Category Archives: Cyber Risk

RiskScan 2024 reveals risk priorities across the insurance marketplace

By Mary Sams, Senior Research Analyst

Cyber incidents, changes in climate, and business interruption are the chief risk concerns among key marketplace segments in the insurance industry, according to RiskScan 2024, a new survey from Munich Reinsurance America Inc. (“Munich Re US”) and the Insurance Information Institute (Triple-I).

RiskScan 2024 provides a cross-market overview of top risk concerns among individuals across five key market segments: P&C insurance carriers, P&C agents and brokers, middle-market business decision makers, small business owners, and consumers. The survey explores not only P&C risks, but also how economic, political, and legal pressures shape risk perceptions. 

Methodology

To produce a compelling snapshot of cross-market views, Munich Re US and Triple-I engaged independent market researcher RTi Research in the summer of 2024 to survey 1,300 US-based individuals.

Market surveys typically focus on a single audience, but RiskScan 2024 is a multi-segment survey offering a comprehensive view of risk perceptions and yielding comparative results between audiences. The key insights present a variety of commonalities and disparities across the five distinct target segments, covering the full range of insurance buyers and sellers across the United States.

This online survey was conducted across gender, age, geographic region, household income, business revenue, and company size. 

Two primary cohorts make up five segments of participants in the RiskScan research:

  1. Consumers and small business owners (n=700), and
  2. Insurance industry participants, which included carriers, agents, and brokers as well as middle market businesses (n=600).

Research participants were presented with various risks across five segments and then asked to select their top three risk concerns. 

Key Insights

More than one-third of respondents chose economic inflation, cyber incidents, and climate change as their top three concerns based on insurance risks and market dynamics. All three of these reflect post-pandemic news topics. Economic inflation has increased over the last several years. Consumers and small business owners have experienced direct impacts with increased costs, and industry participants have seen these impacts in increased replacement costs and P&C insurance premiums.

There are significant disparities in the ranking results between the two primary cohorts within the research. Insurance professionals tend to identify a variety of risks and have significant awareness of all risk categories, including emerging technologies. As expected, these audiences exhibit broader knowledge and awareness of risk transfer and mitigation of new and emerging risks. Consumers identified a smaller number of risks associated with more immediate and direct impacts on themselves. 

The structure of RiskScan 2024 research yields a more complete understanding of the “white space” that exists between risk perception and action. The gaps were identified along three key risk areas: 

  • flood risk,
  • cyber risks, and
  • legal system abuse.

Flood risk was also indicated as one of the chief concerns for each audience. However, consumers lack awareness that flood events are typically excluded from homeowner’s policies. Industry professionals are more aware of flood coverage exclusions, the importance of purchasing flood coverage before a flood event, and the likelihood of these events occurring.

Cyber incidents are a primary concern in all five market segments. Most audiences in the research, both consumer and commercial, feel unprepared as this threat vector is constantly emerging, expanding, and changing. Many people are knowledgeable about cyber risks and are concerned about how to mitigate new cyber threats. Troubling stories have come to light as the frequency and severity of cyber threats grow.

“The knowledge gap about insurance risks demonstrates the continued need for education of consumers and businesses, especially about flood, cyber, and legal system abuse,” says Triple-I CEO Sean Kevelighan. “Increasing knowledge will be instrumental for the collective work needed to better manage and mitigate future risks.”

The report includes additional results for each of the five primary audiences: consumers (n=500), small business owners (n=200), insurance carriers (n=200), insurance agents and brokers (n=200), and middle market businesses (n=200).

Download the full RiskScan 2024 report to review the details. Triple-I aims to empower stakeholders by driving research and education on this and other key insurance topics. Follow our blog to keep abreast of these essential conversations.

FBI: Elder Fraud Up; Bolsters Case for Personal Cyber Insurance

By Neil Rekhi, Personal Cyber Product Lead, HSB

Targeting of the demographic with the most to lose increases.

In 2023, total losses reported to the FBI’s Internet Crime Complaint Center (IC3) by people over the age of 60 topped $3.4 billion, an almost 11 percent increase in reported losses from 2022. The number of complaints, the highest attributed to a single age group, increased by 14 percent. The average dollar loss per complaint was $33,915, with nearly 6,000 people losing over $100,000 per claim.

The IC3 report outlined several common cyber fraud activities that impact individuals over 60, including:

  • Call Center/Tech Support Scam
  • Confidence/Romance Scams
  • Cryptocurrency Scams
  • Investment Scams

The IC3 notes the actual figures around these and other cyber crimes targeting the elderly may be higher since only about half of the more than 880,000 total complaints it received (with total losses exceeding $12.5 billion) included age data.

