Category Archives: Cyber Risk

Emerging cyber terrorism threats and the Federal Terrorism Risk Insurance Act

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.

On December 20, 2019, President Trump signed a federal funding package that includes a seven-year extension of the Terrorism Risk Insurance Act (TRIA). TRIA provides for a federal loss-sharing program for certain insured losses resulting from a certified act of terrorism.

Passage of the act was met with resounding approval by the insurance industry. You can read more about it here.

A critical mandate of the TRIA extension is for the Government Accountability Office (GAO) to make recommendations to Congress about how to amend the statute to address emerging cyberthreats. Triple-I recently hosted an exclusive members-only webinar featuring Jason Schupp of the Centers for Better Insurance, who discussed issues likely to be addressed by the GAO report.

Schupp said the report will likely serve as a starting point for a discussion about cyber threats and how the insurance industry can better meet the needs of businesses, nonprofits and local governments for cyber insurance. It will address:

  • Vulnerabilities and potential costs of cyber-attacks to the United States;
  • Whether adequate coverage is available for cyber terrorism;
  • Whether cyber terrorism coverage can be adequately priced by the private market;
  • Whether TRIA’s current structure is appropriate for cyber terrorism events; and
  • Recommendations on how Congress could amend TRIA to meet the next generation of cyber threats.

Cyber terrorism is already covered under TRIA, but such acts don’t fit neatly into the TRIA framework. Because cyber limits and conditions are already narrow, TRIA’s current make available requirement has not been effective in providing coverage for cyber-terrorism events at the same limits and conditions as non-cyber events.

Schupp proposes that the requirement be amended so the coverage doesn’t exclude insured losses specific to the loss of use, corruption or destruction of electronic data or the unauthorized disclosure of or access to nonpublic information.

But expanding the requirement carries considerable risk. If insurers are required to make more coverage available for cyber events than they are comfortable with the result could be a pullback in property and liability insurance generally – not just for cyber events. Any expansion must be balanced with the terms of the backstop.

Schupp concluded that the GAO’s investigation and report (which is required to be completed by June 2020) is likely to kick off a multi-year debate that could substantially redefine U.S. cyber insurance markets. Insurers, policyholders and other stakeholders should engage accordingly.

To learn about how to become a member of Triple-I visit iiimembership.org.

Ransomware payments doubled in fourth quarter 2019

The average ransomware payment increased by a whopping 104 percent in the fourth quarter of 2019, spiking to $84,116 from $41,198 in Q3, according to a report from Coveware, a security vendor.

Ransomware, also known as cyber extortion, involves the use of malicious software designed to block access to a computer system until a sum of money is paid. The 4Q increase reflects the diversity of the cyber criminals attacking companies.

Some ransomware variants are focusing on large companies where they can attempt to extort the organizations for seven-figure payouts. Small businesses, on the other hand, are bombarded with ransomware variants with demands as low as $1,500.

The total cost of a ransomware attack depends on its severity and duration and includes the costs of the ransom payment (if one is made), as well as remediation costs, lost revenue, and potential brand damage.

In Q4, ransomware actors also began exfiltrating data from victims and threatening to release it. In addition to remediation and containment costs, this complication adds to the potential costs of third-party claims.

Other key takeaways from the report include:

  • 98 percent of companies that paid the ransom received a working decryption tool in Q4 2019, unchanged from Q3.
  • Victims who paid for a decryptor successfully decrypted 97 percent of their data, a slight increase from Q3.
  • Average downtime increased to 16.2 days, from 12.1 days in Q3 of 2019. The was driven by a higher prevalence of attacks against larger enterprises, which often spend weeks fixing their systems.
  • Cyber criminals demand Bitcoin almost exclusively now in all forms of cyber extortion because it’s easier to swap extortion proceeds into a privacy coin after they collect, than to require a victim to purchase a less liquid type of digital currency.
  • Less sophisticated and well-financed attackers will target small companies with small IT budgets.
  • Public sector organizations continued to account for a high percentage of ransomware attacks in Q4. The attacks are expected to continue until these organizations are able to increase their security budgets.

 

JIF Insights: Cowbell CEO On Simplifying Cyber
For Smaller Firms

At Triple-I’s Joint Industry Forum last week, I had the opportunity to meet with Jack Kudale, CEO and founder of Cowbell Cyber, and learn more about how the startup aims to simplify and demystify cyber insurance for small and medium enterprises.

