We’re continually updating our Cyber Liability Resource Center with topical information and materials for you. Feel free to contact us for other, or more specific, resources to meet your needs.
Cyber Risk News - February 2018 [ Article]
In this issue: cyber in M&A; upcoming cyber webinars; the increase in cyber extortion; attempts at federal breach laws; banks suing retailers over breach costs; and biometrics.
Market Conditions 2018: Cyber Liability [ Market Report]
2017 was a record year for cyber attacks, and not in a good way. According to Risk Based Security, Inc., there were 3,833 breaches reported through the end of September 2017, exposing over 7 billion records. This represents an increase in the number of reported breaches of 18.2%, compared with the same period in 2016, with the number of exposed records up 305%.
Cyber Liability Practice Webinar Series [ Webinar]
Gallagher invites you to participate in a webinar series that will discuss the full gamut of cyber risk prevention services and tools across several fronts, from issue awareness (including employee privacy and security training) to the risks presented by outside third-party service providers and vendors.
Defense Against Ransomware [ Whitepaper]
Ransomware (a common form of cyber extortion) is malicious software that blocks access to a victim’s data by locking a system or encrypting data until the victim agrees to pay a ransom. The frequency of ransomware attacks has increased drastically since these extortions began to emerge several years ago. The attacks have also become more complex: the parties responsible for the infections have access to malware capable of crippling an entire network, and that malware can originate in one organization’s system and use it as a conduit to access and infect third-party systems.
Determining Coverage: Fraud-Related Coverages in Cyber Insurance [ Article]
Cyber policies address the threat of intrusion attacks seeking to gain access to the insured’s computers and information. But what about social engineering fraud schemes such as telecommunication, funds transfer or computer fraud? There is potential for considerable overlap and confusion with the crime insurance policy.
Medical Device Cybersecurity [ Whitepaper]
The world of cyber risk has continued to develop and expand since our May 2016 paper on Medical Device Cybersecurity. The threat of ransomware has come to the forefront, as demonstrated by global attacks such as WannaCry and Petya. These attacks show how hackers have become more sophisticated in their ability to use malware to exploit vulnerabilities in systems, hardware and devices. They also highlight the vulnerabilities of devices and systems that, through lack of patching and support and outdated operating systems, are exposed to hacking, worms and similar threats that can affect patient safety, system security and data integrity.
Security takeaways from latest global cyber attack [ News]
The cyberattack that swamped much of Europe and infiltrated American computer systems yesterday exploited the same vulnerabilities as the WannaCry attack in May.
Protecting Your Organization in an Escalating Cyber Threat Environment [ Whitepaper]
Cyber attacks have unfortunately become a common occurrence in today’s business economy. Organizations of all sizes, from small businesses to global enterprises, must take endpoint detection and prevention into consideration when establishing a cybersecurity strategy.
Ransomware [ Article]
Ransomware is a type of malicious software that infects a computer and then holds the data hostage by encrypting the files until victims pay to have them unlocked. It comes in two major types: cryptors and blockers.
Market Conditions 2017 - Cyber Liability [ Market Report]
As we recognize the extent to which technological advancements have affected all organizations, we take an insurance perspective to look back at 2016 while also looking forward to 2017. Overall, 2016 was a year of stability for the cyber insurance industry. However, a relatively new insurance concept has evolved: cyber insurance can now be referred to as “traditional” cyber insurance.
Protecting Security and Privacy in an Interconnected World [ Whitepaper]
Every organization should focus on cyber security. Governments and consumers alike are pressuring organizations to reduce the frequency of cyber events.
Marine Practice Group Webinar [ Webinar]
Recently, the Government Accountability Office, the Department of Homeland Security and the United States Coast Guard have all issued warnings regarding the vulnerability of the maritime industry to cyberattacks and have provided suggestions to reduce the risk.
Understanding Your Cyber Policy Language (5/11/2016) [ Webinar]
As more claims are filed under cyber policies, there is a new and developing understanding of how cyber policies are being interpreted by insurance companies and where the interplay is with other insurance policies.
Healthcare Privacy: Essential HIPAA Privacy Preparation (4/17/16) [ Webinar]
Understanding your obligations under HIPAA and the ramifications of non-compliance for healthcare organizations and business associates is a major concern. HIPAA preparation is essential to avoid costly audits, fines and penalties.
