JIF 2022: Cyber Criminals Shift to Softer Targets And Reputation Threats

Photo credit: Don Pollard

Cyber criminals continued to shift their tactics and adapt their techniques in 2022, according to experts speaking at the Triple-I Joint Industry Forum (JIF) last week.

Ransomware as a business model” remains alive and well, said Michael Menapace, an insurance attorney with the law firm Wiggin and Dana LLP and a Triple-I Non-resident Scholar. What has changed in recent years is that “where the bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to go public with it.”

The types of targets also have changed, Menapace said, with an increased focus on “softer targets – in particular, municipalities” that often don’t have the personnel or finances to maintain the same cyber hygiene as large corporate entities.

Theresa Le, Chief Claims Officer for Cowbell Cyber, concurred with Menapace’s assessment, noting an increased tendency of cyber criminals to contact organizations’ customers or leaders as “a pressure point” for the organization to pay the ransom in order to avoid reputational harm.  

“Threat actors are focusing on the quality of the data that they can extract while they’re ‘in the house’,” Le said, “so it’s not just stealing Social Security numbers or other information they can sell on the Dark Web, as it was a few years ago. It’s really much more thoughtful and focused.”

Scott Shackelford, professor of Business Law and Ethics at Indiana University’s Kelley School of Business, reinforced Menapace’s and Le’s observations about the increased sophistication and adaptability of cyber criminals by talking about state-sponsored incursions.

“It’s not just the North Koreas of the world,” he said, adding that “a growing cadre of nation-states” are launching attacks “not just on large corporations but increasingly small and medium-sized businesses, even local governments.”

“We founded a cyber security clinic two years ago,” Schackelford said, “and the number one request we get from local government and small utilities has to do with insurance coverage. There’s a lot of need out there for better information.”

Shackelford emphasized the continuing evolution of the Internet of Things (IoT) as an “attack surface.” In the new pandemic-driven work-from-home environment, he said, “What counts as a covered computer device for some of these policies has led to litigation and remains a big vulnerability that we’ve only just begun to wrap our minds around.”

The conversation, moderated by Frank Tomasello, executive director for The Institutes Griffith Insurance Education Foundation, ranged across topics that included:

  • Deep-fake technology;
  • The importance aligning insurance pricing with the risk – and educating policyholders on how to get a better price by becoming a better risk;
  • How threats differ for different-sized organizations and for individuals; and
  • The need for better data and information sharing around cyberattacks and trends.

Learn More:

Triple-I “State of Cyber Risk” Issues Brief

JIF 2022: Leaning Forward into a Changed World

By Deena Snell, Director of Research Operations & Membership, Triple-I

Insurance industry decision makers and thought leaders gathered yesterday for the day-long Triple-I Joint Industry Forum (JIF) in New York City to discuss opportunities and challenges across the insurance landscape.

“The world is getting more risky,” Triple-I CEO Sean Kevelighan said in his opening remarks, “and when the world gets more risky people want answers and solutions.”

A recurring theme throughout the event – which featured panels on climate and cyber risk; legal system abuse; diversity, equity, and inclusion; and the impact of current economic conditions on insurers and policyholders – was the importance of moving from a focus on assessing and repairing damage to one of predicting and preventing losses and promoting policyholder resilience.

Kevelighan and State Farm CEO Michael Tipsord had a one-on-one conversation about how the events of recent years – from the COVID-19 pandemic and subsequent supply-chain disruptions to international conflict and inflation levels not seen since the 1970s – have contributed to shifting customer and employee behavior and expectations.

Watch this space next week for blogs featuring the panel discussions.

Insurers Can Support Progress Toward Sustainable Development Goals

Insurers Can Support Progress Toward Sustainable Development Goals

The UN Sustainable Development Goals (SDGs) are a group of 17 global goals aimed at reducing poverty and protecting the planet for the future. The SDGs were born at the United Nations Conference on Sustainable Development in 2012 and are linked to the 2030 Agenda for Sustainable Development, adopted by 193 countries. While the SDGs describe some of the greatest challenges for governments across the world, achieving them will require collective action including governments, civil society, the private sector, and individuals and communities.