Cowbell CEO Jack Kudale’s background includes 25 years in enterprise software and five in cyber security. He led three startups before founding Cowbell.

Cyber remains a tough sell among smaller companies. As previously reported by Triple-I, many believe their risk profiles don’t warrant the cost of the coverage, and some complain the policies contain too many exclusions. A 2019 Advisen survey of brokers and underwriters – all involved in cyber insurance – found “not understanding exposures” (73 percent), “not understanding coverage” (63 percent), and “cost” (46 percent) to be the top three obstacles to writing and issuing cyber.

‘We eliminate the application’

Cowbell this morning announced the launch of Cowbell Prime 100 – the company’s A.I.-powered platform that promises to assess customers’ cyber exposures in real time and match them with the most relevant coverage for their business – all in about five minutes.

“Basically, we eliminate the application,” Kudale said. “The coverage is highly individualized for each specific business.“

And, if that isn’t enough, instead of an annual process of underwriting and renewal, Cowbell Prime 100 will continuously monitor customers’ exposures and recommend coverage changes in real time.

“For smaller companies, the concern is about speed and simplicity,” Kudale said. “Do I have to fill out long forms or answer intrusive questions? We remove all that friction and provide coverage tailored to their exposure.”

Larger companies, Kudale said, “are more interested in insights. Our continuous underwriting will help them better understand their cyber risks and how the recommended coverage addresses them.”

“The more customized the policy,” he continued, “the less concern there is about excessive exclusions.”

Cowbell Factors

The platform’s proprietary “Cowbell Factors” assess:

  • Projected loss costs based on hundreds of thousands of cyber cases,
  • Risk signals from internet-exposed infrastructure,
  • The customer’s cyber security practices,
  • “Dark web” intelligence,
  • Industry-specific business-interruption data, and
  • Regulatory compliance data.

Kudale’s background includes 25 years in enterprise software and five in cyber security. He led three startups before founding Cowbell with partners from the insurance and tech worlds.

Cowbell Prime 100 offers an A.M. Best ‘A’-rated admitted policy backed by Boost Insurance and prominent reinsurance partners, including Markel Global Reinsurance Company, Renaissance Re Holdings, and Nephila Capital. The company currently is appointing brokers and agents in California, Colorado, Arizona, Illinois, Oregon and Nevada.

Cyber Claims Get Paid; 
Why Do Many Businesses
Believe They Don’t?

There’s a road in my town that’s widely regarded as a speed trap. We all know drivers who say they were unfairly stopped and ticketed on it. I’ve never been and, come to think of it, neither has anyone I talk to about it.  Maybe it’s because we live in town and “everyone knows” about the trap.

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.

Sure, people get ticketed. The road is straight and wide, and I guess some feel they should be able to drive faster than the clearly posted speed limit. Or maybe they think the “real” limit is somewhat north of the number posted.

Is that really a “speed trap”?

I think of this road when I hear people say they don’t buy cyber insurance because “everyone knows” cyber claims don’t get paid.

Poster child for “cyber” denial

The example on everyone’s lips when this topic comes up is Mondelez International, the food and beverage giant hit by the NotPetya ransomware attack in 2017. Mondelez incurred losses exceeding $100 million, and its insurer denied coverage based on a war exclusion.

The irony? The policy in question covered property, not cyber. One can argue – as Mondelez does in a lawsuit –  that the war exclusion is being unfairly applied, but businesses aren’t ceasing to buy property insurance on account of it!

Cyber claims data are hard to come by, but for nine years NetDiligence has published a Cyber Claims Study analyzing paid claims. The 2019 study looks at more than 2,000 such claims aggregated in over 20 ways, including types and amounts of losses, incident causes, data types exposed, business sectors affected, revenue size of claimants, and financial impact.

Verisk, whose cyber products help insurers write coverage based on their policyholders’ risk characteristics, doesn’t publish claims data but aggregates and incorporates them into its analytics.

NetDiligence publishes an annual Cyber Claims Study. Verisk aggregates and incorporates claims data into its analytics. Why do so many believe cyber claims don’t get paid?
Why the perception/reality gap?

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure. Indeed, in a recent survey by J.D. Power and the Insurance Information Institute, small-business owners named “too many exclusions” among the top reasons they don’t buy cyber coverage.

Claims are often denied because of exclusions policyholders might not have known about or understood. Some insurers, for example, include “failure to follow” exclusions for claims arising from inadequate security standards.

