the information.

The bottom line is that pictures contain valuable information and could be the next big insurance innovation if combined with mobile apps, Cantwell says.

While mobile apps developed to-date by insurers have offered functional capabilities, such as the ability to pay a bill or report a claim, or provided consumers with an optional sales channel in the form of a quoting app, Cantwell believes this is about to change.

For example, he suggests that the smartphone could offer an alternative to property insurance inspections:

Property inspections cost insurers about $100 million annually. You need to assess new methods to get the same information for less. Aerial imagery will soon be a viable alternative to exterior inspections, but if you need an internal inspection to complement an aerial image, how can you accomplish that without sending someone to the property? With smartphones.”

Verisk is currently developing mobile inspection applications designed to help insurance carriers connect with their customers and attract new customers. Such an innovation could also enable insurers to rate more accurately and help control fraud, Cantwell says.

We should mention that the easy-to-use I.I.I. home inventory app, Know Your Stuff – Home Inventory, has a feature that allows you to upload a photo of your property and possessions.

Other mobile apps harnessing pictures and insurance are sure to follow.