Tag Archives: Cyber Risks

People Get Hacked. Insurance Can Help.

get protected.

It’s October – and that means it’s National Cybersecurity Awareness Month.

The National Cyber Security Alliance has dedicated the first week to making homes safe from hacking. And for good reason. Families are increasingly living connected lives: on social media, in video games, and through “smart” home technology like connected thermostats or burglar alarms.

So-called “smart tech” (otherwise known as the Internet of Things) is only getting more popular: three out of five Americans have connected technology in their homes, according to a recent Insurance Information Institute and J.D. Power 2018 Consumer Cyber Insurance and Security Spotlight SurveySM.

Smart tech is convenient and efficient. Why not buy a thermostat that can automatically adjust the temperature to save you money?

Your smart tech can be hacked. But convenience can be costly. Hackers are getting more sophisticated. Your smart security system might discourage burglars – but not hackers. Hackers can use your smart thermostat to attack major websites, which is what happened in several major hacks.

Nearly a third of the smart tech owners surveyed said they have been identity theft victims.

People aren’t covered for cyberrisk. More than four out of five American consumers who own connected devices either lack insurance to protect them from cyberthreats or do not know if they are covered – and over 75 percent said they don’t plan to pay more for cyberrisks coverages.

That’s not great. Cyberrisk coverages are usually fairly inexpensive, sometimes as low as $30 per year. For that low price consumers can often get help for a range of cyber threats, including identity theft, cyberbullying, and ransomware (depending on the individual policy).

Education about cyberrisks is crucial. It’s a simple problem: People often don’t have cyberrisks coverage because they don’t know much about cyberrisks. Which also explains why many cyber-attacks are essentially “user error” – for example, a hacker sends a disguised email and a user clicks on a link, downloading malicious code onto their computer. Or someone buys a smart tech device and doesn’t change the factory password.

Getting educated about the risks of hacking is the first step to protecting your data. The next step is to use security tools. One such tool is insurance.

Insurance helps. Insurers need to make that clear. Whether as an add-on coverage to a homeowners policy or as a stand-alone policy, cyberrisks insurance can help protect you if you’re hacked. But the I.I.I/J.D. Power survey found that many people don’t know about this kind of insurance.

Insurers need to help educate their customers about the cyberrisks they face. Then they can help their customers understand why insurance can be a low-cost tool to protect their identities and assets.

Cybersecurity insurance growth continues

Cyber insurance remained a fast-growing line in 2017, with package policy premium almost tripling, while standalone premium grew 7 percent*, NAIC data indicate.

Packaged cybersecurity policies as measured in quantified and estimated direct premiums written grew from $416.8 million in 2016 to $1.1 billion in 2017. The number of packaged claims made and occurrence policies in-force increased by 71 percent.

Standalone cybersecurity policies did not fare as well, with a 7 percent increase in direct premiums written from $920.7 million in 2016 to $985.6 million in 2017. The number of standalone occurrence policies in force fell by 12 percent, and the number of standalone cybersecurity claims-made policies fell by 33.3 percent. The loss ratio for 2017 standalone cybersecurity insurance was just 30 percent.

Over the past year, headline grabbing cyber incident such as the Equifax breach ensured that companies remained aware of the enormous potential losses cybersecurity threats pose to their businesses. Cyber incidents ranked second on Allianz’s 2018 list of top business risks (five years ago, it ranked 15th.).

A recent PwC report cautioned that given the increasingly frequent and severe nature of cyberattacks, it’s still unclear whether cyberrisks are adequately priced.

“The inevitable market-turning event will separate carriers that have sufficient risk management, underwriting processes and capital in place from ones that do not,” said the report.

Click to enlarge

*NAIC data sourced from S&P Market Intelligence on April 27, 2018.

 

Will cyber insurance cover the Meltdown and Specter bugs?

Last week news broke of two security flaws in computer processors that affect virtually all computers, smartphones and smart devices such as televisions and refrigerators.

The first flaw, nicknamed “Meltdown,” applies specifically to Intel chips. The second flaw called “Spectre,” is more difficult for an attacker to exploit but has no available patches yet and lets attackers access the memory of devices running Intel, AMD, and ARM chips.

