Category Archives: Cyber Risk

The latest reports from FBI and ITRC reveal that cyber incidents in 2023 broke records for financial loss and frequency.


Cyber incidents reported to the FBI’s Internet Crime Complaint Center (IC3) in 2023 totaled 880,418. These attacks caused a five-year high of $12.5 billion in losses, with investment scams making up $4.57 billion, the most for any cybercrime tracked. Phishing, with 298,878 incidents tracked (down from its five-year high in 2021 of 323,972), continues to reign as the top reported method of cybercrime.

The 2023 Data Breach Report from Identity Theft Resource Center (ITRC) reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals. Meanwhile, supply-chain attacks increased, and weak notification frameworks further increased cyber risk for all stakeholders.

Email compromise, cryptocurrency fraud, and ransomware increase

In addition to record-high financial losses from cybercrimes overall in 2023, the report revealed trends across crime methodology and targets. Investment fraud was the costliest of all incidents tracked. Within this category, cryptocurrency involvement rose 53 percent, from $2.57 billion in 2022 to $3.94 billion. Victims 30 to 49 years old were the most likely group to report losses.

Ransomware rose 18%, and about 42 percent of 2,825 reported ransomware attacks targeted 14 of 16 critical infrastructure sectors. The top five targeted sectors made up nearly three-quarters of the critical infrastructure complaints: healthcare and public health (249), critical manufacturing (218), government facilities (156), information technology (137), and financial services (122).

Adjusted losses for 21,489 business email compromise (BEC) incidents climbed to over $2.9 billion. The IC3 noted a shift from dominant methods in the past (i.e., fraudulent requests for W-2 information, large gift cards, etc.). Now scammers are “increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors, or having targeted individuals send funds directly to these platforms where funds are quickly dispersed.”

The report disclosed a $50,000,000 loss from a BEC incident in March of 2023, targeting “a critical infrastructure construction project entity located in the New York, New York area.”

The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The FBI’s recommendations for solutions to minimize risk and impact include:

  • Ramping up cybersecurity protocols such as two-factor authentication.
  • More robust payment verification practices.
  • Avoiding engagement with unsolicited texts and emails.

The scale of 2023 data compromises is “overwhelming.”

According to the ITRC, the surge in breaches during 2023 is 72 percent over the previous record set in 2021 and 78 percent over 2022. To add more perspective, the ITRC notes that “the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020, except for 2017.”

Meanwhile, as the report highlights, two other outsized trends converged: increasing complexity and risk. The number of organizations and victims impacted by supply-chain attacks skyrocketed. The notification framework conspicuously weakened, too. Since some laws assign liability for notification to organizations owning the leaked data, the notification chain would stop there, leaving downstream stakeholders unaware. For example, a software company servicing nonprofits might duly notify its direct B2B customers but not the individuals served by the nonprofit organization.

The ITRC has been reviewing publicly reported data breaches since 2005, and it now has a database of more than “18.8K tracked data compromises, impacting over 12B victims and exposing 19.8B records.” This ninth report forecasts a bleak outlook for the coming year. Specifically, “an unprecedented number of data breaches in 2023 by financially motivated and Nation/State threat actors will drive new levels of identity crimes in 2024, especially impersonation and synthetic identity fraud.”

The faster a breach is identified and reported, the faster all potentially affected parties can take measures to minimize impact. However, reporting regulations can vary across jurisdictions, and businesses and their supply chain partners may hesitate to disclose breaches for fear of impacting revenue and brand reputation. ITRC outlines its forthcoming uniform breach notification service designed to enable due diligence, emphasizing swift action and coordination with business and regulatory authorities. The service will be offered for a fee to companies looking to better handle cyber risk in their supply chains and regulatory requirements. Other recommendations include the increased use of digital credentials, facial identification/comparison technology, and enhancing vendor due diligence.