A major reason for the proliferation of elder fraud may simply be that members of this age group are plentiful while also having comparatively the most to steal. Adults 65 and up are expected to make up 22 percent of the US population by 2024. Federal Reserve data indicates that their asset accumulation outpaces that of other age groups, with median and average net worth figures for adults 65-74 at $409,900 and $1.8 million, respectively, and for adults 75 and over, $335,600 and $1.6 million respectively. 

Increasing digital lives and advancing technology create new threats.

The transition to the smart mobile and app economy, along with the rise of big data and predictive analytics/AI, and (due to the pandemic) remote working, have transformed the way we engage with the world on a social, professional, and financial level. The Internet of Things (IoT) and each person’s expanding network of personal devices — smart TVs, video game consoles, appliances, home climate control systems, etc. — have propelled the digitization of our existence. All these advancements can make life easier but also increase points of cybersecurity vulnerability for people of all ages.

However, data indicates that different age groups can be susceptible to different methods of targeting by cyber scammers. For example, phishing, which relies on the human tendency to repay what another person has provided, can be more effective for targeting older vs younger adults. Also, today’s consumer under age 25 may never have the need to write a paper check, but many over 65 today have spent a significant portion of their lives handling their financial affairs that way. Thus, the trust placed in tech support people and other personnel whom they are supposed to rely on for assistance is understandable.

Unfortunately, according to the IC3, people over 60 lost more to call center and tech support scams than all other age groups combined, with this group reporting 40% of these incidents and 58% of the related financial losses (about $770 million). Common schemes involved using phone calls, texts, emails, or pop-up windows (or a combination of these) to connect with victims, manipulating them to download malicious software, reveal private account information, or transfer assets. The fallout included remortgaged homes, emptied retirement accounts, and, in some cases, suicide.

New tools and methods increase cyber security threats.

A financial services professional at a Hong Kong-based firm sent US$25 million to fraudsters after she believed she was instructed to do so by her chief financial officer on a video call that also included other colleagues. Deepfakes, one of 2024’s increasingly common cyber risks for businesses and organizations, are on track to become a major threat to personal cyber liability. A technology known as “deep” learning (hence the name) can generate images, videos, texts, or sound files specifically designed to be highly convincing despite being entirely made up.

This content can turn up anywhere on social media, the internet, or even in emails and phone calls, fooling unsuspecting humans, and, all too often, even detection software. Deepfakes aren’t always produced for malicious activities; some are used widely for entertainment. However, the growing sophistication of deepfakes and the availability of the technology needed to make them may have serious implications for cyber risk.

Cyber criminals can leverage this technology to trick victims into divulging sensitive information, transferring money, or performing other activities. Reputations can be damaged by fabricated images of victims engaged in illegal or controversial acts. This type of deepfake can also enable blackmail in exchange for not releasing the material. In addition to impersonating individuals, cyber criminals can use deepfakes to bypass biometric verification or create false advertising.

The options for managing personal cyber risk can differ in crucial ways.

Personally identifiable information (PII) is the primary driver of identity theft and most other cyber fraud. Major data breaches are becoming commonplace, such as the incident that happened in 2023 (but wasn’t reported until August 2024) that exposed 2.7 billion records. Bad actors exploit this kind of information to directly engage in fraudulent transactions or create trust with their targets in more complex schemes.

Thanks to heavy marketing and wide availability from banks and card issuers, consumers tend to be familiar with Identity Theft Protection (ITP). As the name implies, such plans revolve around the risk of stolen identity and can alleviate some of the work and costs related to monitoring and mitigating the fallout from identity theft.

In contrast, Personal Cyber Insurance (PCI) offers coverage for a broader range of losses. Covered risks, in addition to ITP, can include cyber extortion, online fraud and deceptive transfers, data breaches, cyberbullying, and more. An important aspect of PCI is that it can help provide financial reimbursement from covered “cyber scams” or related social engineering risk not directly tied to identity theft, cyber crimes which are on the rise. It also offers assistance and financial reimbursement for compromised devices. For example, if a policyholder is hacked, personal cyber insurance may help cover the costs of hiring a professional to reformat the hard drive, reinstall the operating system, and restore data from the backup.

“Social engineering and other cyber-related threats against consumers continue to grow and evolve, and insurance carriers are offering affordable personal cyber coverage that can be easily added to a homeowners or renters insurance policy,” says James Hajjar, Chief Product Officer at Hartford Steam Boiler (HSB).

