Top five reasons to buy cyber

Making the case for cyber insurance, a relatively new type of cover, can be tough for brokers even if it’s clear that nearly all companies would benefit from it. So to help brokers make the argument for cyber insurance more easily, we’ve put together the top five reasons to buy cyber.

5. Cybercrime is the fastest growing crime in the world, but standard property or crime insurance policies can be restrictive in the cover they offer.
The widespread use of technology and the internet now means that your business is exposed to the world’s criminals and is vulnerable to attack at any time of the day or night. For example, social engineering scams are becoming a pandemic in the business world, leading to significant losses for companies of all types. Cyber insurance is at the forefront of protecting against this new wave of crime, providing cover for a wide range of electronic perils, from wire transfer fraud to ransomware.

4. Technology systems are critical to operating your day-to-day business but their downtime is not covered by standard business interruption insurance.
Almost all businesses rely on computer systems and other technology to conduct their core business, from electronic point of sales software to back office work flow management systems. In the event that these systems are brought down, a traditional business interruption policy would likely not respond. Cyber insurance can provide cover for loss of income and extra expense associated with a cyber event.

3. Data is one of your most important assets yet it is not covered by standard property policies.
Most businesses would agree that data or information is one of their most important assets and worth many times more than the physical equipment that it is stored upon. Yet most business owners do not realize that a standard property policy would not respond in the event that this data is damaged or destroyed. A cyber policy can provide comprehensive cover for data restoration and even re-creation in the event of a loss.

2. Complying with breach notification laws costs time and money.
Breach notification laws are now commonplace across many territories, and among other things, generally require businesses that lose sensitive personal data to provide written notification to those individuals that were potentially affected or risk hefty fines and penalties. Australia’s Notifiable Data Breaches Act, Canada’s Digital Privacy Act, Europe’s General Data Protection Regulation, and several US state laws make it a legal obligation to notify, and there is also a growing trend towards voluntary notification in order to protect your brand and reputation. Cyber policies can provide cover for the costs associated with providing a breach notice even if it’s not legally required, and can also cover the associated regulatory fines and penalties.

1. A good cyber policy provides access to a wide range of incident response services.
Responding to a cyber incident requires a range of specialists – from IT forensics firms to specialist PR agencies – that help deal with both the immediate aftermath as well as the longer term consequences of a cyber event. Small and medium sized businesses, in particular, are facing an uphill battle; not only are they increasingly being targeted by cybercriminals but they are also unlikely to have the range of required incident response specialists in-house. The good news is that cyber insurance can provide easy access to these services, helping companies more easily negotiate the changing face of crime.

Beware the data breach bear trap

Over the course of 2018, we have seen numerous pieces of data breach legislation come into force. Back in February, the Australian government enacted the Notifiable Data Breaches Act. In May, we saw the introduction of the EU’s General Data Protection Regulation (GDPR). In June, Alabama’s Data Breach Notification Act of 2018 came into force, meaning that all 50 states in the US now have data breach notification laws in place. And November will see the Canadian government bring in notification and record-keeping requirements as part of the Digital Privacy Act.

With all of these laws coming into force, it’s understandable that brokers have given a lot of attention to their clients’ data breach and privacy exposures. However, while all this legislation is undoubtedly important in its own right, brokers and their clients shouldn’t see cyber insurance exclusively through this lens.

There are a couple of reasons for this. For a start, many businesses do not collect or deal with consumer data, so the argument that this legislation affects them and that they should buy cyber insurance to mitigate this risk is not one that will resonate. It’s important to stress that cyber insurance is not just about covering the losses associated with a data breach. It’s much broader than that and provides cover for a whole host of cyber related risks, ranging from theft of funds and cyber extortion to system damage and business interruption. In fact, almost a third of CFC’s cyber claims are a result of the theft of funds, which is a significant risk for almost any business, regardless of how much data they hold.

Secondly, for those organisations that do collect or deal with consumer data and are purchasing cyber insurance as part of their risk management strategy, there is a danger of focusing on data breaches to the exclusion of everything else. Unfortunately, we’ve seen a number of organisations purchase their policy limits based on the estimated cost of a data breach to their business (going off the number of records that they hold), and this can leave them woefully underinsured when other, non-privacy related events occur. For example, we recently dealt with a claim where a hospital fell victim to a destructive malware attack on their systems and incurred $7.1 million in system damage and business interruption costs, but they had only purchased a $5 million limit because they had primarily focused on the impact of a data breach on their business. You can read more about this case here.

