Tag Archives: cyber risk

Coronavirus Boosts Cyber Risk

Concern about the spread of the coronavirus has triggered the largest “work-from-home” mobilization in history. Here are practical steps that organizations can take to remain cyber resilient amid the crisis.

The outbreak of COVID-19 has caused significant disruption to businesses and a degree of panic within the employee community. Companies across Asia have activated contingency and business continuity plans and have allowed or instructed employees to work from home to limit the spread of the virus. In a new reality where millions of people are working remotely, secure networks are now more critical than ever. To remain operational and secure, Aon recommends that companies take the following steps:

Defend Against the Phishing Wave

Malicious actors will leverage the intense focus placed on the virus and the fear and panic it creates. Security researchers have already observed phishing emails posing as alerts regarding COVID-19. These emails will typically contain attachments that purport to offer information about the outbreak or updates on how recipients may stay safe. In an environment where people are stressed and hungry for more information, there is a lack of commitment to security best practices.

This is the time for organizations to remind employees of the need for vigilance and the dangers of opening attachments and links from untrusted sources. Running a simulated spear phishing campaign can also demonstrate the level of resilience to these attacks. At a more technical level, up-to-date antivirus and monitoring tools can limit the effectiveness of successful spear phishing attacks.

Test System Preparedness

Organizations will be experiencing an unprecedented amount of traffic accessing the network remotely. Companies with an agile workforce have been preparing for this contingency for some time and will be well-equipped to maintain network integrity through the use of sophisticated virtual private networks (VPNs) and multi-factor authentication. Enterprise security teams should increase monitoring for attacker activity originating from work-from-home users, as employees’ personal computers are a weak point that attackers will leverage to gain access to corporate resources.

For those less prepared, COVID-19 presents a challenge. There is a risk that the increased volume of network traffic will strain IT systems and personnel and that employees will be accessing sensitive data and systems via unsecured networks or devices. We recommend that these organizations migrate as quickly as possible to remote working and bring-your-own-device (BYOD) standards. VPNs should be patched regularly (for example, a vulnerability in the Pulse Secure VPN was patched in April 2019, but companies that failed to update were falling victim to ransomware in December), and networks should be load-tested to ensure that the increased traffic can be handled.


Brace for Disruption

A remote workforce can make it more difficult for IT staff to monitor and contain threats to network security. In an office environment, when a threat is detected, IT can immediately quarantine the device, disconnecting the endpoint (i.e., the compromised computer) from the corporate network while conducting investigations. Where users are working remotely, organizations should ensure that, to the extent possible, IT and security colleagues are readily contactable and ideally able to physically address a compromise at its source. Sophisticated endpoint detection and response (EDR) software can also be used to quarantine workstations remotely, limiting the potential for malicious actors to move through the network.

As this risk moves beyond the technical, companies should adopt an enterprise risk approach. This can include rehearsing business continuity plans (BCP) and senior management response through tabletop crisis simulations that focus on cyber scenarios as well as how pandemics and other similarly disruptive events are likely to affect automation, connectivity and cyber resilience.

Companies can also safeguard against the increased risk of disruption through a robust cyber insurance policy that, in the event of a digital disruption to systems, can provide cover for business interruption losses, as well as the costs of engaging forensic experts to investigate and remediate a breach.

COVID-19 presents a range of challenges to businesses across Asia, but developments in technology since the SARS outbreak mean companies can remain operational and nimble in the face of uncertainty. Keeping one eye on the pervasive cyber threat in the midst of this crisis is critical to ensuring continuing success.

4 Ways to Boost Cybersecurity

Cybersecurity threats faced by insurance companies are growing and evolving at an alarming rate. This has been spurred by many factors, including the internet of things (IoT). While the IoT presents opportunities for insurers, it also exposes security gaps. The severity and frequency of cyber-attacks are likely to increase.

Insurers must commit to protecting sensitive customer information in a compliant and reliable way. The cybersecurity threat is huge. It is time for insurance companies to reboot their approaches to cybersecurity.

Common cybersecurity threats facing the insurance industry

Cyber-extortion

Cyber extortion is becoming increasingly common. Some types of ransomware attacks are so effective that victims may be forced to meet the attacker’s demands and pay a hefty ransom to get their systems running again.

