Health, Higher Ed Most Vulnerable to Cyber Attacks
As cyber risk management comes of age, more data and better analysis are leading to new realizations. One is that health care and higher education are the most vulnerable sectors, followed closely by financial services.
Another is that the vast majority of security breaches could be forestalled using simple measures, such as ensuring all updates and patches to software are installed and tested.
However, studies are starting to show that cheap, low-tech email attacks remain stubbornly effective despite expensive, high-tech protections.
All of those ideas were advanced and detailed at a fast-moving panel discussion May 11 in New York, sponsored by brokerage Crystal & Company.
Actuarial data is still thin in cyber, but Christopher Liu, head of cyber risk in the financial institutions group at AIG, said that “institutions in health care and higher education are the most hazardous classes of insureds. That is because they have the most sensitive information and there is high turnover. Also, they usually do not have big budgets, so security is often not well supported.”
Financial institutions, especially asset managers, are the second-most hazardous class, Liu added.
“They have the same attractive information, plus they have money.”
Mitigating that, they also tend to have better funded and supported security, and they are heavily regulated. That both keeps them on their toes and means greater external scrutiny. Several panel members noted that firms became aware of breaches only when regulators noticed unusual activity.
“We find that we deal primarily with three areas,” said Austin Berglas, senior managing director at K2 Intelligence.
“Those are: unpatched vulnerabilities in software, misconfiguration of internal systems, and misplaced trust by employees. We get called in to handle a breach, and 99 percent of the time we find the vulnerability is unpatched.”
Berglas explained that the software companies race each other to send out new versions that often are not completely functional or secure. So they send out patches. “Windows does it every week on ‘patch Tuesday.’ But users don’t have any regular schedule or system for installing and testing patches. We find unpatched vulnerabilities dating back as far as 1999.”
The challenge of unsecured configurations between systems was dramatically demonstrated with the infamous attack on retailer Target, which came through the air-conditioning vendor. But Berglas emphasized the persistent and pernicious problem of simple phishing.
“It is estimated that 30 percent of individuals within a company will open an email, and 13 percent will click on an attachment, even if they have been warned not to,” Berglas warned.
“You spent half a billion dollars on security systems and firewalls, and one click on one phishing email by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense. Now they are inside, with credentials, and you can’t detect them.”
The quickest and easiest thing that any company can do, “is to look for unpatched vulnerabilities in public-facing systems,” Berglas urged.
On the same theme, John F. Mullen, managing partner of the law firm Lewis Brisbois Bisgaard & Smith, stressed that “security goes way beyond IT.
“This is not just about the tech guys. Cyber security tends to get pushed downhill.” And that tends to mean lack of coordination on all fronts.
“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.”
Similarly, “insureds have to know the coverage that they have bought. Is there a mandated forensics group? Outside counsel? If so, go meet with them. If you have options, vet them,” Mullen exhorted.
He expects the cyber insurance business to triple or quadruple in the next five years, in terms of premium spending.
Cycling back to the theme of internal responsibility, Paul Miskovich, senior vice president and global practice leader of cyber and technology errors and omissions coverage at Axis, said that 67 percent of cyber claims presented to his firm involved insider activity of some kind: clicking on a phishing email or failing to install a patch or use a firewall. Further, 25 percent of claims involved third parties such as vendors.
For all the focus on the breach itself, Miskovich added that “regulatory costs can be more than the costs of the breach, especially if you don’t have documentation of your security policies and protocols.” That includes documentation that the policies are in place and are rehearsed.
Noting previous comments that many losses are traced to breaches that have gone undetected for years, Miskovich said that a new area within cyber insurance is full coverage for prior acts.
‘Among the Largest Catastrophe Losses in Canadian History’
About 2,400 structures in and around Fort McMurray lie in ruins in the middle of 700 charred square miles of northern Alberta.
The oil sands boom town, once known as “Fort Make Money,” is now going to cost money — at least $4 billion (C$5 billion) by early estimates — to rebuild after a monster wildfire swept around and through parts of town the first week of May.
The immediate insurance question is not the property loss in town; that is quite straightforward.
Rather, it is the length of the oil sands outage and two stages of business-interruption (BI) claims: immediate losses for the time out of operation, as well as possible contingent losses for refiners that rely on the oil sands for raw materials.