Everyone’s responsibility

If insurers want businesses to buy cyber policies and not be hit with unpleasant surprises at claims time, they need to be aggressively transparent about what’s included and excluded. Relegating this to fine print is not a good strategy.

Brokers and agents need to educate themselves about their clients’ needs and be fastidious in aligning coverage recommendations with those needs.

And insurance buyers – those with most at stake – need to understand cyber perils and insurance. For example, insurers require a cyber hygiene self-assessment from applicants. If, after an incident, that assessment proves inaccurate – say, if encryption practices were misrepresented – coverage can be denied.

Insurance isn’t a replacement for cyber diligence. But it can complement it as part of a well-planned risk management program.

Life & Death:
Cyberattacks Interrupt More Than Business

Cyberattacks on hospitals can lead to increased death rates among heart patients, recent research suggests. This research emerges as attacks on health facilities are reported to have increased 60 percent in 2019.

Researchers at Vanderbilt University‘s Owen Graduate School of Management drilled down into Department of Health and Human Services records on data breaches from more than 3,000 Medicare-certified hospitals. They found that, for facilities that experienced a breach, the time for suspected heart attack patients to receive an electrocardiogram (ECG) increased by more than two minutes.

Health care is the seventh-most targeted industry, but attacks on this sector are on the rise.
When seconds count

The study focused on the impact of remediation efforts on health care outcomes following a data breach.  It found that common remediation approaches, such as additional verification layers during system sign-on, can “delay the access to patient data and may lead to inefficiencies or delays in care.”

Common remediation approaches, such as additional verification during system sign-on, can delay access to patient data and lead to delays in care.

“Especially in the case of a patient with chest pain,” the report says, “any delay in registering the patient and accessing the patient’s record will lead to delay in ordering and executing an ECG.”

The researchers found that “a data breach was associated with a 2.7-minute increase in time to ECG three years after the breach.”

A bit over two minutes may not seem like much – but during a coronary or a stroke it can be the difference between life and death.

Increasingly targeted

Vanderbilt’s research was based on data collected before ransomware attacks against health care facilities became common. The authors caution that such attacks – in which systems or data are held hostage until a ransom can be paid – “are considered more disruptive to hospital operations than the breaches considered in this study.”

The medical sector is the seventh-most targeted industry, according to a report by internet security firm Malwarebytes, based on data gathered between October 2018 and September 2019. But Malwarebytes warns that attacks on this sector are on the rise.

“Threat detections have increased for this vertical,” the report says, “from about 14,000 healthcare-facing endpoint detections in Q2 2019 to more than 20,000 in Q3, a growth rate of 45 percent.”

Comparing all of 2018 against the first three quarters of 2019, Malwarebytes said it has observed a 60 percent increase in such attempted intrusions.

“If the trend continues,” Malwarebytes reports, “we expect to see even higher gains in a full year-over-year analysis.”

 

House Panel Approves Terrorism Insurance Backstop Reauthorization

“Ground Zero,Lower Manhattan,NYC.”

The House Financial Services Committee on October 31 approved an amended version of the Terrorism Risk Insurance Program Reauthorization Act of 2019 that would require the Government Accountability Office (GAO) to report on cyberterrorism risks and the Department of Treasury to issue a biennial report that includes “disaggregated data on places of worship.”

The Terrorism Risk Insurance Act of 2002 (TRIA), approved after the 9/11 terrorist attacks in New York City and Washington, D.C., provided a backstop to encourage insurers to resume writing terrorism policies. After 9/11, primary insurers sought to explicitly exclude terrorism coverage from their commercial policies, and reinsurers became unwilling to assume risks in urban areas perceived as vulnerable to attack.

TRIA created the Terrorism Risk Insurance Program (TRIP), a federal loss-sharing program for certain insured losses resulting from a certified act of terrorism. TRIP provides a backstop for insurers and has to be periodically reauthorized. It is currently due to expire at the end of 2020.

In addition to the reporting requirements mentioned above, the amended legislation shortens the extension period from 10 years.

The bill says the cyber report should analyze the general vulnerabilities and potential costs of cyberattacks on the nation’s infrastructure and reach conclusions about whether cyberrisk, particularly cyberliabilities, under property/casualty insurance, can be sufficiently covered and adequately priced.

The insurance industry has praised the progress of the extension as well as the proposed studies of cyber exposures. The next step toward TRIA reauthorization is a floor vote in the House of Representatives.