Automated threats

Credential cracking, vulnerability scanning, bad bots, credential stuffing and denial of service can potentially shut down a company’s systems quickly.

Identity theft and loss of confidential data

Identity theft may result when systems are vulnerable to data breaches. For instance, files stored on a firm’s local servers may not be protected adequately. Insurers collect and store sensitive personal client information. This information can be particularly valuable for attackers to sell on black markets. They can use it as a tool for fraud, extortion, unauthorized borrowing and many other financial crimes.

Business disruption and reputation damage

Cyber-attacks can seriously disrupt business. For instance, a cyber-attack on Sony Pictures erased its computer infrastructure, including telephone directories, emails, voicemails and business records like contract templates. A malicious attack like this on an insurer could disrupt operations for months.


The foundation of any insurance business is policyholder trust. If an insurance company were to suffer a data breach exposing policyholder information or a cyber-attack that renders it unable to conduct normal operations, that trust would be shaken. This, in turn, can lead to reputation damage that may hurt the confidence of investors, consumers, policyholders and rating agencies.

Four tips for boosting security

1. Assess your defense capabilities realistically

Pressure-testing the company’s defenses can determine whether they can repel targeted, high-impact attacks, whether external or internal. The testing includes vulnerability assessment, testing programs, penetration tests and scenario-based testing. Consider hiring a cyber-security firm to test your defenses.

2. Invest in early detection

Insurers need to continually invest and innovate to thwart potential attackers. Early detection is crucial. Otherwise, a cyber-attack can sit undetected for weeks.

Efficient and quick detection and response will help determine the source of the attack, the systems targeted, extent and cause. Then, the threat can be neutralized before damage is done. Insurers need to invest in technology. There is a wide range of software solutions that provide near-real-time threat detection.

3. Make cybersecurity everyone’s job

While implementing sophisticated systems will reduce external threats, insurers tend to neglect internal threats such as human error, which could include revealing customer data in response to a convincing phishing email. Cybersecurity awareness among employees can significantly decrease the risk of cyber-attacks resulting from human error.

Alert employees can provide early detection. An Accenture survey found that up to 98% of security breaches that are not detected by a firm’s security team are discovered by employees.

4. Learn from the past and evolve

Effective cybersecurity requires insurers to learn from previous cyber incidents and use the learning to improve planning and technology investments. Solutions include:

  • Upgrading systems: Using last-generation or unpatched security software provides easy fodder for cyber attackers. Speak to your IT consultant about upgrading your systems.
  • Migrating systems to the cloud: The cloud provides users a wide range of compliant and secure storage solutions. Choose a cloud provider that offers the highest possible security.
  • Implementing appropriate security software, protocols, and appliances: This will effectively shield data and systems from automated threats.
  • Establishing a disaster recovery plan: Despite all efforts, systems can be breached. Have a detailed up-to-date plan so that you can respond effectively to any problem, major or minor.


Cyber-crooks are relentless and determined. Security is a continuing battle. You can’t afford to let down your guard for a second. Staying one step ahead of hackers takes constant effort.

Clarity of History Can Reduce Cyber Risk

Indemnity, through the use of insurance, has a long pedigree. However, insurance as we know it today did not really start until the end of the 17th century. It was at that point that insurance companies started to be formed to combat one of the oldest enemies of civilization: untamed fire. Moreover, fire insurance companies understood their enemy well and worked swiftly to combat it; those efforts ultimately gave rise to our present day in which millions of people around the world live largely free from the threat of a fire destroying a neighborhood or city. That pedigree sired all the forms of insurance that we know today, whether it be general liability or cyber liability. However, the landscape, as it relates to cyber liability and technology E&O, does not show the responsible insurance traits that such thorough breeding would be expected to produce, and we need to review three prominent examples of where cyber liability and technology E&O insurers are not only giving their enemy, hackers, the upper hand but are also endangering their own existence.

