All posts by Jeff Dunsavage

Cyber Insurance: Why Do Small Firms Do Without?

Small-business owners know cyber risk threatens them – but many still are dubious about cyber insurance. Why?

Smaller businesses seem to be getting the message that cyber risk isn’t just something for big companies to worry about; nevertheless, many still balk at buying cyber insurance, according to a new survey from the Insurance Information Institute (I.I.I.) and J.D. Power.

The 2019 Small-Business Cyber Insurance and Security Spotlight found that 12 percent of survey respondents experienced at least one cyber incident in the past year, up from 10 percent in 2018.  Nearly 71 percent said they are “very concerned” about cyber incidents, up from 59 percent, and 75% said they believe the risk of being attacked is growing at an alarming rate, up from 70 percent last year.

Two of the top four reasons cited for not buying cyber coverage are within insurers’ control.

Respondents with cyber insurance increased this year, to 35 percent from 31 percent; but of the 44 percent who said they don’t have cyber coverage and the 21 percent who didn’t know if they do, 64 percent said they don’t plan to buy it in the next 12 months.

Why the hesitation?

Why are many smaller firms so reluctant to insure against a threat they recognize to be real and growing?

The top two reasons given were: cost (42 percent) and the belief that the companies’ risk profiles don’t warrant coverage (35 percent). Twenty-seven percent said they believe they handle cyber risk sufficiently well internally, and 17 percent cited “too many exclusions” as a reason for not buying coverage. For the non-insurers in the audience, “exclusions” are provisions in an insurance agreement that limit the scope of coverage.

So, in other words, two of the top four reasons cited by insureds for not buying cyber coverage – cost and exclusions – are within insurers’ control.

As David Pieffer, head of J.D. Power’s property and casualty insurance practice, put it:

“Given small companies’ growing awareness and concerns about cyberrisk, insurers and agents and brokers might be able to increase their overall support of this market by addressing the issues of affordability and coverage limitations that seem to be an obstacle to purchasing.”

Risk-mitigation support may help

Closely related to cost is the question of value. What do insureds get for their premium dollar?

Among the respondents with cyber coverage, 70 percent said their insurer helps with cyberrisk mitigation, up from 65 percent in 2018. Fifty-one percent said their insurer offers contingency planning for data breaches, up from 40 percent, and 53 percent said their insurer will assess their vulnerability to data breaches, up from 51 percent.

“We’re seeing more insurers work with commercial customers to mitigate risks – in particular, with small and mid-size businesses,” said Sean Kevelighan, I.I.I. president and CEO. “We know many of the large cyber incidents can be sourced back to a smaller business or vendor, and, thus, it’s increasingly critical to assist in loss prevention measures that can make the customer more resilient, while also reducing claims and damages.”

It’s hard to say based on the data, but perhaps such insurer involvement plays as significant a role in small companies’ increased adoption of cyber insurance as does their growing anxiety about cyber perils. As companies increasingly see cyber insurers as trusted risk-management partners – not just writers of policies and payers of claims – perhaps take up rates will accelerate.

Bridging the Cyber Insurance Data Gap

 

 

Cyber risks are opportunistic and indiscriminate, exploiting random system flaws and lapses in human judgment.

Underwriting cyberrisk is beyond difficult. It’s a newer peril, and the nature of the threat is constantly changing – one day, the biggest worry is identity theft or compromise of personal data. Then, suddenly it seems, everyone is concerned about ransomware bringing their businesses to a standstill.

Now it’s cryptojacking and voice hacking – and all I feel confident saying about the next new risk is that it will be scarier in its own way than everything that has come before.

This is because, unlike most insured risks, these threats are designed. They’re intentional, unconstrained by geography or cost. They’re opportunistic and indiscriminate, exploiting random system flaws and lapses in human judgment.  Cheap to develop and deploy, they adapt quickly to our efforts to defend ourselves.