At the peak of the fire, 1 million barrels a day of oil sands production was taken out of service — about 40 percent of total output, and roughly one-quarter of all Canadian oil production.
Some operations have already airlifted in skeleton crews to begin safety checks in advance of resuming operations, but the bulk of production is expected to remain out of service for several weeks, if not a month or more.
The wildfires “will be a huge BI event,” said Paul Cutbush, senior vice president, catastrophe management, at Aon Benfield Analytics in Toronto.
“Even with no damage we will have to see when workers are allowed to come back — and then how many and how soon. A lot of these facilities have been used for evacuations, a goodwill gesture. A great deal will depend on manuscript wording for each policy.”
Waiting periods for BI claims will likely not be as large a factor as in past large losses, Cutbush noted. “It used to be that 90 days was standard. Today, that is shorter, 60 days, maybe even just 30.”
It may take longer than that to get claims sorted, because the size and scope of the fire has presented so many new unknowns.
“The biggest thing is getting people back to work,” said Cutbush, but they need places to live and shop.
“It is our understanding that a lot of the housing in the area was rental or temporary housing for oil sands and services workers.” That means not just property claims for the assets themselves, but lost value from their revenue.
Utilities and infrastructure also have to be inspected, repaired or replaced.
The fires continue to rage uncontrolled, but are now in the deep boreal forest south and east of town. The evacuation order and state of emergency for the area remained in effect as of May 11.
During a press tour through the town, Alberta Premier Rachel Notley gave the first official estimate of initial recovery time: “First responders and repair crews have weeks of work ahead of them to make the city safe. I’m advised that we will be able to provide a schedule for return within two weeks.”
Official numbers said 88,000 people were evacuated, but a local source puts the number closer to 100,000, counting transient workers.
Remarkably, there has been no loss of life, not even any major injuries. And the vast oil sands mining and processing operations that sprawl for more than 100 miles in every direction around Fort McMurray were undamaged.
On May 10, Notley met with industry officials and was told the operations were secure.
“The magnitude of the current destruction suggests that the new fires will generate among the largest catastrophe losses in Canadian history, affecting both personal and commercial property writers,” according to an initial evaluation by the ratings agency Moody’s.
“Early estimates of the wildfires peg the cost of damages rising to C$5 billion or around 1.5 percent of Alberta’s GDP — an estimate that could increase,” Moody’s reported.
“The Fort McMurray fires destroyed four times as many buildings as the Slave Lake [Alberta] wildfire of May 2011, which cost Canadian property and casualty insurers more than C$700 million in pretax losses.”
“Home and auto insurance coverage in Canada is substantially similar to that in the U.S.,” said Jason Mercer, assistant vice president and analyst at Moody’s in Toronto, who co-wrote the report.
“The only notable difference is that some lines, such as workers’ compensation, are typically government issued.”
BI is also similar in the two countries, Mercer noted. “There is named peril and all-risk. Both are available, but my sense is that all-risk is probably more difficult to get and more expensive, if only because of the higher number and cost of major losses in the province.
“More than half of the major losses in recent years in Canada have been in Alberta.”
Mercer also emphasized that the price of oil has been depressed for almost two years, leading some operators to tighten their belts — including on insurance protection.
“I suspect some of the coverage may be on the lean side,” he said.
It will also depend on whether companies have limited BI coverage — which would cover losses beginning with the evacuation and ending with the “all clear” — or extended coverage, which “could run until there is a return to the profit level pre-event.”
Contingency Clouds Business Interruption
Broadly speaking, capacity across the U.S. for business interruption insurance (BI) is ample, and terms and conditions are far from onerous.
That said, brokers report that the utility sector as well as a few others have experienced unexpected high losses, both in frequency and in value.
A few carriers have reduced their exposure to BI coverage in general, or to specific sectors or sub-segments.
As a result, there have been several situations where insureds were in the uncomfortable position of having to file and pursue a claim or claims, and simultaneously seek new placements after underwriters declined to renew or sought smaller positions in the owners’ programs.
On top of those tactical concerns for owners and their brokers, there are also more strategic shifts taking place in BI and more generally in the property and casualty market, driven by the realization by underwriters that contingent coverage is far less quantified than had long been thought.
