Tag Archives: Cyber Risks

Will cyber insurance cover the Meltdown and Spectre bugs?

Last week news broke of two security flaws in computer processors that affect virtually all computers, smartphones and smart devices such as televisions and refrigerators.

The first flaw, nicknamed “Meltdown,” applies specifically to Intel chips. The second flaw, called “Spectre,” is more difficult for an attacker to exploit but has no available patches yet and lets attackers access the memory of devices running Intel, AMD, and ARM chips.

This article from Woodruff Sawyer & Co., an insurance and risk management company, considers the cyber insurance underwriting implications of these flaws. The article states that once a bug becomes known and a patch or solution is available, the burden shifts to the device owner to download the patch and update their device. Cyber underwriters will want to know if business owners have patched all vulnerable devices, and how long it took to do that after the patches became available.

Another area of underwriting focus will be device obsolescence. Intel has stated that the patches released to address the vulnerability will focus on devices introduced in the last five years. Since manufacturers are not motivated to keep updating old equipment, it may be difficult for companies to ensure that their entire network is free of the vulnerability if they don’t migrate to newer machines.

The article concludes that companies that are proactive in dealing with the chip vulnerabilities will improve their cyber security – and their ability to secure good cyber insurance.

I.I.I. Market Report Webinar: Protecting Small Business Against #cyberfail

“Small businesses are an easy target,” said Steve Clarke, Vice President, Government Relations, ISO. Clarke was one of several experts describing the cyber threat small business owners face in an Insurance Information Institute webinar Dec. 11, “Protect Your Business from #cyberfail.”

Many of these enterprises are data-rich businesses, Clarke continued, pointing to how a recent study estimated 28 percent of cyber thefts occur at health care companies while another 17 percent came at financial services firms.

Other issues which arose:

• Cutting down the time between when a cyber breach takes place and when the victim notices it has happened, also known as the ‘dwell time.’

• The importance of educating employees about cyber risks, and how many cyber breaches occur because a company’s employees unknowingly open emails which are part of phishing operations aimed at gaining access to a company’s computer network.

The U.S. Small Business Administration has materials on cybersecurity on its website.

Watch this webinar now.

Presentation Date
Monday, December 11, 2017


Introduction: James Lynch, Chief Actuary, Insurance Information Institute

Moderator: Marty Frappolli, Senior Director of Knowledge Resources, The Institutes

• Steve Clarke, Vice President, Government Relations, ISO
• Nick Graf, Ethical Hacker, CNA Insurance
• Donald Smith, Director of the Office of Entrepreneurship Education, Small Business Administration
• Michael Rohrs, Associate Director of Global Cyber Practice, Control Risks


On-demand Webinar, December 11

America’s 28 million small businesses have virtually the same exposure to hackers and other cyberthreats as America’s largest companies. While the billion-account hacks get most of the attention, what small businesses might not realize is that they are far more likely to be crippled or put out of business in the wake of a cyberattack.

On Monday, December 11, the Insurance Information Institute (I.I.I.) will host its I.I.I. Market Report Webinar: Protecting Small Business Against #cyberfail. Leading experts from CNA Insurance, Control Risks, The Institutes, the Small Business Administration and Verisk will join the I.I.I. to discuss the current commercial cyberrisk landscape, how small business leaders can use insurance products effectively, and how they may best employ risk management best practices and other tactics to protect their firms.

Webinar Details
Monday, December 11, 2017

2 PM – 3 PM EST


Introduction: James Lynch, Chief Actuary, Insurance Information Institute
Moderator: Marty Frappolli, Senior Director of Knowledge Resources, The Institutes

  • Steve Clarke, Vice President, Government Relations, ISO
  • Nick Graf, Certified Ethical Hacker, CNA Insurance
  • Michael Rohrs, Associate Director of Global Cyber Practice, Control Risks
  • Donald Smith, Director of the Office of Entrepreneurship Education, Small Business Administration


What cybersecurity measures do businesses have in place?

In the third week of National Cyber Security Awareness Month, Insurtech Insights newsletter by CB Insights gives a timely update on the cyber insurance market, and where startups are playing in this growing industry.

It notes the “tremendous opportunity” to sell cyber insurance to small businesses.

A recent Better Business Bureau study estimates that 15 percent of small businesses have cyber insurance. BBB Accredited Businesses are almost three times as likely to include cybersecurity insurance.

Fortunately, about nine out of 10 businesses reported to the BBB that they have some cybersecurity measures in place, the most common being antivirus, firewall and employee education.

A first look at the Equifax cyber loss

$125 million. That’s the first estimate of the insurance industry loss due to the Equifax cyber breach published by Property Claim Services (PCS).

Per Artemis blog:

“PCS’ initial estimate of the insurance market impact due to the Equifax hack attack is $125 million, however the firm said that the economic impact to the credit giant is expected to be much larger.

“PCS noted that there are outstanding coverage issues which could reduce the likelihood of the Equifax cyber insurance loss reaching the $125 million estimate, so it could be revised down it would appear.”

Equifax’s specific cyber insurance policy could provide as much as $150 million of coverage, according to Artemis.

Launched in early September, the PCS Global Cyber service provides industry loss estimates for cyber risk loss events of at least $20 million worldwide. The Equifax hack was its first designated event and PCS has since designated its second global cyber loss event, the impact of the Petya/non-Petya malware attack on pharmaceutical giant Merck & Co in June.

A smart fish tank leaves a casino’s data exposed to hackers

The cyber savvy have heard of phishing – sending thousands of malware-laden emails hoping for one unsuspecting click – but the Internet of Things introduced a new kind of fishing. It involved actual fish.

