The Costs of Inaction on Encryption

Alarm systems have a long and varied history — from geese in ancient Rome, to noise makers that announced the presence of an intruder, to present-day electronic sensors and lasers. Originally, the creation of alarms was driven by the psychological need all humans have to establish a safe environment for themselves. Today, that same need exists, but it has been extended to include other concerns, such as valued personal possessions, merchandise and intellectual property. In the cyber realm, security is as important as it is in the physical world because people must be able to feel secure in their ability to store sensitive, high-value data. Without that sense of security, the cyber realm would lose almost all of its relevance.

Cybersecurity is established by many hardware and software components, but none is more essential than strong encryption. It is encryption that keeps bank transactions, online purchases and email accounts safe. However, there is a disturbing worldwide governmental trend toward weakening encryption, exemplified in the legal dispute earlier this year between Apple and the U.S. government. While parts of that dispute fall outside the professional insurance sphere, there is an undeniable part of the battle for strong encryption that the professional insurance sector must not fail to acknowledge and address. The outcome of this struggle will be felt for decades to come, and, at least in the business arena, it will perhaps be borne most keenly by cyber liability and technology E&O insurers.

With global attempts under way to reduce the effectiveness of encryption, no insurer can claim it has no part in the effort for resilient and ever-evolving encryption and cybersecurity measures. The Chinese government is no supporter of privacy: it has been credibly accused of hacking Google’s Gmail service and the Dalai Lama’s email account to gain access to information it deemed disruptive, and it has been stepping up its “investigations” into products produced by U.S.-based technology companies. Furthermore, after both the 2015 attack in Paris and the 2016 attack in Brussels, the debate over whether strong encryption should be permitted was reignited in Europe and the U.K., and the French, Hungarian and British governments have since made various attempts at weakening or restricting encryption. Facing this global challenge, insurers must be fully aware of what is at risk for them, and they must help pave a path forward that balances the profitability of products like cyber liability and technology E&O with the protection those products should afford any insured.

Apple, perhaps, serves as the best example of how governmental interference with cybersecurity is an issue that requires direct and immediate intervention from insurers. Thousands of businesses around the world rely on the iPhone and iPad for productivity, and almost all of them also rely on the security those devices provide, from both a hardware and a software standpoint. Recently, in more than one judicial battle, the U.S. government attempted to force Apple to write and sign a custom version of its operating system that would strip the passcode-guessing limits from a seized iPhone so the passcode could be brute-forced. Apple argued that, once written, such code could be reused against other iPhones, making it in effect a master key to the data on any iPhone. In parallel, the U.S. government is pursuing a legislative avenue to pass a law that would force U.S. companies to give it unfettered retrieval of any data on which it sets its sights.

Providing such access would almost always require companies to write software that is purposely compromised from a security standpoint. It would be extremely unwise for professional insurance companies to assume this disagreement is only between the technology sector and world governments. An outcome favorable to the U.S. government would have direct and immediate negative effects on insurers that offer cyber liability and technology E&O insurance in the U.S., and it would set a dangerous precedent that emboldens other governments to justify similar demands for access to what should be secure data.

From a cyber liability standpoint, any vulnerability in software gives hackers another way to compromise a victim’s computers and network. If a company like Apple (with thousands of businesses depending on it to keep them safe) has to create a master key, then every business that uses Apple products becomes vulnerable to attack, because there is no known way to build a bypass that only the intended government can use: whoever obtains the key, the signed code or the knowledge of how the bypass works can use it just as well. The U.S. government has a long history of being unable to keep its own data safe, which means that, in time, hackers will figure out what entry point was created and exploit it. The most worrisome entities that might gain access to the backdoor are non-democratic nation-states, because they have the most to gain from exploiting vulnerabilities in U.S.-based companies. But U.S. companies are not the only users of Apple products, so companies located anywhere would also be exposed. Additionally, if governments restrain encryption by making it illegal or limiting the ways data can be encoded, that again hands power to the entities that would exploit weak encipherment to the detriment of the private sector.

