Tag Archives: Cyber Risks

Cyber Insurance Becomes ‘Must Have’ Product

The percentage of companies buying cyber liability insurance is increasing substantially, according to an annual survey jointly produced by Advisen and Zurich.

For the first time in the three years that the survey has been administered, more than half of respondents claim to purchase cyber liability insurance.

In response to the question “Does your organization purchase cyber liability insurance?” some 52 percent responded yes, compared to 44 percent in 2012, and 35 percent in 2011.

Only 38 percent said their organization did not purchase this protection, down from 50 percent in 2012 and 60 percent in 2011.

Of those companies that do purchase coverage, some 72 percent have done so for more than three years. This represents a 10-point increase from 2012, suggesting that when organizations purchase the coverage they see enough value to renew it year after year.

Even those companies that have not bought cyber coverage are thinking about it.

Half (53 percent) of survey respondents that do not currently buy cyber insurance are considering purchasing it in the next year – a 28 percentage point increase from 2012.

Advisen notes:

“This is an indication of the continued shift in the cyber insurance marketplace, from a product that was interesting but not a necessity to one that is becoming a must have.”

Check out a recent I.I.I. paper on cyber risks.

Adobe Data Breach Highlights Security Risk

The impact of a data breach at software maker Adobe appears to be worsening. When it first announced the breach on October 3, Adobe said that cyber attackers had compromised accounts and passwords of nearly 3 million users. Now that number has jumped to at least 38 million users.

What’s more, a blog post at PCWorld indicates that a further 150 million usernames and hashed passwords were taken from Adobe. While Adobe says these could include inactive IDs, test accounts and IDs with invalid passwords, the company is still investigating.

PCWorld also reports that the hackers stole source code for flagship Adobe products such as Photoshop, Acrobat, and Reader.

It cites a blog post by Hold Security that suggests the source code theft could have far-reaching security implications.

Here’s the direct quote from the Hold Security blog post:

“While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits.”

Despite the major news headlines about cybercriminals, it’s worth remembering that mistakes made by people and systems actually cause the majority of data breaches.

The 2013 Cost of a Data Breach study by the Ponemon Institute and Symantec found that negligence and system glitches together accounted for 64 percent of data breaches last year. Such incidents include employees mishandling information, violations of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access.

However, U.S. companies represented in this study are apparently continuing to improve their preparation for and response to a data breach.

Both the organizational cost of data breach and the cost per lost or stolen record declined last year, with the organizational cost declining from $5.5 million to $5.4 million and the cost per record from $194 to $188.

Ponemon and Symantec attribute this to more organizations using data loss prevention technologies, fewer records being lost in the breaches and less customer churn.

Marsh: Cyber Risks Are Not Just About Data Breaches

Supply chain and operational disruptions from cyber attacks may be a more severe potential threat to businesses than data and privacy exposures, according to a new report from Marsh.

In its latest risk management research briefing, Marsh notes that technology outages and software failures resulting in supply chain and operational disruptions can cause significant loss of income, increase operating expenses, and damage an organization’s reputation.

Marsh suggests businesses may be overlooking this threat and says the risk of an IT outage or software failure needs to be managed and addressed not just with insurance, but in a well-planned and effective risk management program.

The good news is that although cyber insurance policies have historically been triggered primarily by data breaches and hacking attacks, many now provide coverage for a broad range of technology failures and outages.

But Marsh adds that the purchase of cyber insurance should be just one part of a well-planned and effective risk management program that also includes policies and protocols to prevent and mitigate technology risks.

If unplanned, information technology (IT) outages are the most debilitating source of supply chain disruption, affecting 52 percent of companies responding to the Business Continuity Institute’s Supply Chain Resilience 2012 report.

In fact, IT outages outpaced all other sources of supply chain disruption, including severe weather events, transportation disruptions, and product contamination.

Business Insurance has more on this story.