The increased risk and rising financial losses from cyber risk likely drive growth for the cyber insurance market, which tripled in volume in the last five years. Gross direct written premiums climbed to USD 13 billion in 2022. For a quick rundown of how cyber insurance coverage supports risk management for organizations of all sizes, take a look at our cyber risk knowledge hub. To learn more about the fastest-growing segment of property/casualty, look at our recent Issues Brief.

Cyber insurance market continues rapid growth as risk management strategies improve

As the number of cyber security breaches soars, direct premiums written (DPW) for cyber insurance worldwide could rise to $23 billion by 2025, with U.S. businesses paying about 56 percent of the total, according to Triple-I’s latest Issues Brief.

Cyber Insurance: State of the Risk, published last week, says the most recent data shows standalone policies have emerged as the preference for larger insureds, accounting for more than 70 percent of DPW – an increase of 61.5 percent from the prior year. These growth trends may signify that businesses recognize the growing threat of cyber risk requires mitigation beyond the typical coverage limitations of packaged options. Loss ratios also improved over 2021 rates, with declines of 23 percentage points, to 43 percent, on standalone policies and 18 percentage points, to 48 percent, on packaged policies. These improvements are evidence of improved cost-containment strategies. 

A two-edged sword

The brief outlines how technology can foster opportunities for cyber attackers and deliver ways for cybersecurity managers to predict, prevent, and manage threats. Increased use of cloud storage, remote working, and the “bring your own device” IT approach has amplified points of organizational vulnerability. And, as more companies and their employees are increasingly leveraging AI to boost operational efficiency, cyber attackers have created large language models (LLMs) to mimic the functionalities of ChatGPT and Google’s Bard to aid in phishing and malware attacks. 

Even the smallest businesses face threats that can incapacitate an organization. However, organizations can manage breaches more efficiently using AI for faster breach detection and implementing requirements for two-factor authentication, VPN use on external Wi-Fi networks, and data-wiping processes for lost or stolen devices.

Cyber insurance has become an integral part of robust prediction and prevention.

The bulk of cyber insurance claims by volume and frequency stem from ransomware and extortion-based attacks, according to an October 2023 report from Allianz. The report also says the annual proportion of cases in which data is stolen has consistently risen from “40 percent of cases in 2019 to around 77 percent of cases in 2022, with 2023 on course to surpass last year’s total.”  

The Allianz report highlights the growing need for businesses to improve prediction and prevention strategies, internally and with external partners and supply chain relationships. It makes practical sense that indemnification for cyber risk has become a common requirement for vendors doing business with frequently targeted sectors.  

The Triple-I brief states that as insurers refine policy terms to make the scope of coverage more understandable, business risk managers are better able to comprehend how cyber insurance can mitigate their risks. In turn, insurers may have been able to gain improvements in cost containment and rate stability. 

Triple-I supports increased awareness of the threat landscape

Cyber insurance can play a pivotal role in liability management. Sean Kevelighan, Triple-I’s CEO, participated on a panel during the Small Business Cyber Summit, a series hosted by the U.S. Small Business Administration (SBA). Discussions offered insights and tips for cybersecurity risk managers and other experts. Kevelighan explained how cyber insurance can allow “businesses to more strategically allocate their resources” in the battle against cyber threats.

Kevelighan participated in another fall 2023 cyber risk panel hosted by The Institutes Griffith Foundation in collaboration with Indiana University. The presentation, Cyber Risk: Exploring the Threat Landscape and the Role of Risk Management, focused on risks to national infrastructure and companies. Accordingly, panelists discussed how regulators and businesses have responded to the inevitable threat of cyberattacks. Speakers shared expertise in three core areas:

  • the cyber threat landscape;
  • ransomware and insurer solvency; and
  • eminent challenges for cyber risk insurance.

