Cyber liability is a significant concern for everyone who uses the Internet.
Many businesses may think they are too insignificant or inconsequential to need cyber liability coverage but that is a major mistake. Hackers know that small and medium-size company websites are more vulnerable and are easier targets. This is especially true with hackers who see the potential of using these companies as portals to gain access to larger websites. Security is vital but appropriate coverage is too.
Speaking of small to medium-size companies, have you reviewed your own cyber liability coverage? Your agency's computer system contains a great deal of valuable and confidential material. A cyber-attack on your computer system could ruin your agency and the trust you have spent years to establish.
ADDRESSING CYBER RISK: ADVICE FOR AGENTS AND BROKERS
Experts identify strategies to safeguard data and systems
By Dave Willis
Agents and brokers are finding increased customer demand for cyber liability insurance and risk management advice on dealing with cyber exposures. While it's important to take care of client and prospect exposures, it's equally important-perhaps more so-to make sure the agency is up to speed on the latest threats and ways to address them.
The cyber landscape continues to change. "Exposures continue to evolve," says Jim Whetstone, professions practice leader at Hiscox. "And they will continue to do so for the foreseeable future. We'll see changes in everything from the methods used by hackers to some of the newer exposures, such as those presented by BYOD-bring your own device to work-to the consumer protection and other regulations that impact entities after a breach or privacy event takes place."
According to David Gerlach, director of information security at Applied Systems, one of the newest cyber security threats faced by businesses, including insurance agencies and brokerages, involves what's called 'ransom ware.' "This type of cyber-attack is a virus that infects a computer and holds data hostage through a form of strong encryption," he explains. "With this encryption, data is scrambled and made unusable. The attackers then ask for money in exchange for the key to unlock the data."
Nephi Williams, CISA, CISSP, corporate information security compliance manager at Vertafore, notes that as technology constantly evolves, so do threats to vendors that provide technology and software to agencies and brokerages. "Over the past few months," he says, "there have been several instances of third-party software vulnerabilities that had the potential of significant security impact if not addressed." One example is the OpenSSL Heartbleed vulnerability that was announced in April of this year.
A number of other exposures exist. Gerlach points out that unpatched software and phishing attacks are threats to agencies and brokerages, as is the use of unauthorized-and often infected and/or malicious-software. Common cyber-related risks Williams sees among agencies and brokerages include employees visiting sites that have been compromised and clicking on attachments in malicious emails.
Adds Whetstone, "There are both internal and external cyber-related risks. Lost laptops, smart phones or other devices, and the improper disposal of paper files, are a few of the ways companies find themselves subject to breach notification laws and subsequent regulatory investigations and consumer class actions."
"As the amount of digital data continues to grow at an exponential rate, there are strategies agencies and brokerages can employ to protect against cyber-related risks," Gerlach notes. "For example, as unpatched software is
highly exploitable, agencies and brokerages must implement a solid patch management process to reduce risks of cyber-attack."
Whetstone encourages agencies and brokerages to treat information security-both on- and off-line-as what he calls, "a business enabler. Having an individual at the agency or brokerage who is responsible for information security is a good first step for most. Too often, it seems, small and medium-sized businesses spread the responsibility among several individuals, which often means no one takes ownership."
Implementing strong security policies and delivering employee security awareness training are important steps Williams recommends that agencies take. "These can be critical in helping agency and brokerage employees understand the risks of, for example, going to sites that may not comply with company Internet policies," he explains. "Employees should avoid these sites."
He also says employees must be trained on when to open and read email attachments. "Vertafore has found that security awareness training has helped our employees identify 'phishing' emails that appear in the form of e-business confirmations," Williams notes. "Employees have become more proactive in bringing these to the attention of our information security team."
Whetstone concurs. "Employee awareness programs are important to mitigate internal risk," he notes. "Investment in information security is probably the next most important step following assigning responsibility to an individual." He points to a 2013 Ponemon Institute survey which shows that more than 40% of small and medium-sized businesses don't have an adequate IT security budget. "It's no wonder they are breached more often than larger companies," he remarks.
Gerlach stresses the importance of leveraging an updated antivirus solution and ensuring that all software is adequately patched. "Additionally," he says, "agencies and brokerages should have a backup solution that is run at least once a day to protect their data and ensure it can be restored if needed."
He encourages agencies and brokerages to make sure that employees avoid downloading free software from unknown or pirated websites. "This can lead to hidden software downloads in the form of Trojan horse programs, which allow attackers to install software to compromise the computer," he says.
