The House Financial Services Committee on October 31 approved an amended version of the Terrorism Risk Insurance Program Reauthorization Act of 2019 that would require the Government Accountability Office (GAO) to report on cyberterrorism risks and the Department of Treasury to issue a biennial report that includes “disaggregated data on places of worship.”
The Terrorism Risk Insurance Act of 2002 (TRIA), approved after the 9/11 terrorist attacks in New York City and Washington, D.C., provided a backstop to encourage insurers to resume writing terrorism policies. After 9/11, primary insurers sought to explicitly exclude terrorism coverage from their commercial policies, and reinsurers became unwilling to assume risks in urban areas perceived as vulnerable to attack.
TRIA created the Terrorism Risk Insurance Program (TRIP), a federal loss-sharing program for certain insured losses resulting from a certified act of terrorism. TRIP provides a backstop for insurers and has to be periodically reauthorized. It is currently due to expire at the end of 2020.
In addition to the reporting requirements mentioned above, the amended legislation shortens the extension period from 10 years.
The bill says the cyber report should analyze the general vulnerabilities and potential costs of cyberattacks on the nation’s infrastructure and reach conclusions about whether cyberrisk, particularly cyberliabilities, under property/casualty insurance, can be sufficiently covered and adequately priced.
The insurance industry has praised the progress of the extension as well as the proposed studies of cyber exposures. The next step toward TRIA reauthorization is a floor vote in the House of Representatives.
Panelists recalled how, in the early days of cyber, insurers often sought more information to write policies than clients could (or wanted to) provide. So, they started asking for less.
Most attendees remembered the “old days.” Many nodded. They understood.
The awkwardness came when one audience member observed that insurers “still chase market share” despite lacking complete policyholder risk information. “That sounds a lot like mortgage-backed securities before the financial crisis!”
Are cyber insurers falling down on the job, as many say lenders, regulators, rating agencies, and investors did before the 2008 financial crisis and subsequent recession?
The analogy may sound fair, but it falls apart on examination.
Mortgages and the financial crisis
In the early 2000s, it was easy to get a mortgage. Lenders would bundle loans to be sold as mortgage-backed securities. The theory: Few people would stop making payments and risk losing their homes. The rest would pay, and the security would deliver a fair return.
This made sense when lenders did their job. But too many abandoned their standards. Because they could sell them, lenders had no stake in whether the mortgages were paid.
Regulators and rating agencies, it has been argued, didn’t ask enough questions about the securities the loans supported. This gave investors more confidence than the investments warranted. When loans that should never have been made in the first place defaulted, the resulting dislocation of the homebuying and financial markets ushered in the Great Recession.
Where the analogy breaks down
Cyber insurers understand the risks they’re taking and price their policies accordingly. In fact, a recent I.I.I./J.D. Power survey found two of the top four reasons small companies choose not to buy cyber coverage are that it costs too much and contains too many exclusions.
Unlike the lenders and borrowers and investment banks in the early oughts, insurers have skin in the game. If they write bad business, they can’t simply pass it along to some naïve investor.
They also have a stake in customer relationships. They aren’t pushing policies, pricing them to sell, and hoping for the best. They’re working with clients to understand and address the clients’ vulnerabilities.
Seventy percent of small companies that bought cyber said their insurer helps with risk mitigation (up from 65 percent last year), according to the I.I.I./J.D. Power survey. At the Advisen event, I heard insurers and policyholders discussing how they can address these perils. Policyholders clearly wanted insurers to do more than write policies and pay claims, and the insurers were listening.
Conversations like these, and the spirit of transparency and shared responsibility they reflect and promote, are essential to staving off and mitigating the impact of cyberattacks. Insurers and insureds, together, are visibly seeking solutions to a real and growing problem.
The people behind the financial crisis quietly created problems in pursuit of opportunities, studiously unmindful of the collateral damage they were generating.
Smaller businesses seem to be getting the message that cyber risk isn’t just something for big companies to worry about; nevertheless, many still balk at buying cyber insurance, according to a new survey from the Insurance Information Institute (I.I.I.) and J.D. Power.
The 2019 Small-Business Cyber Insurance and Security Spotlight found that 12 percent of survey respondents experienced at least one cyber incident in the past year, up from 10 percent in 2018. Nearly 71 percent said they are “very concerned” about cyber incidents, up from 59 percent, and 75 percent said they believe the risk of being attacked is growing at an alarming rate, up from 70 percent last year.
