Dear Valued Customer,

This issue of the “—————–” is focused on Cyber Security. Hundreds of millions of million data records of U.S. residents have been exposed due to security breaches, and businesses rely on their use of technology and access to the Internet. This reliance increases the potential for data security and privacy breaches.

Read on to understand the growing threat posed by high profile mega data breaches like those recently experienced at eBay, Target, Neiman Marcus and even the U.S. government. What does this mean to your personal security? And why most companies have cyber-risk gaps in their insurance coverage.

We appreciate your continued business and look forward to serving you.

Kind regards,

Amid a rising number of high profile mega data breaches—most recently at eBay, Target and Neiman Marcus—government is stepping up its scrutiny of cyber security. This is leading to increased calls for legislation and regulation, placing the burden on companies to demonstrate that the information provided by customers and clients is properly safeguarded online.

Despite the fact that cyber risks and cyber security are widely acknowledged to be a serious threat, many companies today still do not purchase cyber risk insurance. However, this is changing. Recent legal developments underscore the fact that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.

Specialist cyber insurance policies have been developed by insurers to help businesses and individuals protect themselves from the cyber threat. Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding in response to this fast-growing market need.

There is also growing evidence that in the wake of the Target data breach and other high profile breaches, the number of policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks in future.

For an analysis of the state of cyber risk and the insurance industry, download the full White Paper below.

Please click on the file name below to view the white paper in PDF format. You will need Adobe Acrobat Reader to view the file.

Download paper_cyberrisk_2014.pdf

Source: Insurance Information Institute, “Cyber Risks: The Growing Threat” http://www.iii.org website. Accessed August 5, 2014. http://www.iii.org/white-paper/cyber-risks-the-growing-threat

© Copyright 2014. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented. Read more.

As businesses increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online. This can leave individuals exposed to privacy violations and financial institutions and other businesses exposed to potentially enormous liability, if and when a breach in data security occurs.

The Consumer Sentinel database, maintained by the Federal Trade Commission, contains over 9 million consumer fraud and identity theft complaints that have been filed with federal, state and local law enforcement agencies and private organizations over the five years 2009 to 2013. In 2013 alone, over 2 million complaints were filed.

The increase in online shopping in recent years has created new avenues for identity thieves. However, a 2013 study by Travelers Insurance of its 2011 identity fraud claims found that burglary and theft of physical objects led to the majority of identity fraud claims. The study identified the following four top causes of identity fraud:

• Stolen wallet or purse (44%)
• Auto burglary (16%)
• Online (15%)
• Home Burglary (12%)

IDENTITY THEFT AND FRAUD COMPLAINTS, 2011-2013 (1)

id_theft_and_fraud_comp_11-13.gif

(1) Percentages are based on the total number of Consumer Sentinel Network complaints by calendar year. These figures exclude “Do Not Call” registry complaints.

Source: Federal Trade Commission.

View Archived Graphs

See also the Identity Theft section of our Web site Click Here

CYBER SECURITY

In 2000 the Federal Bureau of Investigation, the National White Collar Crime Center and the Bureau of Justice Assistance joined together to create the Internet Crime Complaint Center (IC3) to monitor Internet-related criminal complaints. In 2013 the IC3 received and processed 262,813 complaints, averaging about 22,000 complaints per month. The IC3 reports that 119,457 of these complaints involved a dollar loss, and puts total dollar losses at $782 million. The most common complaints received in 2013 included auto auction fraud involving the sale of automobiles, real estate scams and FBI impersonation email scams.

CYBER CRIME COMPLAINTS, 2009-2013 (1)

cyb_crime_comp_09-13.gif

(1) Based on complaints submitted to the Internet Crime Complaint Center.

Source: Internet Crime Complaint Center.

View Archived Graphs

© Copyright 2014. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented. Read more.

As companies become more dependent on their computer networks for vital data, business continuity and communications, their vulnerability to cyber catastrophes increases.

“Unfortunately, most companies are operating in a 21st century threat environment with 20th century insurance coverage,” states John Spagnuolo, spokesperson for the Insurance Information Institute (I.I.I.). “The dynamics of risk management have changed with technology.”

The insurance industry has developed cyber insurance products to help businesses confront the growing number of network security risks that have the potential to shutdown a network, destroy vital data or steal customer information. For example, as the public becomes more concerned about privacy, businesses will become more aware that they are liable if their customers’ personal information is compromised. However, only a small number of businesses are properly insured.

According to a recent Ernst & Young survey of 1,400 organizations in its 2003 Global Information Security Survey, only seven percent of respondents knew they had a specific insurance policy geared to this network and cyber-risk. Nearly a third (33 percent) thought they had coverage they actually lacked. Another 34 percent knew they lacked such coverage, while 22 percent didn’t know the answer. Ernst & Young characterized the fact that only 7 percent of surveyed companies had cyber insurance as “astonishingly low, given the risk environment and the fact that general policies don’t provide such coverage.”

Regardless of its product line or service, virtually all major businesses today rely on computer networks to function,” adds Spagnuolo. “But they need to recognize that network security risks are fundamentally different than traditional physical risks like fire. If a hacker or virus shuts down a network or destroys computer software or data, most businesses today have either limited or no coverage. Insurers have excluded these risks from standard commercial policies and are now offering stand alone coverage. Whether your company conducts business over the Internet, stores customer data on servers or simply uses email, it is at risk.”

