2222222222

Sponsored Content by Nationwide

Cyber Risk Is Evolving. How Will Coverage Keep Pace?

As the cyber risk evolution continues, coverage gaps will only grow without innovative solutions.
By: | May 2, 2018 • 6 min read

Cyber risk is never the same two days in a row.

Interconnected technology, sophisticated hackers and the speed of new attacks make cyber security an ongoing and exhausting challenge. The various types of breaches — denial of service, ransomware, social engineering and outright theft of private data, among others — infiltrate systems in different ways and make it difficult for risk managers to determine whether or where they have coverage.

Traditional cyber policies primarily cover network security and privacy breaches. After a handful of high-profile security incidences, many companies have grown familiar with the consequences of such a breach, including notification, forensic investigation, credit monitoring and system security enhancement expenses.

“Cyber risk is evolving so quickly that it’s difficult to adjust and build new solutions to keep pace,” said Tim Nunziata, director and division head of Commercial E&O/Cyber, Management Liability and Specialty at Nationwide. “We are often still resolving issues from a previous attack, implementing security patches and shoring up vulnerabilities, while bad actors are already on to something new. As cyber threats take on new forms, companies may find themselves bearing related expenses not covered under any of their insurance policies.”

Addressing coverage gaps will take a concerted effort to improve network defenses, broaden cyber policies and better align them with other products.

“We are now seeing a more organized approach to cyber risk to address all potential causes of system failure,” Nunziata said.

Evolving Risks Create Coverage Gaps

Tim Nunziata, Director and Division Head of Commercial E&O/Cyber, Management Liability and Specialty

Exposures now include other forms of technology failure that could incur business interruption and property losses not typically covered by stand-alone cyber policies. Overlap with other policies or the presence of “silent” cyber coverage (non-traditional sources of cyber exposure coverage found in property and liability insurance policies by virtue of policy wording not implicitly including or excluding cyber risks) may yield some indemnification, but gaps and gray areas abound.

System failure can come in many forms and result in varied consequences depending on the type of business. Global attacks like WannaCry and NotPetya may grab headlines, but a far more common — and commonly overlooked — cyber threat is accidental system failure triggered by a negligent employee.

“I’m talking about the worker who trips over a cord in the hallway, accidentally unplugs something, or pushes the wrong button and inadvertently shuts the whole network down,” Nunziata said. “If the problem is not identified and resolved quickly, there will be a business interruption impact and it could affect the business of third parties as well.”

A typical cyber policy may respond if the incident potentially exposes confidential information, but it may not pick up extra expenses associated with business interruption. An E&O policy, however, could potentially respond if it includes coverage for employee negligence.

Similar overlaps occur between cyber and crime policies in the case of social engineering scams, which involve no network breach but amount to a theft via network channels.

“If there has been no unauthorized access to your system and an employee is tricked into willingly transferring funds, that may not be a cyber claim,” Nunziata said. “But a crime or a professional liability policy could come into play.”

Interplay between cyber and physical property exposures presents similar challenges.

“If a refrigerated truck is carrying a load of produce and someone hacks into the main system and raises the temperature in the truck by five degrees, causing everything to spoil, is that a property claim or a cyber claim?” Nunziata said. “There are many areas where overlap with other exposures creates risks that are not covered by a standard cyber policy.”

As the risk continues to evolve, coverage gaps will only grow without innovative solutions. Two coverage strategies are emerging as options to bridge those gaps.

Extending Coverage Up and Out to Fill the Gaps

Broadening language in existing cyber policies can bring business interruption and other expenses related to system failure — regardless of the cause — under the umbrella of affirmative cyber insurance. In other words, the focus is on building up the cyber vertical, rather than spreading it outward.

“Existing cyber products can be extended or amended to include those E&O exposures, broader system failure, business interruption, contingent business interruption,” Nunziata said. “These will become standard extensions on many network security and privacy policies over the next few years.”

But as cyber risk seeps into every facet of a business’s operations and overlaps with more traditional property/casualty exposures, the most robust defense may be tacking affirmative cyber coverage onto those traditional policies.

“Cyber coverage is its own vertical, but the market is starting to realize that coverage can also potentially run horizontally throughout,” Nunziata said. “In the past we were trying to find answers within the cyber policy, but I think the answer is going to be pushing cyber extensions into other property/casualty coverages. That presents the best way to underwrite specifically to the wide varying types of cyber risks, charge appropriate premium and clarify language, so there are better opportunities to seal gaps and eliminate overlaps.”