The key message, then, is that brokers should look at the whole range of cyber risks that their clients may face when they are considering or purchasing cyber insurance, rather than focusing narrowly on data breaches.

Business interrupted: Part one

Today, business interruption in cyber insurance policies is back in a big way. To explore this growing risk, we’re running a three-part blog series on the subject exploring the many ways in which BI cover is essential for modern businesses, and key things brokers and clients should look out for. Today’s post examines the value of longer indemnity periods.

When the first cyber insurance policies emerged in the late 1990s, aimed at the first breed of dotcom companies, system business interruption was one of the primary drivers of these products. These were companies that had a reliance upon technology that had yet to become commonplace in the rest of the business world. They transacted business super quickly; their day-to-day operations were models of digital efficiency; and they were completely at the mercy of their systems’ performance.

Unfortunately the dotcom boom soon turned to bust, and those first buyers of cyber insurance disappeared along with the products that they purchased. With the passage of the first breach notification laws in California, however, the cyber insurance market was reborn, but the main focus of these policies was no longer system business interruption but the cost of handling a data breach. Since then, the cyber landscape has been dominated by privacy risk and only recently has the issue of cybercrime come to rival it for attention in cyber wordings.

We’ve now come full circle and system business interruption is back at the forefront. At CFC, we’ve seen a consistent increase in the volume of system business interruption losses year-on-year for the past five years, and they’re becoming some of the most severe losses that we now pay. The problem is that, until very recently, this cover has been massively overlooked by the market. BI cover in cyber policies hasn’t matured in the same way that data breach covers have, and this has resulted in a lack of standardisation around BI in policy wordings, with a wide range of different approaches being adopted by insurers. This lack of uniformity can be confusing for both customers and brokers and it’s worthwhile looking at some of the common areas where problems can arise.

Take indemnity periods as a case in point. In a typical business interruption policy relating to property damage, the insured would be indemnified until they were back to the same financial position that they would have enjoyed had it not been for the loss.

To illustrate this point, let’s take a look at a topical example. You may have seen on the news that Primark, a multinational clothing and accessories retailer, recently suffered from a major fire at their store in central Belfast, Northern Ireland. Whilst they are unable to use this building, they will suffer from a reduction in sales. But even once they are able to use the building again, they won’t immediately start trading at the same level that they would have had the fire not taken place. After all, they will need to re-stock the premises, re-engage with their suppliers and re-attract customers who may have started shopping elsewhere. This is why their business interruption policy won’t stop paying out once the building has been rebuilt and is fit for use again. It will continue to pay until the business is operationally sound and has returned to the same financial position they would have been in had the fire not occurred (up to the maximum indemnity period).

To put this into a cyber context, business interruption cover should protect you not only for the period that your computer systems are down, but until your business has returned to the financial position that you would have enjoyed if the system outage hadn’t occurred. What defines the indemnity period is still a huge area of inconsistency amongst cyber policies, especially in those territories where the cyber insurance market is less mature.

Indemnity periods on cyber policies typically work in one of three ways:
1) The policy will reimburse the loss only for the time that systems are down and not actually functioning. As soon as the systems are up and running again as normal, the policy stops responding and no more money is payable to the insured.
2) The policy will reimburse the loss for the time that systems are down, as well as continuing to provide cover after the systems have been restored to their normal functionality for an arbitrary number of days.
3) The policy will reimburse all losses (including those incurred once systems are up and running again) that fall within the indemnity period, up until the point that the insured has returned to the same financial position that they would have enjoyed had the system outage not occurred.

Graphic: Business interruption and indemnity periods

Depending on the type of policy an insured has purchased and the nature of their business activities, that could be a difference of hundreds of thousands, if not millions, of dollars that they may or may not have reimbursed, solely determined by the way in which the indemnity period operates. Typically, the third option shown above is the most beneficial for insureds.

At CFC, the most severe system business interruption claims that we’ve come across have seen the insured in question still losing revenue for a substantial period of time after their systems were back up and running. Therefore, making sure that an insured has an indemnity period that is long enough to deal with any business interruption losses that may occur after their computer systems have been restored is key.

To read our cyber claims case study on how a property management firm benefited from a longer indemnity period, click here.

