Archive for category: Cyberliability

Cyber Attacks and Bodily Injury

Today’s cyber attack on the UK’s NHS (still working its way through networks at the time of this post) has resulted in many hospitals and doctors’ offices remaining closed, as they cannot access the networks and IT systems they rely upon to provide care. This will undoubtedly result in patient injuries (existing conditions being exacerbated and causing further harm) and possibly death. BBC reporters have cited sources saying:

“Absolute carnage in the NHS today. Two Hyperacute stroke centres (the field I work in) in London have closed as of this afternoon. Patients will almost certainly suffer and die because of this.

“Had a patient that needed urgent neurosurgery referred, but unable to look at scans – stroke care is absolutely dependent on IT systems and joined up systems.”

This type of attack appears to be ransomware related to the NSA’s leaked toolkit from last month’s breach. While ransomware is a growing nuisance, many companies have yet to protect themselves from these types of attacks. Even so, the best IT security standards can be penetrated by smart cyber criminals using social engineering. Further, most companies have yet to include cyber insurance in their portfolio of risk management policies.

So, will a cyber attack resulting in bodily injury caused by ransomware or social engineering be covered by cyber insurance? The devil is in the details, unfortunately. Many cyber policies do not cover ransomware or claims generated from social engineering incidents. Other policies, like Crime and General Liability, may offer minimal coverage at best, but most have been written to exclude cyber-caused incidents. To further complicate the situation, bodily injury (which is typically covered by General Liability) is often excluded explicitly under cyber policies.

The solution is to make sure you buy the right cyber insurance policy to begin with. If you have an exposure to bodily injury, make certain you have placed coverage with a carrier that offers this on their cyber policies (there are a few). Your broker can also make sure the cyber policy “dovetails” with your General Liability policy, so that you are not duplicating coverage and are also covering the gaps.

Find a broker that knows how to 1) assess your cyber risk to determine what coverage is necessary and 2) design a program that addresses your cyber risks. As a bonus, most cyber insurance policies include a variety of risk management services, like breach coaches and access to cyber professionals to help you if and when you get hit with an attack.

Cyber Insurance: Not just for consumer-facing businesses

Post originally published by TechAssure-member: Plexus Groupe

The wide range of cyber risk faced by businesses continues to be in the news.

In a story published recently, The Wall Street Journal reported that a growing number of manufacturers have begun to secure cyber insurance.

According to the Journal, manufacturers paid about $37 million in cyber coverage premiums last year, per data from Advisen, an increase of 89 percent from 2015. Also, per BusinessInsurance.com, cyber threats were a top concern of more than 90 percent of the top 100 publicly traded manufacturing firms in 2016, according to findings from accounting firm BDO USA LLP.

Guest Post: Two New Cyber-Focused Crime Endorsements

One of the challenges in designing a comprehensive cyber insurance program lies in the fact that cyber risks are not easily contained within the insurance industry’s pre-defined “boxes.” Cyber risks can affect virtually all lines of insurance, and, yet, most of these insurance policies were never designed to cover such risks. There can often be a sizable grey-area between insurance policies when trying to piece them together. One area that is particularly fraught with peril (pun intended) is cyber crime.

Theft of money has historically been addressed by a crime insurance policy. However, crime policies have historically not offered any coverage for certain cyber crimes. Two new (ISO) endorsements are now available (as of Nov 2015) and seek to address some of these issues. 

We would like to thank Stuart Powell and the IIANC for allowing us to duplicate their post on these new endorsements. 

*********************************************************************

 

Internet crime is not just about data breach losses. While data breach losses are significant and can result in considerable financial damage to businesses and individuals, the internet can be used to commit old-fashioned crimes such as the theft of money. Two new ISO Crime Insurance endorsements, of which agents should take note, became available in November of 2015.

Fraudulent Impersonation – CR 04 17 11 15 is designed to be used with the Commercial Crime Coverage Policy or Form. (It can also be used with the Government Crime Coverage Policy or Form.) It fills a gap between the traditional crime coverages and newer cyber or data breach coverages.

Traditional crime insurance coverages have not had an Insuring Agreement that would recognize this exposure. The endorsement addresses two groups of people who could be fraudulently impersonated, i.e., “employees” and/or “customers” and “vendors.” The exposure, however, is the same. There would be coverage if the “named insured” receives, in good faith, an instruction to transfer “money”, “securities” or “other property” from a scheduled person described above ‘but which “transfer instruction” proves to have been fraudulently issued by an imposter without the knowledge or consent’ of the scheduled person(s).