HSB, which has been offering personal cyber insurance since 2015, has evolved its coverage multiple times over the years to stay ahead of cyber risk trends and the dynamic threat landscape. Given the increasing complexity of cyber risks and the rise of sophisticated scams — such as phishing and ransomware — that kind of protection shouldn’t be limited to identity theft. Robust PCI coverage safeguards against a range of other cyber-related issues and provides critical support to ensure policyholders aren’t left to deal with the financial aftermath of a cyber incident alone.

“It’s crucial that cyber insurance is specifically designed to help individuals protect themselves against these evolving threats and provides financial security and additional programs and services if someone is hacked,” Hajjar says.

Historically, ITP has been widely offered through banks, credit unions, credit card issuers, and credit reporting agencies. Either product type may be purchased as either standalone or optional add-on coverage for homeowners, rental, or condo insurance policies.

The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The 2023 Data Breach Report, which details the larger dataset of cyber crime complaints to the FBI’s Identity Theft Resource Center (ITRC), reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals.

A new conversation about personal cyber insurance begins.

Triple-I and HSB are teaming up to uncover ways to enhance support and resources for insurance agents while improving personal cyber insurance options for policyholders. If you are an agent, please take three minutes to help by participating in our survey. Your contribution will be invaluable in shaping the future of personal cyber insurance.

The latest reports from FBI and ITRC reveal that cyber incidents in 2023 broke records for financial loss and frequency.

Cyber incidents reported to the FBI’s Internet Crime Complaint Center (IC3) in 2023 totaled 880,418. These attacks caused a five-year high of $12.5 billion in losses, with investment scams making up $4.57 billion, the most for any cybercrime tracked. Phishing, with 298,878 incidents tracked (down from its five-year high in 2021 of 323,972), continues to reign as the top reported method of cybercrime.

The 2023 Data Breach Report from Identity Theft Resource Center (ITRC) reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals. Meanwhile, supply-chain attacks increased, and weak notification frameworks further increased cyber risk for all stakeholders.

Email compromise, cryptocurrency fraud, and ransomware increase

In addition to record-high financial losses from cybercrimes overall in 2023, the report revealed trends across crime methodology and targets. Investment fraud was the costliest of all incidents tracked. Within this category, cryptocurrency involvement rose 53 percent, from $2.57 billion in 2022 to $3.94 billion. Victims 30 to 49 years old were the most likely group to report losses.

Ransomware rose 18%, and about 42 percent of 2,825 reported ransomware attacks targeted 14 of 16 critical infrastructure sectors. The top five targeted sectors made up nearly three-quarters of the critical infrastructure complaints: healthcare and public health (249), critical manufacturing (218), government facilities (156), information technology (137), and financial services (122).

Adjusted losses for 21,489 business email compromise (BEC) incidents climbed to over $2.9 billion. The IC3 noted a shift from dominant methods in the past (i.e., fraudulent requests for W-2 information, large gift cards, etc.). Now scammers are “increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors, or having targeted individuals send funds directly to these platforms where funds are quickly dispersed.”

The report disclosed a $50,000,000 loss from a BEC incident in March of 2023, targeting “a critical infrastructure construction project entity located in the New York, New York area.”

The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The FBI’s recommendations for solutions to minimize risk and impact include:

  • Ramping up cybersecurity protocols such as two-factor authentication.
  • More robust payment verification practices.
  • Avoiding engagement with unsolicited texts and emails.

The scale of 2023 data compromises is “overwhelming.”

According to the ITRC, the surge in breaches during 2023 is 72 percent over the previous record set in 2021 and 78 percent over 2022. To add more perspective, the ITRC notes that “the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020, except for 2017.”

Meanwhile, as the report highlights, two other outsized trends converged: increasing complexity and risk. The number of organizations and victims impacted by supply-chain attacks skyrocketed. The notification framework conspicuously weakened, too. Since some laws assign liability for notification to organizations owning the leaked data, the notification chain would stop there, leaving downstream stakeholders unaware. For example, a software company servicing nonprofits might duly notify its direct B2B customers but not the individuals served by the nonprofit organization.

The ITRC has been reviewing publicly reported data breaches since 2005, and it now has a database of more than “18.8K tracked data compromises, impacting over 12B victims and exposing 19.8B records.” This ninth report forecasts a bleak outlook for the coming year. Specifically, “an unprecedented number of data breaches in 2023 by financially motivated and Nation/State threat actors will drive new levels of identity crimes in 2024, especially impersonation and synthetic identity fraud.”

The faster a breach is identified and reported, the faster all potentially affected parties can take measures to minimize impact. However, reporting regulations can vary across jurisdictions and businesses, and their supply chain partners may hesitate to disclose breaches for fear of impacting revenue and brand reputation. ITRC outlines its forthcoming uniform breach notification service designed to enable due diligence, emphasizing swift action and coordination with business and regulatory authorities. The service will be offered for a fee to companies looking to better handle cyber risk in their supply chains and regulatory requirements. Other recommendations include the increased use of digital credentials, facial identification/comparison technology, and enhancing vendor due diligence. 