It’s Not an “Insurance Crisis” — It’s a Risk Crisis

Ten states – Louisiana, Florida, Idaho, Kentucky, Mississippi, Montana, North Dakota, South Carolina, Texas, and Virginia – as well as additional plaintiffs, are suing the Federal Emergency Management Agency (FEMA) over its new methodology for pricing flood insurance, Risk Rating 2.0. On Sept. 14, a federal hearing lasted six hours as the plaintiffs sought a preliminary injunction to halt the new pricing regime while the lawsuit plays out.

Many residents of these states are understandably upset about seeing their flood insurance premium rates rise under the new approach. There may not be much comfort for them in knowing that the current system is much fairer than the previous one, in which higher-risk homeowners subsidized those with lower risks. Similarly, policyholders who have had their premium rates reduced under Risk Rating 2.0 are unlikely to take to the streets in celebration.

These homeowners aren’t alone in seeing insurance rates rise – or even having to struggle to obtain insurance. And these difficulties aren’t confined to holders of flood insurance policies. Florida and California are two states in which insurers have been forced to rethink their risk appetite – due in part to rising natural catastrophe losses and in part to regulatory and litigation environments that make it increasingly difficult for insurers to profitably write coverage.

Even before the COVID-19 pandemic and Russia’s invasion of Ukraine – and the supply-chain and inflationary pressures they created – the property/casualty insurance market was hardening as insurers adjusted their pricing and their risk appetites to keep pace with conditions that were driving losses up and eroding underwriting profitability – topics Triple-I has written about extensively (see a partial list below).

“Rising insurance rates are not the problem,” says Dale Porfilio, chief insurance officer at Triple-I. “They are a symptom of rising losses related to a range of factors, from climate and population trends to post-pandemic driving behaviors and surging cybercrime to antiquated policies, outdated building codes, fraud, and legal system abuse.”

In short, we are not experiencing an “insurance crisis,” as many media outlets tend to describe the current state of the market; we are experiencing a risk crisis. And even as the states referenced above push back against much-needed flood insurance reform, legislators in several states have been pushing measures that would restrict insurers’ ability to price coverage accurately and fairly – rather than addressing the underlying perils and forces aggravating them.  

Triple-I, its members, and a range of partners are working to educate stakeholders and decisionmakers and promote pre-emptive risk mitigation and investment in resilience. We are using our position as thought leaders and our unique non-lobbying role in the insurance industry to reach across sector boundaries and drive constructive action. You will be hearing more about these efforts over the next few months.

The success of these efforts will require a collective understanding among stakeholders and decisionmakers that, for insurance to be available and affordable, frequency and severity of risk must be measurably reduced. This will require highly focused, integrated projects and programs – many of them at the community level – in which all stakeholders (co-beneficiaries of these efforts) will share responsibility.

Want to know more about the risk crisis and how insurers are working to address it? Check out Triple-I’s upcoming Town Hall, “Attacking the Risk Crisis,” which will be held Nov. 30 in Washington, D.C.

Learn More:

Shutdown Threat Looms Over U.S. Flood Insurance

FEMA Incentive Program Helps Communities Reduce Flood Insurance Rates for Their Citizens

More Private Insurers Writing Flood Coverage; Consumer Demand Continues to Lag

Shift in Hurricane Season’s Predicted Severity Highlights Need for Prospective Cat Risk Pricing

California Needs to Make Changes to Address Its Climate Risk Crisis

Illinois Bill Highlights Need for Education on Risk-based Pricing of Insurance Coverage

IRC Outlines Florida’s Auto Insurance Affordability Problems

Education Can Overcome Doubts on Credit-Based Insurance Scores, IRC Survey Suggests

Matching Price to Peril Helps Keep Insurance Available & Affordable

Triple-I “State of the Risk” Issues Brief: Flood

Triple-I “State of the Risk” Issues Brief: Hurricanes

Triple-I Issues “Trends and Insights” Brief: Risk-Based Pricing of Insurance

Keep It Simple: Security System Complexity Correlates With Breach Costs

By Max Dorfman, Research Writer, Triple-I

Artificial intelligence is helping to limit the costs associated with data breaches, a recent study by IBM and the Ponemon Institute found. While these costs continue to rise, they are increasing more slowly for some organizations – in particular, those using less-complex, more-automated security systems.