Perhaps one of the most recent blatant examples of how insurers are failing their lineal forebears occurred toward the end of 2018 when an insurer created a partnership with one of the world’s largest e-commerce merchants to provide physical cyber tools to policyholders to help “protect” homes. All the available evidence suggests that the cyber tools were championed by the insurer without the organization having done considerable research on, and testing of, the physical devices to ensure that they were highly resistant to being hacked. None of the products the insurer recommended were rated as “secure” by any respected independent testing lab. In fact, none of the products were rated “secure” on the manufacturer’s website. For a cyber liability insurer that also offers homeowners and renters insurance, the championing of such products directly undermined the insurer’s cybersecurity credibility and sullied its pedigree, all for marginally increasing its bottom line.


Another timely and alarming example of an unfortunate mistake of cyber liability insurers is the recent creation of the Global Cyber Alliance and the Cybersecurity Tech Accord. Both aim to create a cooperative atmosphere in the private sector to combat cybersecurity threats while also working to provide responsible cyber products. There are many respectable companies that belong to each organization, but not one cyber liability or technology E&O insurer can be found among the members of either organization. When we read in the news that company ABC suffered a $40 million data breach, that means, assuming the organization had a cyber liability policy, that millions of dollars are being lost by the cyber liability insurer. Due to the current and highly competitive cyber market, the premiums of cyber liability policies are not typically commensurate with the amount of risk and financial loss to appropriately offset the millions of dollars the insurers pay out in such a breach. Thus, insurers mistakenly are not advocating or supporting the very organizations, like the Cybersecurity Tech Accord, that are indirectly trying to help them reduce their losses and those of their clients.

Illustrative of a mistake by cyber liability insurers in this matter is something that insurers say. It is not uncommon to read in a cyber liability brochure that the insurer is not going to restore a client to a better state than the one the policyholder had prior to a cyber breach. On its face, the logic is reasonable and even is in the pedigree of fire insurance companies. After all, fire insurance companies would not build a person a five-bedroom, four-bath home with a four-car garage when a person’s two-bedroom, one-bath home with no garage burned down.

However, fire insurance also followed the principle of indemnity, and that principle clearly states that an insured is to be restored to her original condition after a fire. Cyber liability insurance policies DO NOT FOLLOW the principle of indemnity, and that distinction matters considerably.

There is no reasonable way to calculate how much a cyber liability breach will cost an insured or her cyber liability insurer. After all, laws across the U.S., let alone the world, vary in their intent and letter as to what needs to be done after a cyber breach. Not only that, but the size of a company, how a company was breached, when it was breached, what was stolen, if anything, what was done with what was stolen and a number of other important factors inextricably but subjectively determine the impact a breach will have on a client. That those factors are subjective in their cost means that all insurers have no accurate way of determining the cost of a breach. When a $500,000 home burned down, an insurer could reasonably expect the cost of replacing that home to be within a certain percentage of $500,000. When a major retailer suffered a cyber breach in 2013, the annual report the following year specifically stated that it did not know what the true cost of the breach would be, but it was expecting the cost to increase beyond the initial amount. If such a policyholder was unable to determine the true cost of the breach, then how could the insurers of its cyber liability policy know, either?

One of the major tools that fire insurance companies used in the past to combat fires was to understand how susceptible a building material was to being damaged by fires. However, to this date cyber liability insurers have not founded an institute funded by themselves and created for the express purpose of determining the quality of products that have a direct impact on policyholders’ ability to resist attack. This in turn creates an inextricable link to a policyholder’s sense of cyber security safety. Cyber liability organizations sometimes use the services of a cybersecurity firm to determine, prior to underwriting a policy, if an applicant’s network exhibits any signs of unusual network activity that could be suggestive of a cyber breach. However, that is an inadequate way of providing a policyholder with any meaningful comfort, let alone allowing an insurer to have a solid basis to believe a risk is worth underwriting. In fact, the closest organizations that exist for the express purpose of determining a product’s cybersecurity strength are Cyber ITL (Independent Testing Lab) and NIST (National Institute of Standards and Technology). However, neither of those organizations was created by insurance companies, and neither has the vested interest that insurers have in protecting their policyholders and guaranteeing cyber liability remains profitable to underwrite. Therefore, it is time for all cyber liability insurers to either join with an organization like Cyber ITL or to create their own like-kind organization. The browser application, the version number of a browser application, what operating system is used, what kind of router a computer is connected to, what kind of firewall is in place and numerous other factors all play a part in increasing or decreasing the strength of users’ cybersecurity. However, until cyber liability insurers measure and rate everything that pertains to cybersecurity, they and a vast majority of their clients will be allowing hackers to gain an undeserved advantage.