The increased risk and rising financial losses from cyber risk likely drive growth for the cyber insurance market, which tripled in volume in the last five years. Gross direct written premiums climbed to USD 13 billion in 2022. For a quick rundown of how cyber insurance coverage supports risk management for organizations of all sizes, take a look at our cyber risk knowledge hub. To learn more about the fastest-growing segment of property/casualty, look at our recent Issues Brief.

Cyber insurance market continues rapid growth as risk management strategies improve

As the number of cyber security breaches soars, direct written premiums (DPW) for cyber insurance worldwide could rise to $23 billion by 2025, with U.S. businesses paying about 56 percent of the total, according to Triple-I’s latest Issues Brief.

Cyber Insurance: State of the Risk, published last week, says the most recent data shows standalone policies have emerged as the preference for larger insureds, accounting for more than 70 percent of DPW – an increase of 61.5 percent from the prior year. These growth trends may signify that businesses recognize the growing threat of cyber risk requires mitigation beyond the typical coverage limitations of packaged options. Loss ratios also improved over 2021 rates, with declines of 23 percentage points, to 43 percent, on standalone policies and 18 percentage points, to 48 percent, on packaged policies. These improvements are evidence of improved cost-containment strategies. 

A two-edged sword

The brief outlines how technology can foster opportunities for cyber attackers and deliver ways for cybersecurity managers to predict, prevent, and manage threats. Increased use of cloud storage, remote working, and the “bring your own device” IT approach has amplified points of organizational vulnerability. And, as more companies and their employees are increasingly leveraging AI to boost operational efficiency, cyber attackers have created large language models (LLMs) to mimic the functionalities of ChatGPT and Google’s Bard to aid in phishing and malware attacks. 

Even the smallest businesses face threats that can incapacitate an organization. However, organizations can manage breaches more efficiently using AI for faster breach detection and implementing requirements for two-factor authentication, VPN use on external Wi-Fi networks, and data-wiping processes for lost or stolen devices.

Cyber insurance has become an integral part of robust prediction and prevention.

The bulk of cyber insurance claims by volume and frequency stem from ransomware and extortion-based attacks, according to an October 2023 report from Allianz. The report also says the annual proportion of cases in which data is stolen has consistently risen from “40 percent of cases in 2019 to around 77 percent of cases in 2022, with 2023 on course to surpass last year’s total.”  

The Allianz report highlights the growing need for businesses to improve prediction and prevention strategies, internally and with external partners and supply chain relationships. It makes practical sense that indemnification for cyber risk has become a common requirement for vendors doing business with frequently targeted sectors.  

The Triple-I brief states that as insurers refine policy terms to make the scope of coverage more understandable, business risk managers are better able to comprehend how cyber insurance can mitigate their risks. In turn, insurers may have been able to gain improvements in cost containment and rate stability. 

Triple-I supports increased awareness of the threat landscape

Cyber insurance can play a pivotal role in liability management. Sean Kevelighan, Triple-I’s CEO, participated on a panel during the Small Business Cyber Summit, a series hosted by the U.S. Small Business Administration (SBA). Discussions offered insights and tips for cybersecurity risk managers and other experts. Kevelighan explained how cyber insurance can allow “businesses to more strategically allocate their resources” in the battle against cyber threats.

Kevelighan participated in another fall 2023 cyber risk panel hosted by The Institutes Griffith Foundation in collaboration with Indiana University. The presentation, Cyber Risk: Exploring the Threat Landscape and the Role of Risk Management, focused on risks to national infrastructure and companies. Accordingly, panelists discussed how regulators and businesses have responded to the inevitable threat of cyberattacks. Speakers shared expertise in three core areas:

  • the cyber threat landscape;
  • ransomware and insurer solvency; and
  • eminent challenges for cyber risk insurance.

It’s Not an “Insurance Crisis” — It’s a Risk Crisis

Ten states – Louisiana, Florida, Idaho, Kentucky, Mississippi, Montana, North Dakota, South Carolina, Texas, and Virginia – as well as additional plaintiffs, are suing the Federal Emergency Management Agency (FEMA) over its new methodology for pricing flood insurance, Risk Rating 2.0. On Sept. 14, a federal hearing lasted six hours as the plaintiffs sought a preliminary injunction to halt the new pricing regime while the lawsuit plays out.