Cyber claims case study: Software shutdown

This month’s cyber insurance claims case study tells the story of a property management company that fell victim to a ransomware attack, putting an end to their primary software system.

Fortunately, their CFC cyber insurance policy helped to cover the costs of implementing a new software system, including large-scale data re-entry, as well as the shortfall in income caused by customers cancelling their contracts as a result of the cyber event and the service performance issues that stemmed from it. Read the full case study here.

The key takeaway points are as follows:

  • Cyber insurance policies have historically offered relatively short indemnity periods under the business interruption section – usually 3-6 months as standard. However, it is becoming increasingly clear that the operational impact of a cyber event can be felt for much longer than a 3-6 month period would allow for.
  • In this instance, the full reputational impact of the cyber event was not felt until after the 3-6 month indemnity period that you would find on many cyber insurance policies. The policyholder had a 12-month indemnity period in place and this enabled them to pick up the majority of their business interruption loss under the policy. Had the insured only had a 3 month indemnity period, however, they would not have been covered at all, as all of the cancelled contracts fell outside of this period.
  • Businesses that receive their income on a contractual basis could be more exposed to BI losses, as the cancellation of monthly or annual contracts could very quickly result in sizeable financial losses being incurred. Businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their policy.
  • Having legacy systems in place could also increase a business’s exposure to a cyber event. The fact that this insured used a superannuated software system meant that they were especially vulnerable, as it soon became clear that it was not possible to restore their software and resume their normal service. Other businesses might have had their server encrypted in just the same way, but if they were using modern software packages they would most likely have recovered much more quickly.

Want to learn more about business interruption and indemnity periods? Read the first post in our BI blog series here.

CFC wins four at the Cyber Rankings Awards

Last week, CFC attended the second annual Insurance Insider Cyber Rankings Awards in London. Based on the results of the publication’s Cyber Rankings Survey, these awards recognise the achievements of the market’s rising stars, most skilled practitioners, and most highly regarded companies.

We’re proud to announce that CFC won in four of the five underwriting categories, including two individual awards. Cyber Underwriter Matthew Lewis won in the Rising Star Underwriter category, and Corporate Cyber Practice Leader Andrew Prendergast won in the Cyber Underwriter of the Year category. For anyone who has worked with either, you’ll know they are greatly deserved. We’re so proud to have them on our team!

CFC’s Incident Response App, which provides policyholders with easy access to our 24/7 global cyber incident response centre, also won in the Cyber Innovation of the Year (underwriting) category. The app allows users to report incidents, notify claims and request urgent assistance at any time of the day or night.

Last but not least, CFC was voted Cyber Underwriting Firm of the Year for the second year running.

Thank you to Insurance Insider – the survey facilitators and event hosts – and to everyone who voted for us! We’re incredibly honoured.

FUNDS TRANSFER FRAUD – OLD TRICKS, NEW TACTICS

Social engineering involves the use of deception to manipulate individuals into carrying out a particular act, such as transferring money, handing over confidential information or clicking on a malicious link, and it’s causing serious financial harm to businesses all around the world. According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide due to funds being transferred following social engineering scams. Indeed, funds transfer fraud as a result of a social engineering scam is CFC’s primary source of cyber claims, making up 30% of claims by volume in 2017, and it shows no signs of abating.

FROM THE TROJAN HORSE TO FUNDS TRANSFER FRAUD

Social engineering is nothing new. In fact, it’s as old as human history. For example, consider the tale of the ancient Greeks cunningly tricking the Trojans into letting a wooden horse full of troops into their city. Or take the more recent, real world example of Victor Lustig, who in the 1920s pretended to be a French government minister and managed to successfully convince a number of scrap metal dealers that he was selling the Eiffel Tower.

But this age-old method of trickery is no longer confined to skilful con artists plying their trade in the real world. With the advent of the technological revolution over the past two decades, there has been a veritable explosion of social engineering scams in the digital sphere, and these can take a number of different forms.

One of the most common types of social engineering is CEO fraud. This is typically where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason (often in the guise of fulfilling an overdue payment to a supplier). More often than not, the senior executive in question will have had their email account compromised, but you don’t even need to be hacked in order for this kind of fraud to be carried out. Some fraudsters will go off publicly available information, finding out what the CEO’s email address is and amending it slightly before targeting a junior employee in the finance department who’s often inexperienced and eager to impress his or her seniors. Many fraudsters will monitor social media to see when the CEO or senior executive is away from the office to reduce the likelihood of having their scam uncovered.

