Cyber: The New CAT
Superstorm Sandy. The Joplin tornado. The Japanese earthquake and tsunami. California wildfires. 9/11. Catastrophes come in many forms. It is universally understood that despite our best efforts, disaster can strike due to forces beyond our control. Cyber threats are equally dangerous and diverse — and just as unstoppable.
Yet even as catastrophe risk management matures and scores of executives join the catastrophe conversation, the dragon known as cyber risk still sits in the middle of the board room, quietly smoldering.
In every industry and at every company size, cyber risk is a foundation-level exposure that every business must confront — one that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.
As recently as a decade ago, that might have been an overstatement. But not now. Technology and business are fundamentally linked. Computers and the Internet are the primary platform for communicating with customers and vendors, managing profits and expenses, paying employees, operating the machines that produce goods and provide services, and making sure that the end product gets into customers’ hands on schedule. Mobile technology and the Internet of Things are opening new channels, making technology a physical extension of ourselves, both personally and commercially.
“The entire economy is so reliant, in ways that we don’t even see, on technology and the storage, transmission and usage of data, both personal and for analytical purposes, that it’s fundamental to almost every sector,” said Oliver Brew, vice president for professional, privacy, and technology liability at LIU Liberty International Underwriters, the specialty line division of Liberty Mutual in New York.
That reliance is only going to grow. A January report by Forrester Research described software assets as more critical to business success than financial assets over the next 20 years.
“If you take a look at the public companies’ 10-Ks and publicly disclosed statements, what are they emphasizing that’s going to differentiate them from their competitors, increase sales, decrease costs and maximize efficiency? They focus on the use of technology and the use of information assets,” said Kevin Kalinich, global practice leader for cyber and network risk at Aon Risk Solutions.
With increased technology comes increased opportunity for attack. However, that reality didn’t get a lot of traction in the C-suite until the recent Target breach splashed it across world headlines. Even now, there are still some resting easy, confident that their IT teams have everything under control. Others assume cyber attacks are a threat largely confined to industries such as retail, health care and financial services — sectors with the most data to lose.
Small businesses, in particular, downplay the risk, said Jesse Bessler, an account executive at Lacher & Associates, of Souderton, Pa. “I think it’s that they just don’t understand the risk, and they think that [a cyber policy] is an add-on item they don’t need.”
Security experts, however, are trying to break through the wall of denial. Cyber attacks, they argue, are akin to massive storms or similar to the focused destruction of a tornado — something you can prepare for, but not something you can prevent. Despite firewalls and antivirus programs, experts say, cyber punches will eventually land inside every company.
To grasp the magnitude of the threat, it’s important to recognize that the driving forces behind cyber crime are vast, varied and as uncontrollable as any atmospheric or geologic force. The threat is now ubiquitous, and experts agree that while making an effort to reduce the risk of a breach is important, it is no longer possible to completely prevent cyber attacks.
“It’s like two identical cars in a mall parking lot,” explained Kurtis Suhs, vice president and national technology and privacy product manager for Ironshore. “If one’s locked and one’s unlocked, the bad guy’s going to go to the unlocked car. But if the bad guy really wants to get into the locked car, he will — it’ll just take longer.”
And yet, organizations keep brushing off the threat. That may be because “cyber risk” has become synonymous with data theft. If an entity does not have a significant aggregation of customer financial data, executives assume they won’t be targeted. The reality is that the true exposure is no longer just about credit card or Social Security data. Hackers have expanded their target list, adopted a more patient approach and found deep-pocketed sponsors, whether private-sector or state-sponsored, security experts said.
Sophisticated hackers are conducting long-term surveillance and probing for weaknesses they can exploit for financial gain, said David Remnitz, global and Americas leader of Ernst & Young’s forensic technology and discovery services business. “The end result here is the theft of highly valuable, internal information for significant financial gain,” he said.
While that could mean outright theft of trade secrets or confidential M&A data, it could also mean corporate sabotage, as in corrupting a decade of research and development results or putting competitors out of business. Imagine a market where most of the players used one primary vendor as a source for a key ingredient. An organization could contract with a lesser-used source for that ingredient, then disrupt the operations of the primary vendor via a denial-of-service attack or other type of malware, leaving the rest of the market scrambling for suppliers.
The potential for lost business and liability claims could be devastating for the affected companies. Even those with solid business continuity plans in place could still take heavy hits from the reputational fallout.
“A large company might be able to absorb that risk. A small company can’t,” said Elissa Doroff, a vice president and senior advisory specialist in Marsh’s network security and privacy practice in New York.
To date, breaches have largely been limited to individual companies, but the potential for larger events looms. One concern centers on cloud companies, which could host data for hundreds of businesses. A data breach or network interruption, or the physical destruction of a cloud-service data center could wreak larger havoc on the economy.