Many residents of these states are understandably upset about seeing their flood insurance premium rates rise under the new approach. There may not be much comfort for them in knowing that the current system is much fairer than the previous one, in which higher-risk homeowners subsidized those with lower risks. Similarly, policyholders who have had their premium rates reduced under Risk Rating 2.0 are unlikely to take to the streets in celebration.

These homeowners aren’t alone in seeing insurance rates rise – or even having to struggle to obtain insurance. And these difficulties aren’t confined to holders of flood insurance policies. Florida and California are two states in which insurers have been forced to rethink their risk appetite – due in part to rising natural catastrophe losses and in part to regulatory and litigation environments that make it increasingly difficult for insurers to profitably write coverage.

Even before the COVID-19 pandemic and Russia’s invasion of Ukraine – and the supply-chain and inflationary pressures they created – the property/casualty insurance market was hardening as insurers adjusted their pricing and their risk appetites to keep pace with conditions that were driving losses up and eroding underwriting profitability – topics Triple-I has written about extensively (see a partial list below).

“Rising insurance rates are not the problem,” says Dale Porfilio, chief insurance officer at Triple-I. “They are a symptom of rising losses related to a range of factors, from climate and population trends to post-pandemic driving behaviors and surging cybercrime to antiquated policies, outdated building codes, fraud, and legal system abuse.”

In short, we are not experiencing an “insurance crisis,” as many media outlets tend to describe the current state of the market; we are experiencing a risk crisis. And even as the states referenced above push back against much-needed flood insurance reform, legislators in several states have been pushing measures that would restrict insurers’ ability to price coverage accurately and fairly – rather than addressing the underlying perils and forces aggravating them.  

Triple-I, its members, and a range of partners are working to educate stakeholders and decisionmakers and promote pre-emptive risk mitigation and investment in resilience. We are using our position as thought leaders and our unique non-lobbying role in the insurance industry to reach across sector boundaries and drive constructive action. You will be hearing more about these efforts over the next few months.

The success of these efforts will require a collective understanding among stakeholders and decisionmakers that, for insurance to be available and affordable, frequency and severity of risk must be measurably reduced. This will require highly focused, integrated projects and programs – many of them at the community level – in which all stakeholders (co-beneficiaries of these efforts) will share responsibility.

Want to know more about the risk crisis and how insurers are working to address it? Check out Triple-I’s upcoming Town Hall, “Attacking the Risk Crisis,” which will be held Nov. 30 in Washington, D.C.

Learn More:

Shutdown Threat Looms Over U.S. Flood Insurance

FEMA Incentive Program Helps Communities Reduce Flood Insurance Rates for Their Citizens

More Private Insurers Writing Flood Coverage; Consumer Demand Continues to Lag

Shift in Hurricane Season’s Predicted Severity Highlights Need for Prospective Cat Risk Pricing

California Needs to Make Changes to Address Its Climate Risk Crisis

Illinois Bill Highlights Need for Education on Risk-based Pricing of Insurance Coverage

IRC Outlines Florida’s Auto Insurance Affordability Problems

Education Can Overcome Doubts on Credit-Based Insurance Scores, IRC Survey Suggests

Matching Price to Peril Helps Keep Insurance Available & Affordable

Triple-I “State of the Risk” Issues Brief: Flood

Triple-I “State of the Risk” Issues Brief: Hurricanes

Triple-I Issues “Trends and Insights” Brief: Risk-Based Pricing of Insurance

Keep It Simple: Security System Complexity Correlates With Breach Costs

By Max Dorfman, Research Writer, Triple-I

Artificial intelligence is helping to limit the costs associated with data breaches, a recent study by IBM and the Ponemon Institute found. While these costs continue to rise, they are increasing more slowly for some organizations – in particular, those using less-complex, more-automated security systems.

According to the study, the average cost of a data breach was $4.45 million in 2023, a 2.3 percent increase from the 2022 cost of $4.35 million. The 2023 figure represents a 15.3 percent increase from 2020, when the average breach was $3.86 million.

However, not all organizations surveyed by the study experienced the same kinds of breaches – or the same costs. Organizations with “low or no security system complexity” – systems in which it is easier to identify and manage threats – experienced far smaller losses than those with high system complexity. The average 2023 breach cost $3.84 million for the former and a staggering $5.28 million for the latter. For organizations with high system complexity, this is an increase of more than 31 percent from the year before, amounting to an average of $1.44 million.

As David W. Viel, founder and CEO of Cognoscenti Systems, put it: “The size and complexity of a system directly results in a greater number of defects and resulting vulnerabilities as these quantities grow. On the other hand, the number of defects and cybersecurity vulnerabilities shrinks as the system or component is made smaller and simpler. This strongly suggests that designs and implementations that are small and simple should be very much favored over large and complex if effective cybersecurity is to be obtained.”

