Tag Archives: cyber

ITL FOCUS: Cyber

MAY 2021 FOCUS OF THE MONTH
Cyber


FROM THE EDITOR

When I was in high school, a friend of mine had a poster on his wall that read, “Just because you’re paranoid doesn’t mean they aren’t out to get you.”

That pretty well summarizes how the world of cybersecurity and insurance works. Companies may feel paranoid for looking over their shoulder all the time, expecting something bad to happen, but we all know that there are plenty of bad guys out to find all the victims they can.

Ransomware, in particular, has become an enormous problem. A few years ago, hackers would make limited strikes and hit a few computers at a company, then demand $10,000 or maybe $20,000 to unlock them. Now, though, hackers have figured out ways to combine their specialized skills and make a much broader attack that includes finding and locking up the backup servers — which means the hackers have pretty much shut a company down and can make any ransom demand they want. Demands of $500,000 or more are common, and some reach into the many millions of dollars.


Insurance is surely part of the solution for most companies, but paranoia plays a role, too. Companies need to spend much more time focusing on how to prevent the cyber attacks in the first place, and the best insurance companies are using their expertise to help clients with that effort. New tools and techniques offer considerable hope.


Within that effort at prevention, there is room for an awful lot more cooperation. Law enforcement can work with insurers and company clients to educate them on trends and offer advice, and insurers and their clients can work together to share information on vulnerabilities and on potential solutions. As long as the bad guys are working together, the good guys need to, too.


– Paul Carroll, ITL’s Editor-in-Chief



WHAT TO WATCH

The Alarming Surge in Ransomware Attacks

Insurers can help clients protect themselves – but preventive approaches aren’t yet widely implemented, leaving the door open for unscrupulous hackers. Join Michael Palotay, Chief Underwriting Officer for Tokio Marine HCC – Cyber & Professional Lines, and Paul Carroll as they continue their discussion on ransomware, cyber attacks, and how businesses can protect themselves.


WHAT TO READ

CISOs, Risk Managers: Better Together

In most large firms, risk managers buy cyber insurance–but are rarely expert in network security and may not fully understand the risk profile.

 

Ransomware Grows More Pernicious

The emergence of the Maze variant creates a new threat, that stolen information will be released to the public on the internet.

 

How to Fight Rise in Cyber Criminals

IT security standards have sometimes been lowered or suspended for work at home in the pandemic, resulting in cyber security exposures.

 

New Enhancements for Cyber Coverage

Cyber insurance is probably the most rapidly evolving product on the market. Here are some of the newer enhancements.

 

How CAT Models Are Extending to Cyber

The approach to models used for natural catastrophes is being applied to cyber, leading to a quick maturation in understanding the risks.

 

How Machine Learning Halts Data Breaches

There are four main types of data breaches that advances in machine learning can help thwart.

 


WHO TO KNOW

Get to know this month’s FOCUS article authors:


Evan Bundschuh


Kelly Castriotta


Laurel Di Silvestro


Mark Greisiger


Charles Pruzinsky


Erica Sunarjo




How to Combat the Surge in Ransomware

The threat of a cyber-attack is far more dangerous now than it has been in the past, yet the threat prevention systems necessary to protect oneself remain widely unknown.

Ransomware, in particular, has exploded as a problem. The frequency of such attacks is up almost 200% in the past two years. Severity is up, too — the average ransom demand has surged from roughly $10,000 to well north of $100,000. Combine those two issues, and ransomware is many times as big a problem for clients and insurers as it was two years ago. 

Unless companies create more sophisticated protection systems, the problem will become even worse. Hackers are more astute, increasingly have access to inexpensive tools and have greatly expanded how and what they attack. There are even ransomware developers who sell or lease their ransomware, offering Ransomware-as-a-Service (RaaS).

In the past, attacks were relatively limited. When an employee clicked on an attachment that included a virus, the attack would encrypt the computer. There was minimal ability to spread to other computers, and individual computers were oftentimes backed up. This meant ransomware was frequently seen as just an inconvenience for a company and wasn’t as significant an issue for insurers as it is today.