Not all social engineering scams involve emails, though. At CFC, we recently dealt with a claim where a law firm had been contacted by what they thought was their bank and informed that there was suspicious activity on their account. The callers asked the firm to change their account details over the phone, thus allowing the fraudsters to gain access to the account and siphon off $89,000 to mule accounts.

Sometimes it’s not even the business in question that gets hit directly, but their customers. Phishing of customers involves fraudsters impersonating an organisation, contacting their customers or one customer in particular and requesting that payment be made for a specific reason. The scam usually works when the email account of either the business in question or one of their customers is compromised. Fraudsters then use the information contained within the email account to find out when a particular financial transaction is likely to occur and then impersonate the business in order to intercept the transaction. Even if it’s the customer’s email account that has been compromised, they will often pursue the business that has been impersonated for reimbursement, as it is their identity that has been used to carry out the fraudulent act.

Another method used by cybercriminals to carry out funds transfer fraud is through the electronic manipulation of documents. One claim that we handled at CFC involved a plastics manufacturer whose computer systems were hacked. This allowed the fraudsters to access the invoice payment templates that were sent out to their customers. The fraudsters changed the bank details on the form so that when they were issued to customers, the payment simply went to the fraudsters’ account rather than our insured’s. Some $140,000 was transferred to the fraudsters before the insured realised what had happened.

WAYS TO FIGHT THE FRAUD

Whilst you can never totally eliminate the risk of funds transfer fraud, the good news is that there are a number of ways for businesses to mitigate the risk, including the following:

Call back procedures – Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the request is validated by having a member of the finance department call the person or company requesting the change on a pre-verified number to confirm that it is legitimate. Introducing such procedures is a simple but effective way of reducing the risk of funds transfer fraud. In fact, the vast majority of the funds transfer fraud claims that we see at CFC would not have occurred had robust call back procedures been in place and complied with.

Multi-factor authentication on email accounts – One of the primary factors influencing funds transfer fraud is the compromise of business email accounts. Multi-factor authentication can improve the security of web-based email accounts by requiring an additional verification step for any external connection to email, such as a code generated by a mobile app or through an SMS message. Most email systems provide multi-factor authentication and will allow users to establish “trusted devices” to reduce the inconvenience of entering a code every time they log in.

Training – Human error plays a crucial role in the vast majority of phishing scams, but raising awareness of funds transfer fraud and training employees to recognise such scams can go a long way to reducing the risk of financial harm. A number of educational tools are available that can help protect businesses from social engineering attacks, including those that allow businesses to send out fake phishing emails to test employees and better prepare them for a real life incident. Such tools are available to CFC cyber policyholders through the CFC cyber portal.

A VALUABLE SAFETY NET

Even with risk management measures such as these in place, however, businesses should be aware that fraudsters are always looking for new ways to scam people and their tactics are becoming increasingly sophisticated. It’s therefore impossible for any business to be completely impervious to these kinds of attacks. This is why cyber insurance should be a part of any prudent organisation’s risk management programme, acting as a safety net should the worst happen.

CFC launches cyber insurance guide for brokers at BIBA 2018

Specialist insurance provider behind BIBA’s cyber insurance scheme, CFC, will be launching its new BIBA Cyber Guide at BIBA 2018.

While one of the most talked about topics in business insurance, cyber insurance also seems to be one of the most misunderstood. CFC’s new guide aims to cut through the jargon and buzz words and bring simplicity to what has long been considered a complex line of business.

NOW AVAILABLE: Click here to read the BIBA Cyber Guide

“Cyber insurance policies tend to be modular in nature, consisting of a variety of different coverage areas so it’s no wonder that this has led to confusion around what they cover and how they work,” says James Burns, Cyber Product Leader at CFC. “We’ve worked with BIBA to produce this straightforward guide providing brokers with clear information about what cyber is all about and how they can articulate it to their clients.”

CFC’s BIBA Cyber Guide gives brokers simple information about what cyber actually means and how this area of insurance has evolved. It covers the types of cyber risks and types of cyber claims, drilling down into how a policy responds and providing brokers with some valuable tips on how they can overcome the most common objections they face when discussing cyber with their clients.

