Tag Archives: cyber risks

COVID-19 Boosts Cyber Risks in U.S.

In the past 18 months, COVID-19 has affected nearly every aspect of our lives, with the most severe impact having been the tragic death and sickness of so many. COVID-19 also has affected where we work, who we see and when we go out. Yet, one of the most understated but outsized effects of the pandemic has been on individuals’ cyber risks.  

According to Chubb’s 2021 Personal Cyber Risk Survey, which examines Americans’ new cyber concerns and their overall behavior, most individuals have not taken the necessary action needed to protect themselves against cyber-attacks. 

Chubb has also published a full Executive Summary of the survey. The key findings and further details are below.

Staying Connected

To stay connected during the quarantine, individuals quickly shifted to life online, often with a new electronic device. According to the survey, 86% of Americans have either purchased or been given a new device in the past year. Regardless of the device, those who did not properly secure their devices in a timely manner could have exposed themselves to cyber risks.

Furthermore, 83% of respondents say they access the internet several times a day, with 30% of individuals estimating they share their data at least 10 times a day. Being “plugged in” means understanding what data we are sharing and how we are protecting our information. For example, sharing personal information (e.g., birthdate, pet names, favorite TV shows) and then using that same information to build passwords can allow bad actors to “guess” log-in credentials and access accounts.

Cyber Vulnerabilities at Home

During the COVID-19 pandemic, many individuals were able to work from home. Forty-four percent of respondents chose to relocate to work at a remote location. However, the ease of remote work often comes with cyber vulnerabilities. For example, connecting to an unsecured public network, or connecting with out-of-date software while changing locations for remote work, can put individuals at risk.

Small Businesses and Entrepreneurs

With many Americans expecting to work remotely throughout the rest of 2021, it’s important for businesses and entrepreneurs to implement best practices for employee and company security against bad actors. 

In fact, small businesses are frequently targeted, as they have fewer resources to protect themselves against a cyber-attack. According to the Chubb Cyber Claims Index, global cyber incidents have grown by 981% for small businesses with revenues under $25 million. 

See also: Cyber Risk Impact of Working From Home

Cyber Vulnerability of Medical Data

One’s COVID-19 vaccination status is currently top-of-mind for many individuals. Most individuals (63%) feel that people should share their vaccination status, while a similar majority (57%) are concerned about having to share their own vaccination status with others.

Although survey respondents show apprehension about the privacy of their vaccination status, only 24% of them are concerned with the cyber vulnerability of other medical data, which is alarming because medical records often contain extremely sensitive information. 

Protecting Data

Despite broad cyber exposure, just 12% of Americans have purchased a personal cyber insurance policy. The good news is that there are ways for individuals to protect themselves from cyber threats, such as changing passwords regularly, keeping software up to date, using a private VPN, and purchasing cyber insurance.

Big Data in Insurance: A Glimpse Into 2015

Bernard Marr is one of the big voices to pay attention to on the subject of big data. His recent piece “Big Data: The Predictions for 2015” is bold and thought-provoking. As a P&C actuary, I tend to look at everything through my insurance-colored glasses. So, of course, I immediately started thinking about the impact on insurance if Marr’s predictions come to pass this year.

As I share my thoughts below, be aware that the section headers are taken from his article; the rest of the content is my own thoughts and interpretations of the impact on the insurance industry.

The value of the big data economy will reach $125 billion

That’s a really big number, Mr. Marr. I think I know how to answer my son the next time he comes to me looking for advice on a college major.

But what does this huge number mean for insurance? There’s a potential time bomb here for commercial lines because this $125 billion means we’re going to see new commerce (and new risks) that are not currently reflected in loss history – and therefore not reflected in rates.

Maybe premiums will go up as exposures increase with the new commerce – but that raises a new question: What’s the right exposure base for aggregating and analyzing big data? Is it revenue? Data observation count? Megaflops? We don’t know the answer to this yet. Unfortunately, it’s not until we start seeing losses that we’ll know for sure.