Insurers can tap into new opportunities as both risk underwriters and as investors to support the UN SDGs, a set of globally shared social and economic expectations, which are increasingly being used by both insurers and corporations across a wide range of sectors as a guiding compass for developing their Environmental, Social, and Governance (ESG) strategies. However, insurance’s potential role in achieving SDGs and advancing ESG more broadly has been underestimated, particularly for broader climate and sustainability initiatives.

The Insurance Information Institute recently collaborated with Non-Resident Scholar, Susan Holliday, and her partners at The World Bank Group on a report, Insurance’s Role in the Sustainable Development Goals, which discusses how the insurance industry can support governments and corporations achieving progress toward the SDGs.

Although the SDGs only mention insurance once, the sector has an important role to play, especially in the areas of climate, safe cities, health, and reducing inequality. However, to develop this fully the sector must be more involved in high level working groups on how to make progress towards the SDGs and collaborate to produce consistent global data to demonstrate the role insurance can play.

Click here for the Insurance’s Role in the Sustainable Development Goals report download.

Education Can Overcome Doubts on Credit-Based Insurance Scores,
IRC Survey Suggests

Consumer skepticism about the connection between credit history and future insurance claims appears to decline when the predictive power of credit-based insurance scores is explained to them, a recent study by the Insurance Research Council (IRC) suggests.

This is just one of the IRC’s encouraging findings.  Others include:

  • Consumers are generally knowledgeable about credit, credit histories, and credit scores.
  • Nearly all believe it’s important to maintain good credit history, and most believe it would be easy to improve their credit score.
  • Among nearly all demographic groups, paying for auto insurance is not considered a burden for most households.

Concerns have been raised about the use of credit-based scores and certain other metrics in setting home and car insurance premium rates. Critics say it can lead to “proxy discrimination,” with people of color – who are more likely to have less-than-stellar credit histories – sometimes being charged more than their neighbors for the same coverage.

Confusion around insurance rating is understandable, given the complex models used to assess and price risk, and insurers are well aware of the history of unfair discrimination in financial services. To navigate this complexity, they hire teams of actuaries and data scientists to quantify and differentiate among a range of risk variables while avoiding unfair discrimination.

As the chart below shows, insurance claims tend to decline as credit scores improve. The fact that race frequently correlates with lower credit scores highlights societal problems that must be addressed through public policy, including financial literacy education. If anything, apparent racial disparities in insurance availability or affordability related to credit quality lend force to arguments for policy change. 

In a study published last year, nearly half of respondents said financial literacy education would have helped them manage their money better through the pandemic. The study, which surveyed 1,047 U.S. adults, found that 21 percent felt insurance was the subject they understood least. 

While the IRC study found non-Hispanic Black respondents were more likely than other groups to say their credit scores were below average and that it was important to improve their scores and would be easy to do so, they also were less likely to believe credit is a reliable indicator of paying bills or filing claims. Similarly, they were less likely to say it was okay to use credit history in lending, renting, or insurance settings.

All ethnic and racial groups, however, agreed that a person who has maintained good credit should benefit in the form of lower insurance rates.

“Many studies have shown that credit-based insurance scores are predictive of claims behavior,” the IRC report says, adding that recent studies using driving data from telematics devices “show a link between specific driving behaviors, such as hard braking, and variations in credit-based insurance scores.”

Any rating factor that can predict losses and claims helps insurers fairly price insurance by charging individual drivers rates that closely align with their risk. In the absence of these factors, less risky drivers would pay higher rates to subsidize the insurance of more risky drivers.

Learn More

Triple-I Issues Brief: Risk-Based Pricing of Insurance

Triple-I Issues Brief: Race and Insurance Pricing

Ian, Personal Auto, Inflation, Geopolitics Driving Worst P&C Underwriting Results Since 2011

The property/casualty insurance industry’s underwriting profitability is forecast to have worsened in 2022 relative to 2021, driven by losses from Hurricane Ian and significant deterioration in the personal auto line, making it the worst year for the P&C industry since 2011, actuaries at Triple-I and Milliman – an independent risk-management, benefits, and technology firm – reported today.