“The nature of cyberwarfare is that it is asymmetric,” wrote Tarah Wheeler last year in a chillingly titled Foreign Policy article, In Cyber Wars, There Are No Rules.  “Single combatants can find and exploit small holes in the massive defenses of countries and country-sized companies. It won’t be cutting-edge cyberattacks that cause the much-feared cyber-Pearl Harbor in the United States or elsewhere. Instead, it will likely be mundane strikes against industrial control systems, transportation networks, and health care providers — because their infrastructure is out of date, poorly maintained, ill-understood, and often unpatchable.”

This is the world the cyber underwriter inhabits – the rare business case in which a military analogy isn’t hyperbole.

We all need data — you share first

In an asymmetric scenario – where the enemy could as easily be a government operative as a teenager in his parents’ basement – the primary challenge is to have enough data of sufficiently high quality to understand the threat you face. Catastrophe-modeling firm AIR aptly described the problem cyber insurers face in a 2017 paper that still rings true:

“Before a contract is signed, there is a delicate balance between collecting enough appropriate information on the potential insured’s risk profile and requesting too much information about cyber vulnerabilities that the insured is unwilling or unable to divulge…. Unlike property risk, there is still no standard set of exposure data that is collected at the point of underwriting.”

Everyone wants more, better data; no one wants to be the first to share it.

As a result, the AIR paper continues, “cyber underwriting and pricing today tend to be more art than science, relying on many subjective measures to differentiate risk.”

Anonymity is an incentive

To help bridge this data gap, Verisk – parent of both AIR and insurance data and analytics provider ISOyesterday announced the launch of Verisk Cyber Data Exchange.  Participating insurers contribute their data to the exchange, which ISO manages – aggregating, summarizing, and developing business intelligence that it provides to those companies via interactive dashboards.

Anonymity is designed into the exchange, Verisk says, with all data aggregated so it can’t be traced back to a specific insurer.  The hope is that, by creating an incentive for cyber insurers to share data, Verisk can provide insights that will help them quantify this evolving risk for strategic, model calibration, and underwriting purposes.

Tapping the insurance ecosystem for insights

I had the pleasure last week of attending “Data in the New: Transforming Insurance” – the third annual insurtech-related thought leadership event held by St. John’s University’s Tobin Center for Executive Education and School of Risk Management.

To distill the insights I collected would take far more than one blog post.  Speakers, panelists, and attendees spanned the insurance “ecosystem” (a word that came up a lot!) – from CEOs, consultants, and data scientists to academics, actuaries, and even a regulator or two to keep things real. I’m sure the presentations and conversations I participated in will feed several posts in weeks to come.

Herbert Chain, executive director of the Center for Executive Education of the Tobin College of Business, welcomes speakers and attendees.
Just getting started

Keynote speaker James Bramblet, Accenture’s North American insurance practice lead, “set the table” by discussing where the industry has been and where some of the greatest opportunities for success lie. He described an evolution from functional silos (data hiding in different formats and databases) through the emergence of function-specific platforms (more efficient, better organized silos) to today’s environment, characterized by “business intelligence and reporting overload”.

Accenture’s James Bramblet discusses the history and future of data in insurance.

“Investment in big data is just getting started,” Jim said, adding that he expects the next wave of competitive advantage to be “at the intersection of customization and real time” – facilitating service delivery in the manner and with the speed customers have come to expect from other industries.

Jim pointed to several areas in which insurers are making progress and flagged one – workforce effectiveness – that he considers a “largely untapped” area of opportunity. Panelists and audience members seemed to agree that, while insurers are getting better at aggregating and analyzing vast amounts of data, their operations still look much as they have forever: paper based and labor intensive. While technology and process improvement methodologies that could address this exist, several attendees said they found organizational culture to be the biggest obstacle, with one citing Peter Drucker’s observation that “culture eats strategy for breakfast.”

Lake or pond? Raw or cooked?

Paul Bailo, global head of digital strategy and innovation for Infosys Digital, threw some shade on big data and the currently popular idea of “data lakes” stocked with raw, unstructured data. Paul said he prefers “to fish in data ponds, where I have some idea what I can catch.”

