Tag Archives: cyber insurance

10 Tips for Moving Online in COVID World

In the retail industry, O2O “online-to-offline” signifies an online trigger, such as an ad, that prompts consumers to go to a physical location to complete their purchases, but it can also occur in the opposite order.

In the insurance sector, over 100,000 independent agents in the U.S. depend on high-value networking, customer references and direct carrier relationships. For insurance professionals, interacting with customers face-to-face has been vital. But in the wake of the coronavirus, it is critical to move insurance agencies from an offline to an online model, O2O, where almost all tasks that agents were accustomed to on a day-to-day basis need to be done completely remotely.

This change can offer considerable benefits if executed correctly: higher productivity, greater scale and a high degree of accuracy that allows agents to continue to build trusted relationships. As risk management advisers, agents are responsible now more than ever for equipping policyholders with unbeatable risk transfer strategies. As cyberattacks on small to mid-size businesses (SMBs) continue to escalate, cyber insurance presents an opportunity to rebuild an agency book of business when done right. 

Here are 10 tips on jumpstarting your O2O transformation:

1. Focus your efforts on insurance lines with growth opportunity

Cyber insurance is relatively new, with substantial opportunities for adoption in the SMBs market as cybercriminals exploit people’s vulnerabilities using sophisticated social engineering attacks during COVID-19. In fact, phishing has increased by over 600% since the end of February, according to security provider Barracuda Networks.

2. Prioritize industries for which cyber insurance is vital

Organizations have begun moving their applications and operations to SaaS in an effort to digitize, but this will likely leave them vulnerable to cyber incidents. Recognize which industries are either required to obtain cyber insurance or are paving the way for digital transformation.

See also: Will COVID-19 Be Digital Tipping Point?

3. Select partners that operate exclusively online

Now is the perfect time to reassess the insurance carriers and programs that you’re working with for capacity to shift online. Today’s technology allows businesses to deliver a vertically integrated insurance solution that ties together insurance requests, risk assessment, underwriting and policy and claims management in one system enabled by a common, relevant dataset. 

4. Search for admitted, standalone programs

This is directly related to your carrier of choice. The shift toward standalone cyber insurance programs is occurring because cyber insurance provided as an endorsement to other intricate coverages only creates more complexity. Standalone cyber programs outline what incidents are and are not covered, and the policy’s aggregate limit and sub-limits for each coverage, along with precise cyber criteria. 

5. Align risk to coverage, as your go-to sales pitch 

Cybersecurity aims to safeguard a business’ use of technology and the web. Each business uses different applications and operates in its own way. In turn, each business has drastically different risks that should be recognized by policies. Policyholders must be able to account for the coverages, aggregate limit, sub-limits and deductibles that best fit their risk assessment. 

6. Learn as much as the customer about the risk, if not more

Cyber risk exposures and attacks are constantly evolving. Evaluating an organization for cyber risk yearly is a risky and obsolete cyber strategy. Being able to regularly reevaluate risks and coverage on a continuing basis is necessary for cyber and shields all parties from coverage gaps.

7. Collaborate with carriers on prospecting

Transform your website to a producing site, not just a lead generation platform. API integration of your website into the carrier’s quoting and underwriting platform is instrumental in delivering a constant stream of potential cyber insurance consumers.

8. Educate policyholders on claims experience and loss control

Your customers should be equipped with security awareness training, generally administered by the carrier. Phishing simulation and basic InfoSec training are key education tools. Regularly providing policyholders with risk insights and remediation guidance delivers effective risk mitigation and loss control.

9. Educate yourself on what events activate which coverage

Outline for your policyholders what exactly is covered by the carrier’s insurance program by sharing your claim scenarios. Demand a list of cases for each incident that would activate specific coverage paired with concrete use cases.

See also: COVID-19: Implications for Business Models  

10. Don’t spend more than a few minutes on a submission, application or binding

Moving to an online operation can feel unsettling at first but, if done correctly, will produce real results:

  • Faster and more precise applications
  • Quicker turnaround time on quote and bind when working with a program that is also deployed online
  • Ability to offer additional services to policyholders as part of the online experience – risk assessment, training, notification of critical updates. Consistent communication online boosts customer satisfaction and opens the door to lasting relationships

New Enhancements for Cyber Coverage

Cyber insurance is probably the single most rapidly evolving insurance product on the market, and understandably so. It’s still a fairly young product, and cyber criminals are constantly changing their tactics. As a result, insurers are constantly adapting their policy forms. With constant changes, it can be difficult to know what coverages you (as a policyholder or broker) may be missing out on. Here are some of the newer enhancements we’re regularly seeing from insurers.

  • Utility Fraud Coverage: Sometimes the damages related to cyber-attacks can be entirely unexpected, like a hefty electric bill. Cyber criminals are now employing two newer hacks that can significantly affect a company’s utility costs. The first such attack is crypto-jacking, in which hackers fraudulently use computer systems to mine crypto-assets. For those unaware of what “mining” means, every bitcoin transaction must be verified and recorded in the blockchain ledger. Those processing these transactions can earn cryptocurrency in return. To maximize that return, however, cyber criminals are now taking over the computer systems of others to process large blocks of transactions. This results in computer systems running at near full capacity, which can generate a significant increase in electricity costs for the victims. Despite the fact that many may be unfamiliar with this type of attack, they are extremely popular and growing. Last year, IBM reported that many hackers had actually abandoned ransomware attacks in favor of crypto-jacking, with an increase of 450% from the prior year. The other utility-related fraud is telecom fraud, in which cyber criminals access VoIP systems to route long-distance calls, often on a large scale. Trend Micro has a nice illustration here of exactly how those frauds are carried out. In response, many insurers have begun providing “utility fraud endorsements,” which provide coverage for any resulting increase in utility costs stemming from these unauthorized acts.
  • Bricking Coverage: Almost all cyber insurance policies contain broad bodily injury and property damage exclusions. These can be particularly problematic for companies operating in certain sectors. They can also be problematic for specific claims, such as those attacks that effectively cripple (also known as “bricking”) a company’s computer systems. Crypto-jacking attacks can not only result in significant utility costs but can overwhelm a company’s computer network, effectively destroying any affected computers. Imagine a mid-sized company with 150 affected computers, having to replace each system at a cost of $2,000. That’s a cyber-attack with a $300,000 price tag. Luckily, many carriers today now provide “bricking coverage endorsements,” which specifically cover the costs to repair or replace computer systems that may be destroyed by cyber attacks.
  • System Failure Coverage: Generally speaking, if computer system failures are caused by cyber intrusions, coverage for any resulting lost income would be triggered under the “lost income” insuring agreement within a cyber policy. Many companies today have taken this coverage one step further by including specific “system failure endorsements” that provide coverage for lost income resulting from any unintentional/unplanned system failures. The broadest versions of these endorsements also often extend coverage to include lost income resulting from system failures that affect dependent third parties.

See also: Coronavirus Boosts Cyber Risk

  • Coverage for Reputational Loss: Cyber intrusions can generate considerable media attention and inflict significant reputational harm. Almost all cyber policies include some form of crisis management coverage for the costs associated with hiring a PR firm to minimize reputational harm, but coverage for any resulting lost income is often absent. In an effort to mitigate the risk of lost income stemming from negative PR following a cyber event, policyholders should ensure their policies contain an appropriate endorsement for “reputational loss.” It’s also important that insureds review these endorsements carefully – coverage can often be severely sub-limited, and more restrictive endorsements may specify that the loss must be the direct result of a publication. Because such a direct relationship will likely be difficult to establish, insureds should favor endorsements that have no “direct” requirement to trigger coverage. 
  • Coverage for GDPR/CCPA Violations: The passage of recent privacy regulations such as GDPR and CCPA now subjects companies and their directors to regulatory scrutiny (and hefty fines) for privacy-related violations. To complicate matters, many companies are unfamiliar with their compliance requirements and obligations. While the majority of insurers already include regulatory coverage within their cyber policies, there are often considerable gaps in those insuring agreements. To broaden policy terms and clarify the scope of coverage for violations of these regulations, some companies have begun to include specific GDPR and CCPA endorsements that provide coverage for costs associated with violations of these laws, stemming from “privacy wrongful acts” such as: misuse of protected information, improper collection of protected information, failure to correctly safeguard or manage protected information, or failure to inform individuals regarding the collection or protection of information.
  • Bodily Injury and Property Damage Carve-Backs: As briefly mentioned above, almost all insurers include broad bodily injury and property damage exclusions within their policy forms. The intent is to push those claims to respective general liability policies, where they belong. However, insureds are left without coverage in circumstances where the cyber intrusion itself results in bodily injury or property damage (a topic we visited in depth in our prior article). This coverage gap is often identified when working with an experienced cyber broker, who will attempt to negotiate improved wording at the time of purchase. However, it appears a growing number of insurers are slowly realizing the need for improved policy language and automatically including appropriate carve-backs, which will preserve coverage for such claims. 

How CAT Models Are Extending to Cyber

The insurance industry relies heavily on catastrophe modeling to set capital adequacy, adhere and respond to evolving regulatory requirements and stress test portfolios. The same is now increasingly true of the cyber catastrophe sphere, in which key areas of focus include how models can help with capital allocation, stress testing and informing development of underwriting guidelines and insurance products. Parallels can be drawn from the cyber catastrophe and natural catastrophe risk management sectors when modeling these risks.

The introduction of models provided critical insight into the potential for catastrophic claims for all risk policies or policies without clear exclusionary language. Historical events such as the April 1906 San Francisco earthquake (leading to unanticipated claims for fire policies), 2005 Hurricane Katrina flooding (resulting in unanticipated claims for homeowners wind policies) or the 9/11 U.S. terrorist attacks (experiencing unanticipated war exclusion interpretation and definition of a single event), and the current unfolding of the coronavirus pandemic crisis highlight the criticality of understanding the triggers and correlation of potential loss due to a single event.

In many cases, insurers paid losses to avert “reputational risk” and have since used models to provide insight into realistic structuring of policy, reinsurance and other risk transfer vehicles. Clear exclusionary language, endorsements and coverage-specific terms evolved over the decades in concert with evolving scientific knowledge of the risks and modeled loss potential. 

Today, we are seeing the same evolution with respect to insuring cyber risk, but over a highly compressed period, without the decades of experience of systemic insured loss events. Many cyber catastrophe risk managers attempt to apply the same lens they use for current natural catastrophe models: the available data resolution, data quality, catastrophic event knowledge and model validation expectations. But by embracing the commonality of lessons learned from the evolution of the property catastrophe insurance market, we can prepare for an event considered to be a case of not “if” but “when.”

The role of data in models

A first common theme is to recognize that the understanding and availability of information for a rapidly evolving risk means that there is value in aggregate data in the absence of detailed data. This has been and is still the case for property catastrophes and is also the case for cyber catastrophe risk models. Confidentiality obligations in portfolio data, as well as the lack of high-quality data, are issues for all models. However, new sources of data as well as sophisticated data science and artificial intelligence analytics are being incorporated into models that provide increased confidence in assessing the potential risk to an individual company or entity.

See also: Coronavirus Boosts Cyber Risk

A second related common theme is the ability of catastrophe risk models to compensate for the lack of risk-specific data captured at the time of underwriting. This is where all catastrophe risk models add significant value, providing context for what should be captured as well as what can be captured. In the case of cyber, this can include access to both inside-out (behind the firewall) and outside-in (outside the firewall) data. Inside-out data refers to aggregate data for segments of the economy, measuring the anonymized trends of security behaviors (such as frequency of software patching). Outside-in data is made up of specific signals that can be identified from outside an organization and that give indications of overall cybersecurity maturity (such as the use of unsupported end-of-life products).

A third commonality is the value in extrapolating the impact of past events into the future given evolving available data on the changing causes of frequency and severity of cyber events. The property catastrophe arena is grappling with very similar issues relative to the rapid and uncertain evolution of climate models. For cyber risks, history is not a predictor of the future in terms of modeling threat actors, the methods they deploy and the vulnerabilities they exploit. However, it is possible to examine historic data and the types of cyber incidents that have occurred while addressing the challenges in the way that information is collected, curated and used. This historic data is used against the backdrop of a near-term threat actor and technological trends to understand future potential systemic losses due to large-scale attacks on bigger and more interconnected entities. 

The role of probabilistic models

At the enterprise level, the market is struggling with how to assess potential aggregations within and across business lines. Event clash, in which a single event triggers multiple losses across policies and reinsurance treaties, is a key concern across all lines of business. The use of common cyber and other catastrophe risk loss metrics that can be combined across perils and lines of business is being explored. In addition, regulatory groups are considering requirements similar to those for property catastrophe risk to address solvency requirements relative to cyber risk.

In this environment, consistent and structured definitions of risk measures are critical for assessing and communicating potential systemic catastrophic loss. Both deterministic cyber scenario event analyses as well as probabilistic stochastic cyber event analyses are required. Given this context, cyber catastrophe risk models that can withstand validation scrutiny similar to property catastrophe risk models require the same level of rigorous attention to transparency in communication of model methodology.

Similarities… but some differences

There are some key differences between the systemic risks of natural disasters and cyber events. One material contrast is that cyber perils manifest with active adversaries seeking to cause malicious damage to individuals and companies globally. The factors affecting modeling include the changing nature of geopolitical threats, the dramatic increase in the use of digital means for criminal enterprises, the hyperconnectivity of developed economies and an ever-increasing reliance on networked technologies. Cyber event scenarios are developed to represent a range of potential systemic events in which technological dependencies affect individual insured companies, due to a common vulnerability or a “single point of failure.” Examples include common cloud service providers, payment systems, mobile phone networks, operating systems and other connected technologies. 

See also: Risks, Opportunities in the Next Wave  

There are limitations in any model relating to cyber risk, given the inherent uncertainties. Nevertheless, these models provide valuable insights to better decision-making relating to capital planning, reinsurance and addressing regulatory issues. By learning from previous insurance shocks, we can support a more stable and resilient cyber risk insurance market.

Why Small Firms Need Cyber Cover

The biggest data breaches, the ones hitting big businesses such as Target, Facebook and Marriott International, generate the headlines. But what surprises many is that small businesses are more likely to suffer data breaches than are the globe’s biggest companies.

So, cyber liability insurance is a must-have not just for giant corporations but also for small businesses. Insurers, then, need to promote this protection to the owners of medical offices, financial planning firms, hardware stores, grocery stores and any other small businesses in their communities. 

The numbers make the case

According to Verizon’s 2019 Data Breach Investigations Report, 43% of cyber attacks target small businesses. This makes small businesses the most common target of these cyber crimes, according to Verizon. 

A survey released in October 2019 by the National Cyber Security Alliance found that 28% of small businesses experienced a data breach during the prior 12 months.

Even more worrying, the survey found that these data breaches can be devastating to small business owners. The alliance reported that 69% of small businesses suffering a data breach went offline for a time, while 37% experienced a financial loss. And in the worst cases? The Cyber Security Alliance found that 25% of small businesses had to file for bankruptcy protection after a data breach and that 10% went out of business. 

Those are serious numbers. 

See also: Why Buy Cyber and Privacy Liability. . .  

It’s not just outside attacks, either

Customer information isn’t always stolen by outside hackers. Sometimes, employees make mistakes that expose financial or personal data.

How do workers cause breaches? One employee might accidentally send the financial information of a business’ customers to an incorrect email address. Another might lose a cell phone or laptop that contains the personal information of clients. A glitch in a company’s computer systems might leave customers’ information exposed.

This is important information for insurance professionals to share when they are making the case for cyber liability insurance. Otherwise, it becomes too easy for owners to think they can do without this insurance protection.

Costs matter

The cost of another annual premium is no inconsequential matter for owners. Running a small business is no easy task. Owners face intense competition for dollars, often from bigger rivals with larger budgets. They also must adapt to fickle customers who are constantly changing the way they shop. The rise of e-commerce has put a dent in the profits of many small businesses. The task of hiring employees who will remain loyal to the business and of following all local business regulations and permitting requirements can be costly challenges, too. 

Because of these financial challenges, owners are constantly looking for ways to trim their expenses.  

Fortunately, the cost of cyber liability insurance remains relatively affordable. A report by AdvisorSmith Solutions in 2019 said that the average yearly cost of cyber liability insurance for businesses in the U.S. came in at $1,501. This figure was for a business with a moderate risk of suffering a data breach that was paying for $1 million in liability coverage with a deductible of $10,000.   

Such small businesses in Michigan paid an average of $1,233 for a year of cyber liability insurance while those in California paid an average of $1,594.

The costs, then, of a cyber liability policy aren’t inconsequential. But they’re not high enough to outweigh the benefits businesses receive when investing in these policies.  

Selling the benefits

What are the main benefits that business owners get when investing in this insurance?  

The Insurance Information Institute says one of the most important is liability insurance. If a hacker breaks into a business’ computer systems and steals the personal and financial information of its customers, these customers might file lawsuits. Cyber liability insurance will cover the costs that businesses incur when defending themselves.  

The costs of repairing damaged computer systems and recovering lost data can be high, too. 

Travelers Insurance points to the costs of notifying customers that their information might have been stolen. Travelers’ cyber liability insurance will reimburse businesses for this cost and for any other costs they might incur in answering consumers’ questions regarding a breach.

See also: How Data Breaches Affect More Than Cyberliability  

Nationwide offers three types of cyber insurance coverages, including coverage that reimburses businesses that pay for credit-monitoring services for consumers whose information has been exposed. This is an important coverage: Consumers today increasingly expect businesses to offer them this additional protection, and credit-monitoring services don’t come free. 

What if a business must shut temporarily while recovering from a breach? Chubb Commercial Insurance advertises that its cyber liability policies provide business interruption protection, a payout to make up for the loss of income the business suffers if a breach should shut it down for several weeks or months.

A data breach can also cause serious damage to the reputation of a small business. Repairing that reputation, and making sure that customers come back, can be expensive. The Hartford advertises that its cyber liability insurance will help cover the costs that businesses incur when they hire a public relations team after a data breach. 

It’s clear that data breaches aren’t going away. It’s equally clear that even small businesses need protection from this threat.

How Machine Learning Halts Data Breaches

Although we hear a lot about major cybersecurity breaches in non-insurance organizations – Target, Experian, the IRS, etc. – there have been breaches in the insurance industry, too, albeit less publicized. Nationwide faces a $5 million fine from a breach back in 2012. Horizon Blue Cross Blue Shield is still the defendant in a class action suit over a 2013 breach that affected 800,000 of its insured. 

As hard as organizations try to secure their data and systems, hackers continue to become more sophisticated in their methods of breaching. This is why innovation in risk management and insurance is so important.

Can Machine Learning Improve Cybersecurity (and Vice Versa)?

The short answer is yes. Because machine learning can collect and process huge amounts of data, the technology can analyze historical cyber-attacks, predict types that may occur and set up defenses against them.

Here is a very simple example:

An on-site employee has decided to use his computer to access some shopping sites during his lunch break. One of those sites has elements that alert the machine of a potential security threat. The security team is notified immediately. It is then possible to block access permission from that computer to any data that could be useful to hackers until a full investigation can be completed. 

See also: How Machine Learning and AI Reduce Risk  

This may be a rather far-fetched example because most organizations limit private use of their computers in advance. But consider the Horizon breach – two laptops were stolen from a facility, and access was obtained. Or the case of Target, where a third-party contractor did not have appropriate security in place, and hackers were able to access the company’s systems through this third party. Machine learning can help to reduce these threats through a proper alert system, and remote shutdowns can then occur.

Common Types of Data Breaches that ML Can Help Thwart

1. Spear Phishing

Company employees receive emails every day in their company inboxes. Some of these, from sources that may not be known, can include malicious links.

There are now ML algorithms that can identify and classify language patterns – email subject lines, links, body content/communication patterns, phrases and even punctuation patterns. Anomalies can be flagged, and security analysts can investigate, even catching the emails before they are opened, if the system is set up correctly. Some of these emails, for example, may be very poor translations from foreign languages, certainly not professional translations from services like The Word Point. Poor translations will alert machines that spear phishing is a possibility.

2. Ransomware

Most everyone is familiar with this security threat. Users’ files are “kidnapped” and locked. Users must then pay up to get a decryption key that will unlock those files. Often, these files house critical client data, other proprietary information or system files that are necessary for business operations. The other type of ransomware attack will simply lock a user’s computer and not allow access until the demanded amount is paid.

To train a machine to identify potential ransomware requires some pretty deep learning. Data sets of historical ransomware files must be loaded, along with even larger sets of clean files, so the machine can learn to distinguish between the two. Again, so-called micro-behaviors (e.g., language patterns) are then classified as “dirty” or “clean,” and models are developed. A suspect file can then be checked against these models, and necessary action taken before files are encrypted or computer access is locked.
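The two passages above (flagging spear-phishing language patterns, and classifying “micro-behaviors” as “dirty” or “clean”) both describe the same underlying idea: learn token statistics from a labelled corpus and score new input against them. The following is an added illustration, not code from the original article or from any vendor it mentions. It implements a small multinomial naive Bayes classifier in plain Python over a constructed, labelled set of eight message bodies (the sample messages, the `TRAINING` list and the `classify` helper are all assumptions made for this example). Punctuation runs and URLs are kept as their own tokens so that “patterns” beyond plain words contribute to the score, as the text suggests.

```python
"""Token-based naive Bayes classifier: learns 'dirty' vs 'clean' language
patterns from a small labelled corpus and scores new messages.
Added example; the corpus below is constructed, not real mail."""
import math
import re
from collections import Counter

# Constructed training data (not real messages). Label 1 = phishing, 0 = clean.
TRAINING = [
    ("Urgent: verify your account now or it will be suspended, click the link", 1),
    ("Your password expire today. Kindly update immediately at secure-login portal", 1),
    ("Wire transfer required urgently, reply with bank details before noon", 1),
    ("Invoice attached, open attachment to confirm payment details now!!!", 1),
    ("Agenda for Thursday's renewal meeting is attached, see you at 10", 0),
    ("Reminder: quarterly claims review moved to conference room B", 0),
    ("Thanks for sending the policy schedule, I will review it tomorrow", 0),
    ("Lunch order for the team: please reply with your choice by 11", 0),
]

# URLs first so they are not split into words; runs of '!!' count as a token.
TOKEN_RE = re.compile(r"https?://\S+|[a-z']+|!{2,}")


def tokenize(text):
    """Lower-case word tokens plus URL and exclamation-run tokens."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with additive (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.counts = {0: Counter(), 1: Counter()}  # token counts per class
        self.docs = {0: 0, 1: 0}                    # documents per class
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            toks = tokenize(text)
            self.counts[label].update(toks)
            self.docs[label] += 1
            self.vocab.update(toks)

    def log_prob(self, tokens, label):
        """log P(label) + sum log P(token | label), smoothed so unseen
        tokens never zero out a class."""
        total = sum(self.counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        lp = math.log(self.docs[label] / sum(self.docs.values()))
        for t in tokens:
            lp += math.log((self.counts[label][t] + self.alpha) / denom)
        return lp

    def predict(self, text):
        """Return (label, probability_of_phishing)."""
        toks = tokenize(text)
        lp1 = self.log_prob(toks, 1)
        lp0 = self.log_prob(toks, 0)
        # Normalise the two log-likelihoods into P(phishing | text).
        p1 = 1.0 / (1.0 + math.exp(lp0 - lp1))
        return (1 if p1 >= 0.5 else 0), p1


def build_model():
    model = NaiveBayes()
    model.fit(TRAINING)
    return model


def classify(text, model=None):
    """Score one message; builds the model from TRAINING if none is given."""
    if model is None:
        model = build_model()
    return model.predict(text)


if __name__ == "__main__":
    m = build_model()
    for msg in ("Urgent: your account will be suspended, click here to verify now",
                "Please find the claims review agenda attached for tomorrow"):
        label, p = classify(msg, m)
        print(f"{'PHISHING' if label else 'clean   '} p={p:.3f}  {msg}")
```

With a corpus this small the model only knows the eight messages it was shown; in practice the same structure is trained on thousands of labelled messages, and the flagged ones are routed to an analyst queue rather than blocked outright, which is the human-in-the-loop arrangement the article closes on.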

3. Watering Hole

Employees, especially insurance agents who are out in the field, may have their favorite spots for coffee or lunch breaks. Or, suppose, a group of employees have favorite food joints from which they frequently order food for delivery or takeout. Whether they are using the Wi-Fi in that watering hole or accessing that business’s website to place an order, there is far less security there, which makes it an ideal place for hackers to capture a user’s access credentials through that back door.

Sometimes this is called “remote exploitation” and can include a situation like what occurred with Target – a third party is used as the “door” to get in.

ML algorithms can be developed that will track and analyze the path traversals of an external website that employees may be accessing on devices they are using either on- or off-site. Users can be directed to malicious sites while they are “traveling” to a destination site, and this is what ML can detect.

See also: How Machine Learning Transforms Insurance

4. Webshell

A webshell is nothing more than a small piece of code. It is loaded into a website so that a hacker can get in and make changes to the server directory. The hacker then gains access to that system’s database. Most often, hackers look to take banking and credit card information of customers/clients, and this type of attack occurs most often with e-commerce websites. However, medical practices and insurance companies are certainly at risk, too, because they house lots of personal data. When insureds set up automatic payments from their bank accounts, the activity is even more attractive to these hackers. Payments are simply routed somewhere else.

Machines can be trained to recognize normal patterns of behavior and to flag those that are not normal. Machines can also be used to identify webshells preemptively and then prevent them from exploiting a system.
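The “recognize normal patterns and flag those that are not normal” idea can be shown without a trained model: learn which paths and methods a web server normally serves, then report requests that fall outside that baseline. The block below is an added example, not from the original article; the access log lines are constructed for it (the IP addresses, timestamps and paths are invented), and the `PathBaseline` class and its reasons (`new-path`, `new-method`) are names chosen for this illustration. A request to a script under the upload directory that was never served during the baseline window, or a POST to a path that only ever received GETs, is exactly the kind of deviation a defender would want surfaced for investigation.

```python
"""Baseline-and-deviation check over web server access log lines.
Added example; the log lines are constructed, not from a real server."""
import re
from collections import Counter, defaultdict

# Combined-style access log: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed "quiet period" traffic used to learn what normal looks like.
BASELINE_LINES = [
    '10.0.0.5 - - [12/May/2020:09:01:11 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/May/2020:09:02:40 +0000] "GET /images/logo.png HTTP/1.1" 200 8840',
    '10.0.0.5 - - [12/May/2020:09:03:02 +0000] "POST /login.php HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/May/2020:09:04:15 +0000] "GET /products.php?id=12 HTTP/1.1" 200 7310',
    '10.0.0.9 - - [12/May/2020:09:04:50 +0000] "GET /cart.php HTTP/1.1" 200 3100',
]

# Constructed later traffic to assess against the baseline.
NEW_LINES = [
    '10.0.0.9 - - [13/May/2020:02:11:05 +0000] "GET /products.php?id=13 HTTP/1.1" 200 7300',
    # a script under the upload directory that the baseline never served
    '203.0.113.44 - - [13/May/2020:02:12:30 +0000] "POST /uploads/cache.php HTTP/1.1" 200 210',
    # a POST to a static asset that only ever received GETs
    '203.0.113.44 - - [13/May/2020:02:12:31 +0000] "POST /images/logo.png HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]


def parse(line):
    """Return the log fields as a dict, with the query string stripped from
    the path so /x.php?id=1 and /x.php?id=2 count as the same resource."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


class PathBaseline:
    """Records which HTTP methods were seen for each path during learning."""

    def __init__(self):
        self.methods = defaultdict(Counter)  # path -> Counter of methods
        self.total = 0

    def learn(self, lines):
        for line in lines:
            rec = parse(line)
            if rec:
                self.methods[rec["path"]][rec["method"]] += 1
                self.total += 1

    def assess(self, line):
        """Classify one line as normal, new-path, new-method or unparseable."""
        rec = parse(line)
        if rec is None:
            return "unparseable", None
        path, method = rec["path"], rec["method"]
        if path not in self.methods:
            return "new-path", rec
        if method not in self.methods[path]:
            return "new-method", rec
        return "normal", rec


def find_deviations(baseline, lines):
    """Return (reason, ip, method, path) for every line that is not normal."""
    out = []
    for line in lines:
        reason, rec = baseline.assess(line)
        if reason == "normal":
            continue
        if rec is None:
            out.append((reason, None, None, None))
        else:
            out.append((reason, rec["ip"], rec["method"], rec["path"]))
    return out


def run_example():
    baseline = PathBaseline()
    baseline.learn(BASELINE_LINES)
    return find_deviations(baseline, NEW_LINES)


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The deliberately small rule set (unknown path, unknown method for a known path) is the seed of a behavioral model; a production version would add per-client request rates and status-code mixes and re-learn the baseline on a schedule, but the assess-against-baseline shape stays the same.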

The Requirement? Machines and Humans Must Work Together

Will machines ultimately eliminate the need for in-house or contracted cybersecurity experts? Highly unlikely. At this point, machines cannot engage in the deeper investigations that analysts perform once they are aware of potential breaches or once aberrant behaviors have been detected. But innovation in risk management and insurance should certainly include machine learning. Humans simply cannot gather and analyze data as fast as machine algorithms can. Incorporating ML as a solid part of cybersecurity just makes sense.