An example of this exposure would be an email purporting to be from the scheduled person authorizing a transfer of money. The transfer is made and later it is discovered that the email was not from the person from whom it purported to be. The endorsement is not media specific, so the “transfer instruction” could be in any form, electronic or otherwise.

One obvious loss control for this type of exposure is “verification.” This would entail a confirmation of the instruction before the transfer would be made. The endorsement has three options that may be selected.

  1. Verification is Required For All “Transfer Instructions”
  2. Verification is Required For All “Transfer Instructions” in Excess of a Specific Dollar Amount
  3. Verification Of “Transfer Instructions” Is Not Required

The degree of verification would have an impact on underwriting and pricing.

It is not difficult to see the value that this coverage could have to a business. Not only would it provide indemnification in the event of a loss, it highlights the value of verification and the potential for loss avoidance.

Include Virtual Currency as Money – CR 25 45 11 15 is designed to incorporate virtual money into the definition of “money” for coverage purposes. This endorsement is also designed to be used with the Commercial Crime Coverage Policy or Form. (It can also be used with the Government Crime Coverage Policy or Form.)

The current ISO Crime Insurance Coverage Policy or Form has an exclusion for virtual money. This endorsement amends the exclusion to except, and therefore provide coverage for, virtual currency to the extent scheduled on the endorsement. The endorsement schedule provides the option to select the Employee Theft and/or Computer and Funds Transfer Fraud Insuring Agreement. It provides for a sublimit of insurance for each of the insuring agreements and requires a declaration of the name of the virtual currency and the exchange on which the virtual money is negotiable.

The endorsement describes virtual currency to include, but not be limited to, digital currency, crypto currency, or any type of electronic currency. An example of this type of currency would be “bitcoin.” Wikipedia refers to bitcoin as a “digital asset.” It is a peer-to-peer internet exchange of value. It does not require a governmental medium of exchange such as a central bank currency. Some use the term crypto currency. Bitcoin is a unit of value held in an account which can also be used to purchase items, much like a debit card.

Since the value of a bitcoin is not backed by a governmental central bank, the determination of its value is not the subject of public exchange rates. Therefore, the endorsement requires the exchange to be used for valuation in the event of a loss be scheduled on the endorsement.

Both of these endorsements indicate an incremental movement towards addressing cyber exposures beyond data breach that are emerging from the “internet of things.” Stay tuned for there is surely more to come.

Post Originally Appeared on IIANC’s Blog. Reproduced with Author’s Permission.

Stuart Powell, CPCU, CIC, CLU, ARM, ChFC, AAI, ARe, CRIS, has over 40 years’ experience in the industry, both as an independent agent and as IIANC’s resident insurance guru for the last 20 years. A valuable resource for IIANC members providing technical information, Stuart is well-known across the country for his vast insurance knowledge. He regularly teaches for numerous insurance organizations and is on the national faculty for the Society of Certified Insurance Counselors.

Questions? Contact Stuart at spowell@iianc.com or 888-275-8914.

TRIA Dies in US Senate

 Washington, DC – After the United States House of Representatives approved the reauthorization of the Terrorism Risk Insurance Program (TRIA) on December 10th, the bill died in the Senate last night (December 16th, 2014) after soon-to-retire Oklahoma Senator Tom Coburn blocked the legislation from being called for a vote. Without renewal, the existing legislation expires on December 31st, 2014.

TRIA was enacted after the 9/11 attacks on New York City, which resulted in a majority of insurers declining to write coverage on buildings in NY due to the threat of future attacks. The bill, similar to Flood Insurance through FEMA, provides governmental assistance on systemic, multi-industry losses – in TRIA’s case: terrorism-related.

Coburn’s opposition to the bill stems from a new provision that would require insurance agents and brokers to register with a newly-formed body, the National Association of Registered Agents and Brokers Reform Act (NARAB).