The Risk

In fact, the number of incidents reported rose by 377 percent between 2000 and 2002, increasing from 21,756 to 82,094, according to the CERT® Centers at Carnegie Mellon University’s Software Engineering Institute, which focuses on ensuring the integrity and survivability of computer networks. An incident may involve one site or possibly thousands of sites. The CERT® Centers also indicate that the number of potential system vulnerabilities has increased by 378 percent, increasing from 1,090 in 2000 to 4,129 in 2002. Possible effects of a cyber attack include denial of service, unauthorized use, loss/misuse of data and loss of public confidence regarding an organization.

The Computer Security Institute (CSI), in cooperation with the Computer Intrusion Squad of the San Francisco Federal Bureau of Investigation (FBI), released the results of its 2003 Computer Crime and Security Survey. More than 250 respondents, which included computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, reported over $200 million in losses. According to CSI, the findings confirm the threat from computer crimes and other information security breaches continues unabated.

“The trends the CSI/FBI survey has highlighted over the years are disturbing,” states Chris Keating, CSI Director. “Cyber crimes and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks.”

The number of intruders grows each day and they are quite different from those of 10 years ago. A hacker does not have to be a sophisticated programmer to be able to harm a computer system. Intruders can use the Internet to educate themselves, and now have access to easy-to-use tools which allow them to do large amounts of damage in short periods of time.

“Intruders could be professional criminals, terrorists, industrial spies, teenagers and perhaps even employees,” emphasizes Spagnuolo.

Cyber-Risk and Homeland Security

Securing the nation’s cyberspace is also a critical element of homeland security, a strategic challenge that requires commitments by both the public and private sectors.

According to the National Strategy to Secure Cyberspace, released by the Bush Administration earlier this year, “Cyber attacks on U.S. information networks can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property or loss of life?There is no special technology that can make an enterprise completely secure. No matter how much money companies spend on cybersecurity, they may not be able to prevent disruptions caused by organized attackers. Some businesses whose products or services directly or indirectly impact the economy or the health, welfare or safety of the public have begun to use cyber-risk insurance programs as a means of transferring risk and providing for business continuity.”

“The insurance industry can play a pivotal role in securing cyberspace by creating risk-transfer mechanisms, working with the government to increase corporate awareness of cyber-risks and collaborating with leaders in the technology industry to promote best practices for network security,” says Richard Clarke, former chairman of the President’s Critical Infrastructure Protection Board.

By writing policies for network security exposures, the insurance industry is providing:

1. Vital risk transfer for network security exposures;
2. Incentives for network security best practices, including lower insurance premiums; and
3. Improved cyber-risk management and education.

Coverage

“Traditional insurance policies such as standard property and commercial general liability insurance do not adequately deal with the risks of a cyber attack or network security failure,” cautions Spagnuolo.

Specialized cyber-risk coverage is available primarily as a stand-alone policy. Each policy is tailored to the specific needs of a company, including the technology being used and the level of risk involved. Both first- and third-party coverages are available, including:

• Loss/Corruption of Data – covers damage to or destruction of valuable information assets as a result of viruses, malicious code and Trojan horses.
• Business Interruption – covers loss of business income as a result of an attack on a company’s network that limits the ability to conduct business, such as a denial-of-service computer attack. Coverage also includes extra expense, forensic expenses and dependent business interruption.
• Liability – covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of:
  • Breach of privacy due to theft of data (such as credit cards, financial or health related data),
  • Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties,
  • Failure of security which causes network systems to be unavailable to third parties,
  • Rendering of Internet Professional Services, and
  • Allegations of copyright or trademark infringement, libel, slander, defamation or other “media” activities in the company’s web site.

• Cyber Extortion – covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
• Public Relations – covers those public relations costs associated with a cyber attack and restoring of public confidence.
• Criminal Rewards – covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of the cyber-criminal who attacked the company’s computer systems.
• Cyber-Terrorism – covers those terrorist acts covered by the Terrorism Risk Insurance Act of 2002 and, in some cases, may be further extended to terrorist acts beyond those contemplated in the Act.
• Identity Theft – provides access to an identity theft call center in the event of stolen customer or employee personal information.

Depending on the policy, coverage can apply to both internally as well as externally launched attacks as well as viruses which are specifically targeted against the insured or widely distributed across the Internet. Premiums can range from a few thousand dollars for base coverage for small businesses (less than $10 million in revenue) to several hundred thousand dollars for major corporations desiring comprehensive coverage.

Risk Prevention Services

As part of the application process, some carriers offer an on-line and/or on-site security assessment free of charge regardless of whether the applicant purchases the insurance. This is helpful to the underwriting process and also provides extremely valuable analysis/information to the company’s chief technology officer, risk manager and other senior executives.

The Market

“Thousands of policies have been written for cyber coverage since the late 1990s,” according to Robert Hartwig, chief economist for the Insurance Information Institute. “Policies written for cyber insurance are likely to reach $2 to $3 billion within the next four to five years as companies recognize existing gaps in their coverage.”

cent legislation and regulation such as the Gramm-Leach-Bliley Act (GLB), Health Insurance Portability and Accountability Act (HIPAA) and California’s Security Breach Information Act (SB 1386), effective 7/1/2003, are also expected to substantially increase potential legal liabilities in this area, increasing the need and demand for cyber-risk insurance coverage.

Source: Insurance Information Institute, “Most Companies Have Cyber-Risk Gaps in Their Insurance Coverage, States The I.I.I. — Traditional Insurance Policies Not Adequate For Cyber Exposures” http://www.iii.org website. Accessed August 5, 2014.  http://www.iii.org/press-release/most-companies-have-cyber-risk-gaps-their-insurance-coverage-states-iii-traditional

© Copyright 2014. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented. Read more.