Cyber insurance market sees steady growth as awareness increases

By Modestus Anaesoronye | Business Day

Cyber attacks were once again in the spotlight in 2017, with increasing frequency and severity, offering plentiful opportunities for growth of insurance, especially in small and medium-sized companies, according to A.M Best report.

The WannaCry and NotPetya ransomware attacks and the Equifax data breach received significant media attention and affected millions of people and businesses. The NotPetya attack in particular highlights the growing business interruption exposure associated with cyber risks. Also, in October 2017, Yahoo! updated its 2013 data breach tally from one billion to three billion of its accounts, potentially making this the most substantial, most extensive cyber breach ever recorded.

These events highlight the vital need for cyber insurance, but the market is bifurcated. On the one hand, national accounts and Fortune 500 companies seem to be embracing the need to partner with insurers and brokers as a way to counter cyber risks.

Financial institutions and healthcare companies are acutely aware of their cyber exposures and are increasing their coverage. Average policy limits are rising, with some of the largest companies’ coverage towers above the half-billion dollar mark.

On the other hand, the take-up rate for small to medium-sized enterprises (SMEs) remains in the low teens, presenting an area where insurers would like to see growth.

In 2017, cyber packaged policies in force increased 28 per cent, some of which was due to the addition of affirmative cyber coverage to packaged policies. This increase is significant, but this is still something of a fledgeling business, and an increase of this magnitude, while material, does minimal to close the protection gap. However, interest from SMEs does seem to be gaining traction, and capacity from insurers is ample.

In the short term, despite the inherent challenges in managing aggregations and pricing, we believe the cyber insurance market presents a favourable opportunity for insurers. Demand is expected to grow due to the accelerating adoption of technology and the increasing awareness of cyber risks, especially among SMEs. Given the abundant supply of capital and the cautious growth strategies of insurers, we expect the overall exposure of the property and casualty industry.

However, as insurers expand their cyber offerings, they will need to be prudent in establishing underwriting standards and limits, and exercise appropriate risk management and mitigation measures to ensure that these exposures remain aligned with the company’s risk tolerances and appetites.

The extent to which an insurer grows its cyber business should also lend to a broader understanding of this relatively new risk and a company’s ability to aggregate, monitor, and manage its exposure in various scenarios. Data quality is a crucial factor when insurers provide information to regulators, other stakeholders.

Overall, cyber insurance take-up remains low, as SMEs remain complacent about these risks, under two assumptions: that hackers target only more prominent businesses such as Target or Home Depot or that they already have coverage under another policy when they might not. However, this sentiment and tepid interest in cyber insurance among SMEs may be changing, in light of the near daily reminders of cyber-threats, attacks, and breaches feeding social media.

Pricing is another factor, as more business owners see the cost benefits and also realize their vulnerabilities due to their interconnectivity with vendors, suppliers, and customers.

A data breach is only one factor in cyber risk, however many SMEs may be underestimating business interruption risks, and the impact on smaller enterprises of business interruption could be much higher, as they may not be as resilient or diverse as national account clients.

Source: Business Day By Modestus Anaesoronye
Edited for ILSTV

Bank breaches highlight rise of cyber threats as new exploitation strategies emerge

Apparent attempts to extort two major Canadian banks highlight the increasing threat and variety of cyberattacks against major companies.

Attacks against BMO and CIBC-owned Simplii _ that compromised the information of up to a combined 90,000 Canadians _ made public Monday, appear to be the latest in a number of high-profile ransom attacks. The attacks have the banks in damage control mode, prompting them to assuage client concern about the safety of Canadian accounts.

CBC reported that it received a letter from someone who said they demanded a $1-million ransom from the targeted banks.

The banks would not confirm the CBC report Tuesday. BMO said only that a `”threat” was made, but it has a policy of not making payments to fraudsters, while Simplii was similarly cryptic, saying only that fraudsters may have electronically accessed some data, but that its practice is not to pay ransom demands.

Both banks said they both took additional security measures after learning of the potential breach and would be directly contacting customers whose accounts may have been compromised. Royal Bank, Scotiabank and Toronto-Dominion Bank have said they have no indication they have been affected.

The apparent extortion attempt against BMO and CIBC’s direct-banking brand Simplii comes after a string of other high-profile pay-for-data attempts.

Recent examples include a failed attempt at Uber to pay off hackers _ only for the company to later reveal that some 815,000 Canadians had their information compromised as part of a global attack, and the infamous cyberattack on cheating website Ashley Madison, which did not comply with hackers’ demands to close the website, resulting in the exposure of personal information of millions of users.

Smaller organizations are also falling victim to hacking payment scams, including the University of Calgary, which paid $20,000 to have its computer systems unlocked after a ransomware attack in 2016.

The risks are clearly on the rise, said cybersecurity expert Satyamoorthy Kabilan at the Conference Board of Canada.

“In terms of cyber incidents overall, whether it’s breaches, whether it’s these sorts of attacks, whether it’s standard ransomware, that’s skyrocketing.”

