market feature



ILLUSTRATION BY PATRICK FARICY


| JANUARY 2018 | NATIONAL UNDERWRITER

PROPERTYCASUALTY360.COM

[Headline and deck scrambled in extraction; legible phrases: “Cyber Liability,” “equal parts promise and peril,” “continues to evolve,” “gaps,” “threats,” “coverage,” “an insured’s entire risk portfolio,” “must be assessed.”]

BY SHAWN MOYNIHAN

When it comes to cyber threats and how they continue to evolve, Adam Cottini, managing director of Gallagher’s Cyber Liability practice, offers a chilling assessment: “You have the known, and the massive unknown.”

The potential damages are at once serious and extensive: Physical loss. Financial loss, in myriad forms. Reputational loss. All of these perils are woven into a threat from which no insured is truly safe, regardless of their size or the industry in which they operate. As the digital frontier expands, every single client, to a greater or lesser degree, is exposed.

Acknowledging the intersection of Cyber Liability, Business Interruption and Property policies is particularly important when determining how clients may — or may not — be covered for a cyber-related loss, and just which policy is triggered depending upon how the incident occurred. As Laura Rieben, director of privacy for Independence Blue Cross’ internal audit division, stated during a panel at ALM’s CyberSecure conference in New York City last month, “The devil’s in the sublimits.”

Steve Anderson, vice president and product executive in Privacy & Network Security at QBE North America, points out that 2017 saw seven of the top 20 all-time largest breaches in terms of the number of records exposed worldwide. He notes that many Cyber Liability forms now have property elements that weren’t there a year ago; insureds are now asking for carriers to specifically include protections for commercial property in their Cyber policies. Similarly, he adds, Property policies in many cases used to contain exclusions for digital threats; that’s no longer the case.

Coverage for Cyber-based physical damage can be added as an endorsement to a Property policy, but depending on the extent of the client’s needs, more comprehensive limits might be available through a well-crafted standalone Cyber policy. Otherwise, the client — and the insurer — would be relying on what’s referred to as “silent” cyber coverage (in which such losses are not explicitly excluded as part of a Property policy, for example), as opposed to affirmative, distinctly stated protections.

As is often the case with Cyber coverage, one size does not fit all. It’s become incumbent on brokers to assure clients that all cyber-related potential losses are either covered by a specially tailored Cyber policy, or not specifically excluded in their other suite of policies — and even in the case of the latter, that the sublimits are adequate.

“Concurrent causes of loss may exist, but the direct cause is what triggers the policy,” notes Shiraz Saeed, Starr Companies’ practice leader, Cyber Risk. “You need to look at the wording.”

WHERE PROPERTY MEETS CYBERSPACE

While perhaps not immediately apparent to some, the cyber-based threat to physical assets cannot be underestimated. Consider pharmaceutical giant Merck, which was dealt a serious blow by the Petya/NotPetya malware cyber attack in June 2017. (NotPetya was a virus that spread across computer networks and encrypted hard drives so that machines could not run.) With its computer networks frozen, the drug manufacturer was unable to produce vaccines and medications in normal volumes while its production facilities were affected, and its delivery and distribution, back-office, research and sales operations also took a hit.

When reporting its third-quarter financial results, Merck said its sales were down by $240 million after it had to borrow that amount of stores of its star HPV vaccine, Gardasil, from the Center for Disease Control’s stockpile just to fulfill orders. Merck reported an additional $135 million in lost sales that it claims related to the attack. The result? An estimated $275 million hit for its insurers — and that’s just for the insured portion of Merck’s larger loss. “Merck has not yet fully quantified its losses, much less given any of its insurers an estimate of the total amount of those losses,” Merck spokeswoman Claire Gillespie said in a statement in October.

Yet a client doesn’t have to be a major drug company to suffer a crippling physical loss; the remote manipulation of a sprinkler system, for example, could destroy a manufacturer’s inventory. Temperature controls could be compromised and set high enough to ruin the entire in-house stock of a food company. A rogue nation could hack into a utility company and shut down electricity or cause a power surge that fries a transmission line, or open up a dam and put a community under water.