This article from Woodruff Sawyer & Co., an insurance and risk management company, considers the cyber insurance underwriting implications of these flaws. The article states that once a bug becomes known and a patch or solution is available, the burden shifts to the device owner to download the patch and update their device. Cyber underwriters will want to know if business owners have patched all vulnerable devices, and how long it took to do that after the patches became available.

Another area of underwriting focus will be device obsolescence. Intel has stated that the patches released to address the vulnerability will focus on devices introduced in the last five years. Since manufacturers are not motivated to keep updating old equipment, and it may be difficult for companies to ensure that their entire network is free of the vulnerability if they don’t migrate to newer machines.

The article concludes that companies that are proactive in dealing with the chip vulnerabilities will improve their cyber security – and their ability to secure good cyber insurance.

I.I.I. Market Report Webinar: Protecting Small Business Against #cyberfail”

“Small businesses are an easy target,” said Steve Clarke, Vice President, Government Relations, ISO. Clarke was one of several experts describing the cyber threat small business owners face in an Insurance Information Institute webinar Dec. 11, “Protect Your Business from #cyberfail.”

Many of these enterprises are data-rich businesses, Clarke continued, pointing to how a recent study estimated 28 percent of cyber thefts occur at health care companies while another 17 percent came at financial services firms.

Other issues which arose—

Cutting down the time between when a cyber breach takes place, and when the victim notices it has happened, also known as the ‘dwell time.’

The importance of educating employees about cyber risks, and how many cyber breaches occur because a company’s employees unknowingly open emails which are part of phishing operations aimed at gaining access to a company’s computer network.

The U.S. Small Business Administration has materials on cybersecurity on its website.

Watch this webinar now.

Presentation Date
Monday, December 11, 2017

Speakers

Introduction: James Lynch, Chief Actuary, Insurance Information Institute

Moderator: Marty Frappolli, Senior Director of Knowledge Resources, The Institutes

Panelists:
• Steve Clarke, Vice President, Government Relations, ISO
• Nick Graf, Ethical Hacker, CNA Insurance
• Donald Smith, Director of the Office of Entrepreneurship Education, Small Business Administration
• Michael Rohrs, Associate Director of Global Cyber Practice, Control Risks

JOIN US FOR THE I.I.I. MARKET REPORT WEBINAR: PROTECTING SMALL BUSINESS AGAINST #CYBERFAIL

On-demand Webinar, December 11

America’s 28 million small businesses have virtually the same exposure to hackers and other cyberthreats as America’s largest companies. While the billion-account hacks get most of the attention, what small businesses might not realize is that they are far more likely to be crippled or put out of business in the wake of a cyberattack.

On Monday, December 11, the Insurance Information Institute (I.I.I.) will host its I.I.I. Market Report Webinar: Protecting Small Business Against #cyberfail. Leading experts from CNA Insurance, Control Risks, The Institutes, the Small Business Administration and Verisk will join the I.I.I. to discuss the current commercial cyberrisk landscape, how small business leaders can use insurance products effectively, and how they may best employ risk management best practices and other tactics to protect their firms.

Webinar Details
Monday, December 11, 2017

2pm – 3 PM EST

Register here


Speakers
Introduction: James Lynch, Chief Actuary, Insurance Information Institute
Moderator: Marty Frappolli, Senior Director of Knowledge Resources, The Institutes

  • Steve Clarke, Vice President, Government Relations, ISO
  • Nick Graf, Certified Ethical Hacker, CNA Insurance
  • Michael Rohrs, Associate Director of Global Cyber Practice, Control Risks
  • Donald Smith, Director of the Office of Entrepreneurship Education, Small Business Administration

 

What cybersecurity measures do businesses have in place?

In the third week of National Cyber Security Awareness Month, Insurtech Insights newsletter by CB Insights gives a timely update on the cyber insurance market, and where startups are playing in this growing industry.

It notes the “tremendous opportunity” to sell cyber insurance to small businesses.

A recent Better Business Bureau study estimates that 15 percent of small businesses have cyber insurance. BBB Accredited Businesses are almost three times as likely to include cybersecurity insurance.