The Property Casualty Insurers of America (PCI) issued the following statement today, expressing concern and disappointment in the bill’s defeat:

“It is unconscionable that the U.S. Senate would adjourn without finishing their job and reauthorizing a long-term Terrorism Risk Insurance Act (TRIA) when the threat of a terrorist attack against the United States is at the highest level it has been in a decade,” said David A. Sampson, PCI’s president and CEO. “TRIA plays a vital role in our national economic security. If a massive attack occurs before TRIA is reauthorized, there could be no terrorism insurance coverage or taxpayer protection. PCI is profoundly disappointed by the dysfunction in Washington and we urge the next Congress to address a long-term reauthorization of TRIA immediately when they convene in January.”

Without TRIA’s backstop support, fears are widespread throughout the insurance industry that insurers could face insolvency should a terrorist attack occur.

Even with the bill passing, many within the insurance industry are concerned with whether the legislation would address cyber terrorism or not. The bill makes no mention of “cyber,” which leaves a great deal of ambiguity.

Sources: Bloomberg News, Insurance Journal, Advisen

Corporate Risks and Cyber Criminals Lurking in the Cloud

Most of us are already aware of the benefits of cloud computing. But what many don’t realize is that cyber criminals are also harnessing the power of the cloud to gain unauthorized access to sensitive data.

Phishing scheme artists, for one, have learned to utilize the redundancy, scalability, and automation powers of the cloud to gain illegal access to bank accounts. This is easily accomplished by procuring cloud services through a website with an approved, though likely stolen, credit card. This sets the stage for criminals to work their craft anonymously and makes them even harder to catch.

What are the risks of cloud computing to a corporation?

There are many risks that a company faces from the use of cloud computing. Some of the major risks include disputes over ownership of data, records and assets. Risks can also include lost data, unavailability of information and malicious attacks. In addition, risks from shared access, authentication and authorization are broad.

Will a Commercial General Liability respond to data breaches or cloud computing risks?

No, your Commercial General Liability will not respond to claims that arise from data breaches or activities in the cloud. In order to protect against those types of risks, a company should consider the benefits of purchasing a cyberliability policy that is designed around its unique risks.

What can a company do to prevent these types of security breaches to its network?

The good news is that cloud providers are more diligent than ever in detecting unusual patterns of activity as they monitor how customers utilize the service. One very effective measure is the deployment of a dedicated antifraud team trained to recognize illicit activity from the start, such as the detection of a stolen credit card to procure cloud services. However, this does not mean you should relax your own security measures. Whether your data sits on another server, or is in the cloud, it is your corporate asset and you should take appropriate steps to protect that risk. Companies should be on the lookout for any security loopholes that allow easy access from unauthorized parties.

Working with a member of TechAssure Association can provide your organization with a range of insurance and risk management tools to help you manage your risks in the cloud. Contact a TechAssure Association member for more information on risk management services that can protect your corporate assets.

Top Five Causes of Data Breaches and Why Firms Should Buy Cyberliability

Because of advances in technology, companies have been able to grow and expand like never before. On the downside, cyber threats lurk around every corner, from hackers corrupting systems and networks to criminals attempting data breaches.

Because of the nature of their business, technology companies are at increased risk from these types of threats. Here are some of the top causes of data breach and the steps you can take to ensure your company’s information is safe.

  1. Credential Theft: Hacking puts all of your sensitive information at the fingertips of individuals trying to steal your company’s most important information. In a recent study, 76% of data breaches occurred because of weak credentials. Password protection is essential to preventing hackers from entering your company’s networking systems.
  2. Application Vulnerability: Hackers’ use of back doors and SQL injection accounts for almost half of all data breaches. Web applications are most vulnerable to this type of attack.
  3. Data on the Move: This type of breach involves stolen or lost-in-transit devices such as laptops, storage devices, hard copy reports, and hand-held devices. Securing these items during travel can help ensure that your sensitive information does not fall into the wrong hands.
  4. Insider Breach: This type of security threat involves insider attacks. Employees who can access company information can easily transfer firm financials, passwords, network and security access, etc. When employees go rogue, it is important to have a secure plan in place to prevent loss of data or worse.
  5. Employee Error: Employee negligence can inadvertently expose your firm to data breach. Some of these instances may be unpreventable, but it is important to educate your employees on how they can prevent data breach by following certain system protocols and implementing criteria each day that can help close the gap.

Maintaining a comprehensive cyberliability insurance and risk management program can ensure that your information is protected and that you will have a plan of action for managing the aftermath. Protect yourself and your firm’s credibility with an insurance policy custom tailored to your specific requirements. A TechAssure Association member can help you customize a cyberliability program around your unique risk profile. Please contact us for more information.