When it comes to cyber threats and how they continue to evolve, Adam Cottini, managing director of Gallagher’s Cyber Liability practice, offers a chilling assessment: “You have the known, and the massive unknown.”
The potential damages are at once serious and extensive: Physical loss. Financial loss, in myriad forms. Reputational loss. All of these perils are woven into a threat from which no insured is truly safe, regardless of their size or the industry in which they operate. As the digital frontier expands, every single client, to a greater or lesser degree, is exposed.
Acknowledging the intersection of cyber liability, business interruption and property policies is particularly important when determining how clients may — or may not — be covered for a cyber loss, and just which policy is triggered depending upon how the incident occurred. As Laura Rieben, director of privacy for Independence Blue Cross’ internal audit division, stated during a panel at ALM’s cyberSecure conference in New York City on Dec. 5, 2017, “The devil’s in the sublimits.”
Commercial property protection
Steve Anderson, vice president and product executive in Privacy & Network Security at QBE North America, points out that 2017 saw seven of the top 20 largest breaches of all time, measured by the number of records exposed worldwide. He notes that many cyber liability forms now have property elements that weren’t there a year ago; insureds are now asking carriers to specifically include protections for commercial property in their cyber policies.
Similarly, he adds, property policies in many cases used to contain exclusions for digital threats; that’s no longer the case. Coverage for cyber-based physical damage can be added as an endorsement to a property policy, but depending on the extent of the client’s needs, more comprehensive limits might be available through a well-crafted standalone cyber policy.
Otherwise, the client — and the insurer — would be relying on what’s referred to as “silent” cyber coverage (in which such losses are not explicitly excluded as part of a property policy, for example), as opposed to affirmative, distinctly stated protections.
As is often the case with cyber coverage, one size does not fit all. It has become incumbent on brokers to confirm for clients that every potential cyber-related loss is either covered by a specially tailored cyber policy or not specifically excluded from the rest of their suite of policies — and, in the latter case, that the sublimits are adequate.
“Concurrent causes of loss may exist, but the direct cause is what triggers the policy,” notes Shiraz Saeed, Starr Companies’ practice leader, Cyber Risk. “You need to look at the wording.”
A cyber attack could have a significant impact on infrastructure, like a nuclear power plant or hydro-electric dam, wreaking havoc and causing extensive property damage.
Where property meets cyberspace
While perhaps not immediately apparent to some, the cyber-based threat to physical assets should not be underestimated. Consider pharmaceutical giant Merck, which was dealt a serious blow by the Petya/NotPetya malware attack in June 2017. NotPetya was self-propagating malware that spread across computer networks and rendered machines unbootable by encrypting the file-system structures on their disks.
With its computer networks frozen, the drug manufacturer was unable to produce vaccines and medications in normal volumes while its production facilities were affected, and its delivery and distribution, back-office, research and sales operations also took a hit. When reporting its third-quarter financial results, Merck said sales were down by $240 million because it had to borrow that value of its star HPV vaccine, Gardasil, from the Centers for Disease Control and Prevention’s stockpile just to fulfill orders. Merck reported an additional $135 million in lost sales that it says related to the attack.
The result? An estimated $275 million hit for its insurers — and that’s just for the insured portion of the manufacturer's larger loss. “Merck has not yet fully quantified its losses, much less given any of its insurers an estimate of the total amount of those losses,” Merck spokeswoman Claire Gillespie said in a statement in October.
Yet a client doesn’t have to be a major drug company to suffer a crippling physical loss; the remote manipulation of a sprinkler system, for example, could destroy a manufacturer’s inventory. Temperature controls could be compromised and set high enough to ruin the entire in-house stock of a food company. A rogue nation could hack into a utility company and cause a shutdown of electricity or a power surge that fries a transmission line, or open up a dam and put a community under water.
While there haven’t been a great number of such cases reported in the U.S. yet, Cottini says that engenders a sense of complacency. “We’re sitting on a precipice of the next concern. We need to align policies to make sure the client is covered.” The insured’s General Liability or Property coverage might not respond in such cases.
Although some in the industry thought property underwriters would add appropriate limits to meet cyber threats, the aforementioned major ransomware events have made them seriously reconsider, says Cottini: “Now, the property market is looking at whether they want to provide current limits with regard to cyber, tailor it back, or not offer it at all.”
“The Property market has a major problem in that it carries a silent cyber exposure,” says Michael Palotay, chief underwriting officer for NAS Insurance Services in Encino, Calif. Clients, he notes, are “very concerned about what their potential loss is in the event of a [cyber] attack that causes property damage.”
Currently, insurers can offer property-damage coverage for losses caused by an attack, and “the cyber market is better equipped to manage the aggregates of that exposure,” Palotay explains. He’s concerned, however, that there hasn’t yet been a major event to make the threat of property damage “real” to insureds.
“There hasn’t been a lot of cyber aggregation until recently,” he notes, referencing Petya and the worldwide May 2017 WannaCry ransomware attack. “Those added fuel to the fire about how we’re going to manage aggregated risks.”
A cyber attack could shut down a small to midsize business for a long time or even put the company out of business.
Business interruption ahead
Starr Companies’ Saeed says that when most people hear the phrase “cyber attack,” they think of thieves trying to steal information. But cyber events go far beyond that, and more often than not they mean a hard stop for an organization’s business.
“People think it’s about data,” he says, and the business-interruption aspect can get short shrift — yet the BI part is the most critical to small to midsize businesses, which can’t afford to have their operations shut down for a week.
Attention to the risks posed by ransomware becomes critical for these types of clients. Greg Vernaci, head of Cyber, U.S. & Canada, for AIG, says ransomware attacks (in which a perpetrator holds the victim’s systems for ransom) have been trending steadily upward over the last year or two. This includes cyber extortion, which from a claims-handling standpoint often gets tangled up with BI, he says, because the insured can’t access its assets and can suffer a business-income loss. “No industry is immune to it.”
What many insureds — and brokers — don’t immediately realize is that most policies carry a waiting period: unless the business is interrupted for at least 10–12 hours, there may be no claim at all. That threshold differs from insurer to insurer, and in some cases cyber losses covered under a Property policy aren’t triggered until 24 hours’ worth of interruption has elapsed. (Again, analyzing one’s terms here becomes critical if you’re a policyholder.)
Matt Prevost, senior vice president of Financial Lines at Chubb, agrees that small business is and should be focused on business interruption, versus data breach exposure. Regardless of industry, he says, all have recognized the importance of security — and that creates positive momentum around clients wanting to make themselves better risks. “Those conversations are happening all over, which is a good sign,” he adds.
Vernaci adds, “Just because you’re small doesn’t mean that you’re going to be targeted. You are.”
“Those small business owners understand that to spend $5K to $10K on a $1 million policy is a smart move for them,” says Anderson. “That’s the space that has the largest potential for growth, and carriers are starting to give them applications that aren’t 20 pages long.”
In terms of the risk-management services offered, he adds, “it’s a no-brainer.”
Social engineering comes of age
Meanwhile, social engineering attacks such as phishing continue to grow not just in number but also in polish. Palotay notes that perpetrators will now not simply break into a company’s e-mail system and send a subordinate a request to wire money that purports to come from the boss; they will first monitor that boss’s e-mails to copy their writing style, making the eventual request far more believable.
When in doubt, experts say, if it looks fishy, it’s probably phishing.
“Information is the new gold at all types of companies, and employees need to understand what that means,” says Christina Terplan, a partner at Clyde & Co. who practices in the areas of technology, intellectual property and privacy law, representing insurers in issues ranging from coverage evaluations and disputes to litigation management.
Terplan says she’s seeing a huge uptick in social engineering fraud, and an increase in the level of sophistication in the attacks: “It’s scary now, how much they know about their targets.” Law firms can be penetrated, their settlement funds wired to a different entity. In real estate transactions, one of the parties involved in the deal’s closing can be compromised and the money disappears.
“The best way to avoid litigation is to make sure you don’t have an incident, which boils down to practices and procedures,” says Terplan. In many cases, she adds, someone who ends up being negligent in unwittingly aiding a phishing scam could have saved a lot of heartache by simply calling the person requesting a funds transfer to verify the request.
“In those cases,” she says, “old-fashioned modes of verification work the best.”
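The pattern described above (an executive’s name on a message that actually comes from a look-alike domain, a Reply-To that diverts the conversation elsewhere, and wire-transfer or urgency language) can be screened mechanically before the message ever reaches accounts payable, leaving the phone call as the final check. The following is an added example written for this page, not code from any of the insurers or firms quoted; the executive directory, the corporate domain and both sample messages are constructed for illustration.

```python
"""Triage an inbound e-mail for business-e-mail-compromise (BEC) red flags.

Added example for illustration; the directory, domain and messages below are
constructed, not real data. Any message that raises a flag should be held
until the request is verified out of band (a phone call to a number on file).
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical company directory: lower-cased display name -> legitimate mailbox.
EXECUTIVES = {"dana ruiz": "dana.ruiz@example-corp.com"}
CORP_DOMAIN = "example-corp.com"  # hypothetical corporate domain

# Payment and pressure language typical of wire-fraud requests.
PAYMENT_WORDS = re.compile(
    r"\b(wire( transfer)?|routing number|new (bank )?account|updated banking|"
    r"before (noon|close of business|end of day)|urgent)\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable red flags; an empty list means nothing was found."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Executive impersonation: a name we trust on an address we do not.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        flags.append(f"display name '{display}' but sender address is {addr}")

    # 2. Look-alike domain: within two edits of ours, but not ours.
    if domain and domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2:
        flags.append(f"look-alike sender domain {domain}")

    # 3. Reply-To diverts the conversation away from the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"Reply-To {reply_to} differs from From address")

    # 4. Wire / urgency language in the subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = str(msg.get("Subject", "")) + "\n" + body
    hit = PAYMENT_WORDS.search(text)
    if hit:
        flags.append(f"payment/urgency language: '{hit.group(0)}'")

    return flags


def needs_callback(raw_message: str) -> bool:
    """True when the request must be verified by phone before any funds move."""
    return bool(triage(raw_message))


# Constructed sample messages (not real correspondence).
LEGIT = """From: Dana Ruiz <dana.ruiz@example-corp.com>
To: ap@example-corp.com
Subject: Q3 planning deck

Attached is the deck for Thursday. Thanks.
"""

BEC = """From: Dana Ruiz <dana.ruiz@example-c0rp.com>
Reply-To: d.ruiz.ceo@mail-example.net
To: ap@example-corp.com
Subject: Urgent - vendor payment

I'm in meetings all day and can't talk. Please wire $48,500 to the
new account details below before close of business today.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("bec", BEC)):
        print(label, "->", triage(sample) or "no flags")
```

The domain check deliberately tolerates two edits so that a dropped hyphen or a swapped letter is caught, and the script only ever decides whether to hold a payment; it never approves one, which is why the callback in the last paragraph remains the control that actually stops the loss.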
Palotay says that many hackers have moved from stealing private information to cyber extortion, for two reasons: the payoffs are bigger, and the black-market price of payment-card data has fallen with the advent of chip (EMV) cards and stronger encryption. Stolen credit card information now has a shorter shelf life than it did in recent years.
Previously, social engineering losses were in some cases treated as a crime loss; now they may be treated as a financial loss, depending on the insurer’s terms and conditions. Again, carriers are looking to make sure these gaps are either covered or at least explicitly excluded.
In any case, Vernaci says in the event of a loss, policyholders should not wait to notify their carriers: “These types of incidents don’t age well, and it’s better to address them right away.”
“The fact that social engineering losses are common doesn’t change the level of damage that can be done,” Palotay adds. “If you’re looking down the barrel of a million-dollar loss when you’ve got only $5 million in total revenues, you’re really going to have a problem.”
An important component of any cyber security program is employee training and awareness.
Advice for brokers
“The broker with a team to actually dissect forms and not just beat someone else on price is the type that insurers want to work with,” says Saeed. Delving into the details of forms that can become highly complicated is a must for brokers wanting to do business in this sector.
“One of the difficulties we have in our space is that the policies can be very confusing,” says Anderson. “With cyber, we can have anywhere from two to 21 insuring agreements, broken down to first- and third-party liability risks.”
It helps, he says, that insurers now do a much better job of offering risk management services on the front end — assessments, tools and other assistance to make sure guideposts are in place prior to a breach. The entire approach has become less reactive and more proactive.
Midsize businesses in particular can be sold on the value of pre-incident services and education, such as employee-awareness training for no additional cost. Those services help to drive the conversation and articulate the insurer’s value proposition.
“Something as straightforward as a password manager is still foreign to [small businesses],” says Prevost. “Culturally, we do need to take this very seriously, but there are people out there still using ‘PASSWORD’ for their password. What are the best-in-class controls, and what mistakes have been made that we can learn from?”
He adds that brokers need to focus more on the impact of cyber risk across the client’s entire portfolio, how it crosses other coverage areas, “instead of focusing on one policy in their relationship.”
AIG’s Vernaci says that for new clients, “it needs to be an open-ended question. What does the client consider their greatest risk? Ask them what they believe their key exposure is. How do the client’s existing P&C policies respond to it? Are they silent, or affirmative?” From there, he adds, a standalone cyber policy can be thoughtfully crafted.
In terms of who’s driving the buy for cyber coverage, Anderson says that pattern has shifted. Three to five years ago, he explains, “it was a trickle-up from the broker to the risk manager to the CFO to the CEO, then to the Board. Now, that’s reversed. Now, the board is asking companies how well they’re protected.”
Vernaci likewise sees an increasing trend for the C Suite to be involved. When making the case for cyber protections to an organization’s top management, brokers can stress the availability of pre-incident services, which offer the client “far more value than just a risk-transfer solution.”
Cottini says that ultimately, it’s a question of how much revenue the client is willing to risk losing in a cyber incident versus what they think they could or should pay.
At the end of the day, “recognize your client’s risk and understand their exposures,” adds Saeed. “Think about hacking and where it can go — let your imagination run wild. Because it’s all possible.”