From a technology E&O standpoint, any U.S. government demand that an insured weaken its products creates a breach of contract, which will drive claims against technology E&O policies. If Foxconn, which builds the iPhone for Apple, were forced to alter firmware used in the iPhone to introduce even one deliberate flaw, then Apple could sue Foxconn for breach of contract on learning that Foxconn had obeyed a government order to create a security bypass in the firmware. Worse yet would be a company like FireEye being forced to reduce the effectiveness of the virtual execution engines at the heart of its malware analysis appliances. FireEye and other cybersecurity companies are what often stand between a hacker and its victim; should a cybersecurity company ever be forced to obey such an order, little would stand between a hacker and its potential victims. Moreover, every company that depends on that cybersecurity company’s products would also be in a position to bring claims against the insured organization, which would certainly be detrimental to technology E&O insurers.

To defend itself and its products from government interference, Apple is reportedly building a security feature that removes its own ability to bypass the iPhone’s protections, so that there is nothing a court could order it to unlock. While such a method works from a simplicity standpoint, it will not work for the majority of technology companies; cybersecurity and cloud providers, which must hold or process customer data in usable form, are two examples of where such a solution would not fit. Additionally, if a law were passed that allowed a court order to force a company to decrypt information on its products, the company so ordered would be put in a bind. Cyber liability and technology E&O insurers could also add exclusions to policies that would void coverage if an insured organization complied with a governmental request to create a backdoor.

However, it would be extremely difficult for an insurer to prove that a backdoor was created deliberately, and, ultimately, such exclusions would be ethically ambiguous because they would punish an insured firm for obeying the law. Companies could also contest each governmental request, assuming no law makes refusing a request illegal, but not all companies have the time or financial resources with which to fight a government. The only reasonable avenue to rein in disruptive governmental orders, then, is for insurers, technology companies and others to unite and block any legislative attempt to pass a law that would force a technology company to create a security gap. That coalition will also need to fight any attempt to weaken or outlaw any type of encryption.

Currently, the relationship that exists between the insurance and technology sectors is that of provider and client, but that relationship must now evolve into a partnership. The technology sector cannot afford to go without cyber liability and technology E&O insurance because almost every company needs to offset technological risk now that we are in a globally connected and highly litigious age. Insurers also need to continue offering cyber liability and technology E&O policies because they have the clout and financial strength to help protect companies — especially small- and medium-sized ones — from an ever-changing technological landscape. Then, too, whichever insurer develops a realistic understanding of the intersection of risk and technology will be in a position to enrich itself.

The path forward, then, is to create a coalition whose first goal would be to stay on top of both pending and current judicial cases and bills being drafted or voted on in any legislature worldwide that would degrade the security strength of any member’s product. The U.S. government has recently tried to force Apple to create a master key to one of its product lines, and there is no reason to believe that it will not force other companies (like cloud providers) to build similar backdoors into their products. To work against such actions, the coalition might be composed of two representatives from each sector’s main representative organization. For instance, for the professional insurance sector that would be PLUS, and for technology companies that would be IEEE.

Furthermore, the coalition might also include members from automotive manufacturers, educators and telecommunication firms. Its protective approach would be to identify threatening cases or bills and then bring all available resources forward to eliminate or mitigate the threat. A recent judicial example that would have concerned such a coalition was the Apple case against the U.S. government in the Central District of California, Eastern Division. A current legislative example is the Burr-Feinstein anti-encryption draft (the proposed Compliance with Court Orders Act of 2016), which would allow courts to order a company to render intelligible information its products have encrypted, such as the data an iPhone protects for its user.

In a judicial case, the main measure could be filing amicus curiae briefs on behalf of the aggrieved organization; another might be ensuring the defendant crafts the most persuasive arguments against governmental interference and appeals unfavorable rulings. On the legislative front, measures might include lobbyists but, more importantly, ought to draw on the unity the coalition provides, working with an organization like the EFF and even mounting public relations campaigns to win the support of the public worldwide. In the rare instances when a government attempts to work with the private sector to understand its concerns, as the U.S. government is trying to do with the proposed “Digital Security Commission,” the coalition would need to support such efforts as much as possible.