Now, attackers use their initial entry into a computer as the starting point to work their way into a potentially huge network. The hackers lay traps and can generally find how and where the system’s sensitive information and backup server are located. With this information, the hacker can ensure that paying the ransom is the only way for a company to recover. An attack is often so devastating that the hackers can — and will — ask for exorbitant ransoms.

Tools for hackers are now inexpensive on the dark web, and hacker groups often coordinate. Perhaps one individual finds some credentials that allow a path into a system but isn’t sure how to exploit it. The person might sell the credentials on the dark web or hire some hacker known to be especially good at exploring and exploiting that kind of system; this is RaaS.

While some industries were considered to be relatively low-risk, that’s no longer the case. For instance, a few years ago, manufacturers were considered a target class for cyber insurance carriers because they were unlikely to store personal information, like credit card records. But now, they’re getting hit the hardest: Manufacturers are typically large companies with underdeveloped cyber security capabilities. Hackers would use this to their advantage and exploit these companies, which weren’t prepared for the onslaught of ransomware attacks. 

Within the Tokio Marine HCC – Cyber & Professional Lines Group, we’ve been working with thousands of policyholders to better prepare them for attacks, and people understand the problem conceptually. Cyber is a serious consideration at the executive level and mandatory for business continuity and disaster recovery planning. The recent SolarWinds attack has reminded us all that even the best-protected government and business systems are vulnerable. 

Based on simulations of attacks, we know that approximately 30% of those who receive a phishing email will click on a link that infects their system. Thorough training of staff on awareness and best practices reduces the number who fall for a phishing attack. With proper training, we’ve seen a reduction in exposure, whereby only 10% of employees fall for the trick when a hacker attacks; but that can still be enough for a catastrophe to happen, like the SolarWinds incident.  

Training should be mandatory, but it shouldn’t be the only layer of defense for the network. Perimeter defense, secure backups and patch management are all critical. At present, Tokio Marine HCC provides a vulnerability scanning service for policyholders, which provides insights on vulnerable points of entry for hackers, including security vulnerabilities in policyholders’ perimeter and out-of-date software, to help the insured avoid becoming a victim. 

To combat weak passwords, many companies are starting to require multi-factor authentication to safeguard access to their system. A person must use an alternate means to authenticate themselves through a code texted to a smartphone, provide biometric evidence of their identity through something such as an iris scan or verify their identity via another secondary means. This dramatically reduces the risk that a compromised password leads to a devastating attack.

Companies are moving toward a “zero trust” model to protect their systems. The idea behind this emerging model is to have virtual “hall monitors” to challenge every actor in the system and force that actor to revalidate itself before going into an additional “room.” In the past, companies would use a firewall to keep hackers out, but once hackers get past the wall they virtually have access to any “hall” in the network. 

Companies should also be thinking about their outsourcing arrangements. Outsourcing can be cost-efficient, but if you have a 1,000-person company and only have three full-time people in IT, you’re likely to be using outside contractors. Issues may arise with disagreements regarding who is responsible for patching systems or monitoring the network for suspicious activity. Furthermore, Managed Service Providers (MSPs) are being targeted by hackers and, if the hackers gain unauthorized access, are being used to launch ransomware attacks against their clients.

At Tokio Marine HCC – Cyber & Professional Lines Group, we apply our expertise and use our scale to make deals on behalf of clients to create a package of security services from leading providers. These packages involve, for instance, CrowdStrike, which provides endpoint detection security; Cisco’s Duo, a leading service provider of multi-factor authentication; and many others. We provide the bundling of these services at a discount off the market price, as well as with a discount on premiums, because, based on our data, we’re confident that our clients are less vulnerable with solutions such as these. 

However achieved, reducing vulnerability helps both our company and our clients. We view this as a mutual relationship. If we can keep our claims costs as low as possible, our premiums can be as low as possible. However, it is critical for our insureds to focus on cyber security, so they are not an easy target for hackers. Whether a company has insurance or not, an attack is hugely disruptive, and, although we can transfer some of the financial costs, we can’t transfer everything. For instance, companies oftentimes still have to deal with being shut down for a stretch of time, while they hopefully recover their data and ramp back up.