The research also noted that organizations that involve law enforcement in ransomware attacks experienced lower costs. The 37 percent of survey respondents that did not contact law enforcement paid 9.6 percent more than those that did, with the breach lasting an average of 33 days longer than those that did contact law enforcement. These longer breaches tended to cost organizations far more, with breaches with identification and containment times under 200 days averaging $3.93 million, and those over 200 days costing $4.95 million.

AI and automation are proving key

Security AI and automation were both shown to be significant factors in lowering costs and reducing time to identify and contain breaches, with organizations utilizing these tools reporting 108-day shorter times to contain the breach, and $1.76 million lower data breach costs relative to organizations that did not use these tools. Organizations with no use of security AI and automation experienced an average of $5.36 million in data breach costs, 18.6 percent more than the average 2023 cost of a data breach.

Now, most respondents are using some level of these tools, with a full 61 percent using AI and automation. However, only 28 percent of respondents extensively used these tools in their cybersecurity processes, and 33 percent had limited use. The study noted that this means almost 40 percent of respondents rely only on manual inputs in their security operations.

Cyber insurance demand is growing

A recent study by global insurance brokerage Gallagher showed that the vast majority of business owners in the U.S. – 74 percent – expressed extreme or very high concern about the impact of cyberattacks on their businesses. Indeed, a study by MarketsandMarkets found that the cyber insurance market is projected to grow from $10.3 billion in 2023 to $17.6 billion by 2028, noting that the rise in threats like data breaches, ransomware, and phishing attacks is driving demand.

Organizations are now responding more thoroughly to these threats, with increased underwriting rigor helping clients progress in cyber maturity, according to Aon’s 2023 Cyber Resilience Report. Aon states that several cybersecurity factors, including data security, application security, remote work, access control, and endpoint and systems security – all of which experienced the greatest improvement among Aon’s clients – must be continually monitored and evaluated, particularly for evolving threats.

Insurers and their customers need to work together to more fully address the risks and damages associated with cyberattacks as these threats continue to grow and businesses rely ever more heavily on technology.

Digital Tools Help Agency Revenues, But Cybercrime Concerns May Hamper Adoption

By Max Dorfman, Research Writer, Triple-I

Insurance agencies that adopt digital methods to interact with customers have seen their revenues grow faster than their less digitally sophisticated competitors, according to new research by Liberty Mutual and Safeco Insurance. However, the research also indicates that digital adoption by agencies has slowed in recent years.

The study, The State of Digital in Independent Insurance Agencies, found that “highly digital adopter” agencies — based on a 10-point scale related to the number and complexity of the tools the agency uses — experienced a 70 percent growth rate, as opposed to 17 percent for “high digital adopters”, and a mere 10 percent for “low” and “medium” digital adopters.

But while digital adoption has gained traction, it has declined as a priority in agencies’ plans. In the latter part of 2020, 58 percent of agencies said improving digital capabilities was part of their five-year growth plans, according to the Liberty Mutual/Safeco study. However, by late 2021, this had decreased to 47 percent, approximately the same as in 2017.

The digital tools that have seen a decrease in use range from social media to live online chats. Additionally, many agencies said they are not tracking which digital tools are driving growth.

The survey found that 60 percent of digitally focused agencies said they planned to invest in new digital capabilities within their five-year agency growth plans. Only 42 percent of slow and steady growth agencies said the same. Growth-focused agencies have used several tools to increase their reach and revenue. Self-service portals, video calls, live online chats, video quotes, and policy reviews have all driven significant improvement among these agencies.

These, however, are not the only tools being recommended and used. Artificial intelligence, machine learning, Internet of Things, and big data analytics are all being considered and used to increase engagement with customers and prospects.

Cybercrime may be a factor hampering growth in digital adoption. Indeed, global cybercrime costs are predicted to hit $10.5 trillion annually by 2025, according to Cybersecurity Ventures. Additionally, more than half of all consumers have experienced a cybercrime at some point, according to a 2021 survey by Norton.

Agents remain alert to cyber threats. The Liberty Mutual/Safeco study found that 57 percent of survey respondents anticipated that cyber liability would have a major impact on their agencies by 2025, an increase from 46 percent in 2017.

New U.S. Cyber Strategy Heralds Major Shift for Addressing Attacks

By Max Dorfman, Research Writer

A maturing Internet of Things (IoT) calls for measures to increase cybersecurity at the national, international, and private sector levels, according to a recent report by the White House.  