Overlooked Supply Chain Risk
The trends of outsourcing, just-in-time delivery, and electronic orders and billing have been highly effective in reducing costs and boosting profitability. But that same evolution leaves even the most stable companies vulnerable to small disruptions in the physical supply chain or the internet.
Several of this year’s Power Brokers earned their laurels sorting complex BI claims compounded by short-notice renewals.
Michael J. Perron, senior vice president for the northeast region and property placement leader in the energy and engineered risk group at Willis Towers Watson, has made something of a cottage industry out of slicing through Gordian knots in BI claims.
“In general, BI capacity and coverage are available,” said Perron, a Power Broker® in the Utilities-Alternative category.
“Some carriers have seen losses in the power sector, and a few other places, but generally P&C remains soft. Still, carriers are being especially careful these days on contingent coverage. They are finding they did not realize the full exposures they had. They are finding it difficult to get their arms around all the exposures.”
Part of the problem, Perron suggested, is modeling, especially in the catastrophe market. “For the most part insurers do a good job of monitoring CAT risk. But for the most part those models do not include supply chain.”
Even those that do can cause further complications for insureds. Perron recalled that recently one client wanted to increase its coverage. Based on limits, that should not have been a problem.
“But their carrier, which is one that is particularly good with contingency and with supply chain, also writes for several of their suppliers, so the carrier was concerned about aggregation risk,” he said.
That situation was resolved by going back to the market, but for other clients it hasn’t been that straightforward.
Solving Complicated Claims
In one instance, the owner of a hydropower plant had a failure in one of twin turbines. The second unit continued to operate normally, albeit under more careful watch.
The property insurer decided not to renew because it feared the second unit could suffer the same failure as the first. Only one of the units could be dewatered at any given time, so it was impossible to open the operating unit for inspection until the disabled turbine was back in operation. A real Catch-22.
Several insurers would not write the risk. One offered to write the risk but excluded BI and equipment breakdown (boiler and machinery).
“That approach would render the policy effectively useless against common failures very different than what impacted the disabled turbine,” noted Perron.
Another insurer offered coverage, including BI and equipment breakdown, but with a deductible of $20 million for the turbines until the operating unit was inspected and found to be free of the problems that seemed to have damaged the other.
For a permanent resolution, Perron said he and his group “worked with several insurers to provide coverage that was not perfect, but better than the coverage offered by the first two to bid.
Two carriers offered coverage similar to the client’s expiring coverage with one key exception: They would exclude an event emanating from a failure similar to what had occurred.
Another insurer charged a higher premium, but provided coverage without this limitation.”
In another case, a gas-fired power generator sustained three very different losses: one involving turbine failure, another involving a generator breaker failure, and a third involving a transformer failure.
“The incumbent carrier recognized that the client had taken appropriate steps to address lessons learned from each of these events, and actually had taken steps to minimize the carrier’s claim payments with savvy negotiations with providers and others,” said Perron.
“Still, the carrier chose to take a reduced line on the renewal.”
It is difficult to compile traditional best practices for unique situations, but Perron does suggest some guidance.
“Together the broker and the client have to convince the underwriters that the owner is managing the situation,” he said.
“Losses happen. That is why you have insurance. It helps for owners to understand that if they have multiple losses, their carrier is going to have internal questions from management about the situation and the insurability of this client.”
Just as Perron spoke with underwriters and the carriers’ engineers to understand their take on the loss, he urges owners to do everything they can to help insurers understand that the owner can manage and mitigate the loss.
That may seem counterintuitive; BI by definition is for events out of the owner’s control.
“In any loss, in any claim, you want to show that you are working to maximize recovery and minimize losses,” said Perron.
In one recent situation a client needed a replacement transformer. Rather than order a new one with a longer lead time from the manufacturer of the original equipment, the owner was able to rent a transformer. That enabled them to accelerate the recovery time, and also saved the carrier a million dollars.
That little maneuver also expanded the owner’s supply chain. Ultimately, the insured ordered a new replacement transformer from the rental supplier, rather than from the maker of the initial unit, thus broadening its portfolio of suppliers.
In the end, maximizing recovery and minimizing loss is not just a sound strategy for expediting claims and mitigating for renewal after the claim. It is enlightened self interest.
“Companies often underestimate the tremendous impact that business interruption has,” Perron said. “It is not just the loss of revenue. It can be loss of prestige in the industry. It can be loss of customers.”