Data lakes, he said, lack the context to deliver real business insights. Data ponds, by contrast, “contain critical data points that drive 80-90 percent of decisions.”

Stephen Mildenhall, assistant professor of risk management and insurance and director of insurance data analytics at the School of Risk Management, went as far as to say the term “raw data” is flawed.

“Deciding to collect a piece of data is part of a structuring process,” he said, adding that, to be useful, “all data should be thoroughly cooked.”

Innovation advice

Practical advice was available in abundance for the 80-plus attendees, as was recognition of technical and regulatory challenges to implementation. James Regalbuto, deputy superintendent for insurance with the New York State Department of Financial Services, explained – thoroughly and with good humor – that regulators really aren’t out to stifle innovation. He provided several examples of privacy and bias concerns inherent in some solutions intended to streamline underwriting and other functions.

Perhaps the most broadly applicable advice came from Accenture’s Jim Bramblet, who cautioned against overthinking the features and attributes of the many solutions available to insurers.

“Pick your platform and go,” Jim said. “Create a runway for your business and ‘use case’ your way to greatness.”

Trip Coverage: It’s Not Just About Cancellations

As I’ve written previously, many who travel for pleasure think little, if at all, about the risks associated with their destinations and plans. Travel insurance, such folks believe, is to cover the cost and inconvenience of trip cancellations and lost luggage.

Who wants to think about illness, accidents, and – you know, the other thing – when going on holiday?

You don’t buy travel insurance for the best-case scenario. It’s when the worst happens you will likely regret not having it.

Industry numbers seem to bear this out. A recent report by the U.S. Travel Insurance Association (USTIA) found Americans spent nearly $3.8 billion on travel insurance in 2018, up nearly 41 percent from 2016.  However, trip cancellation/interruption coverage accounted for nearly 90 percent of the benefits purchased. Medical and medical evacuation benefits accounted for just over 6 percent.

Most common claim, but…

Indeed, trip cancellation is the most common claim paid on travel policies (or so I’m told – insurers hold their claims data close to the vest). Assuming this is the case, one might be tempted to roll the dice when it comes to occurrences that seem less likely – say, an automobile accident, a bad fall, or a heart attack or stroke.

Last week’s story about a 22-year-old Briton fighting for his life after falling from a hotel balcony in Ibiza got me thinking about value of the “post-departure benefits” of travel insurance. According to the article, the young man had insurance, though it wasn’t clear what kind of coverage he’d bought. The article did say his parents are soliciting funds on line to help with expenses.

“Globally, an estimated 37 million unintentional falls requiring medical treatment occur each year” write researchers in the journal Injury Epidemiology, citing 2018 World Health Organization (WHO) data. Unsurprisingly, alcohol consumption was found to be a major risk factor in these falls.

During one three-month period in 2018, the BBC reported, citing the Association of British Travel Agents, “11 British holidaymakers have been reported as falling from a balcony – with eight of them in their teens or 20s.” In March 2019, a Missouri man fell from the balcony of a Florida hotel where he was vacationing. In the same month, a Michigan teen on vacation in Cancun fell to his death.

Think you’re too smart, careful, or abstemious to fall from a balcony? Well, the most common cause of injury and death on vacation isn’t falls. It is – you guessed it – automobile accidents. According to a WHO and World Bank report, “deaths from road traffic injuries account for around 25% of all deaths from injury”.

According to the Centers for Disease Control and Prevention (CDC) 1.3 million people are killed and 20-50 million injured in crashes worldwide annually. The CDC says 25,000 of those deaths involve tourists.

There are things you can’t predict

Or maybe you avoid a fall or a crash and wind up in a situation like New Yorker Steve Lapidus, who credits his $79 travel insurance policy with saving his life when he became seriously ill while on vacation in Italy. Steve was in a coma for several days with sepsis and pneumonia and given 50/50 odds of surviving. But, after six-and-a-half weeks of medical care, doctors cleared him to fly home.

Man who fell ill during overseas trip says Richmond travel insurance company saved his life

The problem was, he couldn’t walk and needed special care and a specially modified plane. Lufthansa built a special pod within one of its commercial flights.