“That’s a potentially catastrophic loss,” said Doroff.
The sky’s the limit at this point. Criminals are capable of disrupting a multinational corporation, a transportation or logistics network, a health care system, an entire industry or even an entire region, creating havoc and leading to economic losses in the millions or billions — in many situations even putting lives at risk.
Keep in mind that those with ill intent don’t even need to have an IT background — the proliferation of hackers-for-hire means that anyone intent on doing damage can do so if their pockets are deep enough.
That said, it probably wouldn’t take a well-funded ring of genius-level hackers and a sophisticated attack plan to paralyze the average organization. Three years ago, the U.S. subsidiary of Shionogi, a Japanese pharmaceutical firm, suffered a devastating cyber attack that deleted the contents of 88 computer servers, crippling the company’s operations for several days, disabling its email, BlackBerry servers, order-tracking system, and financial management software. The attacker? A former mid-level employee, working from a public Wi-Fi network at a nearby McDonald’s, calmly sipping coffee while bringing Shionogi to its knees.
An Enterprise Approach
Even organizations that have never been affected by a catastrophe generally do not question the need for CAT planning. At the very least, most probably have a written evacuation plan in place and enough insurance to cover the potential physical damage of a storm. The smartest also address the whole picture from a supply chain and business continuity standpoint, and may have even considered questions about how to manage any reputational damage related to interruption of service to customers.
Cyber exposure should be approached in much the same way. It starts with engineering out the risk to whatever extent possible. If your roof is old, for instance, replacing it may be a way to ensure the building is more likely to stay intact if it’s battered by a storm. The cyber equivalent might be replacing old servers or upgrading any existing automated intrusion detection system. Security experts stress, however, that cyber risk is not an IT exposure, it’s an enterprisewide exposure. Therefore vulnerabilities need to be identified across an entire organization, with policies and procedures modified accordingly.
A comprehensive, enterprisewide disaster plan can also go a long way toward helping companies minimize the damage sustained in the event of a cyber attack. For every function of an organization, management needs to ask hard questions about how a cyber attack could disrupt that function, and what kind of back-up plan each department would need. Do you have a way to contact customers and suppliers if your email goes down? Do you have a crisis communication plan for alerting the public about how you’re handling the situation? Are your records backed up and accessible through a secure third party?
Increasingly, organizations will rely on insurance to ensure their survival after a cyber event. In a February survey by BAE Systems, nearly 30 percent of companies said they expected the cost of a cyber attack to exceed $75 million. Another 20 percent expected the cost to fall between $15 million and $75 million.
“There’s an expectation that this could have an extremely material effect on business performance, and that’s a risk they look to hedge,” said Paul Henninger, global product director for BAE Systems Applied Intelligence, a business unit of BAE Systems.
Taking a realistic approach to cyber attacks could improve underwriting of the risk, he said. Just as carriers evaluate whether clients are prepared for a CAT-5 hurricane, knowing some damage is likely, they could determine whether clients are ready for a cyber storm.
“You can’t make it go away, but you can minimize the impact on the bottom line and customers and reputation,” he said.
You Can Go Home Again
It’s hardly a hard-market environment, and yet, U.S. excess and surplus lines carriers are expecting to compound last year’s healthy premium growth with continued expansion in 2014.
With the exception of cyber insurance — which is still competitively priced — commercial insurance rates have been firming across a number of property/casualty segments, E&S specialists said, and many tough classes are returning to the space.
Placements gracing E&S carriers’ books of business of late include construction and long-haul trucking liability programs, property-catastrophe coverage in areas impacted by Superstorm Sandy and the tornadoes in Oklahoma last May, as well as cyber liability insurance, where penetration rates are rising following the massive Target breach.
Part of the impetus, E&S experts said, may be a prolonged low-interest-rate environment, which has injected more discipline into traditional insurance pricing trends.
“My take on this personally is that companies now have to rely on the underwriting, given they can’t make it on the investment income,” said Richard Bouhan, consultant to the National Association of Professional Surplus Line Offices (NAPSLO), in Kansas City, Mo.
“That’s true of the surplus lines writers as well as the standard companies,” he said. But it means that more high-risk business is gradually migrating from traditional markets into the surplus lines space, said Bouhan, who spent close to 24 years as NAPSLO’s executive director, from 1987 through 2011.
Tom McLaughlin, casualty division leader with Lexington Insurance in Boston, agreed that increased underwriting discipline has sent risks returning to E&S markets of late, leading to “low to high single-digit rate increases” across much of Lexington’s casualty book over the past year or so.
Also driving the trend, he said, is the fact that the economy has been moving in a much more positive direction over this period of time, leading to gains across Lexington’s broad spectrum of casualty risks, including transportation and construction.