Follow the conversation about the federal terrorism backstop here.

Are Cyberrisk Insurers This Decade’s Mortgage-Securities Investors?

An awkward moment during  Advisen’s Cyber Risk Insights 2019 conference last week:

Are cyber insurers falling down on the job, as many say lenders, regulators, and rating agencies did before the 2008 financial crisis?

Panelists recalled how, in the early days of cyber, insurers often sought more information to write policies than clients could (or wanted to) provide. So, they started asking for less.

Most attendees remembered the “old days.” Many nodded. They understood.

The awkwardness came when one audience member observed that insurers “still chase market share” despite lacking complete policyholder risk information. “That sounds a lot like mortgage-backed securities before the financial crisis!”

Are cyber insurers falling down on the job, as many say lenders, regulators, rating agencies, and investors did before the 2008 financial crisis and subsequent recession?

The analogy may sound fair, but it falls apart on examination.

Mortgages and the financial crisis

In the early 2000s, it was easy to get a mortgage. Lenders would bundle loans to be sold as mortgage-backed securities. The theory: Few people would stop making payments and risk losing their homes. The rest would pay, and the security would deliver a fair return.

This made sense when lenders did their job. But too many abandoned their standards. Because they could sell them, lenders had no stake in whether the mortgages were paid.

Regulators and rating agencies, it has been argued, didn’t ask enough questions about the securities the loans supported. This gave investors more confidence than the investments warranted. When loans that should never have been made in the first place defaulted, the resulting dislocation of the homebuying and financial markets ushered in the Great Recession.

Where the analogy breaks down

Cyber insurers understand the risks they’re taking and price their policies accordingly. In fact, a recent I.I.I./J.D. Power survey found two of the top four reasons small companies choose not to buy cyber coverage are that it costs too much and contains too many exclusions.

Unlike the lenders and borrowers and investment banks in the early oughts, insurers have skin in the game. If they write bad business, they can’t simply pass it along to some naïve investor.

They also have a stake in customer relationships. They aren’t pushing policies, pricing them to sell, and hoping for the best. They’re working with clients to understand and address the clients’ vulnerabilities.

Cyber insurers understand the risks they’re taking and price their policies accordingly…. They also have a stake in customer relationships.

Seventy percent of small companies that bought cyber said their insurer helps with risk mitigation (up from 65 percent last year), according to the I.I.I./J.D. Power survey.  At the Advisen event, I heard insurers and policyholders discussing how they can address these perils. Policyholders clearly wanted insurers to do more than write policies and pay claims, and the insurers were listening.

Conversations like these, and the spirit of transparency and shared responsibility they reflect and promote, are essential to staving off and mitigating the impact of cyberattacks. Insurers and insureds, together, are visibly seeking solutions to a real and growing problem.

The people behind the financial crisis quietly created problems in pursuit of opportunities, studiously unmindful of the collateral damage they were generating.

Cyber Insurance: Why Do Small Firms Do Without?

Small-business owners know cyber risk threatens them – but many still are dubious about cyber insurance. Why?

Smaller businesses seem to be getting the message that cyber risk isn’t just something for big companies to worry about; nevertheless, many still balk at buying cyber insurance, according to a new survey from the Insurance Information Institute (I.I.I.) and J.D. Power.

The 2019 Small-Business Cyber Insurance and Security Spotlight found that 12 percent of survey respondents experienced at least one cyber incident in the past year, up from 10 percent in 2018.  Nearly 71 percent said they are “very concerned” about cyber incidents, up from 59 percent, and 75% said they believe the risk of being attacked is growing at an alarming rate, up from 70 percent last year.

Two of the top four reasons cited for not buying cyber coverage are within insurers’ control.

Respondents with cyber insurance increased this year, to 35 percent from 31 percent; but of the 44 percent who said they don’t have cyber coverage and the 21 percent who didn’t know if they do, 64 percent said they don’t plan to buy it in the next 12 months.

Why the hesitation?

Why are many smaller firms so reluctant to insure against a threat they recognize to be real and growing?

The top two reasons given were: cost (42 percent) and the belief that the companies’ risk profiles don’t warrant coverage (35 percent). Twenty-seven percent said they believe they handle cyber risk sufficiently well internally, and 17 percent cited “too many exclusions” as a reason for not buying coverage. For the non-insurers in the audience, “exclusions” are provisions in an insurance agreement that limit the scope of coverage.