Minimizing exposure to an attack is possible, but a company must invest in layers of network defenses, training and maintenance to stay ahead. Having the right insurance policy can protect you from the financial burden, but the reputational harm or missed opportunities that result from a cyber-attack can be very costly.  

If you are unable to reduce your vulnerability, the problem could spiral out of control. Insurers will need to keep raising rates rapidly or will simply drop out of the market — supply is already dwindling. Clients may find rates so high that they will self-insure — at great risk.  

At Tokio Marine HCC – Cyber & Professional Lines Group, we’re committed to the market, and demand for the insurance has never been greater. Our focus is staying on top of loss trends so we can help our clients continue to reduce risks and keep the problem manageable for all.

For more information about the Cyber & Professional Lines Group, please visit www.tmhcc.com/pro

CISOs, Risk Managers: Better Together

Not so long ago, many chief information security officers (CISO) and other information-security professionals were offended by suggestions that their organizations should buy cyber insurance. After all, CISOs reasoned, if they did their jobs well, insurance would be unnecessary.

Fast forward to 2021. There probably isn’t a single CISO who believes that their organization is immune to potentially devastating cyberattacks. Recent news of alleged Russian penetration of well-protected government agencies and major corporations is one more reminder that any and every organization is vulnerable. Still, many CISOs are skeptical of insurance’s benefits and often are only tangentially involved in cyber insurance decisions.

CISOs are often concerned about perceived gaps in insurance coverage, about underwriting criteria that are misaligned with an organization’s security policies and procedures and about the willingness of insurers to pay claims. Some concerns are valid. For example, if an organization’s hardware is damaged by a malware attack, not every policy provides “bricking coverage,” which pays to replace impaired equipment. However, many CISOs’ concerns are based on now-outdated policy language and underwriting and claims practices. As cyber insurance has matured, underwriters are offering broader coverage with less burdensome underwriting requirements. Rather than avoiding claims, insurers are often trusted partners in responding to cyber events and managing their consequences.

Cyber insurance coverage may be more expansive now, but insurance buyers must still ensure that the protection they purchase is adequate and appropriate for their organization and its specific risk profile. In most large organizations, the risk manager buys cyber insurance. However, risk managers are rarely experts in network security and may not fully understand their organization’s cyber risk profile and control environment. This may result in purchasing insurance that does not adequately cover significant exposures, while over-insuring low-priority or well-managed risks. To ensure that cyber insurance aligns with the organization’s risk management needs, risk managers need to work with a broker who specializes in this type of coverage offering. Additionally, the risk manager and the broker need to include the CISO in the buying process. 

CISOs and risk managers have a common mission — to protect the assets of their organization. In many organizations, they haven’t effectively collaborated — along with their broker and carrier partners — to achieve their common goals. Even when insurance is recognized as an essential part of the overall cyber risk management strategy, organizational silos, the lack of a common risk vocabulary and differences in risk management frameworks can impede cooperation.

According to a SANS Institute report, Bridging the Insurance/Infosec Gap, “InfoSec and insurance professionals acknowledge they do not speak the same language when defining and quantifying risk, leading to different expectations, actions and justification for outcomes.”

The SANS Institute does not offer a one-size-fits-all solution for closing the gap. Within an organization, successful coordination and cooperation depend on corporate culture, institutional obstacles and how motivated CISOs and risk managers are to cooperate on their common goal.

A coordinated approach is more essential today than ever before. With so many employees working from home during the COVID-19 pandemic, using their personal networks and often their own equipment, IT departments and security professionals struggle to ensure network security. A survey of 250 CISOs by Resilience (named Arceo at the time of the study) found that cloud usage, personal devices usage and unvetted apps or platforms posed the most significant threats during this period of increased telework. 

With so many factors outside the direct control of IT and information-security professionals, insurance becomes essential. But cyber insurance policies can materially vary, and not all insurers offer enough of the right coverage to satisfy an organization’s risk-transfer requirements. Once the corporate risk management and information-security functions are aligned, a broker can help navigate the universe of cyber insurance and help the client understand nuances in policy language to satisfy the organization’s risk-transfer requirements.