A January 2014 report from The Surplus Lines Stamping Office of Texas said that the E&S business made some very solid gains last year, in fact. The report pointed to double-digit growth for E&S carriers in several states through the end of 2013. It found that 14 states with stamping offices saw growth in surplus lines premium during 2013, compared to 2012.
Total surplus lines premium reported to the stamping offices was nearly $22.5 billion, representing more than 3.1 million transactions and demonstrating premium growth of 15.5 percent last year.
The report stated that New York’s 2012 premium number was impacted by premiums the state processed for other prior policy years, which skewed the 2012 to 2013 comparison, but even with New York excluded, 13 states saw a 12.2 percent increase in 2013 premium, compared to 2012.
The data included E&S premium volume for California, Florida and Texas — each of which produced more than $4 billion in surplus lines premium volume in 2013 — as well as smaller premium-generating territories like Illinois, Arizona, Idaho, Nevada, Minnesota, Oregon, Pennsylvania, Utah and Washington.
This is small when compared to premium increases in the U.S. surplus lines industry a decade ago. A.M. Best reported an 81.7 percent increase in domestic U.S. surplus lines carriers’ direct written premiums between 2001 and 2002, for instance, followed by a 31.1 percent increase between 2002 and 2003.
Still, the 2013 figures pointed to some positive trends for specialty carriers.
“We’ve been riding some rate lift for the past 24 to 26 months,” said NAPSLO President Kevin Westrope, president of RT Specialty Kansas City, managing director for RT Specialty, and managing director of parent company, RSG, of Chicago.
For instance, RT’s third-party casualty business including auto liability and workers’ compensation has grown roughly 20 percent per year for each of the past three years, some of it under the banner of Kansas City wholesaler Westrope, which merged with RT Specialty in December 2013.
“We’re writing in the $40 million range on our auto business [on an annual basis], including liability and physical damage,” Westrope said, noting that “long haul trucking is always a difficult risk from a liability standpoint.”
Westrope has also seen growth in the multi-family apartment building space, where it writes property and liability coverage for building owners who have seen an “explosion” of new interest in apartment living following the mortgage crisis of 2008. Westrope is also writing a good deal of builders’ risk programs since the construction industry has rebounded over the last couple of years.
David Grafstein, a casualty specialist with wholesaler Partners Specialty Group in Stamford, Conn., agreed.
“As respects E&S opportunities, again I think it will be similar to 2013 with the market being hard for New York construction, firming for pockets of habitational real estate [including] apartments in urban areas and higher-hazard manufacturing risks.”
Grafstein also expects to see a fair amount of private equity-driven merger and acquisition activity as well as consolidation, particularly in the health care industry.
This tends to create E&S opportunities due to the specialty coverages often sought by acquiring firms — including potential long-tail malpractice exposures and discontinued products coverage.
Other risks that have moved to the E&S space over the past 12 to 18 months include:
• Property-Catastrophe Exposures.
“After Sandy, we saw a lot of business moving to the surplus lines market,” said Westrope.
But the trend may be short lived.
During a webinar in late January, Dean Klisura, Marsh’s U.S. risk practices and specialties leader, said that Jan. 1, 2014 reinsurance treaty renewals saw average rates “fall significantly across nearly all regions and business segments” due to low loss experience and the influx of billions of dollars in new capital.
Westrope agreed that “catastrophe-driven property coverage is becoming more competitive again, with primary and reinsurance rates coming down due to the overabundance of capital in that area.”
“I think we’ll see property rates softening” in standard markets throughout 2014, he said, “sans major events like the ground shaking on the West Coast.”
• Cyber Liability Insurance.
Cyber insurance pricing remains competitive as new players continue to enter the marketplace.
Markel’s minimum premium is $1,500 for $1 million in insurance limits for its data breach claims-made policy, for instance.
Still, cyber remains the most promising growth line that exists today, according to Markel’s Jake Kouns, Richmond, Va.-based director of cyber security and technology risks underwriting.
More than any other form of insurance, “cyber seems to be filling the need for an up-and-coming growth product,” said Kouns, noting that Markel was up 65 percent in premium for the line in 2013, compounding 75 percent growth in gross written premiums for cyber a year earlier.
Several dozen non-admitted markets continue to dominate this space today, Kouns told Risk & Insurance®.
E&S markets providing standalone coverage include Markel, RSUI Group, Allied World Assurance Co. (AWAC), AIG and its surplus lines company Lexington Insurance, as well as Lloyd’s syndicates including Hiscox, Beazley and CFC Underwriting.
Many carriers’ “bread and butter” business is on the decline right now, as many areas that were once profitable are now more commoditized, Kouns said.