Respondents with cyber insurance increased this year, to 35 percent from 31 percent; but of the 44 percent who said they don’t have cyber coverage and the 21 percent who didn’t know if they do, 64 percent said they don’t plan to buy it in the next 12 months.
Why the hesitation?
Why are many smaller firms so reluctant to insure against a threat they recognize to be real and growing?
The top two reasons given were: cost (42 percent) and the belief that the companies’ risk profiles don’t warrant coverage (35 percent). Twenty-seven percent said they believe they handle cyber risk sufficiently well internally, and 17 percent cited “too many exclusions” as a reason for not buying coverage. For the non-insurers in the audience, “exclusions” are provisions in an insurance agreement that limit the scope of coverage.
So, in other words, two of the top four reasons cited by insureds for not buying cyber coverage – cost and exclusions – are within insurers’ control.
As David Pieffer, head of J.D. Power’s property and casualty insurance practice, put it:
“Given small companies’ growing awareness and concerns about cyberrisk, insurers and agents and brokers might be able to increase their overall support of this market by addressing the issues of affordability and coverage limitations that seem to be an obstacle to purchasing.”
Risk-mitigation support may help
Closely related to cost is the question of value. What do insureds get for their premium dollar?
Among the respondents with cyber coverage, 70 percent said their insurer helps with cyberrisk mitigation, up from 65 percent in 2018. Fifty-one percent said their insurer offers contingency planning for data breaches, up from 40 percent, and 53 percent said their insurer will assess their vulnerability to data breaches, up from 51 percent.
“We’re seeing more insurers work with commercial customers to mitigate risks – in particular, with small and mid-size businesses,” said Sean Kevelighan, I.I.I. president and CEO. “We know many of the large cyber incidents can be sourced back to a smaller business or vendor, and, thus, it’s increasingly critical to assist in loss prevention measures that can make the customer more resilient, while also reducing claims and damages.”
It’s hard to say based on the data, but perhaps such insurer involvement plays as significant a role in small companies’ increased adoption of cyber insurance as does their growing anxiety about cyber perils. As companies increasingly see cyber insurers as trusted risk-management partners – not just writers of policies and payers of claims – perhaps take-up rates will accelerate.
Underwriting cyberrisk is beyond difficult. It’s a newer peril, and the nature of the threat is constantly changing – one day, the biggest worry is identity theft or compromise of personal data. Then, suddenly it seems, everyone is concerned about ransomware bringing their businesses to a standstill.
Now it’s cryptojacking and voice hacking – and all I feel confident saying about the next new risk is that it will be scarier in its own way than everything that has come before.
This is because, unlike most insured risks, these threats are designed. They’re intentional, unconstrained by geography or cost. They’re opportunistic and indiscriminate, exploiting random system flaws and lapses in human judgment. Cheap to develop and deploy, they adapt quickly to our efforts to defend ourselves.
“The nature of cyberwarfare is that it is asymmetric,” wrote Tarah Wheeler last year in a chillingly titled Foreign Policy article, In Cyber Wars, There Are No Rules. “Single combatants can find and exploit small holes in the massive defenses of countries and country-sized companies. It won’t be cutting-edge cyberattacks that cause the much-feared cyber-Pearl Harbor in the United States or elsewhere. Instead, it will likely be mundane strikes against industrial control systems, transportation networks, and health care providers — because their infrastructure is out of date, poorly maintained, ill-understood, and often unpatchable.”
This is the world the cyber underwriter inhabits – the rare business case in which a military analogy isn’t hyperbole.
We all need data — you share first
In an asymmetric scenario – where the enemy could as easily be a government operative as a teenager in his parents’ basement – the primary challenge is to have enough data of sufficiently high quality to understand the threat you face. Catastrophe-modeling firm AIR aptly described the problem cyber insurers face in a 2017 paper that still rings true:
“Before a contract is signed, there is a delicate balance between collecting enough appropriate information on the potential insured’s risk profile and requesting too much information about cyber vulnerabilities that the insured is unwilling or unable to divulge…. Unlike property risk, there is still no standard set of exposure data that is collected at the point of underwriting.”
Everyone wants more, better data; no one wants to be the first to share it.
As a result, the AIR paper continues, “cyber underwriting and pricing today tend to be more art than science, relying on many subjective measures to differentiate risk.”
