Risk Insider: Jack Hampton

Cyber Risk: It’s Like Living on Mount Etna

By: | May 3, 2016 • 2 min read
Jack Hampton is a Professor of Business at St. Peter’s University in New Jersey and a former Executive Director of the Risk and Insurance Management Society (RIMS). He was named a Risk Innovator in 2008 by Risk and Insurance®. He can be reached at [email protected]

Everybody should have a favorite volcano and mine is Mount Etna in Sicily. A long time ago I became intrigued with the risk it poses for its neighbors.

Five distinct, active craters. A major eruption every two years throughout recorded history. Occasional destruction of entire villages.


A Risk & Insurance® webinar on April 27, Maximizing ROI in Mitigating Cyber Risk, conjured up a question. Is modern cyber risk the electronic equivalent of an active volcano? If yes, what do we do about living on it?

The webinar examined how organizations can maximize the return on investment from cyber risk mitigation. That is, how can we invest capital to achieve a specific financial goal?

The situation is straightforward. If we operate on Mount Etna, we will never control the volcano. We either get off or prepare for the year 1669 when an eruption wiped out parts of Catania and lava streams reached the Mediterranean Sea.

The sponsor was the Society of Actuaries. Thus, we could expect quantitative solutions to cyber problems. That was not what happened.

For starters, the speakers separated the information technology viewpoint from enterprise risk management. Organizations invest in computers and networks to earn a return on capital.

Time value of money analysis shows whether such an investment is wise. This does not happen with cyber security decisions. The takeaway from the webinar was that quantitative tools are not at the level we need in an ERM context. In my view, they never will be.

With cyber risk we are stuck about halfway up the mountain. We will be ducking lava flows for many years.

Where can we take refuge?

Business analytics can help us understand the costs and opportunities of cyber risk mitigation. The webinar recommended the National Institute of Standards and Technology (NIST) framework to help with cyber security decisions:

Identify. What are the things that are at risk? Include assets, data, computer systems and capabilities.

Protect. How do we safeguard those things? Include “hard” techniques like firewalls, encryption, and segregation. Do not forget “soft” approaches to reduce intentional or careless behaviors of employees, customers, vendors and authorized users.

Detect and Respond. Spend big money to hire people who could otherwise be wealthy beyond their wildest dreams if they took up hacking and avoided jail. Turn them loose to spot system weaknesses and block cyber security losses.

Recover. This may be the most important item on the NIST list. Assume the unexpected. Develop a contingency plan. Create a crisis team. Simulate an event. Assess your ability to restore assets, data, and capabilities. Spend the money to fix that which needs to be fixed.


Now we go back to the return on investment. Measure it partly in financial terms with discounted cash flow techniques. Extend the analysis to incorporate the negative consequences of loss of markets, damage to reputation, and downgrading of stock value.

The common lesson of Mount Etna and cyber risk is that we cannot control the “mountain.” We should focus on our ability to survive an “eruption.”

This means we do not pursue the maximum return on investment. Instead, we should seek the maximum return on creating resilience after a cyber event.

Risk Insider: Tony Boobier

Is There a Need to Redesign Cyber Insurance?

By: | April 28, 2016 • 3 min read
Tony Boobier holds a WW Executive role at IBM, focusing on solutions for Risk and Finance, and was previously IBM Insurance Analytics leader for EMEA. He can be reached at [email protected]

When FBI Director James Comey said, “There are two kinds of big companies in the United States. There are those who’ve been hacked … and those who don’t know they’ve been hacked…,” he was reinforcing the fact that hacking is increasingly becoming a mainstream activity.


Tools such as Crackz, hackz, scriptz and others enable a user to gain additional access to computer systems and information or to run a program they have not legally purchased. Ask your search engine “how to hack” and not only will you get a long list of advice, but you will even find a video which has had more than four million visits.

The problem has moved beyond individual opportunists. It is an issue which increasingly involves premeditated crime, often with a financial or disruptive motive. It also has its own language, such as “Trojan” — a malicious program that performs actions not authorized by the computer user.

Increasingly hackers see themselves as guns for hire, selling both services and data on the dark web. Sometimes known as “Butterfly Hackers,” they focus on corporations and use sophisticated tools, often with inside knowledge of the organization.

This inside knowledge often comes from disgruntled employees. It’s even said that the most dangerous person in an organization is the IT manager, as they are best placed to know the system. They are paid through the very same technology that insurers and banks are contemplating for their own future, that of bitcoins operating in a blockchain environment.