To guide brokers through the cyber maze, Graeme Newman, CFC’s Chief Innovation Officer, will be talking through the new BIBA Cyber Guide in a Seminar Session at 10.40am on Thursday 17 May. He will be joined by Richard Hollis, CEO, Risk Factory, who will share his perspective on cyber threats.

CFC’s International Cyber Team Leader, Lindsey Nelson, will also be helping young brokers to build their cyber knowledge at the Young Broker Session at 12 noon on Thursday 17 May. Specialising in cybercrime as it pertains to companies across various industry sectors, Lindsey will discuss the real cost of cyber incidents in the UK and preventative risk management practices that companies can introduce.

Delegates will also have the opportunity to meet CFC’s underwriting experts managing both the BIBA cyber and product recall schemes on stand B51 to find out more about each proposition and the benefits they deliver to BIBA members and their clients, as well as the many other specialty products available from CFC.

CFC tops the charts in the Insurance Times Cyber Product Report 2018

We are proud to have taken the top spot in this year’s Insurance Times Cyber Product Report. Our cyber policy achieved the highest score in the review test, scoring 90 out of 100 points, and marking us out as the only provider to receive the publication’s superior cover rating – with the highest level of coverage available for the SME market.

We were called out in particular for the wide range of risks that we cover (the broadest of all the policies reviewed for this report), insuring against everything from business interruption to reputational damage following a breach. Given the pace at which cyber risk is evolving, maintaining up-to-date and relevant coverage is a constant focus for our team.

Our policy also received particular recognition for the fact that it does not include exclusions for cyber events arising from terrorism or socially motivated hacking, nor an aggregate limit that would otherwise restrict cover in the event of multiple cyber breaches within a single policy period.

Some of the additional benefits that we offer, extending above and beyond the rating criteria used in this report, are:

– Enhanced cyber crime definitions that include cover for theft of funds.

– Provision of a range of crisis management and other incident response services, such as forensic IT investigations, legal services, breach notification and crisis communications, as well as a dedicated app that provides 24/7 access to CFC’s global cyber incident response centre.

Beyond this, we are particularly pleased to have been recognised for our “clear and concise” policy wording. This is so important, and core to our DNA. A commitment to simplicity avoids any confusion around which scenarios are covered and which are not.

As the nature of crime changes, so too must insurance policies. We’re on it – and leading the way.

Click here to read the 2018 Report

This report was reproduced with permission from Insurance Times. All rights reserved. No part of this publication may be reproduced or transmitted in any form, by any means, electronic or mechanical, including recording, photocopying or any information storage or retrieval system, without written permission from the publisher.

Royal Accolade for CFC Underwriting

CFC is proud to announce that Her Majesty The Queen has approved the Prime Minister’s recommendation that CFC should receive a Queen’s Award for Enterprise in the International Trade category.

Winners in this category are recognised for having demonstrated a substantial and sustained increase in export earnings over three consecutive 12-month periods, to a level which is outstanding for the products and services concerned, and for the size of the organisation.

With a track record of pioneering emerging risks and disrupting inefficient insurance markets, CFC has grown to become one of the fastest growing specialist insurance providers in the UK. From just one office in the City of London, the business provides its range of insurance products exclusively through authorised insurance brokers in over 75 countries around the world.

CFC was previously awarded a Queen’s Award for Enterprise in International Trade in 2013.

“Speaking on behalf of the entire team, we are incredibly honoured to once again be recognised by Her Majesty The Queen for our contribution to UK business in achieving substantial growth in overseas earnings,” says David Walsh, CFC’s founder and CEO. “We are an insurance exporter in the truest sense of the word. We don’t set up local operations or buy up the competition, we export. Last year we brought in over £150m in premiums to the UK from overseas customers who would normally have purchased their insurance locally.”

“At CFC, we are very proud that today 60% of our business is owned by management and staff. Our success lies in their passion, entrepreneurialism, dedication and sheer hard work to deliver remarkable products and service. This award recognises their efforts. I couldn’t be more proud of them and firmly believe that by continuing to support these qualities in our team, we will achieve our business goals.”

The Queen’s Awards for Enterprise have been operating in various forms since 1966, developing over the years into the UK’s most prestigious business accolade. Today, the Awards are widely recognised as a highly valued mark of excellence across many sectors in a diverse and competitive business market.