Category Archives: Specialty Coverage

Small businesses need cyber insurance – just like everyone else.

Used to be, hackers would spend most of their time hitting big companies with deep pockets and troves of customer data.  

But the times have changed. Launching a hack is as cheap and as easy as never before. Because of this, lots of hackers are playing small-ball by going after small businesses.  

Their calculations make sense. A ransomware payout might only be a few hundred dollars, but if hackers can hit hundreds of businesses simultaneously, their ill-gotten loot adds up pretty quickly.  

Small businesses know they’re at risk. According to a recent Insurance Information Institute (I.I.I.) and J.D. Power 2018 Small Business Cyber Insurance and Security Spotlight Survey, 70 percent of surveyed businesses said that the risk of being victimized by a cyberattack is growing at an alarming rate.  

But only a minority have cyber insurance. Only 31 percent said they have cyber insurance – and 70 percent said they don’t have plans to purchase a policy. (Commercial cyber insurance varies across policies but will usually cover expenses incurred from a data breach, like lost revenue, legal costs, and crisis-management.) 

Meanwhile, we found that 10 percent of respondents said they have experienced at least one cyber incident in the prior year. To give you some perspective, that’s about the same rate as drivers get into auto accidents.  

Imagine getting into an accident and not having auto insurance. It’s an expensive proposition. The same goes for cyberattacks – we found that the average small business cyber losses for the past year were $188,400. That’s a lot of money for a small company to absorb.   

As hackers continue to get nimbler, the need for small businesses to have cyber insurance will grow. It’s incumbent on insurers to educate their business clients about the value of cyber coverage.  

And the value is there to see: 97 percent of our survey respondents who had cyber insurance and were hacked said that their coverage was good enough to make them whole again.  

Insurance plays critical role in World Cup

Soccer fans are eagerly anticipating the 2018 World Cup to commence in Russia on June 14.  The monthlong competition presents significant risks ranging from kidnapping, to cyberattack, to event cancellation, and without insurance it’s unlikely an event such as this could take place.

The London insurer Beazley, estimates that construction related risks are insured for $2.5 billion, event cancellation, including loss of TV rights and sponsorship, for $1.6 billion and terrorism and acts of violence for $1.3 billion. Star players are insured for injury for up to $200 million each.

“Without insurance there would be no World Cup, no Olympics or little organized competitive sport”,

said Michael Furtschegger, head of entertainment international at insurer Allianz Global Corporate & Specialty.

Marijuana in the Workplace: What Happens When Business Managers in Legal-Use States “Just Say ‘No’”?

By James Ballot, I.I.I. senior advisor, special content projects

The conversation about marijuana use has evolved. Once, in the not too distant past, we (meaning our appointed civic leaders, parents and other authority figures) had the luxury of taking an absolutist stance about weed. Fast-forward to today, and the discussion is mostly a constructive exchange between or among parties invested in positive outcomes, and willing to embrace wide-ranging points of view.

Marijuana users—particularly persons permitted lawful therapeutic use of cannabis—are both empowered and motivated to pursue legal protection from discrimination potentially caused by employer “zero tolerance” policies.

So, what’s an employer to do? In “Marijuana, the Workplace and EPLI – Clearing the Haze,” Mindy Pollack, J.D., Product Specialist and Vice President in Gen Re’s Treaty department, lays out a few hypotheticals to clarify the situation (i.e., legal use of cannabis by new hires and employees). She also identifies solutions like EPLI policies that offer coverage against claims, as well as guidance for how employers can tailor conduct bylaws to better fit the new realities as legal marijuana use becomes the norm.

In short, the courts are split on discrimination claims related to marijuana use. That leaves employers with no single answer when the marijuana question comes up. Add to that the variations in state laws and workplace scenarios, and you have even less clarity.

Small business and cyber insurance

Risk management services are an important way cyber insurance adds value for small businesses, according to a new I.I.I. paper.