Typical hacks may simply demand money from the personal user, using ransomware, which even provides call-back software for ease of payment. In a corporate environment, the hacks may extend to distributed denial of service (DDoS) attacks, effectively putting an online company out of business as it is bombarded with multiple anonymous inquiries.

But it isn’t always negative. A new profession of ethical hackers known as “white hats” has emerged. Their job is to assess the security of computer systems using penetration testing techniques. There’s even a professional qualification in the subject.

As this era of Big Data continues, 2.5 gigabytes of data are created daily by 6.4 billion connected things. In 2016, 5.5 million new things will get connected every day.

Technology research firm Gartner believes we will reach 20.8 billion connected things by 2020.

Some experts are already suggesting that the way into corporate systems will not be through a direct approach but rather through the multitude of less secure external devices. Will the vision of insurance marketers to have insurance based on connected cars, homes and people ultimately prove to be the Achilles’ Heel of their companies?

The recent news that cyber hackers stole $950 million in what is thought to be the world’s biggest bank raid should be enough to raise the alarm bells. JPMorgan’s 2014 hack is said to have affected 100 million customers. The recent hack of the Panamanian law firm Mossack Fonseca is said to involve 11.5 million documents. With the recent ‘Dieselgate’ affair at Volkswagen said to be likely to cost up to $35 billion, what might be the financial impact of a hacked connected car system for a major manufacturer?


As insurers increasingly focus on operational risk — that is, failure due to systems, processes, people and external events — as a key element of managing their capital adequacy and solvency, how will the regulators and insurance commissioners view the potential increase in the risk of someone infiltrating an insurer’s own site through some form of remote device?

Overall, there seems to be agreement that prevention is better than cure, but where cyber crime happens, it is critical that companies carry appropriate insurance cover. Cyber insurance cover has been around for a decade or so, but as cyber crime has developed, doesn’t insurance cover also need to mature? With policies provided by some major insurers giving cover to $100m, isn’t it time to think about whether this is enough?

Sponsored: Berkshire Hathaway Specialty Insurance

Searching for Stability in Cyber Space

The dynamic cyber risk landscape demands a stable insurance carrier with a prudent approach and an eye on the long road.
By: | April 18, 2016 • 6 min read

Cyber risk affects every industry differently, but there’s one common denominator. No sector is safe.

As headline-grabbing breaches crack systems and tarnish reputations of major retail, healthcare and financial companies, the need for cyber insurance has become increasingly apparent.

Given the constantly changing nature of cyber risk and the market landscape, creating a stable, sustainable cyber insurance business demands a prudent approach, with an eye on the long road.

“We’ve seen carriers jump in and out, wanting to take advantage of a new opportunity, but perhaps underestimating the risk,” said Danielle Librizzi, Senior Vice President, Head of Professional Liability, Berkshire Hathaway Specialty Insurance (BHSI).

“As cyber exposure became more tangible to carriers, in-force coverage was tested and many made radical changes to pricing and availability of coverage. BHSI is committed to entering the cyber market in a thoughtful and sustainable way. We want to be there for our customers as the risks continue to evolve.”

Diverse, Evolving Risks

Danielle Librizzi, Senior Vice President, Head of Professional Liability, Berkshire Hathaway Specialty Insurance

Cyber exposure – and coverage – have been evolving, posing different risks and underwriting challenges for different industries. The technology, financial services and healthcare industries illustrate the diverse issues that must be considered in order to provide effective, financially sustainable cyber solutions.

The technology sector was the first cyber battleground, and technology E&O forms included some cyber coverage by virtue of the nature of the risk. “There’s inherent cyber coverage for third party liabilities in E&O,” Librizzi said.

While coverage is widely available, tech companies pose challenges to underwriters because of their unique position in the cyber “supply chain.” These companies provide software, hardware and cloud services; virtually every organization in the world is dependent on a tech provider of some stripe. If an insurer is covering both the provider and its clients, the aggregate risk should be monitored closely.

Think of a denial-of-service (DoS) attack on a cloud provider that prevents all of its clients – which could include anyone from a bank to a retailer or transportation company – from accessing stored customer or corporate data or running cloud-based service apps. That single attack could bring business in multiple industries to a grinding halt, potentially causing business interruption and E&O losses.