It is true that the coalition’s efforts in countries like China and Russia might be limited, and they will also be limited whenever a country decides that a criminal act, like terrorism, is better dealt with by eroding encryption and cybersecurity measures. In an instance concerning China, insurers could consider increasing the reinsurance they purchase on their cyber liability and technology E&O portfolios to offset the damage from increased claims. Insurers will also need to be extremely cautious when providing cyber liability and technology E&O coverage to organizations that have close relationships with non-democratic governments (like the Chinese government) or that produce products with a high likelihood of being the result of IP theft, such as mid- to high-end processors.

The pursuit of the best encryption and cybersecurity measures needs to be unencumbered by the efforts of any government, just as alarm systems have been free to evolve over the past two or three millennia. This can only be achieved through the unified action and vigilance of a coalition. Encryption and resilient cybersecurity frameworks are the essential and irreplaceable elements of a safely connected world. To limit, in any way, the efforts to perfect those elements, or to purposely reduce their effectiveness, is irresponsible regardless of whether the reason is national security or the pursuit of a criminal enterprise. Lloyd’s and other organizations involved with cyber liability and technology E&O insurance see a future in which insurers achieve healthy profits from those two products. However, if insurers do not responsibly oppose governmental attacks on encryption and cybersecurity, that profitable future will give way to one of excessive claims, damaging losses and very little profit.

Cyber Risk: The Expanding Threat

Summary

— Interest in cyber insurance and risk has grown beyond expectations in 2014 and 2015 as a result of high-profile data breaches, including a massive data breach at health insurer Anthem that exposed data on 78.8 million customers and employees and another at Premera Blue Cross that compromised the records of 11 million customers. The U.S. government has also been targeted by hackers in two separate attacks in May 2015 that compromised personnel records on as many as 14 million current and former civilian government employees. A state-sponsored attack against Sony Pictures Entertainment, allegedly by North Korea, made headlines in late 2014.

— Cyber attacks and breaches have grown in frequency, and loss costs are on the rise. In 2014, the number of U.S. data breaches tracked hit a record 783, with 85.6 million records exposed. In the first half of 2015, some 400 data breach events have been publicly disclosed as of June 30, with 117.6 million records exposed. These figures do not include the many attacks that go unreported. In addition, many attacks go undetected. Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and CSIS estimated the likely cost to the global economy from cyber crime is $445 billion a year, with a range of between $375 billion and $575 billion.

— Insurers are issuing an increasing number of cyber insurance policies and becoming more skilled and experienced at underwriting and pricing this rapidly evolving risk. More than 60 carriers now offer stand-alone cyber insurance policies, and insurance broker Marsh estimates the U.S. cyber insurance market was worth more than $2 billion in gross written premiums in 2014, with some estimates suggesting it has the potential to grow to $5 billion by 2018 and $7.5 billion by 2020. Industry experts indicate rates are rising, especially in business segments hit hard by breaches over the past two years.

— Some observers believe that cyber exposure is greater than the insurance industry’s ability to adequately underwrite the risk. Cyberattacks have the potential to be massive and wide-ranging because of the connected nature of this risk, which can make it difficult for insurers to assess the likely severity. Several insurers have warned that the scope of the exposures is too broad to be covered by the private sector alone, and a few observers see a need for government coverage akin to the terrorism risk insurance programs in place in several countries.

See the full white paper here.

It’s Time to Rethink Flood Coverage

“The boat is safer anchored at the port; but that’s not the aim of boats.” — Paulo Coelho

The scenes are now all too familiar. Waters rising, dams breached, cars drifting away, homes and properties inundated with water. As of this writing, 13 people have died in the Carolinas as the “one-in-1,000-years” flood continues to ravage the area. Losses should easily exceed $1 billion.

If all of that was not bad enough, what’s worse is that you and I will be paying for this.

Unfortunately, the song remains the same after all these years:

  1. Property insurance policies exclude flood coverage
  2. Property owners either believe they have coverage or choose not to purchase it
  3. The biblical rains arrive, causing damage, and property owners seek help from the largest wallet available and willing to help…the U.S. government
  4. (Alternatively, and unfortunately, property owners may buy flood coverage, but, because the coverage was mispriced, the National Flood Program will not have the funds to pay the claims and will need to borrow from us taxpayers).