Cyber endorsements and insuring agreements could introduce affirmative cyber coverage to professional liability, property, crime and even personal lines policies. This would go a long way towards reducing the guesswork around the root cause of a system failure and how to classify the resulting losses for coverage purposes.

Those other products, however, have the benefit of multi-decade claims histories and court precedents that have helped to standardize language, or at least create precedent regarding, contract interpretation.

This is where the enforcement of new data protection and network security standards may help.

New rules, including Europe’s General Data Protection Regulation (“GDPR”) and the New York Department of Financial Services’ cybersecurity regulations, represent a first step toward a more holistic approach to combatting cyber risk, as they will aid organizations and insurers in gathering information around cyber incidents consistently and on a broader scale. They will also raise risk management standards and hold companies accountable for protecting their networks and data.

“These regulations will require clients to be prepared, and the first step of preparation is gathering information. The more information we can collect, the better products we can build,” Nunziata said.

A Long-Term Approach Built to Evolve with the Risk

No matter how ironclad a company’s network defenses may be and no matter how well-versed they are in breach response, the ever-evolving nature of the risk means a debilitating cyber incident is not a question of if, but when. Even the best risk management cannot supply clear, comprehensive coverage.

“Despite this fact, overcoming a cyber breach is possible,” said Nunziata. “There are solutions, and we work with clients to craft what they need.”

“Our cyber underwriters are partnering with other divisions within Nationwide to push affirmative coverage out to more traditional commercial policies, leveraging our multiline expertise across products. We’re looking to build out existing products through innovative structures, endorsements and new insuring agreements.”

A strategy of gradual and consistent growth within the cyber market has enabled the carrier to closely track and respond to evolving exposure thoughtfully, without rapidly raising rates or tightening terms and conditions.

“We’re going to dictate our strategy around the problem. We’ve seen markets come and go over the last five or six years, but our approach has not changed. It’s expanded and grown, but it’s been consistent,” Nunziata said.

To learn about Nationwide’s Cyber and Professional Liability services visit https://mls.nationwideexcessandsurplus.com/fs/products/cyber-and-professional-liability/ or contact Tim Nunziata, director, at 212-329-6915 or [email protected].

Speak with your agent about specific policy details and coverages. Consult your policy’s terms and conditions for specific coverage information.

 SponsoredContent

BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.




Nationwide, a Fortune 100 company, is one of the largest and strongest diversified insurance and financial services organizations in the U.S. and is rated A+ by both A.M. Best and Standard & Poor’s.

Risk Report: Manufacturing

More Robots Enter Into Manufacturing Industry

With more jobs utilizing technology advancements, manufacturing turns to cobots to help ease talent gaps.
By: | May 1, 2018 • 6 min read

The U.S. manufacturing industry is at a crossroads.

Faced with a shortfall of as many as two million workers between now and 2025, the sector needs to either reinvent itself by making it a more attractive career choice for college and high school graduates or face extinction. It also needs to shed its image as a dull, unfashionable place to work, where employees are stuck in dead-end repetitive jobs.

Advertisement




Added to that are the multiple risks caused by the increasing use of automation, sensors and collaborative robots (cobots) in the manufacturing process, including product defects and worker injuries. That’s not to mention the increased exposure to cyber attacks as manufacturers and their facilities become more globally interconnected through the use of smart technology.

If the industry wishes to continue to move forward at its current rapid pace, then manufacturers need to work with schools, governments and the community to provide educational outreach and apprenticeship programs. They must change the perception of the industry and attract new talent. They also need to understand and to mitigate the risks presented by the increased use of technology in the manufacturing process.

“Loss of knowledge due to movement of experienced workers, negative perception of the manufacturing industry and shortages of STEM (science, technology, engineering and math) and skilled production workers are driving the talent gap,” said Ben Dollar, principal, Deloitte Consulting.

“The risks associated with this are broad and span the entire value chain — [including]  limitations to innovation, product development, meeting production goals, developing suppliers, meeting customer demand and quality.”

The Talent Gap

Manufacturing companies are rapidly expanding. With too few skilled workers coming in to fill newly created positions, the talent gap is widening. That has been exacerbated by the gradual drain of knowledge and expertise as baby boomers retire and a decline in technical education programs in public high schools.

Ben Dollar, principal, Deloitte Consulting

“Most of the millennials want to work for an Amazon, Google or Yahoo, because they seem like fun places to work and there’s a real sense of community involvement,” said Dan Holden, manager of corporate risk and insurance, Daimler Trucks North America. “In contrast, the manufacturing industry represents the ‘old school’ where your father and grandfather used to work.