Gerlach also warns about the hazards of using peer-to-peer file-sharing software. "Not only can installing this software create the potential for data leakage-information leaving the company's possession without its consent-but it also leaves the computer exposed to the Internet at large," he explains. "It's like locking your car doors but leaving the windows down while parking on a city street. Eventually someone will crawl in."
He encourages agencies and brokerages to inventory all software in use. "This includes all operating systems and any third-party software your computers run," he says. "If software is no longer needed or supported by the manufacturer, we recommend that our customers remove this software to avoid possible attacks."
Additionally, he says, agencies and brokerages must develop a strategy to ensure regular software updates, particularly after vendors release a security patch, and run application-blocking software to eliminate accidental downloads of unwanted or malicious software.
Williams stresses the importance of monitoring potential threats. "When you see news articles related to significant vulnerabilities and have questions about how your vendors are responding and protecting your data, contact them to determine the potential risk," he advises. "When the Heartbleed situation unfolded in April, for example, we performed an internal investigation for vulnerability, determined that our SaaS offerings weren't affected, and shared that information with our customers."
"Be vigilant and consistent in educating your staff on security awareness," Williams advises. "Work to expand the number of individuals within the organization that are aware of potential cyber-related exposures. When leaders empower other members of the organization to watch for threats, staff members begin to take pride in identifying news articles and suspicious emails. This helps in reporting and escalating suspicious system responses."
Says Gerlach: "Protecting client information is critical to our business strategy and something we take seriously. We advise our customers to educate themselves on cyber-security strategies and include potential cyber-attacks when evaluating business risks. By properly protecting data against cyber-attacks, agencies and brokerages can remain proactive and vigilant against future threats."
Whetstone cites data from the Verizon 2013 Data Breach Investigations Report that shows small and medium-sized businesses suffer data breaches more often than larger firms. "The report states, and I agree, that the 'I'm too small to be a target' argument doesn't hold water," he says.
"Remain diligent," Whetstone adds. "Information security is a continuous process. Implement programs that constantly remind your employees about security best practices, just as you constantly update your security software. And be sure to keep all security up to date, so you are not the low-hanging fruit."
NO TIME LIKE THE PRESENT
Rising risk presents opportunities for agents and brokers
By Dave Willis
Cyber-related incidents are on the rise. So is recognition among business owners of the exposures they face. These factors provide opportunities-in fact, one could argue, an obligation-for agents and brokers to learn about the issues and offer protection for clients and prospects.
According to Oliver Brew, vice president, Professional Privacy & Technology Liability at Liberty International Underwriters, two main areas of network risk are on the rise. "The growth of complex malware and 'ransom-ware' is of particular concern," he explains. "Many standard network protection technologies aren't sophisticated enough to protect against this, and threats often are triggered by phishing attacks, meaning employees enable much of the malware."
Also, Brew notes, "The growth in mobile connectedness increases the potential of losing devices with personal information, as well as those devices being vulnerable to hacking attacks."
Leah Montgomery, assistant vice president and cyber security specialist, Chubb Group of Insurance Companies, concurs. "Both cyber terrorism and social engineering fraud should be on the radar screen for businesses of any size," she says. She describes cyber terrorism as disruptive computer acts intended to cause destruction or harm to achieve personal objectives. "These acts can result in the theft of an organization's own intellectual property, denial of service attacks or electronic extortion threats," she adds.
Social engineering fraud is the act of manipulating an employee so he or she gives up confidential information, money or securities, Montgomery notes. "The fraudsters generally pose as trusted vendors, suppliers, senior executives or customers, which makes the scheme hard to detect."
Toby Levy, vice president of technology insurance at The Hanover Insurance Group, sees vulnerabilities growing out of business relationships. "An outside vendor could potentially be the enabling cause of a breach," he explains. "This can have serious consequences if the business isn't properly insured. While more firms seek to protect themselves from outside sources, sometimes their greatest risks are permissive users inside their firewall."
Reza Khan, CPCU, executive vice president at Ryan Specialty Group's ThinkRisk Underwriting Agency, is seeing an uptick in claims on a number of fronts. "We're seeing an increase in the frequency of lost laptops and rogue employees," he comments. "There's also a greater frequency of 'cyber-lock' extortion claims. People are unknowingly picking up malware, which lets thieves take control of their laptops and servers, and then extort them for money."
Such events aren't limited to large firms. "Thieves are targeting small businesses, too," he notes. "The extortion amounts typically are less for small businesses, but they're still significant-often in the four- and five-digit range."