That $79 policy covered the entire $70,000 bill.

Plan for the best – insure for the worst

No one wants to buy insurance. Who on Earth would choose to buy a product that, under the best possible circumstances, they never use?

But you don’t buy insurance for the best-case scenario. It’s when the worst happens that you will likely regret not having it.

 

 

 

Wedding Big Rigs to IoT: What Could Possibly Go Wrong?

“We went out again. We got maybe six steps before lights blared in our faces. It had crept up, big wheels barely turning on the gravel. It had been lying in wait and now it leaped at us, electric headlamps glowing in savage circles, the huge chrome grill seeming to snarl.”

Transportation and logistics companies are now among the top-targeted industries by computer hackers

When Stephen King wrote Trucks – a tale of big rigs, pickups, and earth movers coming suddenly to life and terrorizing people they had trapped in a diner – he didn’t speculate about how or why they’d been incited to malevolence. Aliens? The Soviets? Who cared? It was the 1970s, and all he needed to do was deliver a solid horror yarn.

I loved that story when I read it in high school – mainly because it scared the daylights out of me and yet I knew for sure it couldn’t happen. Could it? Nah!

Today I read an article about “platooning”, in which “a lead vehicle wirelessly assumes control over the throttle and braking of one, two, or more vehicles following along behind it. In many scenarios, the drivers in a platoon continue to steer their vehicles and can disengage from the convoy at any time, but the first vehicle determines the speed and braking maneuvers of the entire platoon. Because the follower trucks maintain constant communication with the lead vehicle and have synchronized acceleration and braking, platooning trucks can maintain much shorter distances between themselves as they travel.”

Bam! I was right back in that 1970s diner inside Stephen King’s warped, brilliant, and quite possibly prophetic brain.

From there I time traveled forward to Bastille Day 2017 in Nice, France, where 84 people were killed when a radicalized individual plowed a 20-ton truck into a crowd waiting to watch a fireworks display. The previous December, CNN reminded me, 12 people were left dead and 48 injured when a tractor trailer was driven into a Berlin Christmas market.

“Platooning, which is based on vehicle-to-vehicle (V2V) communications, has been shown to increase the fuel efficiency of both the lead and following vehicles, saving fleet operators money and reducing carbon dioxide emissions,” the article in Verisk’s Visualize insurance news and thought leadership site tells me comfortingly. It cites a German pilot program in which truck platooning generated fuel savings of 3 to 4 percent. Platooning could lead to huge cost savings for businesses and consumers.

Who doesn’t love fuel efficiency?

And then I read an article in Today’s Trucking that began:

“When Harold Sumerford’s phone rang at 2:30 a.m. on April 2, he knew the news couldn’t be good. But he figured it was probably the safety department – not the CFO telling him the company’s entire computer system was down from a ransomware attack.”

Sumerford is CEO of J&M Tank Lines. According to the article, it took four days for his company to begin functioning after the attack, “and during those four days, they weren’t able to bill any customers or enter anything into the system.”

Granted, this is a far cry from having the entire fleet go on a murderous rampage, but the Internet of Things is still young.  It hasn’t been long since researchers demonstrated that they could remotely do everything from altering a big rig’s  instrument panel to triggering unintended acceleration or disabling brakes.

“These trucks carry hazardous chemicals and large loads,”  Bill Hass, one of the researchers from the University of Michigan’s Transportation Research Institute, told Wired. “If you can cause them to have unintended acceleration…I don’t think it’s too hard to figure out how many bad things could happen with this.”

J&M’s experience, according to Today’s Trucking, was “just one example of a rapidly growing problem with cybersecurity in the trucking industry. Transportation and logistics companies are now among the top-targeted industries by computer hackers.”

According to an article in ZDNet published just a few weeks ago, “Hackers are deploying previously unknown tools in a cyberattack campaign targeting shipping and transport organisations with custom trojan malware. Identified and detailed by researchers at Palo Alto Networks’ Unit 42 threat intelligence division, the campaign has been active since at least May 2019 and focuses on transportation and shipping firms operating out of Kuwait in the Persian Gulf.”

