By James Ballot, Senior Advisor, Strategic Messaging, Insurance Information Institute
Many of us are still trying to make sense of how our data were affected by a massive data-scraping operation by the research firm Cambridge Analytica, which allegedly misused the personal information of 50 million Facebook users. One expert with a “big picture” view of this scandal is Yonatan Zunger, a former engineer/privacy expert at Google, who sees the Facebook/Cambridge Analytica affair as further evidence that computer science needs to have its “A-Bomb” moment.
What Zunger means by this is that the fields comprising computer science have to “come to terms with the responsibility that comes with building things which so profoundly affect people’s lives.” And, relatedly, when (or if) there is an “enlightenment” movement, will it empower programmers, data engineers, and others in the field to fight the “weaponization of their work,” or will hackers and other cybercrooks simply redouble efforts and build better mice to defeat better mousetraps?
At the heart of this moment of reckoning are topics of keen interest to insurers. Concerns about big data analytics in insurance are being raised on several fronts. The Geneva Association recently published a report highlighting the concerns regarding privacy, discrimination and competition that big data analytics present to the insurance industry. And this recent article by R.J. Lehmann warns that “The more complex predictive modeling grows and the more attenuated from the sorts of relatively straightforward risk factors that both consumers and regulators can easily understand, the greater the odds of a backlash.”
Digital transformation refers to the integration of technology into all areas of a business resulting in profound changes in how the business operates and interacts with customers.
A recent McKinsey and Company blog post points out that successful companies do not just focus on a digital strategy but instead devise a strategy for the digital age — “a complex, many-tiered undertaking that is made more challenging by continuously shortened development cycles.”
The post explores a few of the digital transformation lessons insurance companies learned in 2017 and questions CEOs should be asking in 2018.
Lessons learned in 2017 include:
- Focusing on the big picture
- Understanding value drivers
- Prioritizing technological literacy
Key questions for 2018 are:
- How should we approach investing in digital?
- What is our ecosystem strategy?
- Are we seeing enough value from data and analytics?
- Is IT effectively partnering with the business?
Last week news broke of two security flaws in computer processors that affect virtually all computers, smartphones and smart devices such as televisions and refrigerators.
The first flaw, nicknamed “Meltdown,” applies specifically to Intel chips. The second flaw, called “Spectre,” is more difficult for an attacker to exploit but has no available patches yet and lets attackers access the memory of devices running Intel, AMD, and ARM chips.
This article from Woodruff Sawyer & Co., an insurance and risk management company, considers the cyber insurance underwriting implications of these flaws. The article states that once a bug becomes known and a patch or solution is available, the burden shifts to the device owner to download the patch and update their device. Cyber underwriters will want to know if business owners have patched all vulnerable devices, and how long it took to do that after the patches became available.
Another area of underwriting focus will be device obsolescence. Intel has stated that the patches released to address the vulnerability will focus on devices introduced in the last five years. Since manufacturers are not motivated to keep updating old equipment, it may be difficult for companies to ensure that their entire network is free of the vulnerability if they don’t migrate to newer machines.
The article concludes that companies that are proactive in dealing with the chip vulnerabilities will improve their cyber security – and their ability to secure good cyber insurance.
Identity theft is the biggest threat consumers face when shopping online, according to security expert Dr. Yair Levy. Before venturing online for Cyber Monday deals, here are some tips from Dr. Levy which appeared in a recent Sun Sentinel article:
- Use a dedicated credit card for online purchases and a separate card to pay bills, buy gas, groceries, etc. If the card is compromised, it’s easy to cancel the account.
- When making purchases, verify a secured connection by looking for a little padlock or by making sure the Web address starts with “https://” (the “s” stands for secured).
- Don’t use free wi-fi on your mobile device.
Phishing scams are becoming more frequent and more sophisticated, so be wary of emails or texts claiming to be from your favorite retailer. The best defense is not to click on links in a message or give out any personal information. If the message is legitimate, you can always go directly to the retailer’s website.
For more on identity theft and cybercrime, visit our Facts & Stats page.
Cyberattacks from other countries are now seen as a major threat to the U.S. by 72 percent of Americans, according to a national survey from the Pew Research Center.
This view has changed little in recent years, apparently. But what has changed is public opinion about other global threats.
Take climate change—now viewed as a major threat by 58 percent of Americans, up 7 points since January, and the highest share since 2009.
The survey was conducted October 25-30 among 1,504 adults.
