Top Reasons to Purchase Cyber Insurance


Having a hard time garnering interest in cyber insurance with your insureds?  One thing to point out is that relative to other lines of business insurance, cyber insurance is inexpensive and easy to customize specifically to risks facing your insureds. Other pitch points include:

  1. Data is one of your most important assets yet it is not covered by standard property insurance policies
    Most businesses would agree that data or information is one of their most important assets. It is almost certainly worth many times more than the physical equipment that it is stored upon. Yet most business owners do not realize that a standard property policy would not respond in the event that this data is damaged or destroyed. A cyber policy can provide comprehensive cover for data restoration and rectification in the event of a loss no matter how it was caused and up to the full policy limits.
  2. Systems are critical to operating your day-to-day business, but their downtime is not covered by standard business interruption insurance
    All businesses rely on systems to conduct their core business, from electronic point of sales software to hotel room reservation systems. In the event that a hack attack, computer virus or malicious employee brings down these systems, a traditional business interruption policy would not respond. Cyber insurance can provide cover for loss of profits associated with a systems outage that is caused by a non-physical peril like a computer virus or denial of service attack.
  3. Cyber crime is the fastest growing crime in the world, but most attacks are not covered by standard property or crime insurance policies
    New crimes are emerging every day. The internet means that your business is now exposed to the world’s criminals and is vulnerable to attack at any time of the day or night. Phishing scams, identity theft, and telephone hacking are all crimes that traditional insurance policies do not address. Cyber insurance can provide comprehensive crime cover for a wide range of electronic perils that are increasingly threatening the financial resources of today’s businesses.
  4. Third party data is valuable and you can be held liable if you lose it.
    We all hold more data than ever before and often this data belongs to our customers and suppliers. Non-disclosure agreements and commercial contracts often contain warranties and indemnities in relation to the security of this data that can trigger expensive damages claims in the event that you experience a breach. Increasingly, consumers are also seeking legal redress in the event that a business loses their data. This risk is further heightened in the event that you hold any data on US consumers.
  5. Retailers face severe penalties if they lose credit card data. 
    Global credit card crime is worth over $7.5bln and increasingly this risk is being transferred to the retailers that lose the data. Under merchant service agreements, compromised retailers can be held liable for forensic investigation costs, credit card re-issuance costs and the actual fraud conducted on stolen cards. These losses can run into hundreds of thousands of dollars for even a small retailer. Cyber insurance can help protect against all of these costs.
  6. Complying with breach notification laws costs time and money.
    Breach notification laws are slowly being introduced across many different countries. These generally require businesses that lose sensitive personal data to provide written notification to those individuals that were potentially affected. Even though a legal obligation to notify only currently exists in some countries, this is changing and there is a growing trend towards voluntary notification in order to protect your brand and reputation. Customers who have had their data compromised expect openness and transparency from the businesses they entrusted it with. Cyber policies can provide cover for the costs associated with providing a breach notice even if it is not legally required.
  7. Your reputation is your number one asset, so why not insure it?
    Any business lives and dies by its reputation. Although there are certain reputational risks that can’t be insured, you can insure your reputation in the event of a security breach. When your systems have been compromised, you run a risk of losing the trust of your loyal customers which can harm your business far more than the immediate financial loss. Cyber insurance can not only help pay for the costs of engaging a PR firm to help restore this, but also for the loss of future sales that arise as a direct result of customers switching to your competitors.
  8. Social media usage is at an all-time high and claims are on the rise. 
    Social media is the fastest growing entertainment channel in the world. Information is exchanged at lightning speed and exposed to the world. But often there is little control exercised over what is said and how it is presented and this can give rise to liability for businesses who are responsible for the actions of their employees on sites such as LinkedIn, Twitter and Facebook. Cyber insurance can help provide cover for claims arising from leaked information, defamatory statements or copyright infringement.
  9. Portable devices increase the risk of loss or theft
    The advent of portable devices and the ability to work away from the office has made life a lot easier for many of us. However, this new style of working also means that important and confidential data can be stolen or lost much more easily. A laptop left on a train, an iPad stolen in a restaurant, or a USB stick going missing are all good examples. In addition, the devices themselves are being targeted with a growing number of viruses being built just for them. Cyber insurance can help cover the costs associated with a data breach should a portable device be lost, stolen or fall victim to a virus.
  10. It’s not just big businesses being targeted by hackers, but lots of small ones too. 
    While the large-scale hack attacks on the news often involve big companies, small companies are also at risk and often don’t have the financial resources to get back on track after a hacking attack or other kind of data loss. In fact, over a third of global targeted attacks were aimed at businesses with fewer than 250 employees. Cyber attacks are quickly becoming one of the greatest risks faced by smaller companies, making cyber liability insurance a must. It can help protect smaller companies against the potentially crippling financial effects of a privacy breach or data loss.