However, the incident involving BMO and Simplii varies from more standard efforts to either use the data itself to profit or to try and sell it to third parties _ which makes it harder for companies to set up defensive plans, said Kabilan.

“Understanding tactics actually gives us an advantage in terms of defending ourselves, but if those are constantly varying, it starts putting up a few more challenges.”

Companies, especially banks, need to keep improving security efforts but also plan for resiliency and being able to respond in the event of an attack, he said.

“Companies have to wake up to the fact that there is no such thing as 100 per cent security in the cyber world. It’s a question of when and how bad.”

BMO and Simplii did the right thing in being quick to assure customers that their money is safe and that they’re working diligently to improve security, said Barry Waite, chair of the communications department at Centennial College.

Both banks said they’d directly reach out to affected customers and are co-ordinating with officials to respond to the incident and protect clients.

Demonstrating the safety of banking services will become increasingly important as they roll out more digital products, said Waite.

“This is important for the whole banking industry, demonstrating that as they increase technology, they’re introducing new apps, that they have the best security in place.”

The whole banking sector is looking to improve digital security in light of such threats, Scotiabank CFO Sean McGuckin said on a media conference call discussing its quarterly results.

“There’s a very open dialogue amongst financial institutions around cyber threats. So we are all quite open and learning and sharing from each other.”

DUAL Canada, will specialise in creating simple insurance solutions for small and mid-sized Canadian markets.

Read more

Connected And Protected: Insuring Your Business Against Cyber Breaches

Article by Imran Ahmad

It was not long ago that a company’s cybersecurity plan was centred around the IT department, keeping internal networks protected and staying alert to malware and virus threats. Now, the risks have evolved: as companies have moved to more cloud computing solutions, Software as a Service providers and internet-enabled systems, they face more exposure to both internal and external risks. If your company has not identified your potential risks and implemented a comprehensive risk mitigation strategy that includes cyber insurance, you could be facing expensive consequences.

Who Connects to You?

Does your company use outside providers for software services, such as cloud computing, data analytics, HR or payroll software? How does a data breach or software failure at their end affect your business? Are you responsible to your clients or customers for a breach of someone else’s system? Review your vendor contracts for these services to ensure that you are indemnified for a breach of their security. There should also be clear language in the contract about how and when they must inform you of any breach so that you can take appropriate action to protect your business and your clients.

What Connects to You?

The Internet is no longer just about connecting computers to one another and hosting websites. The Internet of Things (IoT) is expanding rapidly, and there may be connected devices used in your day-to-day operations that you are not even aware of. Security systems, climate controls, driver tracking and other business tools use connectivity that makes them potentially vulnerable to cyber attacks. Some IoT devices have built-in security measures that protect privacy, while others may create risks for your company. Assessing these risks should be part of your overall cybersecurity strategy. Using “privacy by design” principles and conducting privacy impact assessments (PIAs) and threat risk assessments (TRAs) can help with your overall risk assessment and risk mitigation strategy.

How Can You Protect Your Business?

Cyber insurance is an important tool that can help to transfer some of the risks associated with cybersecurity. The types of costs that can be mitigated through cyber insurance include:

  • Legal fees: This includes running investigations, sending out notifications of a breach and working with regulators.
  • Investigations and recovery: Understanding what happened and how to quickly get back to normal operations can be a costly process.
  • Crisis management: You may need to engage public relations experts and crisis management consultants to manage the company’s reputation in the wake of a cyber breach.

Of course, insurers are always looking to minimize the chances that they will need to pay out on a policy. In order to keep your premiums as low as possible, it’s important to understand and reduce your risk level. Insurance firms may ask if you have reviewed your contracts with the providers of your IoT devices to guarantee that these devices have built-in security and confirm that you have included indemnity clauses. They will assess whether vulnerabilities in one IoT device will lead to vulnerabilities throughout your business and whether you have layers of technology or security in place to ensure that this cannot happen.

The insurers will use a questionnaire to make sure your risk profile is as low as possible so that you can get the best possible premiums. Have you implemented comprehensive pre-breach risk mitigation strategies that include board coaching, employee training, vendor contract management and cloud security? The more you can do to prevent a breach, the lower your cyber insurance premiums will be.

If you’re unsure where to begin, the cybersecurity team at Miller Thomson can help you to understand where your business may be exposed to cybersecurity risks and how to improve security and prevent breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Cyber Cross-Jurisdictional Risks And The Impact Of GDPR: Europe

Article by Henning Schaloske, Kathrin Feldmann and Amrei Zürn

Companies that become a target of a cyber-attack may face global impacts. Cyber-attacks often cause cross-border and thus cross-jurisdictional data breaches as, for example, data is often stolen or illegally published from a company’s subsidiary in a different country.

An issue in such events is that each jurisdiction has different requirements regarding the notification of authorities and the subjects of the data breach. Companies have to establish in how many countries a data breach occurred and if there are special notification requirements with respect to the data subject and the national authorities. Further, targets of cyber-attacks may face difficulties estimating the amount of fines and penalties and third party claims since the relevant provisions vary from one country to another. In addition, each jurisdiction imposes different requirements on risk management.

