The E-merging Risk that Keeps on E-volving: Cyber

For providers of service and insurance to PEOs, small and medium-sized businesses are the “bread and butter” of the clients targeted.

“According to an ISO analysis, 80 percent of cyber breach victims in 2017 were small and medium-sized businesses.” — Neil Spector, president, ISO, a Verisk business

Great article on the current state of cyber from our friends at insurancejournal.com.

The E-merging Risk that Keeps on E-volving: Cyber

    6 Reasons Cyber Remains Top Emerging Risk

    Property/casualty insurance experts may not agree on everything but there is a consensus that the most important emerging risk for the industry remains the five-letter word: CYBER. It is not new, of course, but it stays atop emerging risk lists because of its dynamic and pervasive nature.

    Insurance Journal defines emerging risks as those that are new and not yet widely recognized, or perhaps recognized but not well understood. A number of industry leaders explain why cyber remains such an important risk to watch.

    Not Slowing Down

    The number of data breaches and the average costs of cyber-crime are rising every year. These trends show no signs of slowing down. In fact, cyber risk is becoming more concerning as crime-as-a-service gains popularity and artificial intelligence technologies are used more frequently in attacks. Internet of Things devices are increasing the attack surface and providing more ammo for hackers. One of the more difficult aspects about insuring cyber risk is the dynamic nature of the risk. Just a few years ago, cyber-attacks primarily involved stealing private credit card and health information from large companies. Today, cyber criminals focus on completely different tactics for making money, such as locking out users from computer systems using ransomware, or secretly hijacking computers to mine cryptocurrency. And large corporations aren’t the only targets. According to an ISO analysis, 80 percent of cyber breach victims in 2017 were small and medium-sized businesses. — Neil Spector, president, ISO, a Verisk business

    Keeping Up with IoT

    The biggest risks involve cyber crime. Under “emerging risks,” one of the biggest is the Internet of Things (IoT), and the cybersecurity risks created by billions of interconnected devices. The challenges for agents and brokers multiply in regard to understanding the potential implications, such as IoT devices in homes and businesses — tracking sensors, fire/flooding/intrusion warning devices and more. Agents need to be aware of the questions to ask clients to ensure they are offering complete coverages. They need to be vigilant in keeping up with the IoT devices emerging at an astonishing pace. — Robert Rusbuldt, CEO, Big “I” Independent Insurance Agents & Brokers of America.

    High Severity

    There are many scenarios where cyber risk comes into play, but one example is related to vehicle systems. Luxury automobiles, for example, have up to 150 or more computer programs that impact vehicle performance. Tractor trailer technology is also advancing rapidly, and just one of those systems being hacked could have catastrophic results. WSIA conducts a biennial survey of members regarding emerging issues. Cyber exposure jumped in priority this year, with members agreeing the issue has high severity in terms of current impact industrywide. — Jacqueline Schaendorf, president and CEO, Wholesale & Specialty Insurance Association

    Cyber Property Damage

    One definite area of emerging peril is the threat of substantial property destruction caused by intrusions into sensitive computer networks and connected hardware devices. Long gone are the days where the worst aspect of cyber vulnerabilities amounted to stolen credit card information or lost privacy. Instead, a new breed of cyber exposure is unfolding whereby energy infrastructure facilities and other industrial works have been targeted with cyber attacks causing explosions, wreckage and business interruption. Most expect these risks will soon expand to domestic infrastructure and transportation operations with the prospect of major instances of property damage and life-threatening injuries.

