Top five reasons to buy cyber

Making the case for cyber insurance, a relatively new type of cover, can be tough for brokers even if it’s clear that nearly all companies would benefit from it. So to help brokers make the argument for cyber insurance more easily, we’ve put together the top five reasons to buy cyber.

5. Cybercrime is the fastest growing crime in the world, but standard property or crime insurance policies can be restrictive in the cover they offer.
The widespread use of technology and the internet now means that your business is exposed to the world’s criminals and is vulnerable to attack at any time of the day or night. For example, social engineering scams are becoming a pandemic in the business world, leading to significant losses for companies of all types. Cyber insurance is at the forefront of protecting against this new wave of crime, providing cover for a wide range of electronic perils, from wire transfer fraud to ransomware.

4. Technology systems are critical to operating your day-to-day business but their downtime is not covered by standard business interruption insurance.
Almost all businesses rely on computer systems and other technology to conduct their core business, from electronic point of sales software to back office work flow management systems. In the event that these systems are brought down, a traditional business interruption policy would likely not respond. Cyber insurance can provide cover for loss of income and extra expense associated with a cyber event.

3. Data is one of your most important assets yet it is not covered by standard property policies.
Most businesses would agree that data or information is one of their most important assets and worth many times more than the physical equipment that it is stored upon. Yet most business owners do not realize that a standard property policy would not respond in the event that this data is damaged or destroyed. A cyber policy can provide comprehensive cover for data restoration and even re-creation in the event of a loss.

2. Complying with breach notification laws costs time and money.
Breach notification laws are now commonplace across many territories, and among other things, generally require businesses that lose sensitive personal data to provide written notification to those individuals that were potentially affected or risk hefty fines and penalties. Australia’s Notifiable Data Breaches Act, Canada’s Digital Privacy Act, Europe’s General Data Protection Regulation, and several US state laws make it a legal obligation to notify, and there is also a growing trend towards voluntary notification in order to protect your brand and reputation. Cyber policies can provide cover for the costs associated with providing a breach notice even if it’s not legally required, and can also cover the associated regulatory fines and penalties.

1. A good cyber policy provides access to a wide range of incident response services.
Responding to a cyber incident requires a range of specialists – from IT forensics firms to specialist PR agencies – that help deal with both the immediate aftermath as well as the longer term consequences of a cyber event. Small and medium sized businesses, in particular, are facing an uphill battle; not only are they increasingly being targeted by cybercriminals but they are also unlikely to have the range of required incident response specialists in-house. The good news is that cyber insurance can provide easy access to these services, helping companies more easily negotiate the changing face of crime.

Beware the data breach bear trap

Over the course of 2018, we have seen numerous pieces of data breach legislation come into force. Back in February, the Australian government enacted the Notifiable Data Breaches Act. In May, we saw the introduction of the EU’s General Data Protection Regulation (GDPR). In June, Alabama’s Data Breach Notification Act of 2018 came into force, meaning that all 50 states in the US now have data breach notification laws in place. And November will see the Canadian government bring in notification and record-keeping requirements as part of the Digital Privacy Act.

With all of these laws coming in to force, it’s understandable that brokers have given a lot of attention to their clients’ data breach and privacy exposures. However, while all this legislation is undoubtedly important in its own right, brokers and their clients shouldn’t see cyber insurance exclusively through this lens.

There are a couple of reasons for this. For a start, many businesses do not collect or deal with consumer data, so the argument that this legislation affects them and that they should buy cyber insurance to mitigate this risk is not one that will resonate. It’s important to stress that cyber insurance is not just about covering the losses associated with a data breach. It’s much broader than that and provides cover for a whole host of cyber-related risks, ranging from theft of funds and cyber extortion to system damage and business interruption. In fact, almost a third of CFC’s cyber claims are a result of the theft of funds, which is a significant risk for almost any business, regardless of how much data they hold.

Secondly, for those organisations that do collect or deal with consumer data and are purchasing cyber insurance as part of their risk management strategy, there is a danger of focusing on data breaches to the exclusion of everything else. Unfortunately, we’ve seen a number of organisations purchase their policy limits based on the estimated cost of a data breach to their business (going off the number of records that they hold), and this can leave them woefully underinsured when other, non-privacy related events occur. For example, we recently dealt with a claim where a hospital fell victim to a destructive malware attack on their systems and incurred $7.1 million in system damage and business interruption costs, but they had only purchased a $5 million limit because they had primarily focused on the impact of a data breach on their business. You can read more about this case here.

The key message, then, is that brokers should look at the whole range of cyber risks that their clients may face when they are considering or purchasing cyber insurance, rather than focusing narrowly on data breaches.

Business interrupted: Part one

Today, business interruption in cyber insurance policies is back in a big way. To explore this growing risk, we’re running a three-part blog series on the subject exploring the many ways in which BI cover is essential for modern businesses, and key things brokers and clients should look out for. Today’s post examines the value of longer indemnity periods.

When the first cyber insurance policies emerged in the late 1990s, aimed at the first breed of dotcom companies, system business interruption was one of the primary drivers of these products. These were companies that had a reliance upon technology that had yet to become commonplace in the rest of the business world. They transacted business super quickly; their day-to-day operations were models of digital efficiency; and they were completely at the mercy of their systems’ performance.

Unfortunately the dotcom boom soon turned to bust, and those first buyers of cyber insurance disappeared along with the products that they purchased. With the passage of the first breach notification laws in California, however, the cyber insurance market was reborn, but the main focus of these policies was no longer system business interruption but the cost of handling a data breach. Since then, the cyber landscape has been dominated by privacy risk and only recently has the issue of cybercrime come to rival it for attention in cyber wordings.

We’ve now come full circle and system business interruption is back at the forefront. At CFC, we’ve seen a consistent increase in the volume of system business interruption losses year-on-year for the past five years, and they’re becoming some of the most severe losses that we now pay. The problem is that, until very recently, this cover has been massively overlooked by the market. BI cover in cyber policies hasn’t matured in the same way that data breach covers have, and this has resulted in a lack of standardisation around BI in policy wordings, with a wide range of different approaches being adopted by insurers. This lack of uniformity can be confusing for both customers and brokers and it’s worthwhile looking at some of the common areas where problems can arise.

Take indemnity periods as a case in point. In a typical business interruption policy relating to property damage, the insured would be indemnified until they were back to the same financial position that they would have enjoyed had it not been for the loss.

To illustrate this point, let’s take a look at a topical example. You may have seen on the news that Primark, a multinational clothing and accessories retailer, recently suffered from a major fire at their store in central Belfast, Northern Ireland. Whilst they are unable to use this building, they will suffer from a reduction in sales. But even once they are able to use the building again, they won’t immediately start trading at the same level that they would have had the fire not taken place. After all, they will need to re-stock the premises, re-engage with their suppliers and re-attract customers who may have started shopping elsewhere. This is why their business interruption policy won’t stop paying out once the building has been rebuilt and is fit for use again. It will continue to pay until the business is operationally sound and has returned to the same financial position they would have been in had the fire not occurred (up to the maximum indemnity period).

To put this into a cyber context, business interruption cover should protect you not only for the period that your computer systems are down, but until your business has returned to the financial position that you would have enjoyed if the system outage hadn’t occurred. What defines the indemnity period is still a huge area of inconsistency amongst cyber policies, especially in those territories where the cyber insurance market is less mature.

Indemnity periods on cyber policies typically work in one of three ways:
1) The policy will reimburse the loss only for the time that systems are down and not actually functioning. As soon as the systems are up and running again as normal, the policy stops responding and no more money is payable to the insured.
2) The policy will reimburse the loss for the time that systems are down, as well as continuing to provide cover after the systems have been restored to their normal functionality for an arbitrary number of days.
3) The policy will reimburse all losses (including those incurred once systems are up and running again) that fall within the indemnity period, up until the point that the insured has returned to the same financial position that they would have enjoyed had the system outage not occurred.
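As an added worked example (not part of the original post), the following Python script computes what would be payable under each of the three indemnity-period models above for a constructed outage: ten days of full downtime followed by a month-long recovery tail. The daily shortfall figures, the 30-day extension under model 2, and the rule that "returned to the same financial position" means the first day with no shortfall are assumptions for illustration, not any insurer's wording. The `max_indemnity_days` cap on model 3 also shows how a short maximum indemnity period cuts off a loss that continues after restoration.

```python
"""Payable business-interruption loss under three indemnity-period models.

Added illustration: the figures are constructed and the recovery rule is a
simplifying assumption, not the wording of any actual policy.
"""
from typing import Sequence

# Constructed daily income shortfall for an outage starting on day 0.
# Systems are down for 10 days (full loss of income), then trade recovers
# over roughly a month as customers return.
SYSTEMS_DOWN_DAYS = 10
SAMPLE_SHORTFALL = [10_000] * SYSTEMS_DOWN_DAYS + [
    max(0, 8_000 - 250 * d) for d in range(40)
]


def payable_downtime_only(shortfall: Sequence[int], down_days: int) -> int:
    """Model 1: loss is reimbursed only while systems are actually down."""
    return sum(shortfall[:down_days])


def payable_fixed_extension(shortfall: Sequence[int], down_days: int,
                            extension_days: int) -> int:
    """Model 2: downtime plus a fixed number of days after restoration."""
    return sum(shortfall[:down_days + extension_days])


def days_until_recovered(shortfall: Sequence[int]) -> int:
    """Day on which the insured is back to its pre-loss financial position.

    Assumption for this illustration: the first day with no shortfall.
    If that never happens within the series, the whole series counts.
    """
    for day, loss in enumerate(shortfall):
        if loss == 0:
            return day
    return len(shortfall)


def payable_until_recovered(shortfall: Sequence[int],
                            max_indemnity_days: int) -> int:
    """Model 3: all loss until financial recovery, capped at the maximum
    indemnity period."""
    end = min(days_until_recovered(shortfall), max_indemnity_days)
    return sum(shortfall[:end])


def compare_models(shortfall: Sequence[int] = SAMPLE_SHORTFALL,
                   down_days: int = SYSTEMS_DOWN_DAYS,
                   extension_days: int = 30,
                   max_indemnity_days: int = 365) -> dict:
    """Side-by-side payable amounts for the same loss under each model."""
    return {
        "downtime_only": payable_downtime_only(shortfall, down_days),
        "fixed_extension": payable_fixed_extension(
            shortfall, down_days, extension_days),
        "until_recovered": payable_until_recovered(
            shortfall, max_indemnity_days),
        "total_loss": sum(shortfall),
    }


if __name__ == "__main__":
    for model, amount in compare_models().items():
        print(f"{model:>16}: {amount:>9,}")
    # A short maximum indemnity period caps model 3 in the same way a
    # short policy period cuts off losses that arrive after restoration.
    print("until_recovered, 30-day cap:",
          f"{payable_until_recovered(SAMPLE_SHORTFALL, 30):,}")
```

On the constructed series the gap between model 1 and model 3 is the whole recovery tail, which is the point the post makes: the same outage, reimbursed very differently depending only on how the indemnity period is defined.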

Graphic: Business interruption and indemnity periods

Depending on the type of policy an insured has purchased and the nature of their business activities, that could be a difference of hundreds of thousands, if not millions, of dollars that they may or may not have reimbursed, solely determined by the way in which the indemnity period operates. Typically, the third option shown above is the most beneficial for insureds.

At CFC, the most severe system business interruption claims that we’ve come across have seen the insured in question still losing revenue for a substantial period of time after their systems were back up and running. Therefore, making sure that an insured has an indemnity period that is long enough to deal with any business interruption losses that may occur after their computer systems have been restored is key.

To read our cyber claims case study on how a property management firm benefited from a longer indemnity period, click here.

Cyber claims case study: Software shutdown

This month’s cyber insurance claims case study tells the story of a property management company that fell victim to a ransomware attack, putting an end to their primary software system.

Fortunately, their CFC cyber insurance policy helped to cover the costs of implementing a new software system, including large-scale data re-entry, as well as the shortfall in income caused by customers cancelling their contracts as a result of the cyber event and the service performance issues that stemmed from it. Read the full case study here.

The key takeaway points are as follows:

  • Cyber insurance policies have historically offered relatively short indemnity periods under the business interruption section – usually 3-6 months as standard. However, it is becoming increasingly clear that the operational impact of a cyber event can be felt for much longer than a 3-6 month period would allow for.
  • In this instance, the full reputational impact of the cyber event was not felt until after the 3-6 month indemnity period that you would find on many cyber insurance policies. The policyholder had a 12-month indemnity period in place and this enabled them to pick up the majority of their business interruption loss under the policy. Had the insured only had a 3 month indemnity period, however, they would not have been covered at all, as all of the cancelled contracts fell outside of this period.
  • Businesses that receive their income on a contractual basis could be more exposed to BI losses, as the cancellation of monthly or annual contracts could very quickly result in sizeable financial losses being incurred. Businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their policy.
  • Having legacy systems in place could also increase a business’s exposure to a cyber event. The fact that this insured used a superannuated software system meant that they were especially vulnerable, as it soon became clear that it was not possible to restore their software and resume their normal service. Other businesses might have had their server encrypted in just the same way, but if they were using modern software packages they would most likely have recovered much more quickly.

Read the full case study here.

Want to learn more about business interruption and indemnity periods? Read the first post in our BI blog series here.

CFC wins four at the Cyber Rankings Awards

Last week, CFC attended the second annual Insurance Insider Cyber Rankings Awards in London. Based off the results of the publication’s Cyber Rankings Survey, these awards recognise the achievements of the market’s rising stars, most skilled practitioners, and most highly regarded companies.

We’re proud to announce that CFC won in four of the five underwriting categories, including two individual awards. Cyber Underwriter Matthew Lewis won in the Rising Star Underwriter category, and Corporate Cyber Practice Leader Andrew Prendergast won in the Cyber Underwriter of the Year category. For anyone who has worked with either, you’ll know they are greatly deserved. We’re so proud to have them on our team!

CFC’s Incident Response App, which provides policyholders with easy access to our 24/7 global cyber incident response centre, also won in the Cyber Innovation of the Year (underwriting) category. The app allows users to report incidents, notify claims and request urgent assistance at any time of the day or night.

Last but not least, CFC was voted Cyber Underwriting Firm of the Year for the second year running.

Thank you to Insurance Insider – the survey facilitators and event hosts – and to everyone who voted for us! We’re incredibly honoured.

FUNDS TRANSFER FRAUD – OLD TRICKS, NEW TACTICS

Social engineering

Social engineering involves the use of deception to manipulate individuals into carrying out a particular act, such as transferring money, handing over confidential information or clicking on a malicious link, and it’s causing serious financial harm to businesses all around the world. According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide due to funds being transferred following social engineering scams. Indeed, funds transfer fraud as a result of a social engineering scam is CFC’s primary source of cyber claims, making up 30% of claims by volume in 2017, and it shows no signs of abating.

FROM THE TROJAN HORSE TO FUNDS TRANSFER FRAUD

Social engineering is nothing new. In fact, it’s as old as human history. For example, consider the tale of the ancient Greeks cunningly tricking the Trojans into letting a wooden horse full of troops into their city. Or take the more recent, real world example of Victor Lustig, who in the 1920s pretended to be a French government minister and managed to successfully convince a number of scrap metal dealers that he was selling the Eiffel Tower.

But this age-old method of trickery is no longer confined to skilful con artists plying their trade in the real world. With the advent of the technological revolution over the past two decades, there has been a veritable explosion of social engineering scams in the digital sphere, and these can take a number of different forms.

One of the most common types of social engineering is CEO fraud. This is typically where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason (often in the guise of fulfilling an overdue payment to a supplier). More often than not, the senior executive in question will have had their email account compromised, but you don’t even need to be hacked in order for this kind of fraud to be carried out. Some fraudsters will go off publicly available information, finding out what the CEO’s email address is and amending it slightly before targeting a junior employee in the finance department who’s often inexperienced and eager to impress his or her seniors. Many fraudsters will monitor social media to see when the CEO or senior executive is away from the office to reduce the likelihood of having their scam uncovered.

Not all social engineering scams involve emails, though. At CFC, we recently dealt with a claim where a law firm was contacted by what they thought was their bank and informed that there was suspicious activity on their account. The callers asked the firm to change its account details over the phone, thus allowing the fraudsters to gain access to the account and siphon off $89,000 to mule accounts.

Sometimes it’s not even the business in question that gets hit directly, but their customers. Phishing of customers involves fraudsters impersonating an organisation, contacting their customers or one customer in particular and requesting that payment be made for a specific reason. The scam usually works when the email account of either the business in question or one of their customers is compromised. Fraudsters then use the information contained within the email account to find out when a particular financial transaction is likely to occur and then impersonate the business in order to intercept the transaction. Even if it’s the customer’s email account that has been compromised, they will often pursue the business that has been impersonated for reimbursement, as it is their identity that has been used to carry out the fraudulent act.

Another method used by cybercriminals to carry out funds transfer fraud is through the electronic manipulation of documents. One claim that we handled at CFC involved a plastics manufacturer whose computer systems were hacked. This allowed the fraudsters to access the invoice payment templates that were sent out to their customers. The fraudsters changed the bank details on the form so that when they were issued to customers, the payment simply went to the fraudsters’ account rather than our insured’s. Some $140,000 was transferred to the fraudsters before the insured realised what had happened.

WAYS TO FIGHT THE FRAUD

Whilst you can never totally eliminate the risk of funds transfer fraud, the good news is that there are a number of ways for businesses to mitigate the risk, including the following:

Call back procedures – Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the request is validated by having a member of the finance department call the person or company requesting the change on a pre-verified number to confirm that it is legitimate. Introducing such procedures is a simple but effective way of reducing the risk of funds transfer fraud. In fact, the vast majority of the funds transfer fraud claims that we see at CFC would not have occurred had robust call back procedures been in place and complied with.
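To make the procedure concrete, here is an added Python sketch of a payee-change check built around that rule (example code, not CFC’s or any bank’s system). The supplier directory, phone numbers and account strings are constructed placeholders; `dial` stands in for the finance team’s actual phone call and is assumed to return whether the supplier, reached on the pre-verified number, confirmed the new details. The one design decision worth noting is that a contact number quoted in the request itself is never dialled, only recorded as a warning.

```python
"""Call-back control for payee-change requests (added illustration).

Rule: a new or changed bank account is applied only after the finance team
phones the supplier on a number verified at onboarding, never on a number
supplied in the request itself.
"""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed directory of pre-verified supplier contacts. The numbers and
# account strings are placeholders recorded at onboarding, not from e-mail.
VERIFIED_CONTACTS: Dict[str, Dict[str, str]] = {
    "SUP-1001": {
        "name": "Acme Plastics Ltd",       # constructed supplier
        "phone": "+44 20 7946 0001",       # constructed, verified number
        "account": "GB00BANK00000001",     # constructed current account
    },
}


@dataclass
class PayeeChangeRequest:
    supplier_id: str
    new_account: str
    # Contact number quoted in the request itself (e-mail, invoice), if any.
    number_in_request: Optional[str] = None


@dataclass
class CallbackResult:
    approved: bool
    reason: str
    number_dialled: Optional[str] = None


def verify_payee_change(
    req: PayeeChangeRequest,
    directory: Dict[str, Dict[str, str]],
    dial: Callable[[str, str], bool],
) -> CallbackResult:
    """Decide whether a payee change may be applied.

    `dial(number, account)` is assumed to perform the call-back and return
    True only if the supplier reached on `number` confirms `account`.
    """
    entry = directory.get(req.supplier_id)
    if entry is None:
        # Unknown payees go through full onboarding, not a quick call-back.
        return CallbackResult(False, "unknown supplier; full onboarding required")
    if req.new_account == entry["account"]:
        return CallbackResult(True, "account unchanged; no call-back needed")

    warnings: List[str] = []
    if req.number_in_request and req.number_in_request != entry["phone"]:
        # A request offering its own "please call" number is a common fraud
        # tell; record it, but dial the directory number regardless.
        warnings.append("request quoted a number that differs from the directory")

    confirmed = dial(entry["phone"], req.new_account)
    if not confirmed:
        reason = "supplier did not confirm new details on verified number"
        if warnings:
            reason += "; " + "; ".join(warnings)
        return CallbackResult(False, reason, entry["phone"])
    return CallbackResult(True, "confirmed by call-back on verified number",
                          entry["phone"])


def apply_payee_change(
    req: PayeeChangeRequest,
    directory: Dict[str, Dict[str, str]],
    dial: Callable[[str, str], bool],
) -> CallbackResult:
    """Update the directory only when verification passed."""
    result = verify_payee_change(req, directory, dial)
    if result.approved and req.supplier_id in directory:
        directory[req.supplier_id]["account"] = req.new_account
    return result


if __name__ == "__main__":
    # Simulated call-back: the real supplier confirms only its genuine new account.
    def simulated_dial(number: str, account: str) -> bool:
        return number == "+44 20 7946 0001" and account == "GB00BANK00000002"

    genuine = PayeeChangeRequest("SUP-1001", "GB00BANK00000002")
    fraudulent = PayeeChangeRequest("SUP-1001", "GB00BANK00009999",
                                    number_in_request="+44 7700 900123")
    directory = copy.deepcopy(VERIFIED_CONTACTS)
    for request in (genuine, fraudulent):
        print(apply_payee_change(request, directory, simulated_dial))
```

In practice the `dial` step is a person making a phone call and recording the outcome, so the value of the code is in what it refuses to do: it never trusts the number or the account details carried by the request, and it makes no change until the directory number has confirmed them.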

Multi-factor authentication on email accounts – One of the primary factors influencing funds transfer fraud is the compromise of business email accounts. Multi-factor authentication can improve the security of web-based email accounts by requiring an additional verification step for any external connection to email, such as a code generated by a mobile app or through an SMS message. Most email systems provide multi-factor authentication and will allow users to establish “trusted devices” to reduce the inconvenience of entering a code every time they log in.

Training – Human error plays a crucial role in the vast majority of phishing scams, but raising awareness of funds transfer fraud and training employees to recognise such scams can go a long way to reducing the risk of financial harm. A number of educational tools are available that can help protect businesses from social engineering attacks, including those that allow businesses to send out fake phishing emails to test employees and better prepare them for a real life incident. Such tools are available to CFC cyber policyholders through the CFC cyber portal.

A VALUABLE SAFETY NET

Even with risk management measures such as these in place, however, businesses should be aware that fraudsters are always looking for new ways to scam people and their tactics are becoming increasingly sophisticated. It’s therefore impossible for any business to be completely impervious to these kinds of attacks. This is why cyber insurance should be a part of any prudent organisation’s risk management programme, acting as a safety net should the worst happen.

Cyber Claims Case Study: Reputational Repercussions – Online Retailer Grapples with Data Breach

This month’s cyber claims case study tells the story of an online retailer that had to notify over 90,000 customers following a breach of credit card details, leading to a damaged reputation and subsequent income loss. To find out how our policy responded, read the full case study here.

The key takeaway points are as follows:

  • As businesses become increasingly dependent on their computer systems to perform critical elements of their operations, it comes as no surprise that financial losses due to system outages are becoming both more frequent and severe. However, brokers and their clients shouldn’t focus solely on system outages when it comes to business interruption.
  • Often referred to as consequential reputational harm, business interruption as a result of a data breach is starting to impact many organisations and can be equally as disruptive as a system outage. In such cases, even though an insured may not have suffered any meaningful system downtime, they can suffer serious reputational harm in the eyes of their customers and suppliers, resulting in a subsequent drop-off in income.
  • The financial impact of a cyber incident can be long-lasting and the value of having longer indemnity periods in cyber policies is becoming increasingly apparent. The insured’s policy with CFC had a 12-month indemnity period in place, but many cyber policies only offer 3-6 month indemnity periods as standard. In this case, had the policyholder only had a 3 month indemnity period, they would only have been eligible to claim for three months’ worth of lost profits rather than 12.

Although the insured was based in the US, the importance of having reputational harm cover will become increasingly relevant to most organisations outside of the US as well. The notification requirements introduced by the GDPR, the Notifiable Data Breaches Scheme in Australia and the Digital Privacy Act in Canada will mean that notifying customers of data breaches will become more common and the risk of consequential reputational harm will increase.

Read the full case study here.

Webinar Registration: Backup Breakdown

Join us on Wednesday 29 August as we explore how an engineering firm lost access to all of its data – including technical drawings, prints and complex design specifications – as the result of a cyber incident in this deep dive of our cyber claims case study. 

In this webinar, you’ll learn:

  • How a small engineering firm was impacted by the global WannaCry ransomware attack
  • How their loss was compounded by a failure in their back-ups, resulting in the firm losing 3 years’ worth of data
  • How CFC’s cyber insurance policy helped calculate and cover the financial loss associated with data re-creation

You can read the case study here.

Sign up for the session in your time zone today!

UK | 11am BST | Wednesday 29 August

Canada | 12pm EDT | Wednesday 29 August

US | 12pm EDT | Wednesday 5 September

Webinar: Top Cyber Insurance Myths Debunked

Today, Lindsey Nelson, International Cyber Team Leader at CFC, held a webinar on debunking the top six cyber myths.

We explored common cyber insurance misunderstandings and objections we hear from clients, and how to overcome them.

We also have a handy article you can download here.

UPCOMING CYBER WEBINARS:

UK | Cyber Claims Case Study: Backup Breakdown – Engineering Firm’s Files Wiped Out By Ransomware | 11am BST, Wednesday 29 August

Canada | Cyber Claims Case Study: Backup Breakdown – Engineering Firm’s Files Wiped Out By Ransomware | 12pm EDT, Wednesday 29 August

Australia | WannaCry & NotPetya: Impact on Australian SMEs | 5pm AEST, Tuesday 4 September

UK | WannaCry & NotPetya: Impact on UK SMEs | 2:30pm BST, Tuesday 4 September

More to be added soon…

THE TOP 6 CYBER INSURANCE MYTHS DEBUNKED

Cyber is one of the hottest topics in insurance and, as a line of business, it’s projected to experience phenomenal growth in the years ahead. But cyber is still a relatively new market, and can be made unnecessarily complex by industry jargon, buzzwords of the day, and a lack of standardization in policy wordings. As such, many companies find themselves confused about how cyber insurance actually works and are skeptical about whether it makes sense for their business to purchase a policy.

To clear up the confusion, here are six of the most common misunderstandings that businesses tend to have about cyber insurance and how to overcome them.

Did you know we’re also running a webinar on this topic? You can sign up here!

MYTH 1 “WE DON’T NEED CYBER INSURANCE. WE INVEST IN IT SECURITY…”

The short answer:
No matter how much a company invests in IT security, they will never be 100% secure. The purpose of an insurance policy is to respond in the event that the worst happens.

MYTH 2 “WE OUTSOURCE ALL OF OUR IT, SO WE DON’T HAVE AN EXPOSURE…”

The short answer:
Even if you outsource your IT, the chances are you’re still liable. Assuming you’ll be successful in claiming back damages from a third-party is a risky gamble.

MYTH 3 “WE DON’T COLLECT ANY SENSITIVE DATA, SO WE DON’T NEED CYBER INSURANCE…”

The short answer:
Any business that relies on a computer system to operate, whether for business critical activities or simply electronic banking, has a very real cyber exposure.

MYTH 4 “CYBER ATTACKS ONLY AFFECT BIG BUSINESS. WE’RE TOO SMALL TO BE A TARGET…”

The short answer:
Cyber criminals target the most vulnerable companies, not just the most valuable.

MYTH 5 “CYBER IS ALREADY COVERED BY OTHER LINES OF INSURANCE…”

The short answer:
Some overlaps exist (as they do with all lines of insurance) but traditional insurance policies lack the depth and breadth of standalone cyber cover, and won’t come with experienced cyber claims and incident response capabilities.

MYTH 6 “CYBER INSURANCE DOESN’T PAY OUT…”

The short answer:
The number of cyber claims continues to rise, in terms of both frequency and severity, and insurers are paying them.

You can download the full article here.