Sponsored: XL Catlin

These Five Emerging Cyber Threats May Be Creating Gaps in Your Coverage

As cyber risks intertwine with property, fidelity, professional liability and reputation exposures, comprehensive insurance coverage and services become paramount.
July 30, 2018 • 7 min read

Cyber risk continues to be the amorphous and seemingly indefensible threat facing businesses of all types and sizes, and insurers are continually tailoring their policies to respond to the changing environment. Making the challenge more difficult is the fact that cyber no longer is constrained to breaches of network security that imperil private information.

Cyber threats now intermingle with other types of exposure, like employee theft and professional liability, and can cause a broader spectrum of loss including property and reputation damage.

“We’re seeing a change now where the malicious actors aren’t just hacking networks to steal information; they’re reaching out from the digital world to cause different types of damage,” said Elissa Doroff, vice president, underwriting and product manager, XL Catlin.

As cyber becomes the root cause of various types of tangible damage, it raises questions around what policies will be triggered by an event involving both digital and physical damage, and raises the potential for both gaps and overlaps in coverage.

Here are the top five ways cyber risk is evolving to create gray areas in existing insurance coverages:

1. Infiltration of Industrial Systems Leads to Property Damage

Hackers’ ability to breach a corporate network through various channels is nothing new. But when the intent is to cause physical harm rather than steal data, they can find their way into the industrial controls that operate a facility and wreak havoc.

In 2014, cyber criminals sent a German steel mill up in flames by speeding up the machinery until it became too hot and eventually exploded. The following year, bad actors brought down the Ukrainian power grid through similar methods.

A property policy responds to the resulting physical damages from such an incident, regardless of the cause. But the physical damages are just one piece of the attack.

The targeted organization will also have to investigate how the hackers gained access to their systems and whether they stole or altered any data in the process. The costs of a forensic investigation, restoration of data, notification and any other third-party liability exposures would not be covered under a property policy.

“A cyber policy would respond to network issues like theft of PII or use of transient malware that causes damage to a third party,” Doroff said. “And it would include the first-party coverages to remediate the network breach itself.”

Without a cyber policy, any incident of physical property damage caused by a cyber event would only be partially covered.

2. IoT and Bitcoin Amplify Ransom Risk

When ransomware attacks first emerged, they weren’t significant enough to warrant large-limit cyber liability policies.

“On average, the claims didn’t exceed $50,000. You paid the ransom if you needed to. More sophisticated organizations with good backups knew that they would be safe without paying, so they could just wait for the hacker to go away,” Doroff said.

But the problem is no longer that easy to solve. The explosion of devices connected via the Internet of Things has created more access points to corporate networks.

“When workers connect with their phones outside of a VPN, it may not be bifurcated from the corporate network that has a higher level of security,” she said. “It opens the door for new strains of malware.”

The rise of bitcoin also drives up the ransom amounts sought by hackers. More thieves are asking for their payment in cryptocurrency, which continues to rise in value. This is why having a cyber insurance policy with access to the right breach response vendors is critical.

Since bitcoin is not readily ascertainable on the open market, insureds need access to forensics vendors that maintain a bitcoin wallet. When a ransom is demanded in bitcoin, the vendor can quickly respond to facilitate the transaction and get the insured back to business as soon as possible.

“Cyber extortion claims are not $50,000 anymore. With the increase in bitcoin’s ubiquity and value, the cost of a ransomware attack today can double or triple that amount,” Doroff said.

Where coverage for cyber extortion was once considered a throw-on to a cyber policy, it’s now a critical must-have. Cyber liability insurance without coverage for extortion could leave targets with insurmountable losses after an attack.

3. Social Engineering Expands Definition of Theft

Hackers have become adept at mimicking professional emails to request fraudulent transfers of funds, posing as a client or vendor, or sometimes as a senior manager making a request of a subordinate. Often, the employee tricked into sending the cash doesn’t realize the mistake until it’s too late, and both the thief and the money are long gone.

“That type of theft has created a gap in the insurance market when it comes to treatment of financial fraud,” Doroff said.

A fidelity and crime policy typically would not cover a loss stemming from a social engineering scheme because the funds ultimately were willingly transferred away, even if the employee that did so was deceived. Crime policies may only extend coverage to outright theft of money or securities.

“There has been a push in the marketplace to offer coverage for social engineering fraud within cyber policies, but most of the coverage that exists now is offered on a sub-limited basis,” Doroff said.

As cyber thieves find new ways to bilk businesses, a cyber policy with coverage for social engineering fraud in combination with a crime and fidelity policy closes the coverage gap for emerging types of theft.

4. Data Breaches Threaten Company Reputations

Plenty of high-profile breaches demonstrate how a cyber attack can cause the public to lose faith in an organization they trusted with their personal information. Target, Equifax, Yahoo and Uber are just a few examples.

“Adverse publicity will cause a loss of brand trust that negatively impacts sales, but measuring that impact is the difficult part of designing coverage,” Doroff said. Quantifying exposure is the barrier to developing coverages that adequately address the reputation risk of cyber breaches — but a few methods are emerging.