According to the study, the average cost of a data breach was $4.45 million in 2023, a 2.3 percent increase from the 2022 cost of $4.35 million. The 2023 figure represents a 15.3 percent increase from 2020, when the average breach was $3.86 million.

However, not all organizations surveyed by the study experienced the same kinds of breaches – or the same costs. Organizations with “low or no security system complexity” – systems in which it is easier to identify and manage threats – experienced far smaller losses than those with high system complexity. The average 2023 breach cost $3.84 million for the former and a staggering $5.28 million for the latter. For organizations with high system complexity, this is an increase of more than 31 percent from the year before, amounting to an average of $1.44 million.

As David W. Viel, founder and CEO of Cognoscenti Systems, put it: “The size and complexity of a system directly results in a greater number of defects and resulting vulnerabilities as these quantities grow. On the other hand, the number of defects and cybersecurity vulnerabilities shrinks as the system or component is made smaller and simpler. This strongly suggests that designs and implementations that are small and simple should be very much favored over large and complex if effective cybersecurity is to be obtained.”

The research also noted that organizations that involve law enforcement in ransomware attacks experienced lower costs. The 37 percent of survey respondents that did not contact law enforcement paid 9.6 percent more than those that did, with the breach lasting an average of 33 days longer than those that did contact law enforcement. These longer breaches tended to cost organizations far more, with breaches with identification and containment times under 200 days averaging $3.93 million, and those over 200 days costing $4.95 million.

AI and automation are proving key

Security AI and automation both proved to be significant factors in lowering costs and reducing time to identify and contain breaches, with organizations utilizing these tools reporting 108-day shorter times to contain the breach and $1.76 million lower data breach costs relative to organizations that did not use these tools. Organizations with no use of security AI and automation experienced an average of $5.36 million in data breach costs, 18.6 percent more than the average 2023 cost of a data breach.

Now, most respondents are using some level of these tools, with a full 61 percent using AI and automation. However, only 28 percent of respondents extensively used these tools in their cybersecurity processes, and 33 percent had limited use. The study noted that this means almost 40 percent of respondents rely only on manual inputs in their security operations.

Cyber insurance demand is growing

A recent study by global insurance brokerage Gallagher showed that the vast majority of business owners in the U.S. – 74 percent – expressed extreme or very high concern about the impact of cyberattacks on their businesses. Indeed, a study by MarketsandMarkets found that the cyber insurance market is projected to grow from $10.3 billion in 2023 to $17.6 billion by 2028, noting that the rise in threats like data breaches, ransomware, and phishing attacks is driving demand.

Organizations are now responding more thoroughly to these threats, with increased underwriting rigor helping clients progress in cyber maturity, according to Aon’s 2023 Cyber Resilience Report. Aon states that several cybersecurity factors, including data security, application security, remote work, access control, and endpoint and systems security – all of which experienced the greatest improvement among Aon’s clients – must be continually monitored and evaluated, particularly for evolving threats.

Insurers and their customers need to work together to more fully address the risks and damages associated with cyberattacks as these threats continue to grow and businesses rely ever more heavily on technology.

Digital Tools Help Agency Revenues, But Cybercrime Concerns May Hamper Adoption

By Max Dorfman, Research Writer, Triple-I

Insurance agencies that adopt digital methods to interact with customers have seen their revenues grow faster than their less digitally sophisticated competitors, according to new research by Liberty Mutual and Safeco Insurance. However, the research also indicates that digital adoption by agencies has slowed in recent years.

The study, The State of Digital in Independent Insurance Agencies, found that “highly digital adopter” agencies — based on a 10-point scale related to the number and complexity of the tools the agency uses — experienced a 70 percent growth rate, as opposed to 17 percent for “high digital adopters”, and a mere 10 percent for “low” and “medium” digital adopters.