Of course, we are always available to help you close deals! Call or email us for additional assistance.

 

 

InfoSec Distribution of Cyber Insurance: Has the time come?


Has the time come?

Cyber insurance is distributed by business insurance agents specializing in traditional commercial products such as property, general liability, workers’ compensation and employee benefits.  Despite diminishing premiums and dramatically improved coverage forms, cyber insurance take-up rates remain very low for SMB’s (small to mid-sized buyers under $250M annual revenue).  Can infosec channels more effectively provide comprehensive cyber cover to this highly vulnerable market?

 

“The only thing missing from managed security services offerings is cost effective financing for isolated and possibly catastrophic client events.”

Wrong buyers and wrong sellers?

Market survey estimates suggest somewhere between 16% and 35% of SMB’s purchase comprehensive cyber coverage. Many obstacles make for a difficult sale. Almost 50% of brokers surveyed say not understanding exposures is the biggest obstacle to closing cyber deals. This compares to an onerous application process (15%), not understanding coverage (14%) and cost (13%). In our experience, lack of exposure knowledge actually keeps some agents from presenting coverage.

When providing workers’ compensation insurance, agents maintain specialized knowledge and can accurately quantify and communicate key exposures to loss. Insurance agents and brokers are seen as subject matter experts in workers’ compensation, as well as other products comprising a business insurance portfolio. Due to the paucity of loss data and limited technical expertise, this is not the case with cyber insurance.  In response, many global and large regional brokerages employ talented, often credentialed cyber experts.  This is not true with middle market agents who often rely on spotty cyber endorsements added to existing business insurance products.

Travel insurance is a good example to consider.   Travel agents are subject matter experts when it comes to travel risk.  They can easily explain the risks involved and offer insight based on first hand traveler experiences.  Perhaps this is why travel agents distribute some 70% of travel insurance.

 

InfoSec involvement in procurement can improve underwriting and coverage outcomes

Unlike insurance agents, security experts can explain the exposures to buyers and clearly understand cost components involved in responding to a breach event. In many cases, it is easier to educate a security professional about how insurance responds to a cyber event than to teach an insurance agent to understand and explain cyber risks.

Sample Cyber Claim Denials

  • $275k: Reporting Delay
  • $475k: Use of Unapproved Vendors
  • $4.1M: Application Misstatements
  • $2.0M: PCI-DSS Contract Exclusion

Leaving infosec subject matter experts out of the procurement process often leads to coverage disputes and unacceptable claim recoveries. The likelihood of such outcomes is minimized when infosec professionals are involved in the process and properly on-boarded.

In addition to understanding exposures, security vendors already possess data needed for the application process. As such, CFO’s and other corporate officers may no longer need to endure the task of completing onerous applications.

“Are you nuts? We don’t want to sell insurance”

MSSP’s should not get into the insurance selling business for many reasons. Commercial insurance is one of the most heavily regulated industries in the US. Direct selling of commercial insurance requires appropriately licensed and trained insurance professionals.

A cyber insurance product embedded into a security service offering is possible and need not be overly complicated. If designed properly, a successful program does not require vendor licensing, additional internal resources or material product “touch” by the vendor. The volume of premium generated by a single InfoSec provider will also reduce premium costs for customers. We note that Apple and Cisco recently teamed up with global insurance providers Aon and Allianz to offer discounted cyber cover to users of their platforms.

“In many cases, it is easier to educate a CISO on how insurance responds to a cyber event than to teach an insurance agent to understand and explain cyber exposure to loss”

Driving Demand

In order for the cyber insurance market to meet robust growth projections, catalysts beyond scare tactics about newsworthy mega-breaches such as Target, Equifax, and Yahoo are needed. Most SMB’s can’t relate such large-scale events to their business. One catalyst is the increasing number of companies requiring that business partners purchase cyber coverage. Better education about cyber risk is also driving some level of demand.

For small to middle market organizations, the use of external third party information security support services such as managed security providers is a key strategy to mitigate cyber risks.  The only thing missing from most security services is cost effective financing of isolated and possibly catastrophic events.

Some infosec vendors think rounding out services with cyber insurance will differentiate their services in a very crowded market, resulting in improved new business and customer retention. If properly designed, incorporating a level of cyber coverage within the security services offering can result in better-educated buyers, a painless application process, lower rates, and better coverage outcomes.