Coverage Questions Remain
With cyber insurance, however, “everywhere you look there’s some new issue. That’s an emerging risk,” said Kouns.
For example, what exactly is covered by a data breach program? This is one area still fraught with uncertainty, he said. “Breach mitigation breaks down further than most people think,” he said, noting that notification and credit monitoring is only the tip of the iceberg.
Buyers are also in need of forensics, he said. Not all cyber policies will cover the costs of “bringing in the experts to see what really happened,” after a breach has occurred. Markel is among those providing full limits for data-breach forensics, said Kouns, while other carriers may impose a policy sublimit for that.
Besides that, “in terms of [cyber] market penetration, there’s still a long way to go,” he said.
Also, the Target debacle continues to draw attention and awe.
If Target ultimately “blows through $100 million in insurance and we have a limit loss” with several insurers who participated on that tower impacted, “there’s going to be a reaction,” said Kouns.
“Some underwriters could decide that prices need to increase, [that writing] a class of business such as retailers is now prohibited, or even that now’s time to exit the business,” he said.
What Is Insurance Innovation?
Truly innovative insurance solutions are delivered in real time, as the needs of businesses change and the nature of risk evolves.
Lexington Insurance exemplifies this approach to innovation. Creative products driven by speed to market are at the core of the insurer’s culture, reputation and strategic direction, according to Matthew Power, executive vice president and head of strategic development at Lexington, an AIG Company and the leading U.S.-based surplus lines insurer.
“The excess and surplus lines sector is in a growth mode due, in no small part, to the speed at which our insureds’ underlying business models are changing,” Power said. “Tomorrow’s winning companies are those being built upon true breakthrough innovation, with a strong focus on agility and speed to market.”
To boost its innovation potential, for example, Lexington has launched a new crowdsourcing strategy. The company’s “Innovation Boot Camps” bring people together from the U.S., Canada, Bermuda and London in a series of engagements focused on identifying potential waves of change and market needs on the coverage horizon.
“Employees work in teams to determine how insurance can play a vital role in increasing the success odds of new markets and customers,” Power said. “That means anticipating needs and quickly delivering programs to meet them.”
An example: Working in tandem with the AIG Science team – another collaboration focused on innovation – Lexington is looking to offer an advanced high-tech seating system in the truck cabs of some of its long-haul trucking customers. The goal is to reduce driver injury and fatigue-based accidents.
Power explained that exciting growth areas such as robotics, nanotechnology and driverless cars, among others, require highly customized commercial insurance solutions that often can be delivered only by excess and surplus lines underwriters.
“Being non-admitted, our freedom of rate and form allows us to be nimble, and that’s very important to our clients,” he said. “We have an established track record of reacting quickly to trends and market needs.”
Lexington is a leading provider of personal lines coverage for the excess and surplus lines industry and, as Power explains, the company’s suite of product offerings has continued to evolve in the wake of changing customer needs. “Our personal lines team has developed a robust product offering that considers issues like sustainable building, energy efficiency, and cyber liability.”
Most recently the company launched Evacuation Response, a specialty coverage designed to reimburse Lexington personal lines customers for costs associated with government-mandated evacuations. “These evacuation scenarios have become increasingly commonplace in the wake of recent extreme weather events, and this coverage protects insured families against the associated costs of transportation and temporary housing.”
The company also has followed the emerging cap and trade legislation in California, which has created an active carbon trading market throughout the state. “Our new Carbon ODS product provides real property protection for sequestered ozone depleting substances, while our CarbonCover Design Confirm product insures those engineering firms actively verifying and valuing active trades.” Lexington has also begun to insure new Carbon Registries as they are established in markets across the country.
Lexington has also developed a number of new product offerings within the healthcare space. The Affordable Care Act has brought an increased focus on the continuum of care and clinical patient safety. In response, Lexington has created special programs for a wide range of entities, as the fast-changing healthcare industry includes a range of specialized services, including home healthcare, imaging centers (X-ray, MRI, PET–CT scans), EMT/ambulances, medical laboratories, outpatient primary care/urgent care centers, ambulatory surgery centers and medical rehabilitation facilities.
Apart from its coverage flexibility, Lexington offers this segment monthly webcasts, bi-monthly conference calls and newsletters on key risk issues and educational topics. It also provides on-site risk consultation (for qualifying accounts), access to RiskTool, Lexington’s web-based healthcare risk management and patient safety resource, and a technical staff consisting of more than 60 members dedicated solely to healthcare-related claims.
“Our professionals serving the healthcare market average more than twenty years of industry experience,” Power said. “That includes attorneys and clinicians combining in a defense-oriented claims approach and collaborating with insureds in this fast-moving market segment.”
Power concluded, “At Lexington, our relentless focus on innovation enables us to take on the risk so our clients can take on the opportunities.”