“But nothing could be further from the truth: We offer almost limitless opportunities in engineering and IT, working in fields such as electric cars and autonomous driving.”

To dispel this myth, Holden said Daimler’s Educational Outreach Program assists qualified organizations that support public high school educational programs in STEM, CTE (career technical education) and skilled trades’ career development.

It also runs weeklong technology schools in its manufacturing facilities to encourage students to consider manufacturing as a vocation, he said.

“It’s all essentially a way of introducing ourselves to the younger generation and to present them with an alternative and rewarding career choice,” he said. “It also gives us the opportunity to get across the message that just because we make heavy duty equipment doesn’t mean we can’t be a fun and educational place to work.”

Rise of the Cobot

Automation undoubtedly helps manufacturers increase output and improve efficiency by streamlining production lines. But it’s fraught with its own set of risks, including technical failure, a compromised manufacturing process or worse — shutting down entire assembly lines.

Advertisement




More technologically advanced machines also require more skilled workers to operate and maintain them. Their absence can in turn hinder the development of new manufacturing products and processes.

Christina Villena, vice president of risk solutions, The Hanover Insurance Group, said the main risk of using cobots is bodily injury to their human coworkers. These cobots are robots that share a physical workspace and interact with humans. To overcome the problem of potential injury, Villena said, cobots are placed in safety cages or use force-limited technology to prevent hazardous contact.

“With advancements in technology, such as the Cloud, there are going to be a host of cyber and other risks associated with them.” — David Carlson, U.S. manufacturing and automobile practice leader, Marsh

“Technology must be in place to prevent cobots from exerting excessive force against a human or exposing them to hazardous tools or chemicals,” she said. “Traditional robots operate within a safety cage to prevent dangerous contact. Failure or absence of these guards has led to injuries and even fatalities.”

The increasing use of interconnected devices and the Cloud to control and collect data from industrial control systems can also leave manufacturers exposed to hacking, said David Carlson, Marsh’s U.S. manufacturing and automobile practice leader. Given the relatively new nature of cyber as a risk, however, he said coverage is still a gray area that must be assessed further.

“With advancements in technology, such as the Cloud, there are going to be a host of cyber and other risks associated with them,” he said. “Therefore, companies need to think beyond the traditional risks, such as workers’ compensation and product liability.”

Another threat, said Bill Spiers, vice president, risk control consulting practice leader, Lockton Companies, is any malfunction of the software used to operate cobots. Then there is the machine not being able to cope with the increased workload when production is ramped up, he said.

“If your software goes wrong, it can stop the machine working or indeed the whole manufacturing process,” he said. “[Or] you might have a worker who is paid by how much they can produce in an hour who decides to turn up the dial, causing the machine to go into overdrive and malfunction.”

Potential Solutions

Spiers said risk managers need to produce a heatmap of their potential exposures in the workplace attached to the use of cobots in the manufacturing process, including safety and business interruption. This can also extend to cyber liability, he said.

“You need to understand the risk, if it’s controllable and, indeed, if it’s insurable,” he said. “By carrying out a full risk assessment, you can determine all of the relevant issues and prioritize them accordingly.”

By using collective learning to understand these issues, Joseph Mayo, president, JW Mayo Consulting, said companies can improve their safety and manufacturing processes.

“Companies need to work collaboratively as an industry to understand this new technology and the problems associated with it.” — Joseph Mayo, president, JW Mayo Consulting

“Companies need to work collaboratively as an industry to understand this new technology and the problems associated with it,” Mayo said. “They can also use detective controls to anticipate these issues and react accordingly by ensuring they have the appropriate controls and coverage in place to deal with them.”

Advertisement




Manufacturing risks today extend beyond traditional coverage, like workers’ compensation, property, equipment breakdown, automobile, general liability and business interruption, to new risks, such as cyber liability.

It’s key to use a specialized broker and carrier with extensive knowledge and experience of the industry’s unique risks.

Stacie Graham, senior vice president and general manager, Liberty Mutual’s national insurance central division, said there are five key steps companies need to take to protect themselves and their employees against these risks. They include teaching them how to use the equipment properly, maintaining the same high quality of product and having a back-up location, as well as having the right contractual insurance policy language in place and plugging any potential coverage gaps.

“Risk managers need to work closely with their broker and carrier to make sure that they have the right contractual controls in place,” she said. “Secondly, they need to carry out on-site visits to make sure that they have the right safety practices and to identify the potential claims that they need to mitigate against.” &

Alex Wright is a U.K.-based business journalist, who previously was deputy business editor at The Royal Gazette in Bermuda. You can reach him at [email protected]