 

Sources:

  • Deloitte University Press: Demystifying Cyber Insurance Coverage-Clearing Obstacles in a Problematic But Promising Growth Market 2017
  • PartnerRe & Advisen: Cyber Liability Market Trends Survey October 2016.
  • Finaccord: Distribution Channels for Travel Insurance and Assistance 2013.
  • https://www.apple.com/newsroom/2018/02/cisco-apple-aon-allianz-introduce-a-first-in-cyber-risk-management 

About Cyber Risk Underwriters:

We underwrite and distribute specialty cyber insurance products for InfoSec vendors and retail insurance agents.  Our products include cyber warranties, MSSP distributed cyber insurance, as well as stand alone cyber and technology errors & omissions insurance.

 

Contact:  Jeffrey Smith
Managing Partner
Cyber Risk Underwriters
jsmith@cyberriskuw.com
866.292.3092

Why Mid-Market Healthcare Providers Need Stand-Alone Cyber Cover


Cyber Insurance: Mid-Market Healthcare Providers: Endpoints, Medjacking, Security Budgets & HIPAA

An attack surface is the sum of all the points of entry through which an attacker can breach your environment. In a healthcare setting, endpoints go well beyond workstations, laptops, PDA’s and cell phones to include digital medical devices and software. “Medjacking” is the hijacking of biomedical devices that create backdoors to hospital networks. Malware has been found on imaging equipment and blood gas analyzers, as well as in software that manages surgery and treatment schedules, power systems, and the administration of medicine. Reimbursement uncertainty leads to tight budgets for information security. This means a custom designed cyber insurance policy is a necessity to minimize financial and reputational costs of isolated cyber events.

Many small to medium providers don’t view HIPAA fines & penalties as a significant threat due to the limited number of patient records maintained. A review of HIPAA settlements for 2016 confirms that even breaches involving fewer than 50,000 records can result in catastrophic financial loss. For example, Raleigh Orthopedic Clinic, P.A. of North Carolina incurred a breach of 17,300 records erroneously released to a business associate. The HIPAA settlement was $750,000. The settlement is just one component of breach costs. The cost of the corrective action plan, computer forensics, breach event costs, loss of revenue and other expenses that accompany a cyber breach event involving medical records likely tipped this claim over $1,000,000. The annual premium for a 20-physician practice is around $5,000 for $1,000,000 in coverage.

The latest firewall or anti-malware products will not prevent employee errors or a determined attacker. Too many small to medium sized providers rely on “short” cyber insurance limits included in a medical malpractice policy. These limits can range from $25,000 to $100,000. As indicated above, such limits are not remotely adequate to protect providers from isolated catastrophic cyber breaches that need only affect a small number of patients. A well-crafted, stand-alone cyber insurance policy is a low cost solution to a potentially devastating financial risk.

Stand-Alone Cyber for Mid-Market Healthcare Providers

 

Trouble Closing Cyber Insurance Deals?


The cyber security industry is broken. The industry sells over $80 billion of antivirus, firewalls, penetration tests, threat detection, consulting services and other products, yet clients still get hacked[1]. Vendors aggressively sell security products based on hype as opposed to product efficacy.

Ask your client if the security products they purchase come with a return policy or warranty. Less than 3% of cyber security vendors provide warranties that help a client financially recover from a failure of product performance. In other words, if a security product fails and results in financial damage, your client’s sole recourse is costly legal action. This is all the more reason that a cyber insurance policy is a critical part of any business’ insurance portfolio and a great value given current market conditions. In fact, for most risks, cyber insurance premiums are less than 5% of total IT security spend.

As an example, a $200M manufacturer’s IT budget includes $500,000 for cyber security. A well-crafted cyber policy costs around $10,000 for a $1,000,000 limit. That is a relatively small price to pay for proven breach resources and loss cost financing.

Cyber Risk Underwriters is 100% focused on emerging risk insurance solutions.  We distribute products to retail insurance agents, CISO’s/CIO’s and via cyber security consultants, Managed Security Service Providers (MSSP’s) and Value-Added Resellers (VAR’s). Have any questions? Feel free to contact us here or call us at 866-292-3092 today!

[1] https://www.csoonline.com/article/3194829/security/the-pitfalls-of-cybersecurity-shopping-hype-and-shoddy-products.html

Hey Retail Agents! Does your cyber insurance connection offer a de facto super ninja on all things cyber?


Unlike other cyber MGA’s and wholesalers, we don’t look to old insurance guys for strategic direction. We’ve got industry-leading ethical hackers to help you close deals.

Check out our Jeremiah Grossman discussing extortion, cyber insurance, and cyber security guarantees…and in terms your clients can understand.