Risk management services are an important way cyber insurance adds value for small businesses, according to a new I.I.I. paper.
In Protecting Against #Cyberfail: Small Business and Cyber Insurance, I.I.I. co-authors James Lynch and Claire Wilkinson say:
“The provision of these types of services is considered a growth area in the cyber market for SMBs, where price may be a barrier to insurance coverage in the first place. For larger companies, cyber-related risk management services may be offered at a discount or for free.
“For SMBs in particular, offering a risk management or training solution where they can learn more and keep themselves up-to-date on current threats is perhaps most valuable.”
Also heard at the Advisen Cyber Risk Insights Conference in NYC last week: part of the value proposition for SMBs is that cyber policies offer solutions, not just coverage.
Andy Lea, vice president underwriting for E&O, Cyber and Media, CNA, told the conference: “The value proposition is more prominent with SME and middle market companies that just don’t have resources available in-house to manage risks. This is an opportunity for brokers and carriers to add value.”
In the third week of National Cyber Security Awareness Month, Insurtech Insights newsletter by CB Insights gives a timely update on the cyber insurance market, and where startups are playing in this growing industry.
It notes the “tremendous opportunity” to sell cyber insurance to small businesses.
A recent Better Business Bureau study estimates that 15 percent of small businesses have cyber insurance. BBB Accredited Businesses are almost three times as likely to include cybersecurity insurance.
Fortunately, about nine out of 10 businesses reported to the BBB that they have some cybersecurity measures in place, the most common being antivirus, firewall, and employee education.
$125 million. That’s the first estimate of the insurance industry loss due to the Equifax cyber breach published by Property Claim Services (PCS).
Per Artemis blog:
“PCS’ initial estimate of the insurance market impact due to the Equifax hack attack is $125 million, however the firm said that the economic impact to the credit giant is expected to be much larger.
“PCS noted that there are outstanding coverage issues which could reduce the likelihood of the Equifax cyber insurance loss reaching the $125 million estimate, so it could be revised down it would appear.”
Equifax’s specific cyber insurance policy could provide as much as $150 million of coverage, according to Artemis.
Launched in early September, the PCS Global Cyber service provides industry loss estimates for cyber risk loss events of at least $20 million worldwide. The Equifax hack was its first designated event and PCS has since designated its second global cyber loss event, the impact of the Petya/non-Petya malware attack on pharmaceutical giant Merck & Co in June.
Whether you’re an InsurTech startup with new ideas or an incumbent concerned about protecting your book of business, the greatest risk you can take may be to resist collaboration, according to a post on Willis Towers Watson Wire.
In Threat vs Opportunity? InsurTech is largely a matter of perspective, Andrew Newman, president and global head of casualty at Willis Re, says while it’s understandable that many insurers have perceived InsurTech as a threat to the value chain, the biggest threat lies not in technology itself, but in competitors of any description leveraging these innovations to gain advantage by reducing risk and lowering costs.
“The plain fact is that the vast majority of InsurTech companies aren’t interested in going to war with incumbents. Their focus is on creating value within the insurance value chain – not collapsing it. So if incumbents embrace ‘disruption’, rather than concentrating on defending themselves by keeping these opportunities at arm’s length, then they will find that the available technology is largely complementary to most of the current processes in the industry.”
Download the presentation Insurance: Leading Through Disruption by Insurance Information Institute president and CEO Sean Kevelighan to find out more about how the industry is poised to lead through disruption.
The cyber savvy have heard of phishing – sending thousands of malware-laden emails hoping for one unsuspecting click – but the Internet of Things introduced a new kind of fishing. It involved actual fish.
An internet-connected fish tank in a North American casino was used as an initial entry point into the casino’s network. This is one of nine real-world examples of unusual attack vectors listed in a recent report from the security firm Darktrace, cases in which sophisticated methods, advanced technologies, or unusual strategies were employed.
The report warns that “…we are seeing new areas of vulnerability arise as modern companies embrace the ‘Internet of Things’. The proliferation of new connected objects multiplies the inroads to critical networks and data, yet organizations often have remarkably poor visibility of these hidden outposts of their networks.”
In addition to the threat posed by “things”, the increasing digitization of everyday work processes means that legitimate network users can (accidentally) expose data and systems to significant vulnerabilities.
Another growing security concern is that the automation of malware production means that attackers can spread malicious software at lightning speed, outpacing the efforts of human security teams to identify and block new variants of threats.