Jason Glasgow, CyberRisk product manager for Travelers Bond & Financial Products, says that these extortion events may unintentionally drive a data breach. "While extortion isn't new, when bad actors go in to install malware and disrupt a company, they can accidentally cause a data breach, because they gain access to personal information," he explains. "Their goal is disruption-to get money and go on their way-but the company has to deal with it as a data breach."
"Bring Your Own Device" policies, in which employees use their own mobile device for company business, while generally cost-effective, can cause problems. "These policies boost productivity and support better customer service, because employees can respond to client needs more quickly," Glasgow remarks. "But there are downfalls. Companies have much less control over how or where personal devices are used, and they lack the oversight that exists with in-office technology."
Adds Anthony Dagostino, vice president, ACE Professional Risk, "If an employee loses his or her personal mobile device, corporate information could be at risk. Some companies use encryption technology. Also, software exists that lets companies delineate corporate versus personal information, and protect it accordingly-even wiping data remotely."
Cloud computing poses risks, too. "Using the cloud can reduce costs," he notes, "and sometimes the security is better in the cloud. But there also are risks. A big issue is that contracts tend to be strict, and terms and conditions usually benefit the cloud provider. You also have a loss of control when data is being housed in the cloud."
Increased and changing regulation poses other challenges. "California, for example, recently changed its definition of personally identifiable information," Dagostino notes. "It always included account numbers, Social Security numbers and birth dates. Now it includes things like email addresses and passwords. This shift should be a concern for policyholders."
Other challenges exist. "In addition to criminal activity," says Glasgow, "we see the potential for increases in the number of state-sponsored incidents, as well as 'hacktivism,' where the goal of the cyber-attack is to make a statement."
Perhaps the biggest issue is the risk not yet fully understood. "The biggest thing we're really concerned with is what tomorrow will bring-the unknown," Dagostino remarks. "Technology is changing unbelievably fast. The bad actors are getting smarter and have more resources. Plus, you're seeing organized crime get more involved."
According to Glasgow, cyber-insurance policies vary based on a number of factors. "It could depend on a company's size and the industry in which it operates," he explains, "and how much data it has and what the company already does to secure the data."
Among the expenses a policy might cover, he says, are the cost of conducting forensic investigations and litigation expenses associated with breaches. "Coverages may also include regulatory defense expenses and any associated fines, and expenses associated with crisis management, business interruption, and cyber extortion," he notes.
As the market matures, policies are evolving. "We've seen some notable improvements to cyber risk products and services," Brew observes. "First, coverage is now available relating to the misuse of personal data, not just the breach or disclosure of that data. Second, risk management support services are more broadly available to help clients mitigate risks." This includes, for example, pre-claim assistance to help identify whether a threat or incident constitutes a data breach.
"We're seeing a change in the breach response services," Dagostino comments. "For example, our data breach team includes vendors we work with to provide services after a breach happens. Every breach is unique and each has its own challenges and facts. You need the right response to mitigate any third-party claim that might come in."
Montgomery has seen a number of changes in cyber policies. "One evolving coverage is contingent business interruption," she says. "This covers direct financial loss a company sustains due to fraudulent access or cyber-attack against a third-party service provider that leads to an impairment of their operations."
She's also witnessed an evolution in system failure protection. "This covers direct financial loss stemming from an unintentional and unplanned outage or failure that leads to an impairment or denial of operations," Montgomery notes.
Change sometimes drives confusion. "One problem is that coverage can differ materially from market to market," explains Khan. "Confusion also comes from different definitions and policy terminology. For instance, business interruption has gotten more 'buzz' in the cyber marketplace, but sometimes for the wrong reasons.
"We still get questions from brokers about how our business interruption coverage would respond following natural disaster or power outage," he explains. "Unfortunately, many brokers and their clients don't realize that cyber business interruption has different coverage 'triggers' than traditional property business interruption coverage."
He adds, "People sometimes think cyber business interruption will protect against anything that happens to their computers or networks that prevents them from accessing their data or systems-even events that are wholly unrelated to a system infection or penetration."
The addition of first-party crime coverage to cyber policies can lead to confusion, too. "This can be a real trap," Khan says, "because the crime peril covered under some cyber policies is limited. In those instances, businesses that rely solely on their cyber policy for crime exposures are in for a real surprise. They're not covering their true crime exposure, such as mysterious disappearance and employee dishonesty losses. Businesses need to buy stand-alone crime coverage to properly address those traditional exposures.