The Internet of Things will go mainstream

We already have some limited integration of “the Internet of Things” into our insurance world. Witness UBI (usage-based insurance), which can tie auto insurance premiums to not only miles driven, but also driving quality.

Google’s Nest thermostat keeps track of when you’re home and away, whether you’re heating or cooling, and communicates this information back to a data store. Could that data be used in more accurate pricing of homeowners insurance? If so, it would be like UBI for the house.

The Internet of Things can extend to healthcare and medical insurance, as well. We already have health plans offering a discount for attending the gym 12 times a month. We all have “a friend” who sometimes checks in at the gym just to meet the quota and get the discount. With the proliferation of wearable biometric devices (Fitbit, Nike Fuel and so on), it would be trivial for the carrier to offer a UBI discount based on the quantity and quality of the workout. Of course, the insurer would need to get the policyholder’s permission to use that data, but, if the discount is big enough, we’ll buy it.

Machines will get better at making decisions

As I talk with carriers about predictive analytics, this concept is one of the most disruptive to underwriters and actuaries. There is a fundamental worry that the model is going to replace them.

Machines are getting better at making decisions, but within most of insurance, and certainly within commercial lines, the machines should be seen as an enabling technology that helps the underwriter to make better decisions, or the actuary to make more accurate rates. Expert systems can do well on risks that fit neatly into a standard underwriting box, but anything outside of that box is going to need some human intervention.

Textual analysis will become more widely used

A recurring theme I hear in talking to carriers is a desire to do claims analysis, fraud detection or claims triage using analysis of the text in claims adjusters’ files. There are early adopters in the industry doing this, and several consultants and vendors have emerged offering bespoke solutions. I think that 2015 could be the year that we see some standardized, off-the-shelf solutions emerge that offer predictive analytics using textual analysis.

Data visualization tools will dominate the market

This is spot-on in insurance, too. Data visualization and exploration tools are emerging quickly in the insurance space. The lines between “reporting tool” and “data analysis tool” are blurring. Companies are realizing that they can combine key performance indicators (KPIs) and metrics from multiple data streams into single dashboard views. This leads to insights that were never before possible using single-dimension, standard reporting.

There is so much data present in so many dimensions that it no longer makes sense to look at a fixed set of static exhibits when managing insurance operations. Good performance metrics don’t necessarily lead to answers, but instead to better questions – and answering these new questions demands a dynamic data visualization environment.

Matt Mosher, senior vice president of rating services at A.M. Best, will be talking to this point in March at the Valen Analytics Summit and exploring how companies embracing analytics are finding ways to leverage their data-driven approach across the entire enterprise. This ultimately leads to significant benefits for these firms, both in portfolio profitability and in overall financial strength.

There will be a big scare over privacy

Here we are back in the realm of new risks again. P&C underwriters have long been aware of “cyber” risks and control these through specialized forms and policy exclusions.

With big data, however, comes new levels of risk. What happens, for example, when the insurance company knows something about the policyholder that the policyholder hasn’t revealed? (As a thought experiment, imagine what Google knows of your political affiliations or marital status, even though you’ve probably never formally given Google this information.) If the insurance company uses that information in underwriting or pricing, does this raise privacy issues?

Companies and organizations will struggle to find data talent

If this is a huge issue for big data, in general, then it’s a really, really big deal for insurance.

I can understand that college freshmen aren’t necessarily dreaming of a career as a “data analyst” when they graduate. So now put “insurance data analyst” up as a career choice, and we’re even lower on the list. If we’re going to attract the right data talent in the coming decade, the insurance industry has to do something to make this stuff look sexy, starting right now.

Big data will provide the key to the mysteries of the universe

Now, it seems, Mr. Marr has the upper hand. For the life of me, I can’t figure out how to spin prognostication about the Large Hadron Collider into an insurance angle. Well played.

Those of us in the insurance industry have long joked that this industry is one of the last to adopt new methods and technology. I feel we’ve continued the trend with big data and predictive analytics – at least, we certainly weren’t the first to the party. However, there was a tremendous amount of movement in 2013, and again in 2014. Insurance is ready for big data. And just in time, because I agree with Mr. Marr – 2015 is going to be a big year.