This as everyone I know seems to be panting with enthusiastic anticipation for vehicles that drive themselves!

Look, I’m no Luddite. I appreciate the benefits offered by and realized through interconnectivity.

But I also have a front row seat observing the difficulties people who assess and quantify risk for a living experience in getting and keeping their heads around the ever-changing world of cyberrisk.  As data and “stuff” become increasingly intertwined and the risks surrounding them are less clearly defined, is it so unreasonable to suggest that pushing humans out of the driver’s seat at this moment isn’t the only or best path to traffic safety, low prices, and reducing our collective carbon footprint?

Intent and ability distinguish cyberrisk from natural perils

Cyberrisk is often compared with natural catastrophe-related threats, but a recent study by global reinsurer Guy Carpenter and analytics firm CyberCube suggests a better analogy is with terrorism.

“Probability is assessed in terms of intent and capability.”

The report – Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study – quotes Andrew Kwon, lead cyber actuary for Zurich: “Extending the lessons learned from property cats to the cyber space is intuitive and logical, but cyber continues to be a unique force unto itself. A hurricane does not evolve to bypass defenses; an earthquake does not optimize itself for maximum damage.”

This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.

The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.

Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.

“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”

Collateral damage.

The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”

The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”

As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.

Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.

 

Travel company collapse offers lessons in risk

Most people don’t like to think about risk — especially when planning a holiday abroad. If they think about travel risk at all, it tends to be in terms of nuisances like flight cancellations or misrouted luggage.

The collapse of British travel company Thomas Cook, which left many thousands of travelers stranded, highlights the types of risks travelers rarely think about.

This week’s seemingly overnight collapse of British travel company Thomas Cook – leaving approximately 600,000 travelers stranded worldwide and leading U.K. authorities to launch what has been called be the “largest peacetime repatriation ever” – underscores several of the myriad risks that most travelers rarely think about.

For better or worse, when I hear “repatriation” the word is typically followed in my mind by “of remains.” While mass repatriations like the one occurring this week are rare, people often die while traveling for pleasure or business. Whether it’s headline-grabbing strings of mysterious deaths like those in the Dominican Republic earlier this year or more common, less publicized deaths by auto, drowning, or natural causes, the cost and complexity of returning the bodies of loved ones can compound the stresses typically experienced by grieving families. A travel policy with adequate coverage for repatriation of remains is a relatively inexpensive way to help address this burden.

Now, you’re even more likely to become ill or injured while traveling than you are to die. Have you checked your current health insurance to see what it does and doesn’t cover when you’re traveling outside your country? Depending on what you learn, you may want to consider buying medical travel insurance. If your health policy does provide international coverage, the U.S. State Department advises that you remember to carry your insurance policy identity card and a claim form.

In the case of a serious illness or injury, the State Department says, medical evacuation can cost more than $50,000, depending on your location and condition. A policy that covers medical evacuation and emergency extraction (say, in the event of natural disaster or political unrest) also is worth considering for international trips.

Perhaps the most important lesson to draw from the “surprise” collapse of 178-year-old Thomas Cook is that it wasn’t exactly a surprise for those who were paying attention. As the U.K.-based Guardian news site reports, “The tour operator’s woes go back much further” than its inability to secure a £200 million lifeline from its bankers. The Guardian calls Thomas Cook “a victim of a disastrous merger in 2007, ballooning debts and the internet revolution in holiday booking. Add in Brexit uncertainty, and it was perhaps only a matter of time before the giant of the industry collapsed.”

Travelers often are so focused on capturing bargains that they don’t take the time to research the organizations bringing them great deals or the safety considerations in the lovely destinations being marketed to them. In travel, as in other adventures, it’s often the case that “you get what you pay for.”

Maybe a bit of research might have kept some of the hundreds of thousands of inconvenienced Thomas Cook clients from putting all their holiday eggs in a single overstuffed basket.