Anonymity is an incentive
To help bridge this data gap, Verisk – parent of both AIR and insurance data and analytics provider ISO – yesterday announced the launch of Verisk Cyber Data Exchange. Participating insurers contribute their data to the exchange, which ISO manages – aggregating, summarizing, and developing business intelligence that it provides to those companies via interactive dashboards.
Anonymity is designed into the exchange, Verisk says, with all data aggregated so it can’t be traced back to a specific insurer. The hope is that, by creating an incentive for cyber insurers to share data, Verisk can provide insights that will help them quantify this evolving risk for strategic, model calibration, and underwriting purposes.
“We went out again. We got maybe six steps before lights blared in our faces. It had crept up, big wheels barely turning on the gravel. It had been lying in wait and now it leaped at us, electric headlamps glowing in savage circles, the huge chrome grill seeming to snarl.”
When Stephen King wrote Trucks – a tale of big rigs, pickups, and earth movers coming suddenly to life and terrorizing people they had trapped in a diner – he didn’t speculate about how or why they’d been incited to malevolence. Aliens? The Soviets? Who cared? It was the 1970s, and all he needed to do was deliver a solid horror yarn.
I loved that story when I read it in high school – mainly because it scared the daylights out of me and yet I knew for sure it couldn’t happen. Could it? Nah!
Today I read an article about “platooning”, in which “a lead vehicle wirelessly assumes control over the throttle and braking of one, two, or more vehicles following along behind it. In many scenarios, the drivers in a platoon continue to steer their vehicles and can disengage from the convoy at any time, but the first vehicle determines the speed and braking maneuvers of the entire platoon. Because the follower trucks maintain constant communication with the lead vehicle and have synchronized acceleration and braking, platooning trucks can maintain much shorter distances between themselves as they travel.”
Bam! I was right back in that 1970s diner inside Stephen King’s warped, brilliant, and quite possibly prophetic brain.
From there I time traveled forward to Bastille Day 2017 in Nice, France, where 84 people were killed when a radicalized individual plowed a 20-ton truck into a crowd waiting to watch a fireworks display. The previous December, CNN reminded me, 12 people were left dead and 48 injured when a tractor trailer was driven into a Berlin Christmas market.
“Platooning, which is based on vehicle-to-vehicle (V2V) communications, has been shown to increase the fuel efficiency of both the lead and following vehicles, saving fleet operators money and reducing carbon dioxide emissions,” the article in Verisk’s Visualize insurance news and thought leadership site tells me comfortingly. It cites a German pilot program in which truck platooning generated fuel savings of 3 to 4 percent. Platooning could lead to huge cost savings for businesses and consumers.
“When Harold Sumerford’s phone rang at 2:30 a.m. on April 2, he knew the news couldn’t be good. But he figured it was probably the safety department – not the CFO telling him the company’s entire computer system was down from a ransomware attack.”
Sumerford is CEO of J&M Tank Lines. According to the article, it took four days for his company to begin functioning after the attack, “and during those four days, they weren’t able to bill any customers or enter anything into the system.”
Granted, this is a far cry from having the entire fleet go on a murderous rampage, but the Internet of Things is still young. It hasn’t been long since researchers demonstrated that they could remotely do everything from altering a big rig’s instrument panel to triggering unintended acceleration or disabling brakes.
“These trucks carry hazardous chemicals and large loads,” Bill Hass, one of the researchers from the University of Michigan’s Transportation Research Institute, told Wired. “If you can cause them to have unintended acceleration…I don’t think it’s too hard to figure out how many bad things could happen with this.”
J&M’s experience, according to Today’s Trucking, was “just one example of a rapidly growing problem with cybersecurity in the trucking industry. Transportation and logistics companies are now among the top-targeted industries by computer hackers.”
According to an article in ZDNet published just a few weeks ago, “Hackers are deploying previously unknown tools in a cyberattack campaign targeting shipping and transport organisations with custom trojan malware. Identified and detailed by researchers at Palo Alto Networks’ Unit 42 threat intelligence division, the campaign has been active since at least May 2019 and focuses on transportation and shipping firms operating out of Kuwait in the Persian Gulf.”
This as everyone I know seems to be panting with enthusiastic anticipation for vehicles that drive themselves!
Look, I’m no Luddite. I appreciate the benefits offered by and realized through interconnectivity.
But I also have a front row seat observing the difficulties people who assess and quantify risk for a living experience in getting and keeping their heads around the ever-changing world of cyberrisk. As data and “stuff” become increasingly intertwined and the risks surrounding them are less clearly defined, is it so unreasonable to suggest that pushing humans out of the driver’s seat at this moment isn’t the only or best path to traffic safety, low prices, and reducing our collective carbon footprint?
