Sponsored Content by The Hartford

A Coordinated Defense to Cyber Risk

It’s time to start thinking about cyber risk in a coordinated, cohesive fashion.
May 1, 2017 • 6 min read

Cyber risk is an amorphous threat that demands a coordinated defense from companies, their insurance carriers, and security and privacy professionals.

The exposure is multifaceted, varies from business to business, and continues to evolve. In addition to purchasing cyber insurance, companies can bolster their defenses against this risk by conducting targeted risk assessments and implementing appropriate security controls — but the challenge lies in identifying which security programs and controls an organization needs most, and which vendors provide the best service.

All companies, but especially small- to medium-sized businesses with more limited resources, want to see improvement of their risk profiles translate into discounted insurance premiums.

However, lack of alignment between IT security vendors and underwriters can make that connection difficult to attain, minimizing the value of loss control services. Current underwriting processes typically don’t allow underwriters the opportunity to ask insureds many questions about their security and privacy improvements, and vendors often view insurance as a separate offering, if not an afterthought.

“Part of the challenge has been that you have two different industries — IT security and insurance — working in siloes to address a singular risk challenge. Naturally, security professionals think about risk and control mechanisms differently than insurance professionals, and speak different languages,” said Tom Kang, enterprise cyber underwriting & product lead at The Hartford.

“We believe aligning the solutions — between security and insurance — and providing the right incentives to our clients can make a real difference. A fully integrated solution, with discounts for the service and the insurance, can offer something compelling and help improve cyber risk for our clients.”

It’s time to start thinking about cyber risk in a coordinated, cohesive fashion.


Connecting Risk Control and Underwriting

“Because cyber risk was emerging so quickly, insureds were often on their own when it came to risk control, underwriters were evaluating an emerging risk and hoping they got it right, and then claims were their own animal,” said Tim Marlin, head of cyber underwriting at Hartford Financial Products.

“But now that the risk is more mature, our views need to mature as well. As we gather more claims data, the industry needs to implement a better, more coordinated strategy than the ad hoc approach that often prevails. Risk control, underwriting and claim response should be thought of as parts of a continuum.”

Insurers play a key role in driving best practices and can help clients align every part of their cyber risk strategy. By thinking through their risk holistically, insurers can help buyers identify their key exposures, establish internal risk mitigation, transfer the risk through cyber insurance, and respond to a breach.

“Insurers themselves have a marketwide view of the risk from underwriting and claims data and benchmarking,” Kang said. “They can help insureds understand whether they are doing the right thing when it comes to identifying and securing their critical assets, complying with a dizzying array of regulations in this space, and direct them to the right resources.”

Many insurers make recommendations on well-vetted service providers, but traditionally there has not been a high rate of engagement because insureds could not see how those services impact their cost of insurance.

“Most insureds and brokers want to see their investment in these services have some kind of impact on premium, and historically insurers have not had much of a response,” Marlin said. “Some provide value-added services packaged with the policy. But including those services doesn’t generally move the premium or risk mitigation needle in any material way for organizations, whether they are mid-sized or large.”

The Hartford goes a step beyond just finding the best vendors in the business. If clients use approved service providers and services, they can report it to The Hartford’s underwriters, who will factor the risk controls into calculations of the insurance premium.

“These are vendors we trust to help our clients get better at managing cyber risk,” Marlin said. “If they are strengthening their security, it feeds directly into our underwriting process and results in a premium incentive.”

By connecting the use of risk control services to insurance cost savings, The Hartford incentivizes clients to implement best practices in cyber risk mitigation and reduce their exposure to loss.


From Coverage to Breach Response

Carriers can also work more closely with brokers and insureds to help them determine what the most appropriate coverage is for their particular business. An organization’s size and function both influence what type of coverage is required.

Small and mid-sized companies with limited resources, for example, may be less inclined to purchase a mono-line cyber product than to embed coverage within a different policy, like General Liability or E&O — where cyber coverage originated.