Although there haven’t been a great number of such cases reported in the U.S. yet, Cottini says that engenders a sense of complacency: “We’re sitting on a precipice of the next concern. We need to align policies to make sure the client is covered.”

The insured’s General Liability or Property coverage might not respond in such cases. Some in the industry thought Property underwriters would add appropriate limits to meet cyber threats, but the aforementioned major ransomware events have made them seriously reconsider, says Cottini: “Now, the Property market is looking at whether they want to provide current limits with regard to cyber, tailor it back, or not offer it at all.”

“The Property market has a major problem in that it carries a silent cyber exposure,” says Michael Palotay, chief underwriting officer for NAS Insurance Services in Encino, Calif. Clients, he notes, are “very concerned about what their potential loss is in the event of a [cyber] attack that causes property damage.” Currently, insurers can offer property damage in the event of an attack, and “the cyber market is better equipped to manage the aggregates of that exposure,” Palotay explains. He’s concerned, however, that there hasn’t been a major event to make the threat of property damage “real” to insureds.

“There hasn’t been a lot of cyber aggregation until recently,” Palotay notes, referencing Petya and the worldwide May 2017 WannaCry ransomware attack. “Those events added fuel to the fire about how we’re going to manage aggregated risks.”

What Cyber coverages are NEW and RENEWAL buyers most interested in purchasing?

PartnerRe and Advisen surveyed 270 brokers/agents and 125 underwriters who are directly involved in Cyber insurance business. Interestingly, respondents said requests for cyber-related bodily injury/property damage were relatively low.

[Bar chart, 0% to 70% scale. Categories: Data breach; Cyber-related BI; Cyber extortion; Funds transfer fraud/social engineering; Cyber-related dependent BI; System failure coverage; Regulatory fines/penalties; Data restoration; Internet media liability; Cyber-related bodily injury and/or property damage; Other.]

SOURCE: Advisen 2017 Survey of Cyber Insurance Market Trends

IF CYBERSECURITY IS ‘BROKEN,’ IS COALITION THE FIX?

“We’re in the middle of an industrial paradigm shift,” says Joshua Motta, CEO and co-founder of Coalition — a brand-new cybersecurity firm/insurer that launched Dec. 5. “Given the competitive benefits, it’s unthinkable for a business not to digitize everything. However, this puts them in a precarious position. Now they’ve got troves of data to protect and myriad new risks they must defend against.”

Still, technological solutions are available to mitigate such risks, are they not? Motta says … not entirely. “Cybersecurity is broken,” he says. But what does that mean? Digital threats, Motta explains, are so pervasive that technology can be an “illusory solution” in the sense that no amount of technology will save an organization from a perpetrator bent on compromising its security. That thinking, he notes, has to change, particularly from an insurance standpoint, for a perpetrator need only be right once. Cyber risk, he says, is “not a technology problem; it’s a risk management problem. There’s a human being at work, a criminal, who’s the perpetrator. We wanted to rethink how we solve that risk.”

And Motta’s company is looking to put its risk selection where its mouth is. Backed by Swiss Re Corporate Solutions and Argo Group, Coalition possesses a deep bench of expertise: Motta was instrumental in the founding and growth of Cloudflare, a privately held $2B security company where he was the CXO and Head of Special Projects; he’s worked for the CIA, Honeywell, Sprint and Microsoft, the latter of which he went to work for at age 14. Coalition co-founder John Hering is the founder and executive chairman of Lookout, a Silicon Valley-based global leader in cybersecurity technology that’s been recognized as a Technology Pioneer by the World Economic Forum and serves over 75 million users globally.

But here’s the key differentiator. Coalition possesses a power that could make other cyber writers green with envy: the ability for brokers to quote a Cyber policy and have it bound in minutes. After the broker submits the application, Coalition checks the client’s cyber exposures and vulnerabilities, running the prospect through an application programming interface (API) against a variety of online databases to gather data “in the background” on the potential insured’s e-mail systems, prior breaches and other vital information, checking them against vulnerability databases to see just how severe their risk profile is: Have any documents been lost by this company? Is their information being traded? Those algorithms determine what a hacker would see, what cybersecurity controls a company has in place, and ultimately the expected probable loss.