    — Joshua Gold, shareholder attorney, Anderson Kill

    Immature Market

    Cyber comes with a bit of a double-edged sword. On one hand, it is a new market that is growing faster than any other for the industry. But being an immature market means more time is needed to flesh out the data to improve underwriting. Where cyber may be a more interesting market — perhaps even one that helps us peer into the future value of insurance — is how risk mitigation tools are being incorporated into the mix. We are seeing many carriers partner with technology companies in order to assess the actual vulnerabilities within the customers. This presents more stability for underwriting. Customers’ value may evolve in the future toward risk mitigation and resilience building. This would be a shift for an industry that — at least for the past several decades — has based its value on price. — Sean Kevelighan, president and CEO, Insurance Information Institute

    Accumulation Risks

    In a study titled “Advancing Accumulation Risk Management in Cyber Insurance,” global insurance think tank The Geneva Association focused on the danger of accumulation risks as a threat to cyber insurance. The report highlights several cyber accumulation risk challenges:

    • Insurers and reinsurers could underestimate non-affirmative cyber exposure leading to an unplanned shock from a major event. Non-affirmative cyber exposure occurs when a cyber attack causes major losses by triggering coverages in other classes.
    • Data are of insufficient quality, are incomplete and/or lack the necessary consistency for more advanced modeling techniques.
    • Governments predominantly fail to provide frameworks for the sharing of large-scale cyber-terrorism losses.

    – Anna Maria D’Hulster, secretary general, The Geneva Association

    Young Consumers Willing to Let Insurers Spy on Digital Data – If It Cuts Premiums

    As a sociology major and Orwellian it is hard for me to not think about “Big Brother” when reading these types of reports. My gut would tell me that the younger generation of people that understand data management the most would be most concerned about data collection – seemingly not the case –

    The majority of people between 18 and 34 would be willing to let insurance companies dig through their digital data from social media to health devices if it meant lowering their premiums, a survey shows.

    In the younger group, 62 percent said they’d be happy for insurers to use third-party data from the likes of Facebook, fitness apps and smart-home devices to lower prices, according to a survey of more than 8,000 consumers globally by Salesforce.com Inc.’s MuleSoft Inc. That drops to 44 percent when the older generations are included.

    As consumers share more of their personal data online, governments increased their scrutiny of how it’s collected and used following the harvest of 61 million Facebook users’ accounts by U.K. firm Cambridge Analytica. The European Union’s new privacy law, known as the General Data Protection Rules, took effect on May 25.

    Of the older generations, 45 percent of 35- to 54-year-olds are happy to allow insurers broad access to their digital identity, while 27 percent of those 55 and older would do so.

    Insurers are investing millions improving their digital offerings amid growing competition from fintech startups. But that’s a work in progress: 58 percent of the survey’s respondents said that systems don’t work seamlessly for them, with many citing difficulty filling out a form online. And 56 percent said they would switch their insurance provider if digital service is poor.

    “Insurers are already struggling to deliver a connected experience,” said Jerome Bugnet, EMEA client architect at MuleSoft. That is happening “before even considering how they bring all these new data sources into the equation.”

    Buffett Not Eager for Berkshire to Be Cyber Insurance Leader

    https://www.insurancejournal.com/news/national/2018/05/07/488425.htm

    Some intriguing comments from Warren Buffett on the state of cyber insurance. My favorite (which I agree with), “I don’t think we or anybody else really knows what they’re doing when writing cyber” insurance, Buffett said Saturday at his firm’s annual meeting in Omaha, Nebraska. “We don’t want to be a pioneer on this.”

    From both sides of the table (agent and underwriter) there is still much more to learn in this burgeoning insurance product line which has increased premiums written 35% in the last two years.

    Buffett Not Eager for Berkshire to Be Cyber Insurance Leader

    May 7, 2018

    Warren Buffett said he doesn’t want Berkshire Hathaway Inc. being a leader on cyber insurance because neither he nor others in the industry really know the risk.

    “I don’t think we or anybody else really knows what they’re doing when writing cyber” insurance, Buffett said Saturday at his firm’s annual meeting in Omaha, Nebraska. “We don’t want to be a pioneer on this.”

    Buffett said that cyber risk is part of his estimate that every year carries about a 2 percent chance of a super catastrophe that would cause $400 billion or more of insured losses. While that kind of disaster will wipe out many companies, Berkshire will aim to keep its exposure low enough to remain profitable in such a year, the 87-year-old chairman said.

    Buffett said he’s fine with writing some cyber policies to remain competitive, but doesn’t want to be among the top three in the industry. Anyone who claims to know the base case or worst case for losses is “kidding themselves,” he said.