The new National Cybersecurity Strategy comes as cyberattacks continue to wreak havoc across the world, causing billions of dollars in damages. Furthermore, autocratic states such as China, Russia, and North Korea have ramped up aggressive cyber abilities to disrupt other nations’ interests and “broadly accepted international norms.”  

Key Takeaways 

The White House report aims to “build and enhance collaboration” for cybersecurity around five main tenets: 

  1. Defending critical infrastructure, involving mandatory requirements for cybersecurity, as the marketplace insufficiently rewards and even hinders those who invest in measures to protect against cyberattacks. 
  1. Disrupting and dismantling threat actors, including diplomatic, military, and law enforcement measures to negate these attacks. 
  1. Shaping market forces to drive security and resilience through driving adoption of best practices in cybersecurity and resilience, utilizing the market to enhance capabilities. 
  1. Investing in a resilient future by engaging strategic public interests involving innovation, R&D, and education to ensure U.S. leadership in these areas. 
  1. Forging international partnerships to pursue shared goals through working with international institutions to identify and progress state behavior in cyberspace, including building peacetime norms and confidence-building measures through the U.N.  

Reimagining collaboration as partnerships and investment 

According to the report, adhering to these principles requires two fundamental changes in how the U.S. “allocates roles, responsibilities, and resources in cyberspace.” 

The first shift involves rebalancing the responsibility to defend cyberspace. The report states that end users are often tasked with far too much responsibility for lowering cyber risks. With small businesses, state and local governments possessing limited resources, a single individual’s failure to judge these risks can have national security consequences—which must be rectified. 

With this in mind, the report states that the government must protect its systems, while safeguarding private entities, particularly critical infrastructure. Further, “core government functions” like diplomacy, intelligence, imposing economic costs, law enforcement, and interrupting cyber threats are all essential to counteracting the threat of cyberattacks.

The second shift involves realigning incentives to favor long-term investments. This entails defending current systems, while simultaneously advancing a digital ecosystem that is more defensible and resilient. This includes rewarding security and resilience with market forces and public programs, embracing designed security and resilience, and investing in research and development for cybersecurity in a strategic manner.  

While the implementation of these strategies is complex, the National Security Council (NSC), alongside the Office of Management and Budget (OMB), will lead efforts to implement a cohesive strategy, reviewing existing policy and assessing the need for new policy. The Federal Government will also use a data-driven approach to evaluate its efficacy, a much-needed move as cyberattacks continue to threaten the safety and economy of nations around the world.  

Rising cybercrimes create risks for insurers and consumers 

In 2022, 1,802 data compromises affected approximately 422 million people, according to a report by the Identity Theft Resource Center. Although data compromises remained even from 2021, the number of overall breaches has continued to rise. Additionally, losses continue to rise from cybercrime complaints, resulting in $10.3 billion in damages in 2022, according to the Internet Crime Complaint Center.

As these issues present major problems for consumers, the global cyber insurance market continues to grow, with an estimated reach of over $91.22 billion by 2031. This represents a compound annual growth rate of 23.78 percent from 2023 to 2031.

This market poses challenges and opportunities for insurers, as more cyber security professionals are needed to examine and prevent these threats. These risks can be addressed through training in cyber intelligence – but it will take significant investment to achieve this market’s expansion.  

Read more: 

Cyber liability risks | III 

Despite Warnings, Weak Password Policies Still Invite Cybercrime

By Max Dorfman, Research Writer, Triple-I

It’s Cyber Security 101: Multi-factor authentication and hard-to-crack passwords are table stakes for preventing incursions.

Nevertheless, “Password,” “12345”, and “Qwerty123” are among the most commonly found passwords leaked on the dark web by hackers, according to mobile security firm Lookout. And, despite the amount of attention the issue receives, the situation does not appear to be improving.

A survey by EY, a consulting firm based in the United Kingdom, found that only 48 percent of government and public sector respondents said they are “very confident in their ability to use strong passwords at work.” The problem is exemplified by a recent study by the U.S. Office of Inspector General – part of the Department of the Interior (DOI), the agency responsible for managing federal lands and natural resources.

Hacking DOI, it turns out, is relatively easy.

In fewer than two hours – and spending only $15,000 – the Inspector General’s Office was able to procure “clear-text” (non-encrypted) passwords for 16 percent of user accounts. In total, 18,174 of 85,944 – 21 percent of active user passwords – were hacked, including 288 accounts with elevated privileges and 362 accounts of senior U.S. government employees.

Much of this issue, according to the report, stems from a lack of multifactor authentication, as well as password complexity requirements that allowed unrelated staff to use the same weak passwords. The Inspector General’s Office found that:

  • DOI did not consistently implement multifactor authentication;
  • Password complexity requirements were outdated and ineffective; and
  • The department did not timely disable inactive accounts or enforce password age limits, which left more than 6,000 additional active accounts vulnerable to attack.