Within the European Union, these different approaches will be harmonised on 25 May 2018 when the General Data Protection Regulation (“GDPR”) comes into effect. As a regulation, the GDPR directly applies in each member state and does not need to be transposed into national law. The GDPR contains provisions regarding data breach notifications, data protection management systems, fines and penalties as well as third party claims. Even though these provisions are partially stricter than national regulations, the GDPR’s advantage is that companies, in general, only have to consider this data protection regulation instead of, potentially, 28 individual domestic data protection laws in all member states. However, with respect to non-EU member states, companies will still face various data protection provisions.

Cyber cross-jurisdictional risks not only occur in connection with data breaches. Internationally operating companies also face different regulations when it comes to general IT risk management and the prevention of cyber-attacks. In Germany, for example, pursuant to section 8a of the Act on the Federal Office for Information Security (“BSIG”), so called operators of critical infrastructure, such as energy, transportation or telecommunication companies as well as insurers, have to take organisational and technical measures to avoid errors of the availability, integrity, authenticity and confidentiality of their information technology systems, components and processes which are essential for the functionality of the operated critical infrastructures. Operators of such infrastructure have to prove that they are meeting these requirements to the German Federal Office for Information Security (“BSI”) every two years.

Since 3 November 2017, financial institutions have been obliged to meet special IT risk management requirements. The German Federal Financial Supervisory Authority (“BaFin”) published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, “BAIT”). The intention behind BAIT is to provide clarity for executive boards of banking institutions regarding the banking supervisors’ expectations with respect to a secure design of IT systems and the associated processes. These requirements form a core component of IT supervision in the banking sector in Germany. The financial institutions have to define a sustainable IT strategy outlining the institution’s objectives and measures to achieve these objectives. BAIT furthermore requires companies to put in place an information risk and information security management as well as a user access management. Similar regulatory requirements for insurance companies shall be published at the end of 2018.

Another significant cross-jurisdictional issue is the assessment of global litigation risks. It may be easier for a company to estimate its potential liability in a country like the United States where cyber cases have already been subject of legal proceedings than in other countries such as Germany where there is hardly any case law on cyber liability. What is more, companies cannot be certain whether or not cyber claims will be covered by a cyber policy. Since 2017, the German cyber market has grown significantly. However, German courts have not yet had to deal with cyber policies and it is difficult to predict how a German court would decide in a cyber coverage dispute. Thus, for insurers and their insureds alike, it is important to continuously improve legal certainty of the policy wordings as well as to understand, manage and allocate cyber risks appropriately between different types of cover, including, e.g., crime and general liability next to the cyber policies. Last but not least, in the international cyber breach scenario, the interplay of local and master policies brings along additional challenges, in particular in relation to non-admitted countries and the setup of well-functioning international insurance programmes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

Making a point: Aon says airlines, retailers need to criminal proof loyalty points

By David Paddon

THE CANADIAN PRESS

TORONTO _ A new report on cybersecurity trends says several industries will be on the defensive as criminals increasingly target gift cards, loyalty points and other non-cash transactions.

The 2018 Aon cybersecurity report said that airline, retailer and hospitality sectors will be under pressure to adopt more innovative ways to protect themselves and customers from points theft.

The theft of loyalty points creates a dilemma because it’s not yet clear how they’re covered by business insurance policies, Aon Canada’s Brian Rosenbaum said Tuesday.

“The question is: Who are they stealing from? And what are they stealing?” Rosenbaum said.

If the theft is considered a loss of something owned by the points provider, it might be covered by a fairly standard commercial crime policy.

However, if the theft is considered the loss of confidential information entrusted to the company by customers or business partners, it might be covered by a cybersecurity policy _ a newer but increasingly common insurance.

“And maybe it’s neither, depending on how the policies are worded,” Rosenbaum said.

The multinational advisory firm said in its 2018 cybersecurity report that many industries _ including those with points programs _ will be expected to prove they’ve taken every reasonable precaution to address the risk of breaches.

In Canada, that’s a very elusive standard because it’s not yet clear what needs to be done.

“Do you have to have IT continually patching your system? Do you have to have monitoring and auditing in a very significant way? … Do we need to have a bug bounty program?”

So-called bug bounties  a way to reward ethical hackers who find bugs so they can be exterminated have been used to good effect by tech companies.

Aon’s global report predicts that airlines, retailers and hospitality companies will also add bug bounties to their arsenal of cyber defences following the lead of tech companies and financial services providers.

Rosenbaum said Canadian companies have begun making inquiries but he doesn’t think bug bounties will become common in this country yet and for good reason:  “I think there’s bugs in the bug bounty program.”

One impediment, Rosenbaum said, is that many companies don’t want to publicize their vulnerabilities but one of the motivations for ethical hackers is getting recognition for their accomplishment.

“My sense of it is that there has to be a better understanding of what the individuals get and the companies have to be clear about what they’re prepared to give … in order for these to be viable working relationships.”

Page 1 of 41234

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from ILSTV

You have Successfully Subscribed!

Pin It on Pinterest