In Protecting Against #Cyberfail: Small Business and Cyber Insurance, I.I.I. co-authors James Lynch and Claire Wilkinson say:

“The provision of these types of services is considered a growth area in the cyber market for SMBs, where price may be a barrier to insurance coverage in the first place. For larger companies, cyber-related risk management services may be offered at a discount or for free.

“For SMBs in particular, offering a risk management or training solution where they can learn more and keep themselves up-to-date on current threats is perhaps most valuable.”

Also heard at the Advisen Cyber Risk Insights Conference in NYC last week: part of the value proposition for SMBs is that cyber policies offer solutions, not just coverage.

Andy Lea, vice president underwriting for E&O, Cyber and Media, CNA, told the conference: “The value proposition is more prominent with SME and middle market companies that just don’t have resources available in-house to manage risks. This is an opportunity for brokers and carriers to add value.”

What cybersecurity measures do businesses have in place?

In the third week of National Cyber Security Awareness Month, Insurtech Insights newsletter by CB Insights gives a timely update on the cyber insurance market, and where startups are playing in this growing industry.

It notes the “tremendous opportunity” to sell cyber insurance to small businesses.

A recent Better Business Bureau study estimates that 15 percent of small businesses have cyber insurance. BBB Accredited Businesses are almost three times as likely to include cybersecurity insurance.

Fortunately, about nine out of 10 businesses reported to the BBB they have some cybersecurity measures in place, with the most common ones: antivirus; firewall; and employee education:

How to protect employees against harassment

What are companies doing to protect employees against harassment? This question has added weight after the October 8 firing of Harvey Weinstein by the board of Weinstein Co. following reports of sexual harassment complaints against him. Earlier firings at Fox News and Uber have also brought the issue into focus.

From MarketWatch: “Companies are increasingly buying insurance, including employment practices insurance to cover costs associated with employment lawsuits,” said David Yamada, a professor of law and the director of the New Workplace Institute at Suffolk University.”

Some insurers are also providing training materials for companies to teach their employees about sexual harassment in hope of avoiding it, Yamada added.

Per this 2016 Betterley report, more insurers are partnering with vendors to offer risk management services, such as training and education, consultation and outreach to insureds:

“EPLI value-added services remain an important part of the product when done right, offering employers access to tools that can truly make a difference in the frequency and the severity of claims—as well as the bad feelings that accompany employee/ employer disputes.”

Gross written premium for employment practices liability insurance (EPLI) increased to $2.1 billion in 2015, according to MarketStance data.

I.I.I. information on EPLI coverage is available here.

A first look at the Equifax cyber loss

$125 million. That’s the first estimate of the insurance industry loss due to the Equifax cyber breach published by Property Claim Services (PCS).

Per Artemis blog:

“PCS’ initial estimate of the insurance market impact due to the Equifax hack attack is $125 million, however the firm said that the economic impact to the credit giant is expected to be much larger.

“PCS noted that there are outstanding coverage issues which could reduce the likelihood of the Equifax cyber insurance loss reaching the $125 million estimate, so it could be revised down it would appear.”

Equifax’s specific cyber insurance policy could provide as much as $150 million of coverage, according to Artemis.

Launched in early September, the PCS Global Cyber service provides industry loss estimates for cyber risk loss events of at least $20 million worldwide. The Equifax hack was its first designated event and PCS has since designated its second global cyber loss event, the impact of the Petya/non-Petya malware attack on pharmaceutical giant Merck & Co in June.

Why music festivals are among the hardest risks to insure

Headed to a music festival this summer? It’s the insurance for these events, rather than the music, that is drawing the headlines.

From Bloomberg, via Claims Journal:

“Big events, those the caliber of Coachella and Bonnaroo, typically take on at least five kinds of insurance policies: cancellation, including terrorism coverage, general liability, umbrella policies, workers’ compensation, and business auto coverage.”