 

 

 

RAND on Cyber Insurance Pricing… “in some cases the carrier would appear to guess..”


So we just finished reading a very deep dive by RAND called “Content Analysis of Cyber Insurance Policies: How do carriers write policies and price cyber risk?” The depth of the analysis is significant, including discussion of pricing “boxes”, increased limits factors, and security factor weighting. When all was said and done, our favorite excerpts include:

  • “Only in a few cases were carriers confident in their own experience to develop pricing models”
  • “We are not using claims counts as the basis for credibility because we have not experienced any claims over the past three years..”
  • “Further, it is not unforeseen for carriers to examine their competitors in order to define rates”
  • “..in some cases, the carrier would appear to guess..”

Guess we don’t know what we don’t know eh?  It’s a “last look market”…damn the sexy marketing slicks!

Negligent employees are no. 1 cause of cybersecurity breaches at small to middle market enterprises.


Careless workers and poor passwords have led to a rise in ransomware attacks and other breaches on SMBs, which cost an average of $1 million.

Negligent employees are the no. 1 cause of data breaches at small and medium-sized businesses (SMBs) across North America and the UK, according to a new study from Keeper Security and the Ponemon Institute, released Tuesday. Of the 1,000 IT professionals surveyed, 54% said careless workers were the root cause of cybersecurity incidents, followed by poor company password policies.

This is especially concerning due to the rise in ransomware attacks: More than 50% of SMBs surveyed had experienced such an attack in the past year, which often enters an organization via a phishing email aimed at tricking an employee into clicking a malicious link or download. Indeed, in the survey, 79% of those hit said the ransomware entered their system through a phishing or social engineering attack. Further, of those who experienced an attack, 53% were hit more than once in the year.

Check it out at:

 

 

Equifax: Protect Yourself!


From the experts…

  • Use a credit monitoring service such as LifeLock: They won’t prevent identity theft but can help you recover.
  • Place a freeze on your credit files:  Security freeze laws vary by state, but they usually cost between $0 and $15 to instate. To adequately protect yourself, you must place a security freeze on your credit file with each of the three main credit bureaus (TransUnion, Equifax, and Experian) as well as Innovis, a credit reporting agency.
  • Periodically order a copy of your credit report: A security freeze doesn’t prevent everyone from viewing your credit file. For that reason, it’s a good idea to periodically order a copy of your credit report so that you can review it for unauthorized charges.
  • Create a security alert or security freeze for your consumer file: Services such as ChexSystems provide a bank with a consumer report whenever someone attempts to create a new savings or checking account in your name.
  • Opt out of new credit report and insurance offers:  Some attackers try to intercept new credit or insurance offers in the mail so that they can open new lines of credit in your name. Fortunately, you can opt out of these free offers by visiting OptOutPrescreen.com.

How to protect yourself in the wake of the Equifax data breach

 

 

 

Security Guru Adrian Sanabria on Equifax Breach: “Should We Be Surprised?”


Just the facts

Equifax announced yesterday, September 7, 2017, that it experienced a cybersecurity incident. Equifax is one of the “big three” US credit bureaus, along with Experian and TransUnion. They lost data belonging to 143 million Americans, which sounds like a lot, because it is. That’s 57% of the adult US population. Additionally, the company says payment information for 209,000 individuals was also lost, along with dispute documents belonging to an additional 182,000.

Savage Thoughts

As the title implies, I don’t think anyone was terribly surprised by this. We’re numb to the announcement of a breach at this point. In most cases, we’re powerless to do anything about it. It’s been shown that breaches have little to no long-term financial impact on the organizations that experience them. We’re resigned to the fact that companies will continue to make security a secondary priority, will continue to get hacked and will continue getting away with no serious consequences.

If you think about it, by offering its own products as a solution to the incident, this whole thing is one giant lead-generation campaign for Equifax. Yeah, it’s a big loss leader, but it’s still a loss leader on 143 million leads.

 

https://blog.savagesec.com/equifax-breached-no-eyebrows-raised-4ac57bf3bb9c

Do you know what your clients spend on cybersecurity?


As indicated by the graph, cyber security is a growing concern yet cyber insurance is not perceived as a key part of the enterprise cyber risk management strategy.  No wonder the sales cycle to close a cyber insurance deal is over 12 months!

Know your client’s and prospect’s total investment in cybersecurity tools. What products do they use? Do vendors stand behind these products with a security guarantee? Is the cybersecurity function handled by an internal CISO (Chief Information Security Officer) or outsourced to Managed Security Providers (MSP’s)? Do they have affordable contingent capital available to cover the costs of a breach response plan?