“We’ll look at a company’s sales over a six-month period after an incident and compare that to the previous year, which provides a snapshot of how much revenue they’ve lost that’s likely attributable to the cyber event,” Doroff said.

But, she added, quantifying the loss is not an exact science. Along with a comparison of sales and revenue, a more thorough financial audit conducted by forensic accountants may be needed. Each carrier will have their own preferred method for measuring reputation exposure.

Because most cyber policies on the market today don’t address this exposure at all, it’s best to work directly with underwriters up front to determine whether there is coverage for financial losses from reputation damage, and how those losses will be accounted for.

5. Storage of Sensitive Data Increases Professional Liability Risk

While theft of PII has always posed a significant threat to financial institutions, hospitals, and other organizations that house large amounts of customers’ private data, some firms previously less concerned with cyber risk are finding that they may have targets on their backs as well.

“This comes up often with professional services firms like attorneys’ offices or financial consultants,” Doroff said. “They have a duty to keep clients’ sensitive information secure. If there’s some third-party incident whereby their clients’ information gets out, they could face costly lawsuits.”

While a professional liability policy likely covers those legal expenses, it won’t cover the first-party losses related to the breach itself, including the investigation, notification and remediation expenses. For more and more firms, “It’s not sufficient to rely on your E&O coverage,” Doroff said.

Staying Ahead of the Coverage Curve

As cyber risks and responding coverages continue to evolve, companies are best served by working with a carrier at the forefront of cyber underwriting. XL Catlin’s cyber and technology liability policy addresses the varying ways in which malicious hackers can infiltrate systems or otherwise cause harm.

“We built this policy based on all the endorsement requests we received from brokers, which meant changing some definitions, removing certain exclusions or broadening some insuring agreements,” Doroff said. “The result is a policy with very broad terms and conditions that is a market leader in terms of what brokers and insureds are looking for.”

Along with the policy, companies gain access to XL Catlin’s breach preparedness services and vendor response panel.

“Our services include everything from training articles and videos to tabletop exercises, testing of employees’ response to phishing emails, and an 800-number manned by our claims team,” Doroff said. “Our broad vendor panel also offers several options for law, public relations and forensic firms, to help insureds recover quickly from a cyber incident — whatever shape it takes.”

To learn more, visit https://xlcatlin.com/insurance/insurance-coverage/professional-insurance/cyber-and-technology.


This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with XL Catlin. The editorial staff of Risk & Insurance had no role in its preparation.






More from Risk & Insurance


Black Swans

Black Swans: Yes, It Can Happen Here

In this year's Black Swan coverage, we focus on two events: An Atlantic mega-tsunami which would wipe out the East Coast and a killer global pandemic.
July 30, 2018 • 2 min read

One of the most difficult phrases to digest without becoming frustrated or judgmental is the oft-repeated, “I never thought that could happen here.”


Most painfully, we hear it time and time again in the aftermath of the mass school shootings that terrorize this country. Shocked parents and neighbors, viewing the carnage, voice that they can’t believe this happened in their neighborhood.

Not to be mean, but why couldn’t it happen in your neighborhood?

So it is with Black Swans, a phrase describing unforeseen events, made famous by the former trader and acerbic critic of academia Nassim Nicholas Taleb.

We at Risk & Insurance® define these events in insurance terms by saying that they are highly infrequent, yet could cause massive damages. This year, for our annual Black Swan issue, we present two very different scenarios, both of which would leave mass devastation in their wake.

A Mega-Tsunami Is Coming; Can the East Coast Even Prepare?, written by staff writer Autumn Heisler, profiles an Atlantic mega-tsunami, which would wipe out lives and commerce along the East Coast.

On the topic of whether the volcanic island of La Palma, the most northwestern of the Canary Islands, could erupt, split and trigger an Atlantic mega-tsunami, scientists are divided.

Researchers Steven Ward, a geophysicist at UC Santa Cruz, and Simon Day of University College London, say such a thing could happen. Other scientists say Day and Ward are dead wrong; it’s an impossibility.

One of the counter-arguments is backed up by the statement that there has never been an Atlantic mega-tsunami. It’s never happened before and thus, could never happen here. See exhibit “A” above, re: mass school shootings.

Viral Fear: How a Global Pandemic Kills an Economy, written by associate editor Katie Dwyer, depicts a killer global pandemic the likes of which hasn’t been seen in a century.

Tens of millions of people died during the Spanish Flu outbreak of 1918.

Why it could happen again includes the fact that it’s happened before. The science on influenzas, which are constantly mutating, also supports just how dangerous a threat they pose to millions of people beyond the reach of antibiotics.

Should a mutating avian flu, for example, spread widely, we could see a 10 percent drop in GDP, mostly from non-physical business interruption.

As always here, the purpose is to do exactly what insurance modelers and underwriters do; no matter how massive the event, we create scenarios, quantify possible losses and discuss risk mitigation strategies.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]