The most commonly reused password was used on 478 unique active accounts. Investigators found that five of the 10 most-reused passwords at DOI included a variation of “password” combined with “1234”.

Simple passwords make hacking easy

With the average person having over 100 different online accounts with passwords, reusing passwords is understandable – but simple passwords make it easy for hackers to access personal data and accounts.

“Compromised, weak and reused passwords still account for the majority of hacking-related data breaches and are one of the top risk issues for most enterprises,” said Gaurav Banga, CEO and founder of cybersecurity firm Balbix. In 2020, Balbix found that 99 percent of enterprise users recycle passwords across work accounts or between work and personal accounts.

A growing peril

“The cost of ransomware attacks has increased as criminals have targeted larger companies, supply chains and critical infrastructure,” Allianz says in its 2023 Risk Barometer. “In April 2022, an attack impacted around 30 institutions of the government of Costa Rica, crippling the territory for two months.”

The global insurer goes on to say, “Double and triple extortion attacks are now the norm…. Sensitive data is increasingly stolen and used as a leverage for extortion demands to business partners, suppliers, or customers.”

Part of this growth is due to the rise of “ransomware as a service” – a subscription-based business model that enables affiliates to use existing ransomware tools to execute attacks. Based on the “software as a service” model, it helps bad actors attack their targets without having to know how to code or hire unscrupulous programmers.

Shifting targets

Michael Menapace, an insurance attorney with Wiggin and Dana LLP and a Triple-I Non-resident Scholar, told attendees at Triple-I’s 2022 Joint Industry Forum that “ransomware as a business model remains alive and well.”

What has changed in recent years, he said, is that “where bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to go public with it.”

The types of targets also have changed, Menapace said, with an increased focus on “softer targets—in particular, municipalities” that often don’t have the personnel or finances to maintain the same cyber hygiene as large corporate entities.

Organizations and individuals must take the threat of cyberattacks seriously and do as much as possible to reduce their risk. Improved cyber hygiene policies and practices are a necessary first step.

JIF 2022: Cyber Criminals Shift to Softer Targets And Reputation Threats


Cyber criminals continued to shift their tactics and adapt their techniques in 2022, according to experts speaking at the Triple-I Joint Industry Forum (JIF) last week.

“Ransomware as a business model” remains alive and well, said Michael Menapace, an insurance attorney with the law firm Wiggin and Dana LLP and a Triple-I Non-resident Scholar. What has changed in recent years is that “where the bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to go public with it.”

The types of targets also have changed, Menapace said, with an increased focus on “softer targets – in particular, municipalities” that often don’t have the personnel or finances to maintain the same cyber hygiene as large corporate entities.

Theresa Le, Chief Claims Officer for Cowbell Cyber, concurred with Menapace’s assessment, noting an increased tendency of cyber criminals to contact organizations’ customers or leaders as “a pressure point” for the organization to pay the ransom in order to avoid reputational harm.  

“Threat actors are focusing on the quality of the data that they can extract while they’re ‘in the house’,” Le said, “so it’s not just stealing Social Security numbers or other information they can sell on the Dark Web, as it was a few years ago. It’s really much more thoughtful and focused.”

Scott Shackelford, professor of Business Law and Ethics at Indiana University’s Kelley School of Business, reinforced Menapace’s and Le’s observations about the increased sophistication and adaptability of cyber criminals by talking about state-sponsored incursions.

“It’s not just the North Koreas of the world,” he said, adding that “a growing cadre of nation-states” are launching attacks “not just on large corporations but increasingly small and medium-sized businesses, even local governments.”

“We founded a cyber security clinic two years ago,” Shackelford said, “and the number one request we get from local government and small utilities has to do with insurance coverage. There’s a lot of need out there for better information.”

Shackelford emphasized the continuing evolution of the Internet of Things (IoT) as an “attack surface.” In the new pandemic-driven work-from-home environment, he said, “What counts as a covered computer device for some of these policies has led to litigation and remains a big vulnerability that we’ve only just begun to wrap our minds around.”

The conversation, moderated by Frank Tomasello, executive director for The Institutes Griffith Insurance Education Foundation, ranged across topics that included:

  • Deep-fake technology;
  • The importance of aligning insurance pricing with the risk – and educating policyholders on how to get a better price by becoming a better risk;
  • How threats differ for different-sized organizations and for individuals; and
  • The need for better data and information sharing around cyberattacks and trends.

Learn More:

Triple-I “State of Cyber Risk” Issues Brief