The quarterly report, presented at a members-only webinar, also found that workers compensation continued its multi-year profitability trend and general liability is forecast to earn a small underwriting profit, with premium growth remaining strong due to the hard market.

The industry’s combined ratio – a measure of underwriting profitability in which a number below 100 represents a profit and one above 100 represents a loss – worsened by 6.1 points, from 99.5 in 2021 to 105.6 in 2022.

Rising rates, geopolitical risk

Dr. Michel Léonard, Triple-I’s chief economist and data scientist, discussed key macroeconomic trends impacting the property/casualty industry, including inflation, replacement costs, geopolitical risk, and cyber.

“Rising interest rates will have a chilling impact on underlying growth across P&C lines, from residential to commercial property and auto,” he said, adding that 2023 “is gearing up to be yet another year of historical volatility. Stubbornly high inflation, the threat of a recession, and increases in unemployment top our list of economic risks.”

Léonard also noted the scale of geopolitical risk, saying, “The threat of a large cyber-attack on U.S. infrastructure tops our list of tail risks.”

“Tail risk” refers to the chance of a loss occurring due to a rare event, as predicted by a probability distribution.

“Russia’s weaponization of gas supplies to Europe, China’s ongoing military exercises threatening Taiwan, and the potential for electoral disturbances in the U.S. contribute to making geopolitical risk the highest in decades,” Léonard said.

Cats drive underwriting losses

Dale Porfilio, Triple-I’s Chief insurance officer, discussed the overall P&C industry underwriting projections and exposure growth, noting that the 2022 catastrophe losses are forecast to be comparable to 2017.

“We forecast premium growth to increase 8.8 percent in 2022 and 8.9 percent in 2023, primarily due to hard market conditions,” Porfilio said. “We estimate catastrophe losses from Hurricane Ian will push up the homeowners combined ratio to 115.4 percent, the highest since 2011.” 

For commercial multi-peril line, Jason B. Kurtz, a principal and consulting actuary at Milliman – a global consulting and actuarial firm – said another year of underwriting losses is likely.

“Underwriting losses are expected to continue as more rate increases are needed to offset catastrophe and economic and social inflation loss pressures,” Kurtz said.

For the commercial property line, Kurtz noted that Hurricane Ian will threaten underwriting profitability, but that the line has benefited from significant premium growth. “We forecast premium growth of 14.5 percent in 2022, following 17.4 percent growth in 2021.”

Regarding commercial auto, Dave Moore, president of Moore Actuarial Consulting, said the 2022 combined ratio for that line is nearly 6 points worse than 2021.

“We are forecasting underwriting losses for 2023 through 2024 due to inflation, both social inflation and economic inflation, loss pressure, and prior year adverse loss development,” he said. “Premium growth is expected to remain elevated due to hard market conditions.”

“After a sharp drop to 47.5 percent in 2Q 2020, quarterly direct loss ratios resumed their upward trend, averaging 74.2 percent over the most recent four quarters,” Porfilio said. “Low miles driven in the first year of the pandemic contributed to favorable loss experience.” 

Since then, Porfilio continued, “Miles driven have largely returned to 2019 levels, but with riskier driving behaviors, such as distracted driving, and higher inflation. Supply-chain disruption, labor shortages, and costlier replacements parts are all contributing to current and future loss pressures.”

Overall, loss pressures from inflation, risky driving behavior, increasing catastrophe losses, and geopolitical turmoil are leading to the need for rate increases to restore underwriting profits.

Insurance Is Human

Almost a year ago, I felt impelled to bust the cliché that insurance is boring. In that blog post, I called out the idea that any industry that touches every imaginable peril individuals, families, businesses, and communities face could reasonably be considered dull.

Today – as I dig back into work after spending two days at the Society of Insurance Research (SIR) annual conference in Las Vegas – I feel similarly impelled to take on a different myth: That, because of its focus on statistical analysis and the dollars-and-cents aspects of risk, the insurance industry is out of touch with day-to-day human concerns.

I get it. I’m no one’s quant. Until becoming immersed in this big-numbers industry, I probably shared this perspective. I might even slip back into it from time to time, when the conversations become a bit too actuarial for my all-too-verbal nature.