By Loretta Worters, Vice President, Media Relations, Insurance Information Institute
Despite a never-ending cycle of cyber breach headlines, individuals continue to be underprepared for even the most common cyber exposures. According to Chubb’s third annual Cyber Risk Survey, which examined individuals’ comprehension of cyberrisk and the steps they are taking to protect themselves, complacency seems to have taken hold: eight in 10 Americans continue to be concerned about a cyber breach, yet only 41 percent use cybersecurity software and only 31 percent regularly change their passwords. These numbers are virtually unchanged from 2018.
According to Chubb’s survey, individuals don’t recognize the value of individual pieces of personal data. For example, just 18 percent of respondents are concerned about their email addresses being compromised. Similarly, only 27 percent of respondents cite concern about their medical records being breached.
The UK’s National Cyber Security Centre (NCSC), which analyzed passwords belonging to accounts worldwide that had been breached, bears the Chubb survey out. The NCSC notes that several combinations of numbers made up the top 10, while “blink182” was the most popular musical artist and “superman” the most common fictional character. But “123456” was the most common password, with 23.2 million accounts using the easy-to-decipher code. “123456789” was used by 7.7 million, while “qwerty” and “password” were each used by more than 3 million accounts.
Chubb survey results indicate that a consistently large portion of older respondents employ better cyber practices than younger generations. Per the survey, 77 percent of those 55 years and older delete suspicious emails, compared to half (55 percent) of respondents between 35 and 54 and just a third (36 percent) of respondents between 18 and 34. Similar patterns arise when looking at those enrolled in cybersecurity monitoring services: 53 percent of respondents over 55 are enrolled in a cybersecurity monitoring service. But this same service is used by only 1 percent of respondents between 35 and 54 and just 29 percent between 18 and 34.
More concerning is that the behavior of younger generations appears to be getting worse, the Chubb report noted. For example, 76 percent and 74 percent of adults over 55 regularly deleted suspicious emails in 2017 and 2018, respectively, as compared to just 47 percent and 40 percent of adults between 18 and 34 during the same time period.
In most narratives, it’s the younger generation teaching older generations about the latest internet trends. When it comes to cyber safety, however, it’s clear that the tables have turned. The first lesson older generations should impart? The importance of talking with an independent agent and broker about coverage for a cyber-related incident.
Without it, in the event of a hack or breach that leads to a financial loss, individuals could be left without a safety net in place. In some cases, policies will also cover incident response expenses, including legal services, reputation management, and mental and emotional pain diagnosed by a physician.
October is National Cybersecurity Awareness Month (NCSAM), a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. This year’s NCSAM will emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. This year’s overarching message – Own IT. Secure IT. Protect IT. – will focus on key areas including citizen privacy, consumer devices, and ecommerce security.
This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.
The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.
Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.
“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”
The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”
The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”
As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.
Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.
Fans of Game of Thrones are getting ready to learn the fate of their favorite characters when the final season of the show starts airing on HBO on April 14th. At the same time, security experts are warning that cyber-crooks are ready to take advantage of the show’s popularity to attack people’s computers.
The huge popularity of the show makes illegal download sites, where users can view episodes without the required subscriptions, popular distribution points for malware. In 2018 Game of Thrones accounted for 17 percent of all infected pirated content, according to Kaspersky Labs, even though no new episodes aired on TV over that time. This suggests that the coming premiere could be the most dangerous time to be downloading the torrents.
According to Kaspersky, the most popular kind of attack via pirated content was a trojan, a piece of software that is installed on a computer and allows the hacker to take control of that device.
The good news is that, overall, the prevalence of TV show-related malware has been declining. In 2018, the total number of users who encountered this kind of malware was 126,340, a third less than it was the year before. The number of total attempts dropped by 22 percent, to 451,636. Kaspersky said that drop was in line with a reduction in the number of security threats across the internet. But it might also be linked to a drop in the number of people using torrents, as interest in the technology declines.
And sure, that all might come to pass someday. Very smart people are working on blockchain applications. But right now it seems like the hype bubble is bursting, at least in the public mind.
[Charts not reproduced here: Google searches for “blockchain” over the past five years in the “finance” category, Google searches for “cryptocurrency” over the same period, and, just for fun, the valuation of bitcoin.]