FiveThirtyEight asks: what’s the typical cost of cancellation insurance for a music festival? Bloomberg has the answer:

“Cancellation insurance will typically cost 1 percent to 1.5 percent of the overall cost of an event, as much as $150,000 for a $10 million festival.”

Unpredictable weather, the threat of terrorism, and the demographics of festival attendees, are some of the factors that make music festivals one of the hardest risks to insure.

From the Argo Global blog, a post by David Boyle, contingency class underwriter, offers this perspective on why: Without intervention, festivals are likely to disappear from insurers’ books:

“Festivals, which sometimes include dozens of acts, can’t often be rescheduled in the event of inclement weather unlike concerts or other live performances.”

And:

“Threats to festivals are not isolated to the increasingly unpredictable weather. Terrorism is now a very real threat to high profile events which often lack the security procedures of more permanent crowded places.”

Key takeaway:

“In our view, if the festival insurance market is to return to profitability, then intervention will have to come in the form of significantly increased pricing and, particularly for smaller events, improved risk mitigation processes.”

How do ransomware attacks impact cyber insurance loss ratios?

Another global ransomware attack, dubbed Petya, has disrupted operations at major firms across Europe and the United States.

More than 100 companies and organizations across various industries were affected, including shipping and transport firm AP Moller-Maersk, advertising firm WPP, law firm DLA Piper, Russian steel and oil firms Evraz and Rosneft, French construction materials company Saint-Gobain, food company Mondelez, drug giant Merck & Co, and Pennsylvania healthcare systems provider Heritage Valley Health System.

Today’s Insurance Information Institute Daily, via The Wall Street Journal, reports that the attack has exposed previously unknown weaknesses in computer systems widely used in the West.

The U.S. cyber insurance market grew by 35 percent from 2015 to 2016, based on recent reports.

From A.M. Best: U.S. property/casualty insurers wrote $1.35 billion in direct written premium for cyber insurance in 2016.

Overall, cyber insurance for the majority of companies was profitable and the direct loss ratio decreased by 4.5 percentage points to 46.9 percent in 2016, from 51.4 percent in 2015.

Ransomware attacks are part of the reason for the decline in the loss ratio, A.M. Best explains:

“The decline in direct loss ratio for 2016 is partially attributed to the majority of reported cyber-attacks being related to ransomware heists. In almost all ransomware cases, the losses were well below the deductible and a simple backup recovery resolved and remedied any negative long-term effect of the attacks.”

Read our earlier post on insurance for ransomware attacks.

Ransomware: Does Cyber Insurance Make Sense?

As organizations look to recover from the disruption caused by Friday’s massive global ransomware cyberattack, the value of cyber insurance, and other cybersecurity tools, just multiplied exponentially.

Security researchers at Kaspersky Lab recorded more than 45,000 attacks in 74 countries including the UK, Russia, Ukraine, India, China and Italy, the Guardian reports.

The UK’s National Health Service, French car manufacturer Renault, and Spain’s telecommunications giant Telefonica were among those hit by the so-called WannaCry ransomware, which locks up computer systems until the victims pay a ransom.

Cyber risk modeling firm Cyence estimates the average individual ransom cost from the attacks at $300, and the total economic costs from interruption to business at $4 billion, according to this Reuters report.

Kevin Kalinich, global head of Aon’s cyber risk practice, told Reuters:

“If you’re a hospital that turned away patients, if you’re a global delivery company that can’t send a package, or a telecom company in Spain, Russia or China, the financial statement impact from the business interruption is much larger than the $300 ransomware.”

Insurance coverage for ransomware (see earlier post), and other forms of extortion, is available under cyber insurance policies, or other types of policies that specifically cover cyber extortion.

An insured’s ransom payment following an attack is typically covered, subject to individual policy terms and conditions, according to this I.I.I. white paper.

Cyber policies also provide coverage for the costs of forensic investigation, restoring lost or corrupted data, legal expenses and business interruption.

Here are some of the considerations that go into the decision to purchase coverage.