Cyber Challenges Under NIST's Framework

On Feb. 12, the National Institute of Standards and Technology (NIST) released its long-anticipated Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0) together with a companion Roadmap for Improving Critical Infrastructure Cybersecurity. The framework is issued in accordance with President Obama’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which gave NIST the task of developing a cost-effective framework “to reduce cyber risks to critical infrastructure.” The companion roadmap discusses NIST’s next steps with the framework and identifies key areas for development, for alignment of cybersecurity standards and practices within the U.S. and globally, and for collaboration with private and public sector organizations and standards-developing organizations.

The framework applies to organizations in critical infrastructure. But, given the pervasiveness of cybersecurity incidents, and the ever-present, increasing and evolving cyber risk threat, all organizations should consider whether their current cybersecurity risk management practices would pass muster under the framework. In addition, although the framework is “voluntary”—at least so far—organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the framework provides a de facto standard for cybersecurity and risk management even for noncritical infrastructure organizations. One thing that companies should consider as they review the framework is what “tier” of cybersecurity risk management they wish to achieve. The tiers, which range from “informal, reactive” responses to “agile and risk-informed” ones, are addressed below, together with an overview of the framework and additional detail regarding certain of its key aspects.

Overview

At a high level, as its name indicates, the framework provides a structure for critical infrastructure organizations to get a grasp of their current cybersecurity risk profile and risk management practices, to identify gaps that should be addressed to progress toward a desired target state of cybersecurity risk management, and to communicate efficiently, both internally and externally, about cybersecurity and risk management.

Building from global standards, guidelines and practices, the framework provides a common taxonomy and mechanism for organizations to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state;
  5. Communicate among internal and external stakeholders about cybersecurity risk.

NIST has emphasized that the framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.” In addition, NIST properly notes that the framework “is not a one-size-fits-all approach” to managing cybersecurity risk, given that organizations have unique risks—different threats, different vulnerabilities, different risk tolerances.

In releasing the framework, NIST explained that it provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs and “a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.” NIST also notes that organizations can use the framework “to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment and establish a plan for improving or maintaining their cybersecurity.” Moreover, because it refers to globally recognized standards for cybersecurity, the framework can also be used by organizations located outside the U.S. and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.

Although applying to organizations in critical infrastructure, the framework may be used by any organization as part of its effort to assess cybersecurity practices and manage cybersecurity risk.

Three-Part Approach

The framework adopts a risk-based approach composed of three parts: the core, the profile and implementation tiers.

Framework Core

The framework relies on existing global cybersecurity standards, guidelines and practices as a basis to build or enhance an organization’s cybersecurity risk management practices.

The framework core presents five high-level “functions,” which, as stated by NIST, “organize basic cybersecurity activities at their highest level.” The five functions are: (1) identify, (2) protect, (3) detect, (4) respond and (5) recover. NIST explains that these five high-level functions “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk” and will provide “a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines and practices.”

For each of the five functions, the framework core identifies underlying key categories and subcategories of cybersecurity outcomes, then matches those outcomes with “informative references” that will assist organizations in achieving the outcomes, such as existing cybersecurity standards, guidelines, and practices. By way of example, categories within the “protect” function include access control, awareness and training, data security, information protection processes and procedures and protective technology. Subcategories under the “access control” category within the protect function include “identities and credentials are managed for authorized devices and users” and “[n]etwork integrity is protected, incorporating network segregation where appropriate.” “Informative references” for “identities and credentials are managed for authorized devices and users” include:

  • CCS CSC 16
  • COBIT 5 DSS05.04, DSS06.03
  • ISA 62443-2-1:2009 4.3.3.5.1
  • ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
  • ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
  • NIST SP 800-53 Rev. 4 AC-2, IA Family

Figure 1 from the framework depicts the core:

NIST explains that the core “presents industry standards, guidelines and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.”