“When you think about the risk holistically, you can more thoughtfully plan what risk you will retain, mitigate or transfer. Part of thinking about the risk holistically also includes developing a robust cyber incident response plan, and thinking carefully about recovery and necessary improvements,” Kang said.

Beyond the traditional response services that are often included in cyber insurance policies and the claims process, policyholders should think about remediating the privacy or security issue that led to the claim.

That’s why The Hartford offers a cyber security expense fund as an additional endorsement on its CyberChoice First Response℠ product. While the policy will help cover the costs of an incident response, the fund will help to cover the costs of remediation after the claim.

“Coverage typically stops at the claim. But we wanted to go a step further. Similar to pre-breach services, the fund can be used to strengthen those vulnerabilities that were targeted in the event,” Marlin said. “Perhaps more than pre-breach services, we believe engaging the insured after a claim is the best time to help them get better. They have had a loss and they understand very specifically what vulnerabilities they have and the impact of the exploit. No one else in the market offers a coverage like this.

“An insurance policy should help you get better. Not just on the front end before there’s a claim, but after a claim as well. We help clients get stronger through every part of the cyber risk management continuum.”

FOR PRODUCERS ONLY. CyberChoice First Response is offered on a SURPLUS LINES* basis. This material is not to be used for solicitation purposes. The Hartford has arranged for data risk management services for our policyholders at a discount from some third-party service providers. Such service providers are independent contractors and not agents of The Hartford. The Hartford does not warrant the performance of third-party service providers even if paid for as part of the policy coverage, and disclaims all liability with respect to use of or reliance on such third-party service providers.

*Eligibility for surplus insurance coverage is subject to state regulation and requires the use of a licensed surplus lines broker. Surplus lines insurance policies are generally not protected by state guaranty funds. Policies should be examined carefully for suitability and to identify all exclusions, limitations, and other terms and conditions. Surplus lines coverage is underwritten by Pacific Ins. Co. Ltd (except in CT and HI) and The Hartford Ins. Co. of Illinois in CT and HI. The Hartford® is The Hartford Financial Services Group, Inc. and its subsidiaries. Its headquarters is in Hartford, CT. All rights reserved.


This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with The Hartford. The editorial staff of Risk & Insurance had no role in its preparation.




The Hartford is a leader in property and casualty insurance, group benefits and mutual funds. With more than 200 years of expertise, The Hartford is widely recognized for its service excellence, sustainability practices, trust and integrity.

More from Risk & Insurance


Robotics Risk

Rise of the Cobots

Collaborative robots, known as cobots, are rapidly expanding in the workforce due to their versatility. But they bring with them liability concerns.
May 2, 2017 • 5 min read

When the Stanford Shopping Center in Palo Alto hired mobile collaborative robots to bolster security patrols, the goal was to improve costs and safety.

Once the autonomous robotic guards took up their beats — bedecked with alarms, motion sensors, live video streaming and forensics capabilities — no one imagined what would happen next.

For some reason, a cobot’s sensors didn’t pick up the movement of a toddler on the sidewalk who was trying to play with the 5-foot-tall, egg-shaped figure.

The 300-pound robot was programmed to stop for shoppers, but it knocked down the child and then ran over his feet while his parents helplessly watched.

Engaged to help, this cobot instead did harm, yet the use of cobots is growing rapidly.

Cobots are the fastest growing segment of the robotics industry, which is projected to hit $135.4 billion in 2019, according to tech research firm IDC.

“Robots are embedding themselves more and more into our lives every day,” said Morgan Kyte, a senior vice president at Marsh.

“Collaborative robots have taken the robotics industry by storm over the past several years,” said Bob Doyle, director of communications at the Robotic Industries Association (RIA).

When traditional robots joined the U.S. workforce in the 1960s, they were often assigned one specific task and put to work safely away from humans in a fenced area.