The tech industry hasn’t seen a large scale event like this yet, but it isn’t waiting around for one to strike before addressing the underlying risk. Controlling and accounting for the aggregate exposure will mold the direction that coverage development takes.

“Our combined form, introduced in October 2015, is a comprehensive solution that includes first and third party cyber coverage as well as traditional E&O coverage,” Librizzi said.

However, that approach may not be appropriate for other industries. Financial institutions, for example, may seek a dedicated cyber-only policy which does not include traditional E&O coverage.

While banks typically have strong protocols for network security and privacy, they also have a much greater exposure in massive stores of customer data. Financial institutions are looking to address liability in the form of class action lawsuits or heavy regulatory investigations and fines emanating from cyber, and may not want to compromise their traditional E&O limits.


“Additionally, given the increased reliance on outsourced providers for technology solutions, we have started to see the introduction of sub-limited coverage for dependent business interruption and payment card industry (PCI) fines and assessments as enhancements to coverage,” Librizzi said. “We might see those sub-limits go to full coverage as competition gets heavier.”

Other industries, which may not be as advanced as financial institutions in addressing cyber threats, have suffered more from a lack of robust cyber coverage that can keep up with increasing exposure.

Healthcare, for example, has seen a surge of cyber attacks since hospitals and other health systems went electronic. To a hacker, healthcare providers represent a warehouse of valuable personally identifiable information and protected health information.

Email addresses from healthcare systems typically are white-listed and less likely to get caught in a spam filter, giving hackers incentive to obtain access and gain control of a healthcare provider’s network in order to launch phishing attacks.

After some high-profile breaches in 2015, the Department of Health and Human Services and its Office for Civil Rights came under scrutiny for not doing enough enforcement of HIPAA. Fines imposed by regulators increased dramatically over the past decade, and seem poised to only get higher.

“They’ll be ramping up enforcement of regulations in 2016, and that’s only a peek of what’s on the horizon,” Librizzi said.

The burgeoning of healthcare’s cyber exposure has challenged the insurance industry to better understand the nature of the risk and how best to secure hospital systems. Coverage for this sector remains the most difficult to write effectively.

BHSI understands the need for different customers to have different solutions. Some customers desire a dedicated cyber policy that does not include traditional E&O coverage. BHSI’s Network Security and Privacy stand-alone policy is designed to address the needs of those customers.

“The cyber exposures and coverage needs of healthcare, financial services and technology are on different timelines and will look very different in the future,” Librizzi said.

Even in more mature markets, the conflation of commercial and personal cyber risk will challenge insurers going forward. Most existing cyber products don’t cover property damage and personal injury; as the risks emerge and the Internet of Things becomes more pervasive, the coverage will have to evolve as well.

“We must always be thinking about what is on the horizon from a risk and coverage perspective – our technology driven society demands it,” Librizzi said.

Anticipating challenges and adapting to each industry’s needs has been a cornerstone of BHSI’s approach to cyber. Its careful and measured approach has also helped the specialty insurer build an arsenal of experts and ancillary services to help clients better grasp and mitigate their exposure.

“We know the importance of really understanding the risk and communicating it clearly to our customers,” Librizzi said. “We don’t bury our coverage in a pile of definitions, and we provide the expertise to help insureds stay ahead of the next big breach.”

To learn more about BHSI’s professional liability products, visit http://www.bhspecialty.com/.

Berkshire Hathaway Specialty Insurance (www.bhspecialty.com) provides commercial property, casualty, healthcare professional liability, executive and professional lines, surety, travel, programs, medical stop loss and homeowners insurance. The actual and final terms of coverage for all product lines may vary. It underwrites on the paper of Berkshire Hathaway’s National Indemnity group of insurance companies, which hold financial strength ratings of A++ from AM Best and AA+ from Standard & Poor’s. Based in Boston, Berkshire Hathaway Specialty Insurance has offices in Atlanta, Boston, Chicago, Fort Lauderdale, Houston, Los Angeles, New York, San Francisco, San Ramon, Stevens Point, Auckland, Brisbane, Hong Kong, Melbourne, Singapore, Sydney and Toronto. For more information, contact [email protected].

The information contained herein is for general informational purposes only and does not constitute an offer to sell or a solicitation of an offer to buy any product or service. Any description set forth herein does not include all policy terms, conditions and exclusions. Please refer to the actual policy for complete details of coverage and exclusions.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Berkshire Hathaway Specialty Insurance. The editorial staff of Risk & Insurance had no role in its preparation.