    [Property/casualty insurers wrote $1.35 billion in direct written premium for cyber insurance in 2016, a 35 percent jump from 2015, according to reports by Fitch Ratings and A.M. Best.

    According to the reports, the largest cyber insurance writers are American International Group, XL Group and Chubb. These companies had a combined market share of approximately 40 percent at year-end 2016. The top 15 writers of cyber held approximately 83 percent of the market in 2016.

    Completing the top 10 writers of cyber ranked by direct premium written are: Travelers, Beazley, CNA, Liberty Mutual, BCS Insurance (owned by Blue Cross licensees), AXIS Insurance Group and Allied World.]

    NAPEO Forms Cybersecurity Task Force

    As an FYI, NAPEO has formed a Cybersecurity Task Force to better understand the exposures of PEO and how to mitigate them. A very timely and critical task force that I am very proud to be a part of – This is by far the most misunderstood exposure to PEO today.

    “NAPEO recognizes the critical business and compliance risks faced by our members concerning cybersecurity. Although many member resources such as PEO Insider and various conferences have featured helpful information and programs for members on this topic, NAPEO recognized more is needed and formed the NAPEO Cybersecurity Task Force to help fill that gap. The Cybersecurity Task Force is comprised of a cross section of professionals with expertise in insurance, law, technology and the business environment of PEOs. Its primary mission is to develop a set of best practices which NAPEO members could use to strengthen their compliance efforts and minimize their legal and business risks. The Task Force’s first step will be to survey members to gain a deeper insight into the cybersecurity concerns and exposures of members, which will be used to help shape the best practices the task force will produce. For more information, please contact Farrah Fielder.”

    ‘Petya’ Ransomware Outbreak Goes Global

    Does your company have a process in place to combat and/or react to a ransomware attack? If not, you should.  The below article published on krebsonsecurity.com outlines one of the newest ransomware threats.

    ———–

    A new strain of ransomware dubbed “Petya” is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 — the same bug that was exploited by the recent and prolific WannaCry ransomware strain.

    The ransom note that gets displayed on screens of Microsoft Windows computers infected with Petya.

    According to multiple news reports, Ukraine appears to be among the hardest hit by Petya. The country’s government, some domestic banks and largest power companies all warned today that they were dealing with fallout from Petya infections.

    Danish transport and energy firm Maersk said in a statement on its Web site that “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” In addition, Russian energy giant Rosneft said on Twitter that it was facing a “powerful hacker attack.” However, neither company referenced ransomware or Petya.

    Security firm Symantec confirmed that Petya uses the “Eternal Blue” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agency and in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.

    Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. U.S. intelligence agencies assess with medium confidence that WannaCry was the work of North Korean hackers.

    Organizations and individuals who have not yet applied the Windows update for the Eternal Blue exploit should patch now. However, there are indications that Petya may have other tricks up its sleeve to spread inside of large networks.

    Russian security firm Group-IB reports that Petya bundles a tool called “LSADump,” which can gather passwords and credential data from Windows computers and domain controllers on the network.

    Petya seems to be primarily impacting organizations in Europe, however the malware is starting to show up in the United States. Legal Week reports that global law firm DLA Piper has experienced issues with its systems in the U.S. as a result of the outbreak.

    Through its Twitter account, the Ukrainian Cyber Police said the attack appears to have been seeded through a software update mechanism built into M.E.Doc, an accounting program that companies working with the Ukrainian government need to use.

    Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.

    Weaver noted that Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.

    Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down.

    “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver said. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”

    Ransomware encrypts important documents and files on infected computers and then demands a ransom (usually in Bitcoin) for a digital key needed to unlock the files. With most ransomware strains, victims who do not have recent backups of their files are faced with a decision to either pay the ransom or kiss their files goodbye.

    Ransomware attacks like Petya have become such a common pestilence that many companies are now reportedly stockpiling Bitcoin in case they need to quickly unlock files that are being held hostage by ransomware.

    Security experts warn that Petya and other ransomware strains will continue to proliferate as long as companies delay patching and fail to develop a robust response plan for dealing with ransomware infestations.

