This month’s cyber claims case study is “Quick Fix Complication.” This tells the story of a US-based healthcare service provider that fell victim to a ransomware attack.

Thanks to CFC’s in-house incident response team, the healthcare service provider managed to avoid a costly notification to their entire patient population and the consequential reputational harm that may have arisen from such a notification.

The key takeaway points are as follows:

  • It is essential that, when a ransomware attack or any other cyber event occurs, policyholders engage their cyber insurance provider as soon as possible. By doing so, a co-ordinated response to the event can be devised and any evidence that may become crucial later on can be preserved from the outset.
  • The cyber insurance market is becoming increasingly competitive, with new carriers regularly entering the market. Businesses should be aware, however, that not all insurers are alike, and the skills and expertise that a well-established, experienced cyber insurer can bring can make a big difference, especially when making a claim.
  • By having our in-house incident response team with specialist knowledge of cyber security and forensics, we were able to prevent the policyholder’s claim costs from escalating and ensured that the organisation’s reputation didn’t suffer unnecessarily. If they had been with a less experienced cyber insurer without a dedicated in-house incident response team, they may have gone ahead with the breach notification process.

You can download the case study here.

Webinar: Beyond the Breach

Yesterday James Burns, Cyber Product Leader at CFC, held a webinar focusing on one of our cyber claims case studies.

We took a deep dive into Beyond the Breach – Hospital Faces Huge Operational Disruption which details a malware attack that left a small hospital reeling and how our policy helped get the hospital operational again.

You can watch the webinar here and download the slides here.

Keep your eyes peeled for more cyber webinars coming soon!


Cyber Insurance Guide

As we become increasingly reliant on technology, the potential impact of cyber-related incidents continues to grow. Yet the cyber insurance market is relatively new in comparison with other lines of cover.

This straightforward guide explains how cyber risk and insurance have evolved and how a good cyber policy addresses these modern exposures.

“Cyber” is one of the most talked about topics in business, insurance and media but also seems to be one of the most misunderstood. And with good reason – it is an area associated with jargon, buzz words and what feels like a whole lot of complexity.

This is largely down to the fact that the development of cyber insurance has historically focused primarily on third party privacy exposures. At the same time, traditional insurance policies have tried, but rarely succeeded, in addressing cyber risks; this has left clients believing many exposures are covered when they actually aren’t.

So what should we mean when we talk about cyber risk? What do clients need to protect themselves against? The real answer is crime. Technology has revolutionised the world for businesses and individuals alike, and the past twenty years in particular have seen monumental shifts in human behaviour directly linked to technological advancements. From the way we shop to the way we access bank accounts and book holidays, everyday life has changed fundamentally.

However, while the technology revolution has brought with it unparalleled levels of convenience and choice to millions of people across the globe, it has done the same for the criminal underworld. It is now far easier and far more lucrative for criminals to ply their trade digitally rather than physically. Cyberattacks are the modern crime and cyber insurance is the way to protect against them.

Download and read the full guide here.

Healthcare in Transit

As the elderly population in the US continues to grow, so too does the necessity for non-emergency medical transportation services to cater to this demographic in both urban and rural areas nationwide. The transportation services provided by these companies are vital to the accessibility of routine healthcare services and to the survival of patients who otherwise would not be able to make it to routine medical appointments. Potential barriers include a lack of mass transit options and significant distances to their providers. In addition, a patient’s physical disabilities and/or financial circumstances can further complicate access to these services.

The rising need for these services can be felt even more palpably in rural areas, as these geographic regions statistically contain a larger portion of elderly inhabitants than do urban areas, where providers are located at significantly closer distances. Further to this point, the geographic isolation of patients residing in rural areas typically carries with it the burden of more chronic health conditions, poverty and, consequently, poor health outcomes.

To highlight this point, studies have uncovered that nearly four million Americans have experienced some type of transportation complication which has led to them missing scheduled appointments. This also levies a devastating blow to healthcare providers, as no-show rates, in some instances higher than 30%, have cost providers more than $150 billion per year.

The impact of patients’ inaccessibility to affordable and convenient transportation services has not gone unnoticed by the tech industry, however, as we have recently seen on-demand transportation app giants Lyft and Uber make their entrance into the healthcare field. Lyft has partnered with the healthcare information exchange platform Allscripts to integrate “ride-hailing functionality” into the Allscripts database platform, which will allow nearly 200,000 providers to request transportation services for their patients through the Lyft application. Similarly, Uber has recently launched Uber Health, which deploys a comparable ride-hailing functionality for the patients of its partner healthcare systems, most notably MedStar and LifeBridge.