I’m not the first person to notice this, of course. The Gartner “Hype Cycle for Emerging Technologies” 2018 report put “blockchains” on the cusp of the dreaded “trough of disillusionment”.
Trough of disillusionment. Sounds ominous.
Why the cool down about blockchains? The short answer: expectations have begun to re-align with reality.
There are several reasons why.
Earlier this year I wrote an article for the Actuarial Review about blockchains – and how they might be solutions in search of a problem. In the article, I cited Stephen J. Mildenhall from the School of Risk Management of St. John’s University, who compared a blockchain to a military tank. In theory you could drive your kids to school in a tank. But why would you? Tanks are extremely expensive, slow and inefficient (plus, I’m not sure they’re road-legal). A minivan would be a better solution. Like a minivan, a simple SQL database could probably do most jobs that a blockchain could do, except much more cheaply, quickly and efficiently.
Another big sell of blockchains was that they were theoretically unhackable. As I wrote last year, that’s only kinda-sorta the case. Blockchains themselves might be unhackable (depending on their governance structures), but for a lot of applications they need to connect to that extremely hackable thing called The Internet. Which is why you’re regularly reading about massive cryptocurrency heists.
But just because we’re in the trough of disillusionment (sorry, I just love that phrase) doesn’t mean it’s the end for blockchains. This is a normal process for emerging technologies: a new technology is developed, everyone gets extremely excited, then reality kicks in and the hard (and underreported) work begins of perfecting the technology for real-world use.
I wouldn’t be surprised if blockchains quietly become ubiquitous for some applications in the near future – but how they’re integrated and what kind of real impact they’ll have are anyone’s guess.
In the meantime: beware the hype about any emerging technology.
You can’t talk about workers’ compensation insurance these days without mentioning “telemedicine” at least once. It should therefore come as no surprise that telemedicine was given its own panel discussion at the 2019 Workers’ Compensation Research Institute’s (WCRI) Annual Issues and Research Conference.
(In case you don’t know, the American Telemedicine Association (ATA) defines telemedicine as the “remote delivery of health care services and clinical information using telecommunications technology.” Think of an app that lets you video chat with a doctor, for example.)
The potential benefits of telemedicine to patients, providers, and employers could be immense. Improved access to healthcare services. Fast, personalized care. Treatment efficiencies. Reduced costs. Dr. Stephen Dawkins of Caduceus USA put it this way: “It’s crystal clear, as a provider, that telemedicine is a tsunami that will change the paradigm of medical care.”
Indeed, as Dr. David Deitz of Deitz & Associates noted, telemedicine is almost the perfect storm of improved healthcare services – and is already experiencing exponential growth in the commercial health sector. Citing the ATA, he noted that there were an estimated 1.25 million telehealth visits in 2016 alone – and that some sources estimate that over 400 million U.S. medical visits could have been telemedicine encounters.
But has telemedicine made inroads into workers’ compensation?
Dr. Deitz pointed out that there is “essentially no quantitative data on [telemedicine] use in workers’ compensation.” Furthermore, he argued that there are several open questions when it comes to telemedicine: what are the appropriate regulations and reimbursement models? Is there a quality trade-off for telemedicine versus in-person encounters? Are there any privacy or cybersecurity concerns?
Kurt Leisure, vice president of risk services for The Cheesecake Factory, offered some preliminary answers when describing his company’s new telemedicine program for worker injuries, implemented in February 2018.
According to Leisure, the program basically works as follows. An injury occurs. If urgent, the injured worker proceeds directly to urgent care or the emergency room. If it’s non-urgent, the worker calls the company’s nurse triage system for preliminary care. If the phone call isn’t enough, the worker has the option of being escalated to a telemedicine program on their smartphone.
What have been the results so far? Generally positive, with the program leading to $153,000 in hard dollar savings in 2018. But Leisure did note that there are still wrinkles that need to be ironed out. Identification of telemedicine candidates during the triage phase needs improvement. Employee trust in the program could also improve.
But the injured workers seem to approve of the program. “Overall, I’m really excited, there’s a lot of upside potential just in our initial program,” Leisure said. “I think it will explode over time.” One particular benefit of telemedicine could be keeping workers and employers out of the courtroom. “We think the litigation rate is going to drop significantly” with widespread and effective telemedicine, said Leisure.
Indeed, despite some open questions about workers’ compensation adoption of telemedicine, the panel agreed that the industry would benefit tremendously. “Telemedicine basically gives you a conduit through which you can achieve better case management,” said Dr. Dawkins.