But while digital adoption has gained traction, it has declined as a priority in agencies’ plans. In the latter part of 2020, 58 percent of agencies said improving digital capabilities was part of their five-year growth plans, according to the Liberty Mutual/Safeco study. However, by late 2021, this had decreased to 47 percent, approximately the same as in 2017.

The digital tools that have seen a decrease in use range from social media to live online chats. Additionally, many agencies said they are not tracking which digital tools are driving growth.

The survey found that 60 percent of digitally focused agencies said they planned to invest in new digital capabilities within their five-year agency growth plans. Only 42 percent of slow and steady growth agencies said the same. Growth-focused agencies have used several tools to increase their reach and revenue. Self-service portals, video calls, live online chats, video quotes, and policy reviews have all driven significant improvement among these agencies.

These, however, are not the only tools being recommended and used. Artificial intelligence, machine learning, Internet of Things, and big data analytics are all being considered and used to increase engagement with customers and prospects.

Cybercrime may be a factor hampering growth in digital adoption. Indeed, global cybercrime costs are predicted to hit $10.5 trillion annually by 2025, according to Cybersecurity Ventures. Additionally, more than half of all consumers have experienced a cybercrime at some point, according to a 2021 survey by Norton.

Agents remain alert to cyber threats. The Liberty Mutual/Safeco study found that 57 percent of survey respondents anticipated that cyber liability would have a major impact on their agencies by 2025, an increase from 46 percent in 2017.

New U.S. Cyber Strategy Heralds Major Shift for Addressing Attacks

By Max Dorfman, Research Writer

A maturing Internet of Things (IoT) calls for measures to increase cybersecurity at the national, international, and private sector levels, according to a recent report by the White House.  

The new National Cybersecurity Strategy comes as cyberattacks continue to wreak havoc across the world, causing billions of dollars in damages. Furthermore, autocratic states such as China, Russia, and North Korea have ramped up aggressive cyber abilities to disrupt other nations’ interests and “broadly accepted international norms.”  

Key Takeaways 

The White House report aims to “build and enhance collaboration” for cybersecurity around five main tenets: 

  1. Defending critical infrastructure, involving mandatory requirements for cybersecurity, as the marketplace insufficiently rewards and even hinders those who invest in measures to protect against cyberattacks.
  2. Disrupting and dismantling threat actors, including diplomatic, military, and law enforcement measures to negate these attacks.
  3. Shaping market forces to drive security and resilience through driving adoption of best practices in cybersecurity and resilience, utilizing the market to enhance capabilities.
  4. Investing in a resilient future by engaging strategic public interests involving innovation, R&D, and education to ensure U.S. leadership in these areas.
  5. Forging international partnerships to pursue shared goals through working with international institutions to identify and progress state behavior in cyberspace, including building peacetime norms and confidence-building measures through the U.N.

Reimagining collaboration as partnerships and investment

According to the report, adhering to these principles requires two fundamental changes in how the U.S. “allocates roles, responsibilities, and resources in cyberspace.”

The first shift involves rebalancing the responsibility to defend cyberspace. The report states that end users are often tasked with far too much responsibility for lowering cyber risks. With small businesses, state and local governments possessing limited resources, a single individual’s failure to judge these risks can have national security consequences—which must be rectified. 

With this in mind, the report states that the government must protect its systems, while safeguarding private entities, particularly critical infrastructure. Further, “core government functions” like diplomacy, intelligence, imposing economic costs, law enforcement, and interrupting cyber threats are all essential to counteracting the threat of cyberattacks.

The second shift involves realigning incentives to favor long-term investments. This entails defending current systems, while simultaneously advancing a digital ecosystem that is more defensible and resilient. This includes rewarding security and resilience with market forces and public programs, embracing designed security and resilience, and investing in research and development for cybersecurity in a strategic manner.  