Uber and Lyft’s presence in healthcare transportation may well prove to be an effective remedy for an ailing community of patients who otherwise would have less access to healthcare appointments and quality outcomes. However, this does not come without the gleaming risk exposure that current and longstanding emergency and non-emergency medical transportation services are faced with on each and every patient transport. Perhaps the most prevalent source of claims faced by these companies is injuries sustained by patients during the loading and unloading phases of the transport. As many of the patients requiring these services have significant physical limitations, this puts the onus on the company to ensure that all employees have been properly trained to perform these tasks. Other sources of claims in this class which may lead to a bodily injury sustained by the patient(s) in transit include, but are not limited to, collisions with other vehicles or objects, failing to secure or improperly securing a patient to their seat, failing to properly secure wheelchair-bound patients, the improper use of chair lifts and potentially leaving patients unattended in extreme or unsafe conditions.

With these risk factors in mind, it will be the responsibility of tech companies like Lyft and Uber, and surely many others who follow suit, to ensure that they are employing competent, well-trained and vetted employees who only provide transportation services to patients that are in line with the safety installations of the vehicle they are operating, such as four-point tie-downs for wheelchair- and stretcher-bound patients.

Overall, this industry class will only continue to be relied upon as a necessity in the years to come, and it is of primary importance for providers in this space to hold their employees to the highest standards of training and risk mitigation. Non-emergency transit appointments have the potential to quickly escalate into emergency transports due to an unexpected change in the patient’s condition along the way which, if not properly handled, can lead to a delay in services that may subsequently lead to a loss of life. It is also crucial for insurance brokers who will be placing coverage for non-emergency medical transit companies to fully understand the risk exposure presented by these companies and to ensure that the carrier will not be excluding claims for some of the fundamental services provided, such as loading and unloading.

California Consumer Privacy Act of 2018

At the end of June, California state legislators passed the California Consumer Privacy Act of 2018. Coming into effect on January 1st 2020, the act is set to bring in a number of data protection requirements and new consumer rights similar to those enacted by the EU’s General Data Protection Regulation.

However, amid all the noise about the bill’s passing, one crucial area of the act appears to have been given surprisingly little attention – California has established a minimum cash amount that victims of a data breach could expect to receive should they pursue damages.

The act stipulates that consumers whose unencrypted or unredacted personal information has been subject to unauthorised access, exfiltration, theft or disclosure, as a result of a business’s failure to implement and maintain adequate security standards, will be able to claim damages of $100 as a minimum and $750 as a maximum per incident, or actual damages, whichever is greater.

The law will apply to organisations that are run for profit, do business in California and meet one or more of the following thresholds:

  • Annual gross revenues in excess of $25 million;
  • Annually buy, sell or share the personal information of 50,000 or more consumers, households or devices;
  • Generate 50% or more of annual revenues from the selling of consumers’ personal information.

This particular part of the act marks a change of fundamental importance for a number of reasons. First, it will almost certainly increase the financial exposure that businesses face as a result of a data breach. Now, even a relatively small breach of, say, 1,000 records could result in statutory damages of $100,000-$750,000 being claimed.

Secondly, it is likely to lead to a big uptick in class action cases in general. To date, claimants in data breach class actions have often struggled to demonstrate standing as it can be difficult to prove what, if any, financial harm might be experienced as a consequence of a breach. For smaller breaches, this has meant less impetus on the part of plaintiff attorneys to bring class actions.

But with the law now enshrining minimum statutory damages for certain data breaches and with affected consumers knowing that they might stand to receive up to $750, we could see a proliferation of class action cases when the act comes into force from opportunistic lawyers looking to get involved in lucrative cases. Importantly, this could lead to a surge in class actions resulting from smaller breaches in particular.

Finally, the act sets a precedent. Back in 2003, California was the first state to introduce breach notification laws. Now, just 15 years later, every state in the union has implemented such laws. Could this act mark the beginning of minimum statutory damages being introduced elsewhere? If history is anything to go by, it shouldn’t come as a surprise if similar acts become more widespread.

For further information:

Insurance and the digital health revolution

Timothy Boyce, US Healthcare Team Leader, CFC

Healthcare is about to change beyond recognition. A host of technologies are uniting to transform the way we treat patients and develop cures – from artificial intelligence to remote patient monitoring and interactive telemedicine services.