Beyond the need for an independent testing lab there are other measures that insurers need to take, and these measures have been previously proposed. However, it is extremely unfortunate that insurers have yet to rally to the cause of their clientele by implementing the following strategies.

In the April 2016 edition of the PLUS Journal, it was argued that insurers need to work with other companies involved in technology, marketing, lending and other parts of the private sector to create an international competition. This competition would give students a creative outlet to display their skills, whether they be in coding, design or writing. By establishing such a competition and working with educators, worldwide insurers and other companies can give pre-college students the ability to demonstrate, on a world stage, the ingenuity and adaptive reasoning that bright young people often possess. However, the benefit of the competition is not only for the students; it absolutely benefits the corporate sponsors of the international competition. For insurers, it allows them to persuade students that the insurance realm is a viable and worthwhile place in which to work. It also allows insurers to gain the opportunity to create a list of candidates from which to recruit when the winners of the international competition graduate from university. The same list of students that insurers create can also be used for their clients when they need to hire a software engineer or a laureate. If insurers have some of the brightest and most talented young people working for them, they can create more efficient internal systems and more advanced lines of insurance coverage, and they can also provide better methods for ensuring that their policyholders have the right tools with which to mitigate cybersecurity risk.

Additionally, it is not profitable or reasonable to believe that cyber liability follows the principle of indemnity, because believing that hurts the insurer and, to a greater extent, the insured. If an insured uses the same computer, router, browser and other items after a breach has been fixed that were used prior to the breach, then there is nothing to stop another breach from occurring. In the near term, to reduce the number of clients suffering recurring breaches, an insurer should pay for one year of monitoring by a respectable cybersecurity firm. It would also be useful to conduct an on-site visit by an auditor three to six months after the original breach has been fixed to see what steps the insured has taken to prevent future ones. In time, if an independent testing lab is established, an insurer could even offer a policyholder an improved router and firewall to further protect the client. The less susceptible any client is to an attack, the less likely a claim will arise, and fewer claims means more underwriting profit.


However, technology E&O insurers also bear a responsibility for helping to prevent cyber breaches. After all, how well a software engineer or an electrical engineer professional writes software code or builds physical products is the basic element that will later determine, to a high degree, whether a breach occurs or not. Technology E&O insurers need to work with universities to establish teaching standards that are uniform across the globe and engineering standards in the work place that establish the highest minimum standard possible. In the January 2016 edition of the PLUS Journal, it was also demonstrated that technology E&O policies can be written to encourage more responsible software engineering practices to further minimize claims. If the above practices are put into place, then perhaps lives lost to faulty software, like those in the recent two plane crashes of a U.S.-based commercial jet manufacturer, need not happen in the future.

The closest thing fire insurance companies had to a dynamic enemy was arsonists, who were few and far between. Despite the general absence of an active enemy, those organizations spent about 200 years directly influencing the development of urban landscapes whether through building codes or the layout of a city. Today, their efforts have largely paid off because they acknowledged the challenges they faced and met them with courage and creativity. They did not accept that they could do nothing to make their clients safe or secure their profitability. However, today beyond a few web portals that insurers or third parties have created that can provide minor tools to a policyholder, and beyond creating semi-close relationships with some members of the cybersecurity community, cyber liability and technology E&O insurers have spent a significant part of the 21st century accepting losses, writing checks and never acknowledging that hackers and poorly crafted technology products are their mortal enemies. Hackers are costing the global economy tens of billions of dollars, if not more, every year, and businesses are closing or suffering severe financial loss because of cyber breaches. How many more people must die and how much insecurity must exist in this world before insurers acknowledge that the war is here, and the enemy is at the doors of organized civilized societies? When will insurers take the prudent course and glean from history and their forebears all the lessons they offer, and in so doing prove that they are worthy of their trust?

The New Cyber Insurance Paradigm

Across industries, many mature organizations have become acutely aware that their industrial-based business models, which strive for control, efficiency and scale, are not designed for speed, innovation or individualized customer experiences. Corporate leaders have no option but to consider using cloud-based platforms, but that introduces new vulnerabilities.

