Tag Archives: Marissa Mayer

4 Keys on Cyber-Risk Accumulation

As the sale of cyber policies grows and other types of policies are extended to include cyber coverage, the industry is taking on a massive amount of new risk. Although it is true that auto, workers compensation, environmental policies and so many others were all new offerings at one time, there are some things about cyber that make it more unusual, more uncertain and more potentially dangerous for the insurance industry than new offerings of the past.

Simultaneity

It is entirely possible for hackers to plan and launch simultaneous attacks on a large number of targets. Those targets may be corporations, infrastructure such as power plants, government bodies, hospitals, or any other type of entity.

If a successful, very harmful simultaneous attack, whether ransomware, malware or any other type of IT weaponry, were made on a sizeable number of entities, the losses occurring at one point in time could create serious liquidity pressures and even jeopardize the solvency of an insurer.


Individual insurers are modeling their aggregate exposures, but are they doing it comprehensively enough? The analysis must take into account not only the limits and reinsurance on their cyber policies (including such add-ons as contingent business interruption or other enhancements) but also what level of coverage is afforded in existing casualty and property policies, as well as any other policies that may be triggered (such as D&O, E&O, reputation, etc.). In addition, correlated risks that have nothing to do with claims liabilities per se should also be considered. For example, what will an insurer do if its contracted vendor networks, which are supposed to help insureds after a breach, are not resourced sufficiently to handle simultaneous attacks?

Ubiquity

Given the global nature of the internet, attacks may be not only simultaneous but ubiquitous. The entities affected may be all over the world. An insurer that relies on geographic diversity to protect its capital can lose the benefit of diversification when it comes to cyber.

A global event or series of events could have significant capital implications for insurers that have considered their cyber portfolio in part rather than in whole.
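The loss of diversification argued in the two sections above, as an added illustration that is not part of the original article: the same book of policies is valued under independent attacks and under one simultaneous event, and the gross limit a single event could reach once the cyber-triggered share of property and D&O covers is counted is netted against a reinsurance treaty. All figures, the `cyber_share` fractions and the treaty terms are constructed.

```python
# Added example (not from the article): aggregation of a cyber book when
# attacks hit many insureds at once instead of independently.


def independent_var(n, p, limit, level):
    """Value-at-risk of n independent policies, each paying `limit` with
    probability p. Returns the smallest loss whose cumulative probability
    reaches `level`; the loss count is binomial, built up recursively so
    no huge binomial coefficients are needed."""
    pmf = (1 - p) ** n  # probability that no policy pays
    cum = pmf
    if cum >= level:
        return 0.0
    for k in range(1, n + 1):
        pmf *= (n - k + 1) / k * p / (1 - p)
        cum += pmf
        if cum >= level:
            return k * limit
    return n * limit


def simultaneous_var(n, p, limit, level):
    """Same book, but a single event (probability p) hits every policy at
    once, so geographic or segment spread gives no diversification."""
    return n * limit if p > 1 - level else 0.0


def event_exposure(policies):
    """Gross limit one simultaneous event could trigger across the whole
    book: cyber policies plus the cyber-triggered share of property,
    casualty, D&O and E&O covers (the 'silent' cyber exposure)."""
    return sum(pol["limit"] * pol["cyber_share"] for pol in policies)


def net_of_reinsurance(gross, retention, treaty_limit):
    """Aggregate excess-of-loss treaty: the reinsurer pays the part of the
    loss above `retention`, capped at `treaty_limit`; the rest stays net."""
    recovery = min(max(gross - retention, 0.0), treaty_limit)
    return gross - recovery


# Constructed book: limits in $m; cyber_share is the fraction of the limit an
# underwriter judges a cyber event could trigger (1.0 for pure cyber cover).
BOOK = [
    {"line": "cyber", "limit": 10.0, "cyber_share": 1.0},
    {"line": "property", "limit": 50.0, "cyber_share": 0.2},
    {"line": "D&O", "limit": 20.0, "cyber_share": 0.1},
]

if __name__ == "__main__":
    # 1,000 insureds, 1% chance each is hit, $1m limit, 99.5% VaR.
    print("independent 99.5% VaR ($m):", independent_var(1000, 0.01, 1.0, 0.995))
    print("simultaneous 99.5% VaR ($m):", simultaneous_var(1000, 0.01, 1.0, 0.995))
    gross = event_exposure(BOOK)
    print("one-event gross exposure ($m):", gross)
    print("net after $10m xs $5m treaty ($m):", net_of_reinsurance(gross, 5.0, 10.0))
```

With the constructed inputs the independent book needs capital for roughly 19 losses, while the same book hit by one simultaneous event needs capital for all 1,000.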

Unpredictability

There is scant history upon which to base underwriting and pricing decisions when it comes to cyber. The earliest policies were geared toward system failures, not cyber attacks. More recent policies focused on data breaches and stolen data, and the actual cover involved handling some of the expertise needs and certain expenses after a breach. Now, cyber policies are dealing with ransomware attacks and cover business interruption and other losses. This is heady stuff when there are no historical patterns to use in predicting frequency and severity, as there are with property or workers compensation. Ransomware attacks continue to escalate at a rapid pace. Who knows how much faster or greater this trend line will grow?

Some cyber attacks have been targeted while others are random. In either case, they test the ability of insurers to make predictions. This, in turn, makes it difficult for actuaries to price the product appropriately. How much business should an insurer write of a particular kind until it can be sure the business is priced correctly for the exposure?

A random attack might seem to better fit the principle of insuring against fortuitous events; however, it also means that an insurer that relies on customer-segment diversity to protect its capital can lose the benefit of such diversification. This is similar to the situation mentioned above in connection with geography.

A targeted attack will likely strike an entity (or entities) with the most money, records or other treasure worth capturing or destroying. Hence, the losses generated will be greater.

Initial attacks focused mostly on retailers, with hospitality, banking and healthcare following. The great fear is that power and infrastructure will be next. The impact from attacks on power and infrastructure could be catastrophic in the extreme.

The flexibility to strike randomly or with fixed intent leaves underwriters in a quandary about which classes of business are riskier than others. How, then, can they manage their customer mix as they do with other lines of business?


Sponsorship

Hackers can work alone or in groups. They can also be actors for foreign governments. When Marissa Mayer spoke about the Yahoo attack, she commented on the unevenness between a company’s attempts at IT security versus an attack potentially perpetrated by a nation state. This phenomenon is something insurers must consider when parsing the words in their contracts. To what extent should there be exclusions, as there are in terrorism policies or other policies that exclude acts of war? To what extent is a future federal backstop needed?

Conclusion

This is not to say that cyber insurance should not be offered. Society has a protection need, and insurers have been answering that need since the first handshake at Lloyd's. In addition, this line of business has been streaming new revenues into an industry that, in recent years, has had excess capacity. Rather, it is to say that insurers must put robust and innovative solutions in place to manage aggregation risk.

Are Passwords Finally Becoming Passé?

It looks like 2017 is continuing right where 2016 left off—with news of a massive data leak and thousands of passwords being exposed on the internet and cached by search engines.

This refers to the gaping security flaw recently discovered in the widely used Cloudflare service. It goes without saying that you should immediately change all your passwords, given how deeply embedded into the internet Cloudflare is. You also should seriously consider using a multifactor step-up capability to access your more sensitive websites and services.


Your identity has become a “currency,” and criminals are able to sell it like other data. Unfortunately, many organizations are dragging their feet in adopting more advanced and secure methods for allowing customers to connect with their services. For the near term at least, passwords are here and will be here for the next few years.


In terms of security and availability, passwords are the lowest common denominator. They are cheap to deploy, users understand how to interact with them, and the risks associated with the username and password paradigm—while not fully understood—are accepted. But there are three key factors converging that will replace the username and password in the future.

Many more savvy about security

First, policy- and decision-makers are becoming more sophisticated in their understanding of the risks and security profile that simple reliance on passwords presents. Recent announcements from Yahoo CEO Marissa Mayer and General Counsel Ronald Bell should be a bellwether in this regard. Following YAYB (Yet Another Yahoo Breach), Bell resigned without severance pay, and Mayer lost her annual cash bonus and equity award—which some reports estimate to be worth upward of $14 million.

Governmental regulations—such as the revised payment services directive (PSD2) in Europe—are imposing more stringent authentication requirements on financial institutions, while the National Institute of Standards and Technology in the U.S. no longer recommends one-time passwords (OTPs) delivered via SMS in its Digital Authentication Guideline. Password reliance and its associated pain is a global problem.

Advances in biometrics, other alternatives

Second, viable alternatives to the password are gaining widespread acceptance. Since the release of the fingerprint scanner on the Apple iPhone 5S, biometrics have exploded as an alternative to PINs and passwords.


The FIDO Alliance has grown as an industrywide organization popularizing a set of specifications that increase privacy, increase security and increase usability while at the same time allowing the multitude of players from the authentication marketplace to ensure interoperability. Adoption of such alternatives is moving along at a solid clip with millions of users worldwide already using this technology.

Consumers demand more

Finally, users are fed up. They have learned of breach after breach after breach. The added features that complicate a password are not actually making it more secure, but they do make passwords significantly more difficult to input on the small touchscreens that are becoming our primary computing devices.

As these three forces continue to converge, passwords will be replaced in greater and greater numbers.

As a society, we need to overcome password pain and look to the future. Using a fingerprint or other biometric authentication measure helps users look beyond the failed username and password infrastructure. In time, the public will understand how flawed traditional password usage is. It’s both inconvenient and insecure.


In 2017, we will see more companies erring on the side of security, removing passwords and implementing modern authentication strategies that eliminate the opportunity for large-scale password leaks and theft.

This post originally appeared on ThirdCertainty. It was written by Phil Dunkelberger. 

Why To-Do Lists Don’t Work

Do you really think Richard Branson and Bill Gates write a long to-do list with prioritized items as A1, A2, B1, B2, C1 and on and on?

In my research into time management and productivity best practices, I’ve interviewed more than 200 billionaires, Olympians, straight-A students and entrepreneurs. I always ask them to give me their best time management and productivity advice. And none of them has ever mentioned a to-do list.

There are three big problems with to-do lists:

First, a to-do list doesn’t account for time. When we have a long list of tasks, we tend to tackle those that can be completed quickly, leaving the longer items left undone. Research from the company iDoneThis indicates that 41% of all to-do list items are never completed!

Second, a to-do list doesn’t distinguish between urgent and important. Once again, our impulse is to fight the urgent and ignore the important. (Are you overdue for your next colonoscopy or mammogram?)

Third, to-do lists contribute to stress. In what’s known in psychology as the Zeigarnik effect, unfinished tasks contribute to intrusive, uncontrolled thoughts. It’s no wonder we feel so overwhelmed in the day but fight insomnia at night.

In all my research, there is one consistent theme that keeps coming up:

Ultra-productive people don’t work from a to-do list, but they do live and work from their calendar.

Shannon Miller won seven Olympic medals as a member of the 1992 and 1996 U.S. Olympic gymnastics teams, and today she is a busy entrepreneur and author of It’s Not About Perfect. In a recent interview, she told me:

“During training, I balanced family time, chores, schoolwork, Olympic training, appearances and other obligations by outlining a very specific schedule. I was forced to prioritize…To this day, I keep a schedule that is almost minute-by-minute.”

Dave Kerpen is the cofounder of two successful start-ups and a New York Times-best-selling author. When I asked him to reveal his secrets for getting things done, he replied:

“If it’s not in my calendar, it won’t get done. But if it is in my calendar, it will get done. I schedule out every 15 minutes of every day to conduct meetings, review materials, write and do any activities I need to get done. And while I take meetings with just about anyone who wants to meet with me, I reserve just one hour a week for these ‘office hours.’”

Chris Ducker successfully juggles multiple roles as an entrepreneur, best-selling author and host of the New Business Podcast. What did he tell me his secret was?

“I simply put everything on my schedule. That’s it. Everything I do on a day-to-day basis gets put on my schedule. Thirty minutes of social media–on the schedule. Forty-five minutes of email management–on the schedule. Catching up with my virtual team–on the schedule…Bottom line, if it doesn’t get scheduled, it doesn’t get done.”

There are several key concepts to managing your life using your calendar instead of a to-do list:

First, make the default event duration in your calendar only 15 minutes. If you use Google Calendar or the calendar in Outlook, it’s likely that when you add an event to your calendar it is automatically scheduled for 30 or even 60 minutes. Ultra-productive people only spend as much time as is necessary for each task. Yahoo CEO Marissa Mayer is notorious for conducting meetings with colleagues in as little as five minutes. When your default setting is 15 minutes, you’ll automatically discover that you can fit more tasks into each day.

Second, time-block the most important things in your life, first. Don’t let your calendar fill up randomly by accepting every request that comes your way. You should first get clear on your life and career priorities and pre-schedule sacred time-blocks for these items. That might include two hours each morning to work on the strategic plan your boss asked you for. But your calendar should also include time blocks for things like exercise, date night or other items that align with your core life values.

Third, schedule everything. Instead of checking email every few minutes, schedule three times a day to process it. Instead of writing “Call back my sister” on your to-do list, go ahead and put it on your calendar or, even better, establish a recurring time block each afternoon to “return phone calls.”

That which is scheduled actually gets done.

How much less stress would you feel, and more productive would you be, if you could rip up your to-do list and work from your calendar instead?