Advisor - Social Engineering Fraud [ Advisor Newsletter]
Social engineering fraud, also known as imposter/impersonation fraud, has become endemic throughout North America and Europe. It involves a criminal who purports to be a vendor, client, company executive or other legitimate party and provides seemingly credible information to support that representation.
CyberRisk: What We Know and What We Don’t Know (3/16/16) [ Webinar]
As cyber risk continues to evolve, managing this risk poses great challenges to those responsible. As newsworthy breach litigation escalates, emerging and future technological trends sit on the horizon, potentially exposing organizations to even more risk. Many risks are understood, yet many are still unknown.
Assessing Cyber Risk [ Whitepaper]
This paper reviews data that is both relevant and available, and subsequently demonstrates how to use it in the development of a model to assess your cyber risk in today’s business environment.
Market Conditions 2016 - Cyber Risk Insurance [ Market Report]
The year 2015 should be remembered as the year that the cyber insurance market took a first step toward risk engineering following the mega breaches of 2013 and 2014.
Cyber Risk Management Essentials [ Article]
Cyber Liability in the Marine Industry [ Whitepaper]
Recently, the Government Accountability Office, Department of Homeland Security and United States Coast Guard have all issued warnings regarding the vulnerability of the maritime industry to cyber attacks and have provided suggestions to reduce the risk.
Assessing Cyber Risk - 2015 [ Whitepaper]
Source, quantity and quality of data are the obvious keys to assessing or estimating risk. As the cyber claims world is quite new, the amount of data available is relatively sparse. This paper reviews the data that is both relevant and available, and subsequently demonstrates how to use it in the development of a model to assess your cyber risk in today’s business environment.
Market Conditions Update: 2015 Cyber Liability Report [ Market Report]
In 2014, cyber attacks made top headlines in striking retailers, healthcare companies, financial institutions and even entertainment companies. Given an increasing awareness that no business is above a cyber security breach, this risk exposure has become a top priority within many companies. The Gallagher Market Conditions Update: 2015 Cyber Liability Report provides a recap of 2014 cyber attack fallouts and a look ahead at key risk exposures for 2015. Are you prepared?
Healthcare: The Financial Impact of a Data Breach [ Whitepaper]
Re-Release: As healthcare organizations become increasingly exposed to risks from data security breaches involving protected health information (PHI) or personally identifiable information (PII), it is important to understand the risks and their origin.
Cyber Risk for Higher Education [ Whitepaper]
Colleges and universities rely heavily on technology to collaborate on projects, handle financial and medical information, transmit grades, provide class schedules and conduct general outreach. A cyber breach for these organizations represents significant risk as well as damage to their reputations.
Cyber Threats and Realities: Solutions for Real Estate and Hospitality [ Webinar]
Cyber attacks have spread beyond the “usual suspects” of government, banks and retail targets. The unauthorized access of data and unknown breaches are now a growing and documented exposure for any real estate or hospitality owner/operator who has access to credit cards; utilizes computer operating systems for their assets; accepts and warehouses anyone’s personal information; or engages in social media.
Over 45 states require that individuals (customers, employees, citizens, students, etc.) be notified if their confidential or personal data has been lost, stolen or compromised. The emergence of state privacy laws, various federal laws (HIPAA, Federal Trade Commission regulations, Securities and Exchange Commission rules) and foreign laws has created increased awareness of identity theft.
As a result, there has been a rise in class action suits, and regulatory actions are becoming more commonplace. The security and safeguarding of information is paramount to protecting an organization from embarrassment, reputational damage, financial loss, regulatory intervention and even public boycotting.
Below are some of the most commonly asked questions about Cyber Risk issues:
Q: Why are services and products needed?
- Traditional insurance has gaps
- Cyber insurance fills most of those gaps
- There is ALWAYS an information security RiskGap
- The RiskGap must be addressed by risk transfer or acceptance
- Threats and vulnerabilities are getting dramatically worse
- Corporate governance requires these issues be addressed
Q: What is the RiskGap?
The RiskGap is the unsecured exposure that remains after security is put in place. No matter what technical actions are taken, there is ALWAYS a RISK GAP.