In his opening remarks, Mike Meyers, SIR president and lead competitive analyst at USAA, used a phrase that the cynic in me thought a bit hokey. He referred to the conference – the first major in-person event for SIR since the pandemic – as a “family reunion.” As the event proceeded, though, it really did feel that way. This was my first in-person SIR event, but it quickly became clear that wasn’t the case for most of the attendees.  The warmth and familiarity among the 200-plus participants was palpable.

Now, this was a gathering of insurance industry researchers, so, of course, there was going to be a lot of “numbers talk” and discussion about “leveraging technology to improve loss experience,” and so forth. But the human dimension was never far from any of the panels or one-on-one conversations. Whether the topic was online life and health insurance shopping; the challenges of researching diversity, equity and inclusion (DEI) in insurance; or how COVID-19 has affected the risk profiles of small businesses, nothing was abstract or soulless about these conversations.

Two bits that particularly struck me:

  • In a discussion of automobile safety data, a correlation was drawn between driving-safety and fuel-consumption stats. It was just one chart underscoring the fact that safer drivers use less fuel, which, in turn, has a positive impact on the environment. It’s not a big jump from there to the fact that automobile telematics technology – which helps insurers more accurately price coverage and creates financial incentives to drive more safely – also helps reduce emissions. Who doesn’t want to save money AND the planet?
  • If you’ve ever had to replace an entire ceiling (I have!) because of a long, slow, undetected leak upstairs, the presentation on smart plumbing would have excited you as much as it did me. More inspiring, though, was the win-win strategy implemented by the insurer, which provides the easy-to-use technology to the policyholder for free and pays for a plumbing inspection if the diagnostic app flags a possible leak. Future big claim deterred for the insurer, massive headaches prevented for the homeowner!

I may not be an actuary or a data scientist or an economist – or possess any of the extraordinary quantitative skills insurance is known for – but I’m glad the industry marshals and rigorously applies these resources to such homey challenges, at scale.

Remote Work Can Impede Escape From Abuse; Financial Literacy Can Remove Roadblocks

By Loretta L. Worters, Vice President, Media Relations, Triple-I

Remote work, while providing a respite to many from long commutes and surging gas prices, can increase the vulnerability of domestic violence victims. Heightened risks involve not only emotional and physical but also financial abuse – often one of the main reasons victims are unable to leave or have to return to the abusive relationship.

Domestic violence cases increased between 25 percent to 35 percent globally with the start of the pandemic in 2020 and show few signs of abating, according to the American Journal of Emergency Medicine.  Financial dependency is a common tool abusers use to gain power and control in a relationship. Victims continue to be isolated, exploited, and prevented from developing the resilience needed to break free and achieve independence.

Without financial or insurance literacy, renting an apartment or purchasing a car to escape an abuser can be almost impossible for victims – particularly for Black women, who are disproportionately affected. 

In support of Domestic Violence Awareness Month, Triple-I offers five financial strategies victims can use to protect themselves financially before and after leaving an abusive relationship:

  • Securing financial records, including insurance policies;
  • Knowing where the victim stands financially;
  • Building a financial safety net;
  • Making necessary changes to insurance policies; and
  • Maintaining good credit, which can also affect access to insurance.

Credit-based insurance scores are confidential numerical ratings based, in whole or in part, on a consumer’s credit information. Many insurers use these scores – in conjunction with other factors – to help underwrite and price policies, especially for homeowners’ and personal automobile insurance. Actuarial studies find a strong correlation between how people manage their financial affairs and the likelihood of their submitting insurance claims.

Abuse victims often have bad credit for a variety of reasons. The National Coalition Against Domestic Violence (NCADV) reports that victims of intimate partner violence lose a total of 8.0 million days of paid work each year, with a cost exceeding $8.3 billion annually. As many as 60 percent of victims lose their jobs for reasons stemming from the abuse, and how much abuse women will endure correlates statistically with their degree of economic dependence.