Many Companies See Value in Cyber Insurance

Weighing up the cost of risk against the cost of coverage seems to be the perpetual dilemma of some insurance buyers.

In the case of cyber insurance, it would appear that concerns about the cost of coverage diminish once companies make the decision to purchase a policy. And the longer that policy has been held, the greater the satisfaction.

According to a recently released Ponemon study, only 31 percent of risk management professionals at companies surveyed say they have a cyber security insurance policy. However, among those companies that don’t have a policy, 57 percent say they plan to purchase one in future.

Companies with no plans to purchase this coverage (43 percent of respondents) say that it’s because of cost and too many exclusions, restrictions and uninsurable risks.

Yet among those who do buy cyber insurance, 62 percent believe the premiums are fair given the nature of the risk.

Satisfaction with policies also runs high. Some 44 percent of survey respondents say they would be extremely likely to recommend their insurance provider to a colleague or friend.

Furthermore, most companies (62 percent) believe the insurance has made them better prepared to deal with security threats.

So how do cyber security risks compare to other insurable risks? Some 41 percent of respondents believe cyber security risks are greater than other insurable business risks such as natural disasters, business interruption and fires.

Ponemon notes that the average financial impact to companies for one or more security or data breach incidents is $9.4 million, while the average cost for each lost or stolen record was $188 in 2012.

As the study says, a cyber insurance policy can be one way for companies to protect themselves against future losses.

CFO Journal has more on this story.

Check out the I.I.I. paper Cyber Risks – The Growing Threat.

Cyber Risks and the Fortune 500

Most U.S. listed Fortune 500 firms recognize that a cyber attack would cause serious harm or adversely impact their business, but many may be overlooking critical exposures, according to a new report by Willis North America.

For example, only one out of five firms mention cyber-terror (20 percent) as a factor, despite heightened emphasis on cyber-terror by the U.S. government.

And only six percent of companies mentioned that they purchase insurance to cover cyber risks, even though recent market surveys suggest significantly higher take-up rates.

The Willis Fortune 500 Cyber Disclosure Report, 2013, tracked organizations’ response to SEC Guidance issued in October 2011, asking U.S. listed companies to provide extensive disclosure on their cyber exposures.

The report found that some 88 percent of the Fortune 500 are following SEC Guidelines as of April 2013 and providing “some level” of disclosure regarding cyber exposures. Some 36 percent disclosed that the risk was “material” or “serious”.

However, some companies within particular industries that would seem to have exposures were silent, Willis said.

Top three cyber risks identified by the Fortune 500 include:

1. Loss or theft of confidential information (65 percent)
2. Loss of reputation (50 percent)
3. Direct loss from malicious acts (hackers, virus) (48 percent)

Business Insurance has more on this story.

For additional information on the cyber terrorism threat, check out a just-published I.I.I. paper on terrorism risk.

As Cyber Threat Grows, So Does Need for Protection

Despite a growing awareness of the risks, six in 10 companies lack cyber liability insurance, according to an annual survey by Towers Watson.

The increasing number of cyber attacks, along with breaches in security and privacy, are forcing corporate risk managers to reconsider how they protect their company’s data and proprietary business information.

Towers Watson’s Risk and Finance Manager Survey found that the average policy limits purchased for network security/privacy liability policies were $18.1 million – a significant 46 percent increase year over year.

In addition, nearly two-fifths (39 percent) of respondents purchased network security/privacy liability policies, up 11 percentage points from last year.

When asked why they had not purchased a policy, some 31 percent (a 10 percentage point decrease from last year) said their internal IT department/controls were adequate.

Towers Watson warned that the financial and reputational costs companies face could be enormous if they don’t develop comprehensive risk strategies to thwart cyber attacks.

Towers Watson’s findings are in line with a new report from the Insurance Information Institute (I.I.I.) that notes that despite broad awareness that cyber risks and cyber security are a serious threat, a majority of companies today still do not purchase cyber risk insurance.