So, in other words, two of the top four reasons cited by insureds for not buying cyber coverage – cost and exclusions – are within insurers’ control.

As David Pieffer, head of J.D. Power’s property and casualty insurance practice, put it:

“Given small companies’ growing awareness and concerns about cyberrisk, insurers and agents and brokers might be able to increase their overall support of this market by addressing the issues of affordability and coverage limitations that seem to be an obstacle to purchasing.”

Risk-mitigation support may help

Closely related to cost is the question of value. What do insureds get for their premium dollar?

Among the respondents with cyber coverage, 70 percent said their insurer helps with cyberrisk mitigation, up from 65 percent in 2018. Fifty-one percent said their insurer offers contingency planning for data breaches, up from 40 percent, and 53 percent said their insurer will assess their vulnerability to data breaches, up from 51 percent.

“We’re seeing more insurers work with commercial customers to mitigate risks – in particular, with small and mid-size businesses,” said Sean Kevelighan, I.I.I. president and CEO. “We know many of the large cyber incidents can be sourced back to a smaller business or vendor, and, thus, it’s increasingly critical to assist in loss prevention measures that can make the customer more resilient, while also reducing claims and damages.”

It’s hard to say based on the data, but perhaps such insurer involvement plays as significant a role in small companies’ increased adoption of cyber insurance as does their growing anxiety about cyber perils. As companies increasingly see cyber insurers as trusted risk-management partners – not just writers of policies and payers of claims – perhaps take up rates will accelerate.

Bridging the Cyber Insurance Data Gap

 

 

Cyber risks are opportunistic and indiscriminate, exploiting random system flaws and lapses in human judgment.

Underwriting cyberrisk is beyond difficult. It’s a newer peril, and the nature of the threat is constantly changing – one day, the biggest worry is identity theft or compromise of personal data. Then, suddenly it seems, everyone is concerned about ransomware bringing their businesses to a standstill.

Now it’s cryptojacking and voice hacking – and all I feel confident saying about the next new risk is that it will be scarier in its own way than everything that has come before.

This is because, unlike most insured risks, these threats are designed. They’re intentional, unconstrained by geography or cost. They’re opportunistic and indiscriminate, exploiting random system flaws and lapses in human judgment.  Cheap to develop and deploy, they adapt quickly to our efforts to defend ourselves.

“The nature of cyberwarfare is that it is asymmetric,” wrote Tarah Wheeler last year in a chillingly titled Foreign Policy article, In Cyber Wars, There Are No Rules.  “Single combatants can find and exploit small holes in the massive defenses of countries and country-sized companies. It won’t be cutting-edge cyberattacks that cause the much-feared cyber-Pearl Harbor in the United States or elsewhere. Instead, it will likely be mundane strikes against industrial control systems, transportation networks, and health care providers — because their infrastructure is out of date, poorly maintained, ill-understood, and often unpatchable.”

This is the world the cyber underwriter inhabits – the rare business case in which a military analogy isn’t hyperbole.

We all need data — you share first

In an asymmetric scenario – where the enemy could as easily be a government operative as a teenager in his parents’ basement – the primary challenge is to have enough data of sufficiently high quality to understand the threat you face. Catastrophe-modeling firm AIR aptly described the problem cyber insurers face in a 2017 paper that still rings true:

“Before a contract is signed, there is a delicate balance between collecting enough appropriate information on the potential insured’s risk profile and requesting too much information about cyber vulnerabilities that the insured is unwilling or unable to divulge…. Unlike property risk, there is still no standard set of exposure data that is collected at the point of underwriting.”

Everyone wants more, better data; no one wants to be the first to share it.

As a result, the AIR paper continues, “cyber underwriting and pricing today tend to be more art than science, relying on many subjective measures to differentiate risk.”

Anonymity is an incentive

To help bridge this data gap, Verisk – parent of both AIR and insurance data and analytics provider ISOyesterday announced the launch of Verisk Cyber Data Exchange.  Participating insurers contribute their data to the exchange, which ISO manages – aggregating, summarizing, and developing business intelligence that it provides to those companies via interactive dashboards.

Anonymity is designed into the exchange, Verisk says, with all data aggregated so it can’t be traced back to a specific insurer.  The hope is that, by creating an incentive for cyber insurers to share data, Verisk can provide insights that will help them quantify this evolving risk for strategic, model calibration, and underwriting purposes.