“We believe you have to take a novel approach — underwrite it like an adversary would view that company,” says Motta. Coalition provides a suite of cybersecurity products for small to midsize businesses (SMBs) and comprehensive cyber and technology E&O insurance of up to $10 million in coverage. One of the challenges in selling to this sector, Motta says, is that “small to medium-sized businesses don’t know what to ask for. There are not a lot of policies that are both comprehensive and modular, where you can pick what you want.”

Clients, Motta added, need to be able to select the coverage they want and need; he joked about how Cyber insurance needs to move away from what he called the “Henry Ford approach,” where you could have any color you want, as long as it’s black. “You have to let people break away from that,” he said. “You have to let people select their own limits. You have to let people choose the coverage they need.”

BUSINESS INTERRUPTION AHEAD

Shiraz Saeed, Practice Leader, Cyber Risk for Starr Companies, says that when most people hear the phrase “cyber attack,” they think of thieves trying to steal information. But cyber events go far beyond that, and more often than not they mean a hard stop for an organization’s business. “People think it’s about data,” he says, and the business-interruption aspect can get short shrift — yet the BI part is the most critical to small to midsize businesses, which can’t afford to have their operations shut down for a week. Attention to the risks posed by ransomware becomes critical for these types of clients.

Greg Vernaci, head of Cyber, U.S. & Canada, for AIG, says ransomware attacks (in which one’s systems are held for ransom by a perpetrator) have been trending steadily in the last year or two. This includes cyber extortion, which from a claims-handling standpoint often gets tangled up with business interruption, he says, because the insured can’t access their assets and can suffer a business-income loss. “No industry is immune to it.”

What many insureds — and brokers — may not immediately know is that unless your business is interrupted for at least 10-12 hours, you might not have a claim; that threshold of time is different for different insurers, but in some cases cyber losses covered under a Property policy can’t be triggered until 24 hours’ worth of interruption. (Again, analyzing one’s terms here becomes critical if you’re a policyholder.)

Matt Prevost, senior vice president of Financial Lines at Chubb, agrees that small business is and should be focused on business interruption, versus data breach exposure. Regardless of industry, he says, all have recognized the importance of security — and that creates positive momentum around clients wanting to make themselves better risks. “Those conversations are happening all over, which is a good sign,” he adds.

“Those small business owners understand that to spend $5K to $10K on a $1 million policy is a smart move for them,” says Anderson. “That’s the space that has the largest potential for growth, and carriers are starting to give them applications that aren’t 20 pages long.” In terms of the risk-management services offered, he adds, “it’s a no-brainer.”

Vernaci adds, “Just because you’re small doesn’t mean that you’re not going to be targeted. You are.”

“THINK ABOUT HACKING & WHERE IT CAN GO — LET YOUR IMAGINATION RUN WILD. BECAUSE IT’S ALL POSSIBLE.” — Shiraz Saeed, Practice Leader, Cyber Risk for Starr Companies

SOCIAL ENGINEERING COMES OF AGE

Meanwhile, social engineering or “phishing” attacks continue to grow not just in number but also in polish. Palotay notes how perpetrators will now not simply hack into a company’s e-mail system and try to convince a subordinate to wire money to their boss, for example, but rather, first monitor that boss’ e-mails to better copy their writing style in order to make the eventual request far more believable. When in doubt, experts say, if it looks fishy, it’s probably phishing.

“Information is the new gold at all types of companies, and employees need to understand what that means,” says Christina Terplan, a partner at Clyde & Co. who practices in the areas of technology, intellectual property and privacy law, representing insurers in issues ranging from coverage evaluations and disputes to litigation management.

Terplan says she’s seeing a huge uptick in social engineering fraud and an increase in the level of sophistication in those attacks: “It’s scary now, how much they know about their targets.” Law firms can be penetrated, their settlement funds wired to a different entity. In real estate transactions, one of the parties involved in the deal’s closing can be compromised and the money disappears.