The outcome is an integrated program where insurance from secure and knowledgeable carriers is fully aligned with the organization’s risk profile and information-security strategy.

11 Insurtech Predictions for 2021

Despite what we all feared in March, insurtech has continued to flourish, with lots of capital supporting the sector in public and private markets, closer integration between incumbents and startups and promising solutions for longtime needs in SME and cyber. Keeping up the annual tradition, here are my 11 predictions for the insurtech market in 2021.

1. Do you want insurance with that? Insurance will be embedded in every financial and retail transaction

Because no one loves shopping for it, we will see more insurance being sold as part of another transaction, where the user has a high intention to buy. “Embedded” has been a buzzword in fintech for several years, best illustrated by Buy Now Pay Later (BNPL) players like Affirm and Klarna. Embedded insurance started with travel insurance and extended warranties sold at point of sale, like SquareTrade and Asurion. Branch Insurance now sells home and auto as part of the mortgage process, and Matic is embedding with mortgage servicers. 2021 will bring opportunities to embed insurance into transactions, with the goal being delivering a seamless experience of product plus protection.

2. 2021 will be the year for Plaid for Insurance

The original Plaid provides infrastructure to connect banks to financial apps like Venmo, which need access to a consumer’s bank account, so the user can take money from a bank and send it via Venmo, to the recipient’s bank. The explosion of financial apps drove dramatic growth at Plaid. Yes, the Department of Justice has sued to block the acquisition of Plaid by Visa. Worst case: Plaid is forced to go public at a valuation way above the $5.3 billion offered by Visa. In 2020, at least seven “Plaid for Human Resources” were funded. Data connections and enablement are critical across life, health and P&C insurance. In 2021, we will only see more pitches for Plaid for Insurance, and some of those pitches will be winners.

3. The robotic uprising: Automation will take over routine processes and improve customer experience

Automation will be used to support and empower the humans who are still in the process, starting with claims. Startups will accelerate the sale of automation to incumbent insurers, leading to improved customer satisfaction. Who wants to call an insurer to check whether the policy includes glass coverage? Consumers prefer to use their cell phones to text or speak, submit the claim and schedule the windshield replacement service. To show how quickly this change is happening: In 2019, State Farm ran ads mocking Lemonade’s bot; in 2020, State Farm led a venture investment in Replicant, which provides Voice AI to support human call centers. Faster, better customer service, which is cheaper for the carrier: Automation is a win-win with unstoppable momentum.

4. Playing for keeps: Deeper partnerships between incumbents and startups, accelerated by the pandemic

At the beginning of the insurtech phenomenon, way back in 2015, insurers responded by creating innovation groups and adding innovation KPIs to employee reviews. Following the law of unintended consequences, the result was incumbents starting a lot of experiments and proofs of concept with startups. It was frustrating all around, and many of those experiments failed. Now, insurers have moved the decision making back to the operating teams, and those teams are choosing partners to last. The pandemic has focused the efforts of incumbents. That focus will only get stronger going forward, as incumbents understand that they depend on startups to deliver the organization’s goals.

5. More startups will go full stack

Insurtechs will continue to take off their MGA training wheels. Following the high-profile IPOs of Lemonade and Root, 2021 will see full-stack carriers multiply. While the managing general agent model has the advantage of being capital-light and enables a startup to get to market quickly, structuring as full stack gives the startup maximum control over its product and customer experience. Capital is available to build a carrier, coming from multiple sources, as evidenced by sizeable fundraises by Pie, Kin, Hippo and several life insurance startups.

6. SME market will finally get the solutions it needs

At the end of 2019, I swore it was the last time I would predict the success of insurance solutions for SME. But there are finally some serious signs of success and traction in this market. Embroker, Vouch and Next Insurance continue to grow. And Bold Penguin has integrated with the flow of existing insurers, delivering value where incumbents could not. Finally, SME will have some good choices in protecting their businesses, thanks to persistent insurtechs!