Finding an appropriate balance between cybersecurity and privacy strategy while allowing for innovation is of fundamental importance.

As all businesses will become “data companies” in the digital networked world, the cyber insurance industry needs to adapt to effectively underwrite and manage the most dynamic risk in the world. Everyone wants a piece of the action, as there are more than 70 U.S. carriers and 30 U.K. carriers that offer cyber insurance, and the supply will continue to grow rapidly.

There is, however, one fundamental flaw – there is absolutely no standardization! We don’t capture the same data points, conforming to an industry data classification, so there is no gold standard for coverage.


How can the industry appropriately underwrite, analyze and manage the most connected risk in the world if carriers don’t capture the same data points in their underwriting application and there is no common data classification to map toward? Each insurer is analyzing different data.

Perhaps even a greater issue is that the data is captured at a point in time, typically via checkboxes on a paper application. The data quickly becomes outdated. Unless a vulnerability assessment is mandated for some of the larger enterprises to obtain coverage, there is no true validation of the prospects’ security posture.

Insurers are not capturing contextual data to validate their insureds’ policies and controls that ultimately represent the risk. Is it enough to ask, “Do you educate or train users on information security and privacy?”, or would it help to know whether one insured does training once a year during lunch while another insured holds quarterly training meetings with randomly scheduled, unannounced phishing simulations throughout the year?

Cyber insurance needs context and validity; the industry is deficient in both!

In direct, online-to-bind insurance, some carriers only require four to six data points to underwrite the risk and present a quote in a matter of minutes. Is a company’s industry, revenue, address, number of records and a question on any previous claims really enough to understand the risk? I understand that we need a seamless customer experience to ensure we don’t lose new business, but requiring so little data looks more like a reckless arms race to see who can capture the most SMB business than anything else.

There is no validation of the actual inputs from the insured (major issue!) and, in terms of customer experience, we should focus on strategically important issues such as integrating cyber risk mitigation with cyber insurance under the umbrella of an organization’s cyber risk management. Customers need a holistic solution evaluating risk mitigation and risk transfer.

Anyone who has gone through risk and compliance assessments at the enterprise level will agree that they need to be streamlined, with a centralized solution that collects and analyzes information about the cyber program and that quickly reacts to identified vulnerabilities and regulatory requirements. The traditional, siloed approach, where a company completes assessments in confusing, overly detailed Excel documents specific to a regulation (e.g., PCI, HIPAA, NIST, ISO), keeps resources tied down and focuses on completing each actual assessment rather than truly understanding broad exposure. The approach unfortunately shifts the focus to defense, in complying with regulations, instead of determining actionable insights that enhance cyber maturity.

This manual, labor-intensive process does nothing to solve the snapshot problem, and a company’s cyber exposure or cyber maturity is not nearly the same on Jan. 15, 2018, as it will be on Jan. 15, 2019. Continuous, standardized insight into a company’s cyber risk is required to appropriately assess risk.

Insurers are spending thousands on isolated solutions, such as SecurityScorecard and Bitsight, yet they are only viewing cyber risk through a small prism, as these solutions only provide a snapshot of risk from what’s available on the internet and open-source databases.

What most insurers don’t realize is that successful cyber insurance underwriting comes at the intersection of insurtech and regtech. Insurers need to shift toward a digital platform that standardizes the data capture, has the data immediately available for analysis and is continuously analyzing an insured’s risk throughout the policy period. Both insurers and clients need a standardized assessment that automates the manual processes of traditional risk assessments and allows companies to automate and streamline the IT and vendor audit process by mapping to several security standards, such as NIST, ISO, HIPAA, PCI and the NY DFS Regulation, through one assessment.

In responding to market needs, companies like Cyberfense will prevail. In stealth mode for the last year, Cyberfense is now working with two of the largest cyber insurers to streamline the underwriting process while providing continuous insight into a company’s cyber maturity and mapping a company’s cyber risk to most national and global security standards. Cyberfense helps insurers manage cyber risk by analyzing an insured’s exposure and detailing recommended solutions so the client easily understands how to fill security and compliance gaps.