While the implementation of these strategies is complex, the National Security Council (NSC), alongside the Office of Management and Budget (OMB), will lead efforts to implement a cohesive strategy, reviewing existing policy and assessing the need for new policy. The Federal Government will also use a data-driven approach to evaluate its efficacy, a much-needed move as cyberattacks continue to threaten the safety and economy of nations around the world.  

Rising cybercrimes create risks for insurers and consumers 

In 2022, 1,802 data compromises affected approximately 422 million people, according to a report by the Identity Theft Resource Center. Although data compromises remained even from 2021, the number of overall breaches has continued to rise. Additionally, losses continue to rise from cybercrime complaints, resulting in $10.3 billion in damages in 2022, according to the Internet Crime Complaint Center.

As these issues present major problems for consumers, the global cyber insurance market continues to grow, with an estimated reach of over 91.22 billion by 2031. This represents a compound annual growth rate of 23.78 percent from 2023 to 2031. 

This market poses challenges and opportunities for insurers, as more cyber security professionals are needed to examine and prevent these threats. These risks can be addressed through training in cyber intelligence – but it will take significant investment to achieve this market’s expansion.  

Read more: 

Cyber liability risks | III 

Despite Warnings, Weak Password Policies Still Invite Cybercrime

By Max Dorfman, Research Writer, Triple-I

It’s Cyber Security 101: Multi-factor authentication and hard-to-crack passwords are table stakes for preventing incursions.

Nevertheless, “Password,” “12345”, and “Qwerty123” are among the most commonly found passwords leaked on the dark web by hackers, according to mobile security firm Lookout. And, despite the amount of attention the issue receives, the situation does not appear to be improving.

A survey by EY, a consulting firm based in the United Kingdom, found that only 48 percent of government and public sector respondents said they are “very confident in their ability to use strong passwords at work.” The problem is exemplified by a recent study by the U.S. Office of Inspector General – part of the Department of the Interior (DOI), the agency responsible for managing federal lands and natural resources.

Hacking DOI, it turns out, is relatively easy.

In fewer than two hours – and spending only $15,000 – the Inspector General’s Office was able to procure “clear-text” (non-encrypted) passwords for 16 percent of user accounts. In total, 18,174 of 85,944 – 21 percent of active user passwords – were hacked, including 288 accounts with elevated privileges and 362 accounts of senior U.S. government employees.

Much of this issue, according to the report, stems from a lack of multifactor authentication, as well as password complexity requirements that allowed unrelated staff to use the same weak passwords. The Inspector General’s Office found that:

  • DOI did not consistently implement multifactor authentication;
  • Password complexity requirements were outdated and ineffective; and
  • The department did not timely disable inactive accounts or enforce password age limits, which left more than 6,000 additional active accounts vulnerable to attack.

The most commonly reused password was used on 478 unique active accounts. Investigators found that five of the 10 most-reused passwords at DOI included a variation of “password” combined with “1234”.

Simple passwords make hacking easy

With the average person having over 100 different online accounts with passwords, reusing passwords is understandable – but simple passwords make it easy for hackers to access personal data and accounts.

“Compromised, weak and reused passwords still account for the majority of hacking-related data breaches and are one of the top risk issues for most enterprises,” said Gaurav Banga, CEO and founder of cybersecurity firm Balbix. In 2020, Balbix found that 99 percent of enterprise users recycle passwords across work accounts or between work and personal accounts.

A growing peril

“The cost of ransomware attacks has increased as criminals have targeted larger companies, supply chains and critical infrastructure,” Allianz says in its 2023 Risk Barometer. “In April 2022, an attack impacted around 30 institutions of the government of Costa Rica, crippling the territory for two months.”

The global insurer goes on to say, “Double and triple extortion attacks are now the norm…. Sensitive data is increasingly stolen and used as a leverage for extortion demands to business partners, suppliers, or customers.”

Part of this growth is due to the rise of “ransomware as a service” – a subscription-based business model that enables affiliates to use existing ransomware tools to execute attacks. Based on the “software as a service” model, it helps bad actors attack their targets without having to know how to code or hire unscrupulous programmers.