“Manipulating money and other economic resources is one of the most prominent forms of coercive control and yet many victims don’t even realize they are being controlled,” said Ruth Glenn, president and CEO of the NCADV and author of the memoir, Everything I Never Dreamed, which chronicles her battle against abuse, violence, and attempted murder.  “That’s why it’s so important for victims to keep their checks, bank cards, and insurance policies in a safe spot that only they know – and, when leaving that abusive relationship, that they take precautions to keep themselves protected through an address confidentiality program.”

Those in crisis and needing immediate assistance, please call 1-800-799-SAFE (7233). 

“The financial education provided by the Insurance Information Institute can be life-saving and will make a real difference for many, many people,” Glenn said.

Other insurance industry resources for victims of domestic violence are The Insurance Industry Charitable Foundation – which has volunteered services at Mosaic House, a shelter for women and children fleeing domestic violence and human trafficking in North Texas, and provided grants to organizations like Dawn Rising, Human Options, the Joe Torre Safe At Home Foundation, the Philadelphia Children’s Alliance , the Center for Safety and Change, Women Rising, the WINGS Program, and Sarah’s Inn – and The Allstate Foundation’s relationship abuse program, which is the longest-running national program focused on ending domestic violence through financial empowerment services for survivors.

CISA releases long-awaited plan for national cyber resilience

The federal Cybersecurity and Infrastructure Security Agency (CISA) in September released its 2023-2025 Strategic Plan, a response to the increasing vulnerability of U.S. infrastructure to cyberattacks. 

Key Takeaways

  • The plan proposes a framework for defining and managing the federal government’s role in mitigating cyber threats to national security. 
  • CISA aims to foster a cross-agency and “whole-of-nation” approach to risk management and resilience.  
  •  Implementation and outcomes can have implications for cyber insurance markets. 
  •  Two federal engagement requests have been issued to get feedback on creating a regulatory path forward. 

Cyber resilience in the current digital ecosystem requires a new mindset.

CISA’s plan arrives in a rapidly transforming threat landscape in which the cybersecurity mindset is duly shifting from “Are we vulnerable to attack?” to “When a breach happens, how can we spot it, contain the damage, and recover as fast as possible?”  

Businesses across all sectors have seen a rise in the frequency of breaches. Hackers are using sophisticated tactics to expand the reach of ransomware to third or fourth parties, such as supply-chain partners. Estimates of organizations attacked in the last year range from 60 percent to as high as 86 percent, probably because dormant ransomware can remain undetected for a while and many organizations are hesitant to publicize or div incidents. 

Organizations involved in critical infrastructure–such as the military, hospitals, financial institutions, and the supply chains providers–can be enticing targets for bad actors. The 2021 Internet Crime Report from the FBI reveals at least one organization in 14 of 16 critical infrastructure sectors experienced a ransomware attack that year. Data indicates that cyberattacks against US ports and terminals are increasing. 

In response to the rising threats, CISA Director Jen Easterly announced earlier this year, “We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim.”  

The “whole of nation” strategy – the agency’s first plan since its creation in 2018 – proposes a unity of effort framework, while drawing upon the CISA Strategic Intent from August 2019, to lay a foundation for the agency’s work ahead and incorporate four core goals:  

  • “Cyber defense against threats to National Critical Functions;  
  • Risk reduction and resilience; 
  • Operational collaboration using a “whole-of-nation” approach; and 
  • Agency unification.” 

Loss ratios for cyber insurance are down, but challenges are still mounting

Cost-effectiveness remains elusive, despite the growing demand for cyber risk coverage. Data from S&P Global indicates that after three years of steady climb, loss ratios decreased from 75% in 2020 to 65% in 2021. However, contributing factors continue to wreak havoc, including increased frequency and severity of cyber-attacks, rising associated breach costs and liabilities, and the lack of historical incident data necessary to assess and price risk. As liability coverage for critical infrastructure sectors poses further challenges to risk mitigation, some insurers opt out of providing coverage to these entities. 

To build a foundation for risk assessment, CISA aims to create a regulatory path for the data collection mandate of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The legislation prescribes reporting of major cybersecurity incidents (within 72 hours) and ransomware payments (within 24 hours of payment). However, not every organization in a critical sector will automatically be required to report, and a formal enforcement framework for those expected to comply appears to be yet undefined.  