Wedding Big Rigs to IoT: What Could Possibly Go Wrong?

“We went out again. We got maybe six steps before lights blared in our faces. It had crept up, big wheels barely turning on the gravel. It had been lying in wait and now it leaped at us, electric headlamps glowing in savage circles, the huge chrome grill seeming to snarl.”

Transportation and logistics companies are now among the top-targeted industries by computer hackers

When Stephen King wrote Trucks – a tale of big rigs, pickups, and earth movers coming suddenly to life and terrorizing people they had trapped in a diner – he didn’t speculate about how or why they’d been incited to malevolence. Aliens? The Soviets? Who cared? It was the 1970s, and all he needed to do was deliver a solid horror yarn.

I loved that story when I read it in high school – mainly because it scared the daylights out of me and yet I knew for sure it couldn’t happen. Could it? Nah!

Today I read an article about “platooning”, in which “a lead vehicle wirelessly assumes control over the throttle and braking of one, two, or more vehicles following along behind it. In many scenarios, the drivers in a platoon continue to steer their vehicles and can disengage from the convoy at any time, but the first vehicle determines the speed and braking maneuvers of the entire platoon. Because the follower trucks maintain constant communication with the lead vehicle and have synchronized acceleration and braking, platooning trucks can maintain much shorter distances between themselves as they travel.”

Bam! I was right back in that 1970s diner inside Stephen King’s warped, brilliant, and quite possibly prophetic brain.

From there I time traveled forward to Bastille Day 2017 in Nice, France, where 84 people were killed when a radicalized individual plowed a 20-ton truck into a crowd waiting to watch a fireworks display. The previous December, CNN reminded me, 12 people were left dead and 48 injured when a tractor trailer was driven into a Berlin Christmas market.

“Platooning, which is based on vehicle-to-vehicle (V2V) communications, has been shown to increase the fuel efficiency of both the lead and following vehicles, saving fleet operators money and reducing carbon dioxide emissions,” the article in Verisk’s Visualize insurance news and thought leadership site tells me comfortingly. It cites a German pilot program in which truck platooning generated fuel savings of 3 to 4 percent. Platooning could lead to huge cost savings for businesses and consumers.

Who doesn’t love fuel efficiency?

And then I read an article in Today’s Trucking that began:

“When Harold Sumerford’s phone rang at 2:30 a.m. on April 2, he knew the news couldn’t be good. But he figured it was probably the safety department – not the CFO telling him the company’s entire computer system was down from a ransomware attack.”

Sumerford is CEO of J&M Tank Lines. According to the article, it took four days for his company to begin functioning after the attack, “and during those four days, they weren’t able to bill any customers or enter anything into the system.”

Granted, this is a far cry from having the entire fleet go on a murderous rampage, but the Internet of Things is still young.  It hasn’t been long since researchers demonstrated that they could remotely do everything from altering a big rig’s  instrument panel to triggering unintended acceleration or disabling brakes.

“These trucks carry hazardous chemicals and large loads,”  Bill Hass, one of the researchers from the University of Michigan’s Transportation Research Institute, told Wired. “If you can cause them to have unintended acceleration…I don’t think it’s too hard to figure out how many bad things could happen with this.”

J&M’s experience, according to Today’s Trucking, was “just one example of a rapidly growing problem with cybersecurity in the trucking industry. Transportation and logistics companies are now among the top-targeted industries by computer hackers.”

According to an article in ZDNet published just a few weeks ago, “Hackers are deploying previously unknown tools in a cyberattack campaign targeting shipping and transport organisations with custom trojan malware. Identified and detailed by researchers at Palo Alto Networks’ Unit 42 threat intelligence division, the campaign has been active since at least May 2019 and focuses on transportation and shipping firms operating out of Kuwait in the Persian Gulf.”

This as everyone I know seems to be panting with enthusiastic anticipation for vehicles that drive themselves!

Look, I’m no Luddite. I appreciate the benefits offered by and realized through interconnectivity.

But I also have a front row seat observing the difficulties people who assess and quantify risk for a living experience in getting and keeping their heads around the ever-changing world of cyberrisk.  As data and “stuff” become increasingly intertwined and the risks surrounding them are less clearly defined, is it so unreasonable to suggest that pushing humans out of the driver’s seat at this moment isn’t the only or best path to traffic safety, low prices, and reducing our collective carbon footprint?