"Similarly, a lot of cyber markets don't offer full policy limit notification and credit monitoring coverage," Khan says. "Some just offer the full policy limit for third-party claims, which would protect businesses if they actually get sued after a breach. However, the real 'meat and potatoes' of today's cyber/privacy coverage are the first-party forensics, notification and credit monitoring. That's where the majority of the exposure has been for small to middle market businesses."
Another coverage deficiency in cyber products is policies with a reimbursement trigger. "This requires the insured to notify their carrier following a breach, but then requires the policyholder to pay for the loss 'out of pocket' and then submit a proof of loss in order to get reimbursed for the claim," he explains. "This could really be disastrous for businesses that buy these types of policies, as they may not be able to financially absorb the outlay of significant funds from their operating budgets."
Making the sale
Coverage isn't the only thing that's evolving. "We've seen a heightened awareness of the exposure, especially those presented by subcontractors and vendors," says Levy. This spells opportunity for agents.
"Early on we saw tech, financial and health care companies buying cyber insurance," Glasgow observes. "That continues, but in the last several years, more retail and manufacturing firms have been buying it. Now we're seeing small and middle market firms making the purchase, too."
There's good reason for that. "While many cyber crime headlines focus on attacks at large firms, the Ponemon Institute's '2014 Cost of Data Breach Study: United States' found that a company with fewer than 10,000 records is more likely to be hacked than one with more than 100,000 records," he notes. That can be a strong selling point with local businesses.
Glasgow also points to Symantec's "2013 Internet Security Threat Report", which documents a 42% year-over-year increase in the number of data breaches and cyber-attacks. Levy encourages agents to stress that all companies have this exposure, whether it's employee information or customer information or both.
"Also," Levy says, "remind clients and prospects that exposures extend well beyond just the exotic ones that make the news. More often, losses arise from the more mundane, everyday exposures like stolen laptops or a misplaced box of paper records."
Brew encourages agents and brokers to remind businesses that cyber risk isn't covered by typical insurance policies. "Also," he says, "it's a mistake to assume that only particular types of companies are exposed to cyber risk. We all rely on technology and are connected all the time, so the risks to personal information are high."
He adds that increased regulation and litigation mean that the consequences of a data breach are becoming more serious. "Dealing with the aftermath of a breach is very challenging without the support of experienced professionals," Brew explains. "That's where insurers can help; they have been through it before and can provide expert claims service to resolve the situation."
Levy suggests tapping carrier resources before a claim occurs. "We recommend that agents partner with carriers that provide superior risk management services, product and underwriting expertise that can help agents effectively serve and protect their customer base," he says.
Dagostino adds, "Use your carrier to arm you with data you need to help sell the coverage. We have experience and see activity across all industries, and we really push our trading partners to come to us for claims scenarios, statistics and education that will help them sell."
Cost is another issue that agents and brokers should address. "In our opinion, cyber coverage hasn't been more affordable than it is right now," Khan comments. "With so many unknowns, every business should at least take the step to obtain some coverage proposals and seriously consider getting the coverage soon."
Acknowledging that cyber is still for the most part a discretionary buy, Dagostino encourages agents and brokers to focus on the buy cycle. "What works well is talking to the business about the coverage this year, giving them a rough idea of what the premium will be, and even going through the application process," he says. "Hopefully, the client or prospect can budget for it in the next insurance cycle." A side benefit is that the application is a great tool for businesses to learn what needs to be done and identify where deficiencies exist.
"Don't just talk to IT people," Dagostino says. "Information security is important across all media. Only a quarter of the claim activity is driven by outside hackers. Get other parties involved, because it's really an enterprise-wide risk. It's lost or stolen laptops, rogue employees, human error and, again, it's not just cyber."
Montgomery points out that for many businesses an incident isn't a matter of "if" but "when." "If an organization stores, collects or transmits personal or proprietary information, it could fall victim to a data breach," she says. "The law requires companies to respond. Initial breach response can include costs associated with forensic investigations, legal advice, drafting/printing/mailing of notification letters, call center costs to field breach inquiries, debit/credit card reissuance costs, as well as credit monitoring/identity theft remediation or health care monitoring."
"All industries are vulnerable to a data breach or cyber-attack, including health care, education, financial services, nonprofits, professional services, manufacturing, hospitality and retail sectors," Glasgow says. Adds Khan, "Every business is at risk."
Dave Willis is a New Hampshire-based freelance insurance writer and regular Rough Notes magazine contributor.