Today, they are rapidly being deployed in the automotive, plastics, electronics assembly, machine tooling and health care industries due to their ability to function in tandem with human co-workers.

More than 24,000 robots valued at $1.3 billion were ordered from North American companies last year, according to the RIA.

Cobots Rapidly Gain Popularity

Cobots are cheaper, more versatile and lighter, and often have a faster return on investment compared to traditional robots. Some cobots even employ artificial intelligence (AI) so they can adapt to their environment, learn new tasks and improve on their skills.


Their software is simple to program, so companies don’t need a computer programmer, called a robotic integrator, to come on site to tweak duties. Most employees can learn how to program them.

While the introduction of cobots into the workplace can bring great productivity gains, it also introduces risk mitigation challenges.

“Where does the problem lie when accidents happen and which insurance covers it?” asked attorney Garry Mathiason, co-chair of the robotics, AI and automation industry group at the law firm Littler Mendelson PC in San Francisco.

“Cobots are still machines and things can go awry in many ways,” Marsh’s Kyte said.

“The robot can fail. A subcomponent can fail. It can draw the wrong conclusions.”

If something goes amiss, exposure may fall to many different parties: the manufacturer of the cobot, the software developer and/or the purchaser of the cobot, to name a few.

Is it a product defect? Was it an issue in the base code or in the design? Was something done in the cobot’s training? Was it user error?


Is it a workers’ compensation case or a liability issue?

“If you get injured in the workplace, there’s no debate as to liability,” Mathiason said.

But if the employee attributes the injury to a poorly designed or programmed machine and sues the manufacturer of the equipment, that’s not limited by workers’ comp, he added.


In the case of a worker killed by a cobot in Grand Rapids, Mich., in 2015, the worker’s spouse filed suit against five of the companies responsible for manufacturing the machine.

“It’s going to be unique each time,” Kyte said.

“The issue that keeps me awake at night is that people are so impressed with what a cobot can do, and so they ask it to do a task that it wasn’t meant to perform,” Mathiason said.

Privacy is another consideration.

If the cobot records what is happening around it, takes pictures of its environment and the people in it, an employee or customer might claim a privacy violation.

A public sign disclosing the cobot’s ability to record video or take pictures may be a simple solution. And yet, it is often overlooked, Mathiason said.

Growing Pains in the Industry

There are going to be growing pains as the industry blossoms in advance of any legal and regulatory systems, Mathiason said.

He suggests companies take several mitigation steps before introducing cobots to the workplace.

First, conduct a safety audit that specifically covers robotics. Make sure to properly investigate the use of the technology and consider all options. Run a pilot program to test it out.

Most importantly, he said, assign someone in the organization to get up to speed on the technology and then continuously follow it for updates and new uses.

The Robotic Industries Association has been working with the government to set up safety standards. One employee can join a cobot member association to receive the latest information on regulations.

“I think there’s a lot of confusion about this technology and people see so many things that could go wrong,” Mathiason said.

“But if you handle it properly with the safety audit, the robotics audit, and pay attention to what the standards are, it’s going to be the opposite; there will be fewer problems.

“And you might even see in your experience rating that you are going to [get] a better price to the policy,” he added.

Without forethought, coverage may slip through the cracks. General liability, E&O, business interruption, personal injury, cyber and privacy claims can all be involved.

AIG’s Lexington Insurance introduced an insurance product in 2015 to address the gray areas cobots and robots create. The coverage brings together general and products liability, robotics errors and omissions, and risk management services, all three of which are tailored for the robotics industry. Minimum premium is $25,000.

Insurers are using lessons learned from the creation of cyber liability policies and are applying them to robotics coverage, Kyte said.

“The robotics industry has been very safe for the last 30 years,” RIA’s Doyle said. “It really does have a good track record and we want that to continue.”

Juliann Walsh is a staff writer at Risk & Insurance. She can be reached at [email protected]