CISA and FIO solicits feedback on forging a path towards national cyber resilience. 

To foster collaboration between the government and private sectors while facilitating the implementation of CIRCIA, CISA recently issued a Request for Information. The list of reporting parameters up for public commentary includes how organizations may be defined as a “covered entity” (thus required to report incidents) and constraints and best practices around sharing of incident information.  

Another example of the cross-agency and “whole-of-nation” effort outlined in CISA’s plan can be seen in a request for comment recently issued by the Department of the Treasury’s Federal Insurance Office (FIO). This public engagement sprang from a June 2022 GAO report recommendation. The FIO is asking for feedback on “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.” The agency welcomes information on gaps in other federal cyber risk initiatives, such as the SEC’s proposed cyber incident reporting rules, the Terrorism Risk Insurance Program (TRIP), and the CISA’s cyber incident reporting RFI. 

Triple-I remains committed to advancing Cyber Awareness and supporting conversation about pertinent insurance trends and issues. For further reading, see our Issues Brief and stay tuned to our blog. 

“A.I. Take the Wheel!” Drivers Put Too Much Faith in Assist Features, IIHS Survey Suggests

Too many car owners are too comfortable leaving their vehicles’ driver-assist features in charge, potentially putting themselves and others at risk, according to the Insurance Institute for Highway Safety (IIHS).

IIHS said a survey of about 600 regular users of General Motors Super Cruise, Nissan/Infiniti ProPILOT Assist, and Tesla Autopilot found they were “more likely to perform non-driving-related activities like eating or texting while using their partial automation systems than while driving unassisted.”

“The big-picture message here is that the early adopters of these systems still have a poor understanding of the technology’s limits,” said IIHS President David Harkey.

The study reports that 53 percent of Super Cruise users, 42 percent of Tesla Autopilot users, and 12 percent of Nissan’s ProPilot Assist users were comfortable letting the system drive without watching what was happening on the road. Some even described being comfortable letting the vehicle drive during inclement weather.

These systems combine adaptive cruise control and lane-keeping systems, primarily to keep a car in a lane and following traffic on the highway. All require an attentive human driver to monitor the road and take full control when called for.

“None of the current systems is designed to replace a human driver or to make it safe for a driver to perform other activities that take their focus away from the road,” IIHS said in announcing the results of its survey.

While all three automakers caution drivers about the systems’ limits, confusion remains. Tesla’s driver-assist system, which it calls “full self-driving” has received much scrutiny over the years as auto safety experts say the name is misleading and risks worsening road safety.

The U.S.government has set no standards for these features, which are some of the newest technologies on vehicles today. A patchwork of state laws and voluntary federal guidelines is attempting to cover the testing and eventual deployment of autonomous vehicles in the United States. 

Learn More:

Background on: Self-driving cars and insurance

IICF Starts Ian Relief Fund

The insurance industry’s efforts on behalf of people struggling in the wake of disasters doesn’t end with paying policyholder claims.

The nonprofit Insurance Industry Charitable Foundation (IICF) has launched the IICF Hurricane Ian Relief Fund to support those in need in the wake of Hurricane Ian. Funds will benefit Team Rubicon, a nonprofit providing emergency response and relief throughout affected areas, and SW FL Emergency Relief Fund, which provides critical support to nonprofits and people in areas experiencing immediate need.

Through these nonprofits, IICF will provide funds for recovery support, temporary shelter and basic necessities, along with non-perishable food, toiletry items and diapers for children impacted by the storm.

“The insurance industry is rooted in helping others at their time of need,” said Bill Ross, CEO of IICF. “As tens of thousands of Floridians struggle to recover from the devastation of Hurricane Ian, we as an industry are moved to support those impacted through charitable giving.”

With the help of the insurance industry, IICF has been able to raise $2.3 million over the past few years to benefit nonprofits responding to disaster and pandemic needs across the United States and the United Kingdom. To donate to the current effort, please visit https://give.iicf.org/campaigns/23664-iicf-hurricane-ian-relief-fund.

Latest research and analysis