Implementation Tiers

The implementation tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. The tiers range from partial (tier 1) to adaptive (tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and “the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.” By way of example, considering the risk management aspect, at tier 1, “[o]rganizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.” At tier 2, “[r]isk management practices are approved by management but may not be established as organizational-wide policy.” At tier 3, “[t]he organization’s risk management practices are formally approved and expressed as policy” and “[o]rganizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.” At tier 4, “[t]he organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities” and “[t]hrough a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.”

Profile

In essence, the framework profile assists organizations to progress from a current level of cybersecurity sophistication to a target improved state that meets the organization’s business needs. As stated by NIST, a profile is used to “identify opportunities for improving cybersecurity posture by comparing a current profile (the “as is” state) with a target profile (the “to be” state).” Comparison of profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. NIST states that the framework profile “can be characterized as the alignment of standards, guidelines and practices to the framework core in a particular implementation scenario.”

Framework Implementation

The framework is voluntary—at least for now. NIST also has explained that the framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.” Organizations can use the framework as a reference to establish a cybersecurity program, or leverage the framework to “identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.” The framework recognizes that “[o]rganizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.”

Importantly, the framework can be used as a means to communicate an organization’s required cybersecurity standards to business partners. As stated by NIST, “[t]he framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure services,” such as the use of a target profile to “express cybersecurity risk management requirements to an external service provider (e.g., a cloud provider to which it is exporting data).” This is significant, because the cybersecurity shortcomings of “cloud” and other providers can have a profound impact on supply chains. As noted by NIST in the roadmap:

All organizations are part of, and dependent upon, product and service supply chains. Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management programs. Although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing and trust mechanisms remain a challenge. Organizations can struggle to identify their risks and prioritize their actions—leaving the weakest links susceptible to penetration and disruption. Supply chain risk management, especially product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge and fragmented standards and best practices.

Incentives—and Cybersecurity Insurance

As-yet-unspecified governmental incentives will be offered to organizations that adopt the framework. The executive order directs the secretary of Homeland Security, in coordination with sector-specific agencies, to “establish a voluntary program to support the adoption of the framework by owners and operators of critical infrastructure and any other interested entities,” and to “coordinate establishment of a set of incentives designed to promote participation in the program.”

On Aug. 6, 2013, the White House previewed a list of possible incentives, including cybersecurity insurance at the top of the list. If cybersecurity insurance is adopted as an incentive, organizations that participate in the program may, for example, enjoy more streamlined underwriting and reduced cyber insurance premiums. As stated by Michael Daniel, special assistant to the president and cybersecurity coordinator, agencies have “suggested that the insurance industry be engaged when developing the standards, procedures and other measures that [make up] the framework and the program” and that “[t]he goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.” Mr. Daniel states that NIST “is taking steps to engage the insurance industry in further discussion on the framework.”

The placement of cybersecurity insurance at the top of a list of possible incentives underscores the important role that insurance can play in an organization’s overall strategy to manage and mitigate cybersecurity risk, including supply chain disruption. Adam Sedgewick, senior information technology policy advisor at NIST, stated that NIST views “the insurance industry as a major stakeholder [in] helping organizations manage their cyber risk.” All of this is consistent with the SEC’s guidance on cybersecurity disclosures under the federal securities laws, which advises that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage” for cybersecurity risks.

Going Forward

The framework is a “living document,” which states that it “will continue to be updated and improved as industry provides feedback on implementation.” As the framework is put into practice, lessons learned will be integrated into future versions to ensure it is “meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks and solutions.” NIST will receive and consider comments about the framework informally until it issues a formal notice of revision to version 1.0, at which point it will specify a focus for comments and specific deadlines that will allow it to develop and publish proposed revisions. In addition, NIST intends to hold at least one workshop to provide a forum for stakeholders to share experiences in using the framework, and will hold one or more workshops and focused meetings on specific areas for development, alignment and collaboration. Therefore, organizations will continue to have the opportunity to potentially shape the final framework.