7. Achieving scale with coretech

Incumbents are yearning for alternatives to existing core systems, with an average age over 15 years, antiquated programming languages and vendor implementations measured in years. Two trends are providing hope here: no code/low code and coretech, delivering cloud-native core capabilities. The challenges of 2020 encouraged more incumbents and insurers to start limited implementations of no code and coretech. In 2021, we will start seeing a few insurers adopt these new approaches at scale.

8. Cyber insurance will lead the market in delivering dynamic risk protection

There have been many startups in cyber insurance, covering one of the existential threats for companies. Some startups have struggled by aiming at companies that are too small to afford the premium; others have chosen the wrong threat assessment partner and taken unwarranted risk. The whole market continues innovating and growing, which is good news, because cyber threats are also increasing. By combining real-time threat assessment with insurance, startup cyber insurers will deliver dynamic risk protection, enabling their customers to reduce risks as soon as they are identified. That may be a model for future real-time risk coverage in other business lines.

9. Parametric coverage will surge

Insurtechs will tackle claims costs and delays by eliminating the claims process, via parametric solutions. Defining a loss by reference to a standard objective index like rainfall in a specific geography is no longer reserved for markets like drought risk in developing countries. Now, insurtechs are delivering parametric cover for a range of risks, including earthquake, wind and cyber outages in developed countries. One driver is the user experience, where the insured no longer needs to trust the insurer to pay an indemnity claim promptly. Look for more kinds of risks to be covered by parametric solutions in 2021.

10. Record support for insurtechs at all stages

The pace of both early- and later-stage investments in insurtechs proves that investors remain enthusiastic about the market. Valuable business models built in fintech will serve as examples to its younger sibling, insurtech. There is still plenty of insurtech innovation to go around, and abundant capital to support it. We will see new launches and a record amount of capital raised across insurtech in 2021.

11. More big exits

The public market in 2020 has been the story of hot money looking for a home, and eager to pay up for future growth. Insurtech carriers Lemonade and Root went public via IPO, and Hippo is expected to become public either via initial public offering (IPO) or special purpose acquisition company (SPAC). Metromile became the first insurtech carrier to be acquired by an SPAC. These successful exits will drive continued investment in insurtechs that are taking big swings, and we will see more public exits. We can also expect more insurtechs buying insurtechs, like Bold Penguin’s acquisition of Risk Genius and Next Insurance’s purchase of Juniper Labs. The target will be filling a specific strategic need for the acquirer, and buying is faster than building.

In addition to going public, insurtechs will find other options, including strategic exits. Prudential’s 2019 acquisition of Assurance IQ created a lot of hope, but insurers have not yet shown a broad willingness to pay startup valuations. Brokers, always ready to spot the main chance, have made a couple of acquisitions and can be counted on to find deals that deliver focused value to their existing clients. Verisk, Duck Creek, Guidewire all have public currency, and at least the latter two have created long lists of partnerships with startups. There will be multiple insurtech exits in 2021, ranging from additive deals between insurtechs all the way to more IPOs.

6 Questions for Stephen Applebaum

As part of this month’s ITL FOCUS on commercial insurance, we spoke with Stephen Applebaum, managing partner, Insurance Solutions Group, about the future impacts of technology in commercial lines.


What is the biggest change you expect to see in commercial lines in the next 12 months?

COVID-19 related claims, notably first-party property business interruption and third-party liability, will proliferate and create new distractions in commercial insurance once the complete extent of losses is tallied in 2021 and beyond, attracting growing attention from media, regulators and other public watchdog groups, further complicating commercial policy renewals and new business and challenging actuaries, underwriters, agents and brokers. Adoption of policy process automation, including automated underwriting workstations, will accelerate as carriers struggle to regain operating efficiency while managing risk more accurately.

Connected auto, home and business insurance models will begin to see meaningful adoption. Telematics program adoption, featuring innovative partnerships, will explode in commercial auto insurance for fleets, especially small business, offering more compelling value propositions focused on driver safety/behavior modification, rewards and fleet and asset management benefits. Commercial property will follow this trend.

In the next five years?