The eRisk hub that many insurers offer now does not provide any added value as it is simply a list of vendors that a client could Google itself. Insurers need to guide their clients with appropriate solutions as early as possible and in a manner that is not too invasive. With standardization and automation, you will then create a brokerage force that can finally understand cyber insurance and is more willing to sell the coverage and act as an adviser to their client.

This is how we effectively underwrite and manage cyber risk.

4 Keys on Cyber-Risk Accumulation

As the sale of cyber policies grows and other types of policies are extended to include cyber coverage, the industry is taking on a massive amount of new risk. Although it is true that auto, workers compensation, environmental policies and so many others were all new offerings at one time, there are some things about cyber that make it more unusual, more uncertain and more potentially dangerous for the insurance industry than new offerings of the past.

Simultaneity

It is entirely possible for hackers to plan and launch simultaneous attacks on a large number of targets. Those targets may be corporations, infrastructure such as power plants, government bodies, hospitals, or any other type of entity.

If a successful, very harmful simultaneous attack, whether ransomware, malware, or any other type of IT weaponry, were to be made on a sizeable number of entities, the losses occurring at one point in time could create serious liquidity pressures and even jeopardize solvency for an insurer.


Individual insurers are modeling their aggregate exposures, but are they doing it comprehensively enough? Analysis must take into account not only the limits and reinsurance on their cyber policies (including such add-ons as contingent business interruption or other enhancements) but also what level of coverage is afforded in existing casualty and property policies as well as any other policies that may be triggered (such as D&O, E&O, reputation, etc.). In addition, correlated risks that have nothing to do with claims liabilities per se should also be considered. For example, what will they do if their contracted vendor networks, which are supposed to help insureds after a breach, are not resourced sufficiently to handle simultaneous attacks?

Ubiquity

Given the global nature of the internet, attacks may be not only simultaneous but ubiquitous. The entities affected may be all over the world. An insurer that relies on geographic diversity to protect its capital can lose the benefit of diversification when it comes to cyber.

A global event or series of events could have significant capital implications for insurers that have considered their cyber portfolio in part rather than in whole.

Unpredictability

There is scant history upon which to base underwriting and pricing decisions when it comes to cyber. The earliest policies were geared toward system failures, not cyber attacks. More recent policies were focused on data breaches and stolen data, and the actual cover involved handling some of the expertise needs and certain expenses post breach. Now, cyber policies are dealing with ransomware attacks and cover business interruption and other loss. This is heady stuff when there are no historical patterns to use in predicting frequency and severity as there are with property or workers compensation. Ransomware attacks continue to escalate at a rapid pace. Who knows how much faster or greater this trend line will grow?

Some cyber attacks have been targeted while others are random. In either case, they test the ability of insurers to make predictions. This, in turn, makes it difficult for actuaries to price the product appropriately. How much business should an insurer write of a particular kind until it can be sure the business is priced correctly for the exposure?

A random attack might seem to better fit the principle of insuring against fortuitous events; however, it does mean that an insurer that relies on customer segment diversity to protect its capital can lose the benefit of such diversification. This is similar to the situation mentioned above in connection with geography.

A targeted attack will likely strike an entity (or entities) with the most money, records or other treasure worth capturing or destroying. Hence, the losses generated will be greater.

Initial attacks were focused mostly on retailers, with hospitality, banking and healthcare following. The great fear is that power and infrastructure will be next. The impact from attacks on power and infrastructure could be catastrophic in the extreme.

The flexibility to strike randomly or with fixed intent leaves underwriters in a quandary about which classes of business are riskier than others. How, then, can they manage their customer mix as they do with other lines of business?


Sponsorship

Hackers can work alone or in groups. They can also be actors for foreign governments. When Marissa Mayer spoke about the Yahoo attack, she commented on the unevenness between a company’s attempts at IT security versus an attack potentially perpetrated by a nation state. This phenomenon is something insurers must consider when parsing the words in their contracts. To what extent should there be exclusions, as there are in terrorism policies or other policies that exclude acts of war? To what extent is a future federal backstop needed?

Conclusion

This is not to say that cyber insurance should not be offered. Society has a protection need, and insurers have been answering that need since the first handshake at Lloyd’s. In addition, this line of business has been streaming new revenues into an industry that, in recent years, has had excess capacity. Rather, it is to say that insurers must put robust and innovative solutions in place to manage aggregation risk.