5 Ransomware Ideas, or You’ll WannaCry

A massive cyberattack involving a ransomware program called Wanna Decryptor, also known as “WannaCry,” recently swept the globe, freezing computer systems and causing major disruptions. The attack, reported to be the largest ransomware outbreak to date, affected tens of thousands of organizations across a wide range of industry sectors, including the U.K.’s National Health Service (NHS), Spanish telecom giant Telefonica, French car maker Renault, Portugal Telecom and U.S. delivery company FedEx, among many others. The attack reportedly affected nearly 150 countries.

Ransomware (a blend of the terms “ransom” and “malware”) has become an increasingly common form of cyber extortion. It typically involves extortionists taking control of a computer system and encrypting the files and data on it, rendering them inaccessible and useless, until a demand for payment, usually in Bitcoin, is satisfied. WannaCry follows the typical pattern: 1) it encrypts the files on the victim’s computer system; 2) it informs the victim that the files have been encrypted; 3) it warns that the files will be lost unless payment in Bitcoin is received by a deadline; and 4) it provides instructions for making and sending the payment. Paying does not guarantee that a working decryption key will follow, which is one reason the backup and insurance considerations below matter.

Ransomware has become frighteningly pervasive and increasingly serious and expensive. According to the U.S. Department of Justice, ransomware attacks quadrupled from 2015 through 2016, to an estimated 4,000 per day, and, as WannaCry underscores, are projected to double again in 2017. These attacks can, and do, cause significant operational disruption, often halting a business in its tracks, damage reputations and create other types of losses and exposures. Every industry sector is seeing an increasing threat, with the healthcare and education sectors particularly targeted. Other forms of cyberextortion also entail significant potential exposure, including threats to obtain or release protected information, such as personally identifiable customer data, protected health information and confidential corporate information, or to launch denial-of-service attacks that disrupt an organization’s networks and interrupt its business.


Here we offer five insurance and other considerations for organizations facing an enormous uptick in increasingly severe ransomware attacks and other forms of cyberextortion:

1. Consider purchasing “cyberextortion” insurance. No firewall is unbreachable, and no security system is impenetrable. Given that reality, insurance can play a vital role in a company’s overall strategy for addressing and mitigating the legal and other exposures that flow from serious cybersecurity, privacy and data protection-related incidents. Importantly, almost all stand-alone so-called “cyber” insurance policies offer coverage for ransomware and other forms of cyberextortion. This coverage is specifically designed to cover the losses and expenses an organization incurs in the wake of a cyberextortion incident such as the WannaCry worm, alongside many other first- and third-party cybersecurity and data privacy-related exposures, including crisis management (such as notification to potentially affected individuals, credit monitoring and call center services), data breach and network security-related claims and liability, including regulatory liability, business income loss and digital asset loss. Cyberextortion coverage can be extremely valuable as a way for organizations to address and mitigate losses arising from mounting extortion threats, and many organizations now purchase it as part of their cyberinsurance programs.

2. Closely review cyberextortion insurance terms and conditions. It is clear that cyberinsurance can be extremely valuable, but obtaining the right insurance product presents significant challenges. There is a diverse and growing array of cyberinsurance products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer — and even between cyberinsurance policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different organizations within those sectors, are far-reaching and diverse. For these reasons, organizations purchasing cyberinsurance, and the cyberextortion components of that insurance, are well advised to closely review the terms and conditions of the coverage to ensure that the organization’s cyber extortion risk will be covered, without a protracted battle with the insurer, in the wake of an attack. Among other things, organizations are advised to consider the following:

  • Scope of coverage. Cyberextortion coverage should be written to cover as broad a range of potential attacks, and potential exposure outcomes, as possible. The coverage should include any threat to harm, impair access to or engage in unauthorized access to, relevant computer systems and the applications, files and data residing on those systems, together with any threat to access or divulge any sensitive information in the organization’s possession or control.
  • Key definitions. Key definitions must be sufficiently broad to match the reality of risk faced by the insured organization. By way of example, in addition to definitions that define the scope of coverage, definitions governing the types of losses and expenses that are covered should be carefully reviewed. The policy should cover reasonable and necessary expenses incurred by the insured organization resulting from a covered threat, including the costs of investigating and assessing a threat (even if no ransom is paid), should expressly cover payment of cryptocurrencies (including Bitcoin), as well as, preferably, any other consideration or action that may be demanded by the extortionists, and should cover reasonable and necessary expenses incurred to mitigate or reduce other covered expenses.
  • Conditions. Organizations are advised to pay close attention to policy conditions, including notice and consent provisions, proof of loss provisions, allocation provisions, alternative dispute resolution provisions and any requirements that the organization notify law enforcement of the incident at issue. The importance of notice provisions is addressed in further detail below. Consent provisions may be favorably amended to state that an insurer’s consent to satisfying the extortion demand “shall not be unreasonably withheld.” Other provisions, such as the requirement of involving authorities, may be deleted. As discussed more below, cyberinsurance policies are highly negotiable, and very favorable amendments can often be made for no additional premium charge.
  • Exclusions. It also is critical that organizations be aware of any insurance policy exclusions that may vitiate the coverage that the policy was intended to cover. By way of example, cyberinsurance policies typically contain a “bodily injury” exclusion. Such an exclusion may pose a particular problem for hospitals and other healthcare providers, which rely on access to patients’ medical records to provide appropriate care and treatment. As with other exclusions, it may be possible to significantly curtail or delete bodily injury exclusions. Many other types of exclusions can be curtailed or deleted — often for no additional policy premium.
  • Sublimits and retentions. A cyberinsurance sublimit of liability (a ceiling on the amount of coverage available for a specific type of loss) must be sufficient to cover the organization’s potential exposure. Like other facets of cyberinsurance coverage, including coverage for losses associated with regulatory action and PCI DSS-related liabilities, cyberextortion coverage may be written subject to a relatively low sublimit, such that, for example, a $10 million limit primary policy may provide only $250,000 or $500,000 for cyberextortion losses. In addition to policy limits, organizations are advised to pay attention to self-insurance features, such as policy retentions or deductibles, which typically range from $0 to in excess of $5 million. As with other cyberinsurance terms and conditions, sublimits and retentions usually are negotiable. On a related point, as discussed further below, what starts with an extortion threat can end up triggering many different modular aspects of cyberinsurance coverage. It is therefore important that the policy state that an extortion threat, together with any other first- or third-party covered events that trigger different coverage sections of a policy, is subject only to a single retention, and that any lower retention amount applicable to a particular coverage section, such as a cyberextortion section, is met once that lower amount is satisfied by payment of loss under that section.

Although placing coverage in this dynamic space presents a challenge, it also presents substantial opportunity. The cyberinsurance market is competitive, and cyberinsurance policies are highly negotiable. This means that the terms of the insurers’ off-the-shelf policy forms often can be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in premium. Before an attack occurs, organizations are encouraged to negotiate and place the best possible coverage to decrease the likelihood of a coverage denial and litigation. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

3. Provide notice and comply with other policy conditions. Insurance policies typically contain notification provisions requiring the insured organization to provide notice within a certain time frame, often “as soon as practicable” or even “immediately,” after the organization becomes aware of an incident. Although notifying the insurer may not be top of mind during a cyberattack, particularly where the demand is far below the policy retention or deductible, it is important to reasonably comply with notice provisions (and other policy conditions, including consent provisions) so as not to jeopardize or delay coverage. Organizations should also recognize that what begins as a relatively low cyberextortion demand may quickly evolve into an incident, or series of related events, that triggers other first-party coverage sections of the policy, such as business income loss coverage (an extortion event may cause a significant loss of business income), extra expense coverage, digital asset recovery/restoration coverage and crisis management coverage and, to the extent personally identifiable information or protected health information may have been compromised, the third-party claim coverage sections, including coverage for data breach-related lawsuits and regulatory liability. Indeed, a ransom demand may be deployed as a deliberate diversion from a different, principal goal, such as stealing sensitive records. Recognizing this reality, the organization must be aware of, and reasonably comply with, notice provisions to avoid a coverage defense based on purported late notice.

In addition, providing notification can unlock valuable coverage for costs related to the extortion threat: a forensic investigation (which may reveal other malware on the system, stop the intrusion and block future extortion attempts), a consultant to apply decryption keys or recreate the affected files and data, and, where appropriate, legal counsel. The bottom line: in the event of a cyberextortion demand, organizations are advised to provide notice under all potentially implicated policies, except where particular circumstances justify not doing so, and to carefully evaluate all potentially applicable coverages.

4. Maximize coverage across the entire insurance program. Although cyberextortion coverage is the obvious place to look for coverage after a ransomware attack or other cyberextortion incident, organizations are advised to consider all potentially applicable insurance policies and coverages. As noted above, a cyberextortion incident may trigger various other coverages under the organization’s cyberinsurance program, and it may also trigger other policies and programs, such as computer crime policies and kidnap and ransom policies. The various policies that may be triggered by a cyberattack likely carry different limits, deductibles, retentions and other self-insurance features, together with different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under the insured’s different policies, it is important to consider the strategy that will most effectively and efficiently maximize the coverage potentially available across the insured’s entire insurance portfolio. Absent a compelling reason, notice should be provided under all policies that potentially provide coverage.

5. Exercise business continuity and improve computer security. Insurance aside, the best protection against a ransomware attack is to have all files and data securely backed up, in a separate physical location or at least on a separate system, so that extortionists cannot permanently destroy business-critical information. Two caveats apply: ransomware encrypts whatever the infected machine can write to, including mapped network drives and always-connected backup disks, so the backup copy must be offline or otherwise not writable from production systems; and a backup that has never been restored is unproven, so restores should be tested on a schedule. It also is important to reflect on how these attacks occur. Cyberextortionists must get malicious software onto a system, or a connected device, and this often is achieved by tricking employees into clicking attachments or links in phishing emails, which increasingly look convincing. WannaCry, notably, also spread on its own from one infected machine to other unpatched machines on the same network, so a single compromised host could be enough. Therefore, improving computer security is essential: antivirus programs, spam filters, firewalls, prompt installation of software updates and security patches (early reports indicate that WannaCry exploits a vulnerability in Windows that Microsoft patched on March 14, which would have automatically protected computers with Windows Update enabled), disabling macro scripts and using application whitelists, which allow only approved files to execute. Likewise, training employees to recognize and avoid social engineering such as phishing emails is key to negating or minimizing ransomware threats. Organizations also are advised to incorporate ransomware attack scenarios into their incident response planning, including how an infected host will be isolated from the network.
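As an added example, not part of the original article or its authors’ advice, the following PowerShell audits a Windows host for several of the controls listed in item 5 and can apply two of them. It assumes Windows 8.1/Server 2012 R2 or later with PowerShell 5.1, run from an elevated prompt; the function names Test-RansomwareHardening and Set-RansomwareHardening, the March 14, 2017 cutoff date and the Office 16.0 registry path are the example’s own choices. The SMBv1 check goes beyond the article’s text: WannaCry propagated between unpatched hosts over SMBv1, so disabling it is the standard compensating control where the patch cannot be applied.

```powershell
# Added example, not from the original article: a read-only audit of the
# host-level controls in item 5, followed by an opt-in remediation.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, PowerShell 5.1, elevated.
# Get-SmbServerConfiguration and Get-AppLockerPolicy are not present on Windows 7.

function Test-RansomwareHardening {
    [CmdletBinding()]
    param(
        # The article refers to the Windows fix Microsoft shipped on March 14, 2017.
        # Assumption: a host whose newest update predates that is treated as unpatched.
        [datetime]$PatchCutoff = [datetime]'2017-03-14'
    )

    $f = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Patch level: newest installed update. Get-HotFix leaves InstalledOn empty
    # for some entries, so drop those before sorting.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $f.LatestUpdate = if ($latest) { '{0} ({1:yyyy-MM-dd})' -f $latest.HotFixID, $latest.InstalledOn } else { 'none found' }
    $f.PatchedSinceCutoff = [bool]($latest -and $latest.InstalledOn -ge $PatchCutoff)

    # Windows Update service start mode: the article notes that auto-updating
    # hosts already had the fix. Win32_Service works on older builds than
    # the StartType property of Get-Service.
    $wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $f.WindowsUpdateStartMode = if ($wu) { $wu.StartMode } else { 'unknown' }

    # SMBv1: WannaCry spread between hosts over this protocol. Turning it off is
    # the compensating control for machines that cannot take the patch.
    $f.SMB1ServerEnabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # Office macros: VBAWarnings 4 = disable all without notification,
    # 3 = only digitally signed, 2 = disable with notification (the default prompt),
    # 1 = enable all. Assumption: Office 2016/365 (registry version 16.0), Word.
    $macroKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    $vba = (Get-ItemProperty -Path $macroKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $f.WordMacroPolicy = if ($null -eq $vba) { 'not set (user can enable macros)' } else { $vba }

    # Application whitelisting: count rule collections in the effective AppLocker
    # policy. Zero means nothing is being enforced on this host.
    $f.AppLockerRuleCollections = 0
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
        if ($policy) { $f.AppLockerRuleCollections = @($policy.RuleCollections).Count }
    }

    [pscustomobject]$f
}

function Set-RansomwareHardening {
    # Applies the two settings with the biggest payoff against a WannaCry-style
    # worm. Supports -WhatIf so the change can be reviewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set Word macro policy to "disable all"')) {
        $macroKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
        New-Item -Path $macroKey -Force | Out-Null
        Set-ItemProperty -Path $macroKey -Name VBAWarnings -Value 4 -Type DWord
    }
}

# Usage: audit first, review the output, then dry-run the remediation.
Test-RansomwareHardening | Format-List
Set-RansomwareHardening -WhatIf
```

The audit reports rather than enforces, so it can be run fleet-wide through remoting and the results compared before any change. The patch-date check is a heuristic, not proof that the March 14 fix is present; pair it with the vulnerability scanner or update-management console the organization already uses. Disabling SMBv1 breaks access to any remaining legacy file shares, which is exactly why the remediation defaults to a dry run.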


A well-negotiated insurance program, together with solid business continuity planning and comprehensive, active cybersecurity policies and procedures, will position an organization to be resilient in the face of the serious and escalating threat posed by cyberextortion.

This article originally appeared on Law360.

Lessons From New Telematics Firm

The insurance industry has been abuzz with the announcement by Allstate CEO Tom Wilson that he has created a stand-alone business unit with the express purpose of monetizing telematics data that the firm has been collecting for at least the last six years.

The new company, called Arity, will provide data and analytics products to the insurer’s brands, as well as to third parties.

This is not a surprising move for Allstate.

I have been watching Allstate for the last couple of years. The company has had an active research and development department. You can be assured that other insurance companies are exploring similar options that will help them increase revenue in arenas beyond insurance policies.

Allstate has provided hints of its intentions for the last couple of years. In the 2015 SEC 10-K filing, the insurance company — for the first time — identified how changing technology is increasing the risk of its ability to continue to generate revenue from insurance products. Specifically, the company said:

“We are also investing in telematics and broadening the value proposition for the connected consumer. If we are not effective in anticipating the impact on our business of changing technology, including automotive technology, our ability to successfully operate may be impaired. Also, telematics devices used have been identified as a potential means for an unauthorized person to connect with a vehicle’s computer system resulting in theft or damage, which could affect our ability to successfully use these technologies.

Other potential technological changes, such as driverless cars or technologies that facilitate ride or home sharing, could disrupt the demand for our products from current customers, create coverage issues or [affect] the frequency or severity of losses, and we may not be able to respond effectively.”

Allstate identified the new risk it faced. In response, the company has been aggressively researching, developing and testing new ideas for how to use the data collected to create new types of insurance policy coverages and rating models.


Innovation Encouraged

The company was granted 28 patents in 2015. So far in 2016, it has been awarded 15 patents. The company has also submitted 16 patent applications. Following is a small sampling of the patents:

Insurance System Related to a Vehicle to Vehicle Communication System (#9,390,451) – System and methods are disclosed for determining, through vehicle-to-vehicle communication, whether vehicles are involved in autonomous droning. Vehicle driving data and other information may be used to calculate an autonomous droning reward amount. In addition, vehicles involved in a drafting relationship in addition to, or apart from, an autonomous droning relationship may be financially rewarded. Moreover, aspects of the disclosure relate to determining ruminative rewards and/or aspects of vehicle insurance procurement/underwriting.

Motor Vehicle Operating Data Collection and Analysis (#9,189,895) — A method and apparatus for collecting and evaluating powered vehicle operation utilizing on-board diagnostic components and location determining components or systems. The invention creates one or more databases whereby identifiable behavior or evaluative characteristics can be analyzed or categorized. The evaluation can include predicting likely future events. The database can be correlated or evaluated with other databases for a wide variety of uses.

Route Risk Mitigation (Utility Patent Application (A1)) – A method is disclosed for mitigating the risks associated with driving by assigning risk values to road segments and using those risk values to select less risky travel routes. Various approaches to helping users mitigate risk are presented. A computing device is configured to generate a database of risk values. That device may receive accident information, geographic information, vehicle information, and other information from one or more data sources and calculate a risk value for the associated road segment. Subsequently, the computing device may provide the associated risk value to other devices. Furthermore, a personal navigation device may receive travel route information and use that information to retrieve risk values for the road segments in the travel route. An insurance company may use this information to determine whether to adjust a quote or premium of an insurance policy. This and other aspects relating to using geographically encoded information to promote and reward risk mitigation are disclosed.

Data is king

Allstate has been granted about 43 patents in the last 18 months. A high percentage are related to data, telematics and how to use the data collected to understand driving behavior more effectively. Data, and more specifically data analytics, is rapidly becoming the key to unlocking new revenue sources. Data is king.

Allstate CEO Wilson was quoted in the Chicago Daily Herald saying that Arity can “incorporate new data sources and enhance analytical capabilities in ways that we weren’t able to do when it was embedded in the insurance company. It’s a big enough platform today with the Allstate customers in it, and that will continue to grow, but we’d like it to grow even faster with a broader set of customers.”


One option for bringing innovation to a conservative company is to spin off the innovations into a separate company. It appears that the telematics business unit simply couldn’t operate effectively within the confines of a highly regulated and conservative company.

“The biggest risk is not taking any risk… In a world that is changing really quickly, the only strategy that is guaranteed to fail is not taking risks.” ― Mark Zuckerberg

Lessons to be Learned?

So what are the lessons to be learned?

  • Invest in research and development – Finding new ways to enhance the customer experience and at the same time generate additional revenue will be key to being prepared for the uncertainty ahead.
  • Define “successful failures” – You can be assured that not everything the Allstate staff tried worked. The key to innovation is being able to learn from your failures. This is particularly challenging in a larger company where risk-taking is punished.
  • Embrace the changing nature of risk – Risk management departments are told to reduce a company’s exposure to all types of risk. To be able to respond to the rapidly changing nature of risk, you will need to increase your exposure to risk.
  • Embrace the risk dilemma – How do you encourage innovation (taking risks) without putting the company in jeopardy? Every type of organization faces this dilemma.

What do you think? What other lessons can be learned? Is this a smart move by Allstate, or risky adventure? Leave a comment below.

This article was originally published on LinkedIn. It is reprinted with permission of Steve Anderson.

Medical Liability Insurance (Video)

Healthcare Matters sits down with Dr. Richard Anderson, chairman and CEO of the Doctors Company. In part 7 of our State of Defensive Medicine series, we asked Dr. Anderson how the medical liability insurance landscape has changed over the last 15 years.

How to Stop Unneeded Medical Tests (Video)

Healthcare Matters sits down with Dr. Richard Anderson, chairman and CEO of the Doctors Company. In part 2 of this series, we discuss how physicians should address patient requests for medical tests that are unnecessary or excessive.

Perils of ‘Defensive Medicine’ (Video)

Healthcare Matters sits down with Dr. Richard Anderson, chairman and CEO of the Doctors Company. In Part 1 of the series, he helps us define what “defensive medicine” is, the economic costs associated with it and why he believes it’s a clear violation of the doctor/patient relationship.