Tag Archives: Cyber

Intent and ability distinguish cyberrisk from natural perils

Cyberrisk is often compared with natural catastrophe-related threats, but a recent study by global reinsurer Guy Carpenter and analytics firm CyberCube suggests a better analogy is with terrorism.

“Probability is assessed in terms of intent and capability.”

The report – Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study – quotes Andrew Kwon, lead cyber actuary for Zurich: “Extending the lessons learned from property cats to the cyber space is intuitive and logical, but cyber continues to be a unique force unto itself. A hurricane does not evolve to bypass defenses; an earthquake does not optimize itself for maximum damage.”

This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.

The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.

Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.

“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”

Collateral damage.

The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”

The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”

As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.

Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.

 

People Get Hacked. Insurance Can Help.

get protected.

It’s October – and that means it’s National Cybersecurity Awareness Month.

The National Cyber Security Alliance has dedicated the first week to making homes safe from hacking. And for good reason. Families are increasingly living connected lives: on social media, in video games, and through “smart” home technology like connected thermostats or burglar alarms.

So-called “smart tech” (otherwise known as the Internet of Things) is only getting more popular: three out of five Americans have connected technology in their homes, according to a recent Insurance Information Institute and J.D. Power 2018 Consumer Cyber Insurance and Security Spotlight SurveySM.

Smart tech is convenient and efficient. Why not buy a thermostat that can automatically adjust the temperature to save you money?

Your smart tech can be hacked. But convenience can be costly. Hackers are getting more sophisticated. Your smart security system might discourage burglars – but not hackers. Hackers can use your smart thermostat to attack major websites, which is what happened in several major hacks.

Nearly a third of the smart tech owners surveyed said they have been identity theft victims.

People aren’t covered for cyberrisk. More than four out of five American consumers who own connected devices either lack insurance to protect them from cyberthreats or do not know if they are covered – and over 75 percent said they don’t plan to pay more for cyberrisks coverages.

That’s not great. Cyberrisk coverages are usually fairly inexpensive, sometimes as low as $30 per year. For that low price consumers can often get help for a range of cyber threats, including identity theft, cyberbullying, and ransomware (depending on the individual policy).

Education about cyberrisks is crucial. It’s a simple problem: People often don’t have cyberrisks coverage because they don’t know much about cyberrisks. Which also explains why many cyber-attacks are essentially “user error” – for example, a hacker sends a disguised email and a user clicks on a link, downloading malicious code onto their computer. Or someone buys a smart tech device and doesn’t change the factory password.

Getting educated about the risks of hacking is the first step to protecting your data. The next step is to use security tools. One such tool is insurance.

Insurance helps. Insurers need to make that clear. Whether as an add-on coverage to a homeowners policy or as a stand-alone policy, cyberrisks insurance can help protect you if you’re hacked. But the I.I.I/J.D. Power survey found that many people don’t know about this kind of insurance.

Insurers need to help educate their customers about the cyberrisks they face. Then they can help their customers understand why insurance can be a low-cost tool to protect their identities and assets.

Americans view cyberattacks, climate change as major threats

Cyberattacks from other countries are now seen as a major threat to the U.S. by 72 percent of Americans, according to a national survey from the Pew Research Center.

This view has changed little in recent years, apparently. But what has changed is public opinions about other global threats.

Take climate change—now viewed as a major threat by 58 percent of Americans, up 7 points since January, and the highest share since 2009.

The survey was conducted October 25-30 among 1,504 adults.

Small business and cyber insurance

Risk management services are an important way cyber insurance adds value for small businesses, according to a new I.I.I. paper.

In Protecting Against #Cyberfail: Small Business and Cyber Insurance, I.I.I. co-authors James Lynch and Claire Wilkinson say:

“The provision of these types of services is considered a growth area in the cyber market for SMBs, where price may be a barrier to insurance coverage in the first place. For larger companies, cyber-related risk management services may be offered at a discount or for free.

“For SMBs in particular, offering a risk management or training solution where they can learn more and keep themselves up-to-date on current threats is perhaps most valuable.”

Also heard at the Advisen Cyber Risk Insights Conference in NYC last week: part of the value proposition for SMBs is that cyber policies offer solutions, not just coverage.

Andy Lea, vice president underwriting for E&O, Cyber and Media, CNA, told the conference: “The value proposition is more prominent with SME and middle market companies that just don’t have resources available in-house to manage risks. This is an opportunity for brokers and carriers to add value.”