Fortunately, about nine out of 10 businesses reported to the BBB they have some cybersecurity measures in place, with the most common ones: antivirus; firewall; and employee education:

A first look at the Equifax cyber loss

$125 million. That’s the first estimate of the insurance industry loss due to the Equifax cyber breach published by Property Claim Services (PCS).

Per Artemis blog:

“PCS’ initial estimate of the insurance market impact due to the Equifax hack attack is $125 million, however the firm said that the economic impact to the credit giant is expected to be much larger.

“PCS noted that there are outstanding coverage issues which could reduce the likelihood of the Equifax cyber insurance loss reaching the $125 million estimate, so it could be revised down it would appear.”

Equifax’s specific cyber insurance policy could provide as much as $150 million of coverage, according to Artemis.

Launched in early September, the PCS Global Cyber service provides industry loss estimates for cyber risk loss events of at least $20 million worldwide. The Equifax hack was its first designated event and PCS has since designated its second global cyber loss event, the impact of the Petya/non-Petya malware attack on pharmaceutical giant Merck & Co in June.

A smart fish tank leaves a casino’s data exposed to hackers

The cyber savvy have heard of phishing – sending thousands of malware-laden emails hoping for one unsuspecting click – but the Internet of Things introduced a new kind of fishing. It involved actual fish.

An internet-connected fish tank in a North American casino was used as an initial entry point into the casino’s network. This is one of nine examples of unusual attack vectors listed in a recent report from the security firm Darktrace. This report contains nine real-world examples where sophisticated methods, advanced technologies, or unusual strategies were employed.

The report warns that “…we are seeing new areas of vulnerability arise as modern companies embrace the ‘Internet of Things’. The proliferation of new connected objects multiplies the inroads to critical networks and data, yet organizations often have remarkably poor visibility of these hidden outposts of their networks. ”

In addition to the threat posed by “things”, the increasing digitization of everyday work processes means that legitimate network users can (accidentally) expose data and systems to significant vulnerabilities.

Another growing security concern is that the automation of malware production means that attackers can spread malicious software at lightning speed, outpacing the efforts of human security teams to identify and block new variants of threats.

Cyber protection gap akin to nat cat

FedEx Corp has disclosed in a securities filing that its international delivery business, TNT Express BV, was significantly affected by the June 27 Petya cyberattack.

Apparently, the courier company did not have cyber insurance or any other insurance that would cover losses from Petya, according to this report by The Wall Street Journal, via the I.I.I. Daily.

A new emerging risk report from Lloyd’s and risk modeling firm Cyence notes that cyberattacks have the potential to trigger billions of dollars of insured losses, yet there is a massive underinsurance gap.

Take its first modeled scenario: a cloud service provider hack. The event produced a range of insured losses from $620 million for a large loss to $8.1 billion for an extreme loss (overall losses ranged from $4.6 billion to $53 billion).

This left an insurance protection gap of between $4 billion (large loss) and $45 billion (extreme loss), so between 87 percent and 83 percent of the overall losses respectively were uninsured.

In another modeled scenario, the mass vulnerability attack, the underinsurance gap is between $9 billion for a large loss and $26 billion for an extreme loss, meaning that just 7 percent of economic losses are covered by insurance.

From the report:

“In some ways, the cyber insurance market can be considered in the same light as underinsurance in the natural catastrophe space – risks are growing and insurance penetration figures are low.”

Demand For Commercial Insurance Up Slightly

Demand for commercial insurance continued to follow a slight upward trend in the first three months of 2017, according to the latest Council of Insurance Agents & Brokers’ Commercial P/C Market Survey.

A large number of brokers reported an increase in demand for cyber coverage as clients became more familiar with the product and more interested in purchasing stand-alone policies.

The majority of brokers, 68.5 percent, reported that demand for commercial insurance products stayed the same in the first quarter of 2017, compared to the fourth quarter of 2016.

Nearly 30 percent of broker responses saw an increase in demand, while only 2.2 percent saw a decrease.

As for pricing, the soft market continued in Q1 2017, with the average rate decline across all commercial P/C accounts at 2.5 percent, compared to 3.3 percent in Q4 2016.

This is the ninth straight quarter that commercial rates have declined across small, medium and large accounts, The Council said.

Additional I.I.I. facts and statistics on the commercial lines insurance market are available here.