However, this is changing, according to the I.I.I. Recent industry analysis suggests that more companies are now purchasing cyber coverage and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks in future.

Download Cyber Risks – The Growing Threat.

Cyber Attack and Security Concerns Rise

A national survey has found that the majority of Americans fear that cyber warfare is imminent and that the country will attack or be attacked in the next decade.

Despite the threat, Americans also believe both the government and private sector networks are ill prepared for a surge in cyber conflict.

An overwhelming 93 percent of respondents to the survey, conducted by Tenable Network Security, believe that U.S. corporations and businesses are at least somewhat vulnerable to state-sponsored attacks. And 95 percent believe U.S. government agencies themselves are at least somewhat, to very, vulnerable to cyber attacks.

Some 94 percent of survey respondents also say they support the President having the same level of authority to react to cyber attacks as he has to respond to physical attacks on the country.

One key takeaway: the survey revealed conflicting results about whether the public or private sector should be held accountable for protecting corporate networks.

Some 66 percent of respondents believe corporations should be held responsible for cyber breaches when they occur. But an almost equal number of Americans, 62 percent, say government should be responsible for protecting U.S. businesses from cyber attacks.

The survey results come just days after President Barack Obama issued an executive order on sharing cyber threat information.

Check out I.I.I. facts and statistics on cyber security here.

The Dangers Of Celebrity Cyberspace

As fans of “Project Runway” know, one day you’re in, the next day you’re out.

This year Heidi Klum’s in and Cameron Diaz is out – at least if you’re looking at the list of the most dangerous celebrities in cyberspace, just released by Internet security firm McAfee.

Klum, the former Victoria’s Secret model and current producer of “Project Runway,” moved up from No. 10 on last year’s list to No. 1 today, replacing Diaz as the most dangerous celebrity in cyberspace. Searching for Klum results in a nearly one in 10 chance of landing on a risky site, McAfee said.

Fans searching for Klum screensavers, pictures and downloads are at risk of running into online threats such as viruses and malware designed to steal their personal information.

Cameron Diaz fell to second place this year, followed by Piers Morgan – a new addition to the top 10 list and the most dangerous male celebrity in cyberspace.

While slightly safer than last year, searching for top celebrities continues to generate risky results, as Paula Greve, director of Web security research at McAfee, says:

“Consumers should be particularly aware of malicious content hiding in ‘tiny’ places like shortened URLs that can spread virally in social networking sites, or through e-mails and text messages from friends.”

Movie stars and models top the most dangerous list this year, while singers and sports stars are among the safest.

Check out I.I.I. facts and stats on identity theft and cyber security.

Nasdaq Security Breach Highlights Cyber Threat

The company that owns the Nasdaq Stock Market over the weekend confirmed that its computer network had been hacked, according to a report in today’s Wall Street Journal.

An application called Directors Desk that allows corporate board members to share confidential documents was targeted. Nasdaq OMX issued a statement on the breach here.

According to the WSJ, the security issues with Nasdaq have triggered broader concerns:

“People familiar with the Nasdaq case say that while the specifics of that hacking aren’t particularly egregious in a world where corporate networks are attacked daily, the case has raised alarms in the government because of the potential implications of compromising Nasdaq, which runs one of the world’s most-important exchanges.”

The incident highlights the fact that network security breaches remain a top threat facing businesses.

In its recently published Global Risks Report 2011, the World Economic Forum (WEF) identified cyber-security as one of the top five risks to watch.

The WEF warned that the complexity of cyber security issues is still not well understood and its risks could be underestimated:

“Cyber security encompasses online data and information security and critical information infrastructure breakdown, and ranges from petty online theft by disenfranchised youths to government-led provocations with potentially catastrophic consequences.”

All of this reminds us of the potentially enormous liability facing businesses when a data breach occurs. Specialized cyber risk insurance coverage is a key purchase to help businesses manage this risk.