Shifting targets

Michael Menapace, an insurance attorney with Wiggin and Dana LLP and a Triple-I Non-resident Scholar, told attendees at Triple-I’s 2022 Joint Industry Forum that “ransomware as a business model remains alive and well.”

What has changed in recent years, he said, is that “where bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to go public with it.”

The types of targets also have changed, Menapace said, with an increased focus on “softer targets—in particular, municipalities” that often don’t have the personnel or finances to maintain the same cyber hygiene as large corporate entities.

Organizations and individuals must take the threat of cyberattacks seriously and do as much as possible to reduce their risk. Improved cyber hygiene policies and practices are a necessary first step.

JIF 2022: Cyber Criminals Shift to Softer Targets And Reputation Threats

Photo credit: Don Pollard

Cyber criminals continued to shift their tactics and adapt their techniques in 2022, according to experts speaking at the Triple-I Joint Industry Forum (JIF) last week.

“Ransomware as a business model” remains alive and well, said Michael Menapace, an insurance attorney with the law firm Wiggin and Dana LLP and a Triple-I Non-resident Scholar. What has changed in recent years is that “where the bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to go public with it.”

The types of targets also have changed, Menapace said, with an increased focus on “softer targets – in particular, municipalities” that often don’t have the personnel or finances to maintain the same cyber hygiene as large corporate entities.

Theresa Le, Chief Claims Officer for Cowbell Cyber, concurred with Menapace’s assessment, noting an increased tendency of cyber criminals to contact organizations’ customers or leaders as “a pressure point” for the organization to pay the ransom in order to avoid reputational harm.  

“Threat actors are focusing on the quality of the data that they can extract while they’re ‘in the house’,” Le said, “so it’s not just stealing Social Security numbers or other information they can sell on the Dark Web, as it was a few years ago. It’s really much more thoughtful and focused.”

Scott Shackelford, professor of Business Law and Ethics at Indiana University’s Kelley School of Business, reinforced Menapace’s and Le’s observations about the increased sophistication and adaptability of cyber criminals by talking about state-sponsored incursions.

“It’s not just the North Koreas of the world,” he said, adding that “a growing cadre of nation-states” are launching attacks “not just on large corporations but increasingly small and medium-sized businesses, even local governments.”

“We founded a cyber security clinic two years ago,” Shackelford said, “and the number one request we get from local government and small utilities has to do with insurance coverage. There’s a lot of need out there for better information.”

Shackelford emphasized the continuing evolution of the Internet of Things (IoT) as an “attack surface.” In the new pandemic-driven work-from-home environment, he said, “What counts as a covered computer device for some of these policies has led to litigation and remains a big vulnerability that we’ve only just begun to wrap our minds around.”

The conversation, moderated by Frank Tomasello, executive director for The Institutes Griffith Insurance Education Foundation, ranged across topics that included:

  • Deep-fake technology;
  • The importance of aligning insurance pricing with the risk – and educating policyholders on how to get a better price by becoming a better risk;
  • How threats differ for different-sized organizations and for individuals; and
  • The need for better data and information sharing around cyberattacks and trends.

Learn More:

Triple-I “State of Cyber Risk” Issues Brief

Piracy Incidents Decline, But Horizon Isn’t Clear

Maritime piracy in the first half of 2022 is at its lowest level since 1994, the International Maritime Bureau (IMB) says, with 58 incidents, down from 68 for the same period last year. Nevertheless, the organization cautions against complacency.

For the full year 2020, IMB listed 195 actual and attempted attacks, up from 162 in 2019. The COVID-19 pandemic may have played a role in that rise in pirate activity – as it is tied to underlying social, political, and economic problems – and 2022 may represent the start of a return to a downward trend.