- Exposures have two components: controlled and uncontrolled.
- Controllable exposures have two flaws:
  - Networks are so complex that it's impossible to consider everything.
  - For business reasons, ALL controls are NEVER implemented.
- Uncontrolled exposures come from NEW threats such as viruses.
Our practice helps you decide what to control and what to insure.
Q: What are the challenges?
- System security is a holistic problem in which technological, managerial, organizational, regulatory, economic, and social aspects interact.
- Neither the insurance community nor the information security community is organized or trained to address this environment.
Q: How does Gallagher CyberRisk address these challenges?
- It creates new forms to deal with these dynamic exposures.
- It includes information security expertise in its organization.
- It functions as a products and services integrator between the insurance community and the information security community.
Q: What are Electronic/Internet Risks?
These are losses caused by viruses, programming errors, theft/corruption/alteration of data, malicious hacking, copyright infringement, denial of service attacks, and accidental destruction or alteration of data, among others. It has been estimated that these perils will generate over $253 billion in losses to the US economy in 2001.
Information and databases have become critical organizational assets, and they will become increasingly important in the future as electronic record keeping becomes ever more prevalent.
Q: Why aren't these losses covered by standard insurance?
Traditional Property and General Liability policies are triggered by tangible, physical damage to property. Most types of electronic loss result in NO damage to physical property; only data is lost or destroyed. The question of what exactly constitutes tangible property is the subject of much litigation.
For insurance purposes, most courts have ruled that "bits and bytes" are not tangible property, and therefore traditional policies are not triggered by these kinds of losses. Most EDP policies also require physical, tangible damage to computer equipment before coverage is triggered. Policy language is very ambiguous on this issue, and historically the distinctions have not been made clear to the insurance buyer.
The subject should become moot as the market continues to harden, and coverage becomes more restrictive. We are starting to see specific cyber exclusions appearing on renewals.
Q: Our company doesn't have a big Internet presence. Why would we be a target for a hacker?
Hackers have many motivations, and profit is not always the primary one. Studies have estimated that over 80% of all malicious hacking comes from inside the organization: the proverbial "disgruntled employee," not the pale teenage hacker sitting in front of a PC in his basement, is your greatest danger.
In addition, viruses are capable of corrupting any system, and can infect a system from a variety of sources. You don't need to be a specific target to catch a virus.
Q: We keep intruders out. Isn't that enough protection?
While firewalls are an important component of a complete security solution, they are only able to address a certain class of risk. There are many information risks that firewalls do not, and cannot, address.
Firewalls are devices placed between the public and your web/email servers; they monitor and control traffic in and out of your network. But firewalls need to be properly configured, actively monitored and managed to work properly. Typically they are installed around the perimeter of an enterprise network, which still leaves an entity vulnerable to attacks from insiders.
Studies have consistently shown that over 80% of all hacking damage is done by people inside the organization. There are over 1,900 known vulnerabilities that can be exploited to break into a computer network, and the list grows weekly. As this is being written, the Code Red and Nimda viruses are compromising networks across the country.
If the IT department isn't super-vigilant about applying patches against vulnerabilities, there will be holes in network security that can be exploited. An IT department has its hands full just keeping a computer network up and running, and security takes a back seat unless it has a full-time Information Security staff member.
Even if there is a dedicated staff member handling infosec, these vulnerabilities are often still unaddressed. The IT department is often very sensitive about Risk Management prying into its activities. Information Security is a very specialized skill set, and most IT Directors do not have the staff or resources to do a thorough job of securing the network. Risk Management must be wary of any attempts by IT to stonewall inquiries into the level of organizational information security. It's common knowledge in the industry that there is no such thing as 100% security.
Q: Is there a specialized type of insurance for these kinds of risks, and if so what does it do?
Yes, the insurance industry has responded with special "e-insurance" policies to protect against these types of losses. These policies typically protect against First Party losses (e.g., your own data) and Third Party losses (e.g., liability arising out of failure to properly secure electronic data/records), and are designed to dovetail with standard Property and CGL forms. Although it is hard to generalize, they typically exclude the traditional Bodily Injury/Property Damage exposures while granting explicit coverage for the electronic perils.