The system is a mess, and my criticism lies directly with the insurance industry. We can solve this problem. These floods are insurable events. We are flush with capital, and each week it seems another technology firm is releasing a flood model to help us manage this risk.

But that sound you hear is crickets. We are not making much progress at all.

The solution cannot be separate, private, flood coverage. That is a nice start but is not the solution, because it’s more of the same, just with a different wallet writing the check.

What we need is to “loosen the exclusion.” Flood needs to become a standard component in the homeowners policy. Just as fire, wind, lightning, theft, vandalism and liability are all standard components of a homeowners insurance package, flood needs to be included as that form of standard coverage.

The advantage to homeowners is true peace of mind.

  • Every homeowner has some ground water risk, and we can eliminate this coverage concern once and for all.
  • We can eliminate policy juggling, with one single policy.
  • A single claims adjuster can determine any losses without needing superhuman insights to know whether water or wind caused the damage.

The enterprising insurer gets to differentiate its personal lines business with a non-correlated premium source. The insurer eliminates the headache of defending flood exclusions and the bad publicity and court judgments around those issues.

Some insurers will be rightly concerned about the increased risks. But isn’t this the business we are in? It may feel safe to exclude coverage, but our role in society is not to exclude coverage. Our role is to find a way to profitably make our capital available for these types of events.

We have all the tools and capital we need to make this happen. Do we have the will?

Cyber Risk: Is It Worth All the Pain?

With an onslaught of bad recent cyber news, is cyber risk worth the trouble, and how should corporate directors be looking at this issue? The recent news includes the high-profile breach of 4 million employee records at the U.S. Office of Personnel Management by alleged Chinese hackers, and the revelation that even the security experts are getting hacked, with Kaspersky Lab reporting a breach it attributes to a nation state.

President Obama also made cyber security an emphasis of his G7 talks in Germany, commenting that the U.S. government needs to be more “nimble, aggressive and well-resourced” to combat this threat. He also urged the U.S. Congress to pass the 2015 Cybersecurity Information Sharing Act, a first step in a coordinated and systemic public/private response to cyber risks.

The attacks show no signs of slowing. PwC’s 2015 Global State of Information Security Survey indicates a compound annual growth rate of 66% for cyber incidents since 2009. The 10,000 respondents to the survey reported almost 43 million detected incidents during 2014 alone—or 117,339 incoming attacks every day of the year.

Is cyber security risk worth it? Yes, but with a caveat. Without a doubt, the many innovations currently taking place with today’s information technologies open up many new vulnerabilities. Risks are now difficult to isolate, and a protect-and-defend model is not effective against the systemic risks inherent across any corporate ecosystem.

Attacks can also come from a growing list of sources, including hacktivists, foreign and domestic nation-states, customers, employees, partners, consultants, competitors, organized crime and the bored neighbor kid living in the basement and surviving on a diet of Cheetos, Red Bull and your weak IT security infrastructure. The direct and indirect costs of mounting an effective cyber security defense are only getting more expensive, and the risks are only increasing.

Despite this, these technologies also have an upside—a significant one as they are now competitive table stakes, as new business tools always are. These tools are changing market dynamics and customer preferences, and the technologies embody distinct economic advantages such as the lowering of transaction and engagement costs. Business models and competitive advantages are changing as a result of these tools.

These tools are shaping and defining business success, but the risks are holding many companies back. Which brings us to the caveat: the upside of these technologies outweighs the downside, but only when the risk is actively managed rather than avoided.

Cyber is worth the risk, but boards, directors and managers need to exploit the business advantages of these tools while, at the same time, mounting a “nimble, aggressive and well-resourced” approach to mitigating these incessant risks.

This is easier said than done: 89% of the companies on the Fortune 500 list in 1955 are no longer on it. The market weeds out companies that can’t capitalize on the opportunities presented by changing conditions, including new technologies.

Directors need to be diligent in overseeing cyber risk as part of a comprehensive IT governance and enterprise risk governance approach. But they also need to be on top of governing cyber opportunity—that’s the only way that they can make cyber security risk worth it.