    According to ISACA, a nonprofit that advocates for professionals involved in information security, assurance, risk management and governance, 62 percent of organizations surveyed recently reported experiencing ransomware in 2016, but only 53 percent said they had a formal process in place to address it.

    FBI: Cybercrime Losses Reached $1.33B in 2016, a 24 Percent Rise

    Unfortunately, cybercrime isn’t going anywhere anytime soon.  Below is a brief update from the FBI on the topic.

    FBI: Cybercrime Losses Reached $1.33B in 2016, a 24 Percent Rise

    June 22, 2017 by Laharee Chatterjee

    Losses from cyber crimes rose 24 percent in 2016 to over $1.33 billion, according to a report by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3).

    The center, which was set up in 2000 to receive complaints of internet crime, received 300,000 complaints during the year from hacking victims.

    Businesses lost $360 million to cyber criminals, who tricked them into wiring money using fraudulent emails that appeared to be from corporate executives and suppliers, according to the report released on Wednesday.

    IC3 said it received 2,673 complaints last year from victims of ransomware, with losses totaling over $2.4 million.

    In May, the WannaCry ransomware attack infected 300,000 computers in more than 150 countries, disrupting factories, hospitals, shops and schools.

    Ransomware is a form of malware that encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

     

    Cyber Insurance is quite possibly one of the most discussed and equally misunderstood concepts over the past several years. If you own a business, you must ensure you are protected from cybercrime. Libertate Insurance has access to several markets, one of which is a new PEO Cyber Master program. Contact us today for more information.

    Sharlie Reynolds, 305.495.5173 / sreynolds@libertateins.com

    Engage PEO Hits INC 500/5000

    It is with great pride that I announce that our friends at Engage have hit the INC 500/5000 for 2016!  Hitting the 5000 is a big enough deal but in the top 500 growth companies in the United States is a very special accomplishment.  Congratulations Jay, Midge and the rest of the Engage team!

    “Inc. ranked Engage as the 127th fastest-growing private company in the country. The report notes that Engage’s three-year revenue growth exceeded 2,700 percent. Engage ranked as the fastest growing professional employment organization, second among all human resource companies, and 12th of all companies in Florida.”

    Having started operations less than five years ago, Engage has grown its coemployee base to almost 25,000 employees at present. With a focus on healthcare and human resources, the firm’s average client size is arguably almost triple the industry norm at over 60 employees. With recent hirings of industry stalwarts Steve Scott and Craig Hill, it is my opinion that this is just the opening chapter for Engage.

    Congratulations!

    -PRH

     

    The Compass Brings You “The Cybersecurity Report”

    The PEO Compass has developed a column that will be devoted to cyber security and cyber threats due to the ongoing development of threats and problems that can potentially affect all of us in our day-to-day lives, both in business and personally.

    The Cybersecurity Report will cover varying topics that are both informative and current as to our current climate and the potential threats that can impact us from a time, financial, and credibility standpoint.

    From cyber crime to data breaches, the ever-evolving world and never-ending tenacity of cyber criminals expand, and the effects can be catastrophic.

    It is for this reason that we have established a strategic partnership and launched a cyber security platform called RiskMD Cyber.  The platform will encompass various risk mitigation and management techniques ranging from audit of current internal structure and security to insurance that will aid in the event of a breach or loss.

    Our partner in this venture and the key contributor to the report is Stackframe.

    Stackframe was founded in 2004 to leverage experience in building and maintaining sophisticated high-fidelity distributed simulation systems into other domains. Quickly gaining clientele in various diverse industries, StackFrame has matured into an organization capable of solving challenging technical problems in the areas of software development and information technology services management and was recently recognized as one of the 101 companies to watch in Florida.

    StackFrame’s company culture has attracted a talented, impactful staff that thrive tackling the problems faced by modern businesses and organizations as they grow more connected to the ecosystem of services and technologies served over the Internet.

    Currently employing 26 people and headquartered in Seminole County, Florida, StackFrame is well poised to assist organizations of all sizes and continue growing in size and capability.

    To learn more please visit http://www.stackframe.com/