According to Rock Health, $1.6bn of funding flowed into the eHealth sector during the first quarter of 2018, exceeding comparable investment marks for the previous two years. The principal driver is deregulation. In the last twelve months we’ve seen the formation of the Chronic Care Act, which will pave the way for greater use of technology in healthcare, and the VETS Act, which allows providers to treat veterans across state lines using telehealth. The next segment will be the Opioid Crisis Act, which promises to put an end to a crisis with the assistance of telemedicine, digital pills and analytics tools.


The FDA have also played a key role in the rise of digital healthcare. In their budget for 2019, Scott Gottlieb stated that ‘we’re seeking to advance a new paradigm in the regulation of digital health technology that I believe will allow us to grow this promising field more quickly’. This of course was in reference to their Pre-Cert Pilot Program, which will aim to look at the software and/or digital health technology developer, rather than primarily at the traditional medical product/device. Since then they’ve also approved a ‘trackable’ pill which is linked to a patch and a smartphone to detect medication compliance.


As the healthcare and technology sectors continue to intertwine, practitioners and companies operating in the digital health space will start to experience a wider range of risks, from misdiagnosis of medical conditions due to the distortion of x-ray images sent using store-and-forward technology, to incorrect readings of glucose monitors leading to patient harm. We’ve even seen 450,000 women in England who were not invited for a routine breast cancer screening because of a ‘computer error’. The risks are present, real and getting harder to predict. A recent study cited that the FDA reported receiving information on 260 incidents with potential for patient harm, including 44 injuries and six deaths, all arising from technology-related healthcare incidents. It was also reported that almost 25% of 176,409 medication errors notified to US Pharmacopeia were technology-related.


So what does this mean for the insurability of practitioners and companies operating in eHealth? Well, in short, it becomes problematic. Medical malpractice insurers are rightly concerned about the potential for patient harm arising from technology-related errors, not to mention the lack of credible data to nullify their concerns about it eroding their profit margin. As a result, their policy triggers have stayed eye-wateringly static despite the global rise of technology within healthcare. Technology E&O insurers will only extend to losses arising from ‘technology activities’ and are loath to offer any form of bodily injury cover, whether on a primary or contingent basis, and cyber insurers, quite simply, explicitly exclude all forms of bodily injury.


A dearth of affirmative coverage is therefore present in the insurance industry for traditional healthcare providers and digital health companies alike. This has already and will continue to lead to grey areas being present within insurance placements. The knock-on effect of this will be finger-pointing between three or more insurers over the proximate causation of the loss: was it a healthcare incident, technology error or cyber event? Absent any case law, and despite the litany of disclaimers, clients will then subsequently be required to pay three different deductibles and may even run the risk of having no coverage whatsoever. The debate will then intensify about who makes the ultimate decision on patient care, the technology or the traditional healthcare provider?


With these sentiments in mind, the insurance industry is on the cusp of a more modernized approach for healthcare providers. As the shift in healthcare delivery continues, it will become increasingly crucial for agents and wholesale brokers to advise their clients of these potential pitfalls in standard insurance policies, and to source bespoke insurance products tailored to meet clients’ refreshed needs and demands.


If you would like to download, print or share this article, you can do so here.


Is this the perfect modern-age insurance model?

by Bethan Moorcraft 06 Jul 2018

In the heart of London’s historic insurance district and nestled in the shade of the iconic Lloyd’s building lies the office of CFC Underwriting – a bright and busy space home to more than 200 staff selling commercial insurance products to thousands of businesses in over 75 countries.

Backed by Lloyd’s, CFC has grown into one of the largest independent MGAs in the world, with a focus on emerging risks like cyber, transaction liabilities and intellectual property insurance.

Cyber insurance is CFC’s hottest market worldwide, and it’s a product line that keeps on growing and growing, especially in North America. The firm writes about 15% of all cyber insurance business in Lloyd’s and has the largest cyber underwriting team in the London market. CFC’s cyber business grew at over 60% last year, outpacing growth in most international markets.

Approximately 50% of CFC’s gross written premium (GWP) is placed in the US, at just over $300 million, and a further 20% of its premium is written in Canada. So, just over 70% of CFC’s business takes place in North America, and yet the firm only has one office in the center of Leadenhall, London.

“In this day and age, I think it’s possible to have a local presence without having an office in every location where we do business,” said Graeme Newman, CFC’s chief innovation officer. “We have the technology at our fingertips to be able to communicate quickly with someone in any country and at zero cost. A lot of our brokers feel like we’re a local market because we travel a lot and conduct frequent in-person meetings. They have access to us almost 24/7, which shows we can do a lot from this one office.