“The best way to avoid litigation is to make sure you don’t have an incident, which boils down to practices and procedures,” says Terplan. In many cases, she adds, someone who ends up being negligent in unwittingly aiding a phishing scam could have saved a lot of heartache by simply calling the person requesting a funds transfer to verify the request. “In those cases,” she says, “old-fashioned modes of verification work the best.”

Palotay says that many hackers have moved from trying to steal private information to cyber extortion for two reasons: The payoffs are bigger, and the price of personal payment information has gone down on the black market with the advent of chip technology and more sophisticated encryption. Credit card information now has a shorter shelf life than in recent years.

Previously, social engineering losses were in some cases considered a crime loss; now it could be a financial loss, depending on the insurer’s terms & conditions. Again, carriers are looking to make sure these gaps are being covered, or at least explicitly excluded. In any case, Vernaci says in the event of a loss, policyholders should not wait to notify their carriers: “These types of incidents don’t age well, and it’s better to address them right away.”

“The fact that social engineering losses are common doesn’t change the level of damage that can be done,” Palotay adds. “If you’re looking down the barrel of a million-dollar loss when you’ve got only $5 million in total revenues, you’re really going to have a problem.”

What are the biggest obstacles to writing/selling this coverage?

In PartnerRe/Advisen’s survey of 270 brokers/agents and 125 underwriters who are directly involved in Cyber insurance business, news of cyber-related losses by others was the largest factor in product sales.

[Bar chart, 0% to 90% scale. Categories: Not understanding exposures; Not understanding coverage; Cost; Different policy forms/coverages in market; Application process; Scope of coverage; Lack of value added products/services; Capacity constraints in market.]

SOURCE: Advisen 2017 Survey of Cyber Insurance Market Trends

Cyberattacks by industry, 2010-2016

Finance and insurance: 17%
Healthcare and social assistance: 16%
Professional, scientific and technical services: 12%
Other: 54%

Data as of August 1, 2017

SOURCE: Insurance Information Institute

ADVICE FOR BROKERS

“The broker with a team to actually dissect forms and not just beat someone else on price is the type that insurers want to work with,” says Saeed at Starr. Delving into the details of forms that can become highly complicated is a must for brokers wanting to do business in this sector.

“One of the difficulties we have in our space is that the policies can be very confusing,” says Anderson. “With Cyber, we can have anywhere from two to 21 insuring agreements, broken down to first- and third-party liability risks.” It helps, he says, that insurers now do a much better job of offering risk management services on the front end — assessments, tools and other assistance to make sure guideposts are in place prior to a breach. The entire approach has become less reactionary and more proactive.

Midsize businesses in particular can be sold on the value of pre-incident services and education, such as employee-awareness training for no additional cost. Those services help to drive the sales conversation and articulate the insurer’s value proposition.

“Something as straightforward as a password manager is still foreign to [small businesses],” says Prevost. “Culturally, we do need to take this very seriously, but there are people out there still using ‘PASSWORD’ for their password. What are the best-in-class controls, and what mistakes have been made that we can learn from?” He adds that brokers need to focus more on the impact of cyber risk across the client’s entire portfolio — how it crosses other coverage areas — “instead of focusing on one policy in their relationship.”

AIG’s Vernaci says that for new clients, “it needs to be an open-ended question. What does the client consider their greatest risk? Ask them what they believe their key exposure is. How do the client’s existing P&C policies respond to it? Are they silent, or affirmative?” From there, he adds, a standalone Cyber policy can be thoughtfully crafted.

In terms of who’s driving the buy for Cyber coverage, Anderson says that pattern has shifted. Three to five years ago, he explains, “it was a trickle-up from the broker to the risk manager to the CFO to the CEO, then to the board. Now, that’s reversed. Now, the board is asking companies how well they’re protected.” Vernaci also sees an increasing trend for the C Suite to be involved.

When making the case for cyber protections to an organization’s top management, brokers can stress the availability of pre-incident services, which offer the client “far more value than just a risk-transfer solution.” Cottini says that ultimately, it’s a question of how much revenue the client is willing to risk losing in a cyber incident versus what they think they could or should pay.

At the end of the day, “recognize your client’s risk and understand their exposures,” adds Saeed. “Think about hacking and where it can go — let your imagination run wild. Because it’s all possible.”