An internet-connected fish tank in a North American casino was used as an initial entry point into the casino’s network. This is one of nine examples of unusual attack vectors listed in a recent report from the security firm Darktrace. This report contains nine real-world examples where sophisticated methods, advanced technologies, or unusual strategies were employed.

The report warns that “…we are seeing new areas of vulnerability arise as modern companies embrace the ‘Internet of Things’. The proliferation of new connected objects multiplies the inroads to critical networks and data, yet organizations often have remarkably poor visibility of these hidden outposts of their networks.”

In addition to the threat posed by “things”, the increasing digitization of everyday work processes means that legitimate network users can (accidentally) expose data and systems to significant vulnerabilities.

Another growing security concern is that the automation of malware production means that attackers can spread malicious software at lightning speed, outpacing the efforts of human security teams to identify and block new variants of threats.

Cyber protection gap akin to nat cat

FedEx Corp has disclosed in a securities filing that its international delivery business, TNT Express BV, was significantly affected by the June 27 Petya cyberattack.

Apparently, the courier company did not have cyber insurance or any other insurance that would cover losses from Petya, according to this report by The Wall Street Journal, via the I.I.I. Daily.

A new emerging risk report from Lloyd’s and risk modeling firm Cyence notes that cyberattacks have the potential to trigger billions of dollars of insured losses, yet there is a massive underinsurance gap.

Take its first modeled scenario: a cloud service provider hack. The event produced a range of insured losses from $620 million for a large loss to $8.1 billion for an extreme loss (overall losses ranged from $4.6 billion to $53 billion).

This left an insurance protection gap of between $4 billion (large loss) and $45 billion (extreme loss), so between 87 percent and 83 percent of the overall losses respectively were uninsured.

In another modeled scenario, the mass vulnerability attack, the underinsurance gap is between $9 billion for a large loss and $26 billion for an extreme loss, meaning that just 7 percent of economic losses are covered by insurance.

From the report:

“In some ways, the cyber insurance market can be considered in the same light as underinsurance in the natural catastrophe space – risks are growing and insurance penetration figures are low.”

Demand For Commercial Insurance Up Slightly

Demand for commercial insurance continued to follow a slight upward trend in the first three months of 2017, according to the latest Council of Insurance Agents & Brokers’ Commercial P/C Market Survey.

A large number of brokers reported an increase in demand for cyber coverage as clients became more familiar with the product and more interested in purchasing stand-alone policies.

The majority of brokers, 68.5 percent, reported that demand for commercial insurance products stayed the same in the first quarter of 2017, compared to the fourth quarter of 2016.

Nearly 30 percent of broker responses saw an increase in demand, while only 2.2 percent saw a decrease.

As for pricing, the soft market continued in Q1 2017, with the average rate decline across all commercial P/C accounts at 2.5 percent, compared to 3.3 percent in Q4 2016.

This is the ninth straight quarter that commercial rates have declined across small, medium and large accounts, The Council said.

Additional I.I.I. facts and statistics on the commercial lines insurance market are available here.

Ransomware: Does Cyber Insurance Make Sense?

As organizations look to recover from the disruption caused by Friday’s massive global ransomware cyberattack, the value of cyber insurance, and other cybersecurity tools, just multiplied exponentially.

Security researchers at Kaspersky Lab recorded more than 45,000 attacks in 74 countries including the UK, Russia, Ukraine, India, China and Italy, the Guardian reports.

The UK’s National Health Service, French car manufacturer Renault, and Spain’s telecommunications giant Telefonica were among those hit by the so-called WannaCry ransomware, which locks up computer systems until the victims pay a ransom.

Cyber risk modeling firm Cyence estimates the average individual ransom cost from the attacks at $300, and the total economic costs from interruption to business at $4 billion, according to this Reuters report.

Kevin Kalinich, global head of Aon’s cyber risk practice, told Reuters:

“If you’re a hospital that turned away patients, if you’re a global delivery company that can’t send a package, or a telecom company in Spain, Russia or China, the financial statement impact from the business interruption is much larger than the $300 ransomware.”

Insurance coverage for ransomware (see earlier post), and other forms of extortion, is available under cyber insurance policies, or other types of policies that specifically cover cyber extortion.

An insured’s ransom payment following an attack is typically covered, subject to individual policy terms and conditions, according to this I.I.I. white paper.

Cyber policies also provide coverage for the costs of forensic investigation, restoring lost or corrupted data, legal expenses and business interruption.

Here are some of the considerations that go into the decision to purchase coverage.

Ransomware: Is Cyber Insurance On Your Radar?

Hotel guests locked out of their rooms at a four-star hotel in the Austrian Alps? Washington DC’s CCTV system disrupted days before Donald Trump’s inauguration? Libraries in St Louis brought to a standstill? Eight years of digital evidence lost by a Texas police department?

Ransomware is not just grabbing headlines; it’s now the favorite method of cyberattack used against businesses, particularly in North America and Europe, according to this Malwarebytes report.

In the fourth quarter of 2016 alone, Malwarebytes catalogued nearly 400 variants of ransomware, and 81 percent of ransomware detected in corporate environments occurred in North America.

Lloyd’s insurer Beazley saw ransomware attacks quadruple in 2016 and projects them to double again in 2017.

“Evolving ransomware variants enable hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the most valuable files unencrypted.”

In its white paper Cyberrisk: Threat and Opportunity, the Insurance Information Institute reports that insurers are issuing an increasing number of cyber insurance policies, and that coverage for cyber extortion, including payment of a ransom following a ransomware attack, is available.

According to the FBI, ransomware attacks are on the up, particularly targeting organizations because the payoffs are higher.