Distribution channels will change and multiply dramatically. Changing customer expectations and behavior will drive insurers to develop more robust multi-channel distribution. New and increasing competition will push insurers to develop new digital models and partnerships designed to make the insurance selection and purchase process fully seamless. While agency writers still hold a ~70% commercial P&C market share, the number of independent agencies will continue to decline as new direct distribution channels and channel consolidation grows, both fueled by expanding private equity and venture capital investment. Many exclusive and captive agencies will convert to independent agencies. Also, carriers and brokers will pursue more cross-border and geographic expansion through M&A and partnerships to drive scale.

An increasing percentage of work will be performed by artificial intelligence technologies, including machine learning and robotics process automation. Consequently, concern and public debate will ensue concerning the issues of bias and ethics in the design and use of AI, and governing standards will begin to emerge.

The demand for commercial cyber risk and liability insurance will continue to grow as digitization and mobility further penetrate communications. Insurers will adopt a variety of growth strategies, including innovative partnerships, alliances and collaborations, new products and enhancements, as well as M&A to achieve growth and presence in the cyber insurance market. The global cyber insurance market size is projected by industry experts to grow by at least 20% annually from $8 billion in 2020 to well over $20 billion by 2025.

In the next decade?

Consolidation of the North American agent and broker channel will continue unabated as private equity investors seek attractive returns through deployment of historically high levels of “dry powder” as investment fund sizes continue to break records.

Technology will continue to enable innovation and process transformation through 2030, including:

  • completely digital quoting processes for retail agents and brokers
  • deployment of e-signature solutions that will satisfy all compliance concerns and create a standardized process across all lines of business
  • connected vehicle technologies that will alter the commercial auto insurance landscape and give auto makers an important role in insurance sales, distribution and claims
  • connected home and business technologies that will similarly transform the commercial property landscape
  • the commercial insurance claims process will evolve much as did personal lines claims; claims ecosystems and platforms will form that enable much shorter claims cycle times, better outcomes for carriers and customers and greater visibility into claims vendor performance. 

What are the three technologies you think will play the biggest role in driving change — perhaps one for each of the three time periods?

Technologies driving change over the pre-defined time periods:

NEXT 12 MONTHS

  • Cross-enterprise digitization
  • AI-enabled process automation
  • Emergence of platforms and open ecosystems

 

NEXT 5 YEARS

  • Cross-enterprise digitization
  • AI-enabled process automation
  • Emergence of platforms and open ecosystems
  • Connected sensors/devices in workplaces and buildings enabling risk management and ultimately risk avoidance

 

NEXT DECADE

  • AI-enabled process automation
  • Emergence of platforms and open ecosystems
  • Connected sensors/devices in workplaces and buildings enabling risk management and ultimately risk avoidance
  • Virtualization of everything; workforce, external/internal communications, healthcare, claims reporting and claims management

 

Please pick a technology mentioned and describe in a bit of detail how that will play out.

Digitization will fuel virtualization much like the conversion of data from analog to digital form enabled all of the many information management solutions. As digitization continues to expand across each operating segment of the insurance enterprise, it will spawn innovation of virtual processes to improve upon and replace formerly manual, stubbornly long, costly, complex and inefficient ones. Ultimately, the commercial insurance industry will sell more profitable, lower-cost, innovative protection products and services such as hyper-personal, parametric and variable interval insurance through seamless, direct-to-customer distribution channels. 

Through these technologies, the industry’s primary selling proposition will pivot from insurance products, risk and claims management to protection services, risk and claims avoidance.

What is the one trend you see people talking about today that you think WON’T pan out, at least within a reasonable period?

Expectations for 100% automated and touchless processes without any human involvement will go unrealized well into the future. A subset of non-routine and catastrophic claims will continue to call for expert human, empathetic handling. However, numerous repetitive processes not requiring human support or judgment will be automated using AI technologies, eliminating a significant number of industry positions – but many of the individuals impacted will be offered retraining and upskilling by their employers –  thereby improving their job satisfaction and compensation levels.


We would like to thank Stephen Applebaum for participating in our ITL FOCUS interview series.

This interview is a part of the January 2021 ITL FOCUS: Commercial Insurance article.