“It’s the perfect model. If we can continue to scale this business at the rate it’s growing from one office, then that’s what we’ll do all day long, because it’s the most efficient way to do it.”

CFC was founded in 1999 during the dot-com boom, with the original idea of selling cyber insurance online. But the firm was almost too visionary for its own good, as almost nobody bought cyber insurance or commercial insurance online in 1999, so they redefined the company as a traditional MGA with a focus on cyber and technology professional liability.

Fast-forward almost 20 years and future-savvy CFC has embraced the technological capabilities first envisioned at its genesis, and is using that to connect Lloyd’s capacity to consumers around the world in the most efficient way possible. Newman describes the business as “the accessible face of Lloyd’s.”

“We’re 100% broker intermediated. We’re trying to challenge old-school insurance thinking and use technology to help our brokers become as efficient as possible,” Newman told Insurance Business. “When we’re trading in lots of overseas markets, we’ve got to turn business around fast, which means our service has to be the best. I truly believe that even here from London, we can get a quote to someone in New York or San Francisco faster than anyone else can, and that’s because we obsess about our service standards.”

Of course, international insurance markets have different qualities, which some might argue require insurers to have people constantly on the ground. For example, buying cultures in the US, Canada and the UK are completely different, and CFC has to navigate this from one central location. The Canadian market has been relatively slow to adopt online trading and the US market is riddled with complex state-by-state regulations and heavy commission-based agency sales models. The UK, on the other hand, has been a front-runner in online insurance trading for some years.

Newman commented: “I think we’re well positioned on a global basis to start bringing some of the online trading capabilities so favored in the UK to other overseas markets as they start to make the change.”

From Insurance Business

Cyber Claims Case Study: Beyond the breach – hospital faces huge operational disruption

Healthcare providers, like any business, are exposed to a range of cyber exposures, including malware attacks, which can have a devastating impact on their operations, especially in relation to system damage and business interruption costs.

In this month’s cyber claims case study we have reviewed a malware attack at a small hospital and how our policy assisted with making the hospital operational again. While many cyber policies exclude physical property and hardware replacement costs, the hospital’s cyber policy from CFC provided cover for these items.

Here are a few key points from the case study:

  • Healthcare organisations have often seen their cyber risk as being primarily about data breaches, but the impact of other cyber events like malware attacks can be just as severe.
  • Any business that relies on computer systems to operate can have a substantial exposure, particularly when it comes to system damage and business interruption costs.
  • Some cyber insurance policies only cover data breaches, but it’s important to also consider the operational interruption costs that could be incurred by a destructive malware attack.

Read the full case study here and look out for our next Cyber Claims Case Study next month.

CFC’s dedicated policy for nutraceutical companies

Interest in health and nutrition-related products is on the rise, making nutraceuticals an exciting and emerging industry.

In fact, experts believe that by 2021, the nutraceutical industry alone will be worth $279bn.* An aging baby boomer generation combined with rising awareness about the benefits of a healthy lifestyle, especially among millennials, is driving this growth.

It’s clear that the evolution of this industry represents a huge opportunity for businesses involved in the manufacture and distribution of nutraceutical products. However, this inevitably comes with increasing exposures such as bodily injury or the threat of a publicised recall of a contaminated product.

CFC’s dedicated policy for nutraceutical companies can help manage these risks and provide peace of mind. Read our brochure for full details.

CFC’s Life Sciences policy is designed to cover the full breadth of unique risk exposures faced by Life Science businesses. This innovative insurance product allows companies along the entire Research & Development chain to secure their funding streams and general business activities. Suitable for a range of companies from drug developers, CROs, CMOs and contract research service providers, our policy includes the below features and can be tailored to meet specific business needs.

Your top GDPR questions, answered

With GDPR now in force, we’ve addressed your most pressing questions to help you and your clients understand the complexities of the regulation.

GDPR came into force on 25th May 2018. To ensure compliance, any company involved with the collection of personal data needs to make significant changes to the way it collects, processes or documents that data. Whereas some privacy tools and procedures have previously been seen as good practice, they are now legally required. Fines for non-compliance can reach up to €20m or 4% of an organisation’s group worldwide turnover.

Whether GDPR applies to you, if it’s just about data breaches, are the fines insurable and whether your cyber / tech insurance policy covers it – it’s all your questions answered. You can read the full document here.

And don’t forget about your partners, especially if you’re a data processor. If you use sub-processors or contractors, they’ll need to comply with your contractual data protection obligations too. For more information on how the GDPR impacts data processors, view our quick guide.