Source: International Chamber of Commerce/International Maritime Bureau (IMB)

Many people outside the maritime and insurance industries don’t realize that piracy remains a costly peril in the 21st century. Global insurer Zurich estimates the annual cost of piracy to the global economy at $12 billion a year.  In its 2022 Safety and Shipping Review, global insurer Allianz reports that piracy comes behind machinery damage or failure, collision, and contact, in terms of number of loss-causing incidents globally – and that total losses have fallen 57 percent over the past decade.

However, the shipping industry is vulnerable to disruptions and, as Allianz points out, has been affected on multiple fronts by Russia’s invasion of Ukraine: from loss of life and vessels in the Black Sea and disrupted trade to challenges to day-to-day operations that affect crews, cost and availability of fuel, and the growing cyber risk.

“To date, the biggest impact has been on vessels operating in the Black Sea and/or trading with Russia,” Allianz says. “At the start of the conflict, approximately 2,000 seafarers were stranded aboard vessels in Ukrainian ports. Trapped crews faced the constant threat of attacks, with little access to food or medical supplies, and a number have been killed.”

According to a recent industry survey, Allianz says, 44 percent of maritime professionals reported that their organization has been the subject of a cyber-attack in the last three years. Accumulations of cargo exposures at mega ports have been rising – and, with ports increasingly reliant on technology, an outage or cyber-attack could effectively close a port.

In February 2022, India’s busiest container port was hit by a ransomware attack, following incidents at U.S. and South African ports in recent years.

A third of organizations surveyed by Allianz said they don’t conduct regular cyber security training or have a cyber-response plan.

Complex Risks in a Complicated World: Are Federal Government “Backstops” The Answer?

Two U.S. agencies have agreed to explore the potential need for a federal mechanism – analogous to the one put into place for terrorism insurance after the 9/11 attacks – to address the growing cybersecurity threat to critical infrastructure. The perceived need to do so speaks to the growing complexity and interrelatedness of this and other risks facing governments, businesses, and communities today.

The Government Accountability Office (GAO), in a recently published report, recommended that Treasury’s Federal Insurance Office (FIO) and Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) take this action.  It acknowledges that FIO and CISA have “taken steps to understand the financial implications of growing cybersecurity risks” – but those actions have not included the possible need for a federal insurance mechanism.

“Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks,” the GAO report says. “Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events.”

Insurers are excluding coverage for losses from cyber warfare and infrastructure outages, the report notes, and cyberattacks may not meet TRIP’s criteria to be certified as terrorism.

As we’ve previously reported, some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for terrorist acts prior to 9/11. Before Sept. 11, 2001, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded and, therefore, covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act (TRIA) to stabilize the market. TRIA created TRIP as a temporary system of shared public and private compensation for certain insured losses resulting from a certified act of terrorism.

Treasury administers the program, which has to be periodically reauthorized. TRIP has been renewed four times – in 2005, 2007, 2015, and 2019 – and the backstop has never yet been triggered.

The GAO recommendation that a similar solution be considered for cyber risk highlights the potential insufficiency of traditional risk-transfer products to address increasingly complex and costly threats. Alongside terrorism and cyber, we’ve experienced – and continue to experience – the myriad perils of pandemic, with its assorted impacts on the global supply chain, driving behavior, business interruption and remote work practices, and the economy. Even if those challenges moderate, we will continue to face what is perhaps the most entangled set of risks on the planet: those associated with climate and extreme weather.

One only has to look as far as Florida, where the insurance market is on the brink of failure as writers of homeowners coverage begin to go into receivership and global reinsurers reassess their appetite for providing capacity in that hurricane-prone, fraud- and litigation-plagued state. Or, one could follow the wildfire activity in recent years; or flood loss trends, increasingly creating problems inland, where flood insurance purchase rates tend to be lower than in coastal areas; or insured losses due to severe convective storms, which have been rising in parallel with losses from hurricanes.

Fortunately, many states are taking steps – often with partners, including the insurance industry – to anticipate and mitigate such risks. Much is being done, but much work remains to change behaviors, best practices, and public policies in ways that will reduce risks and improve availability and affordability of coverage.