On Thursday, Paul reminded us of the ongoing trends which are playing out in the realm of cyber Insurance. According to content sourced from AM Best, we are witnessing an increase in both frequency of events as well as average cost per event in the cyber space. This trend will, no doubt, bring about not only marked increases in cyber insurance premiums, but more rigorous requirements in cyber security by carriers willing to continue offering products in this space. For full details, check out his post Annual Growth of Cyber Claims is Double Growth of Cyber Premiums. Â
On this day, June 11th in 1776 the Continental Congress created a committee to draft a Declaration of Independence with Thomas Jefferson, John Adams, Benjamin Franklin, Roger Sherman, and Robert R. Livingston as members. Thomas Jefferson primarily penned the original draft which was dived into five sections, including an introduction, a preamble, a body (divided into two sections) and a conclusion. While the body of the document outlined a list of grievances against the British crown, the preamble includes its most famous passage: “We hold these truths to be self-evident; that all men are created equal; that they are endowed by their Creator with certain inalienable rights; that among these are life, liberty and the pursuit of happiness; that to secure these rights, governments are instituted among men, deriving their just powers from the consent of the governed.”
The Continental Congress reconvened on July 1. The process of consideration and revision of Jefferson’s declaration continued on July 3 and into the late morning of July 4, during which Congress deleted and revised some one-fifth of its text. The delegates made no changes to that key preamble, however, and the basic document remained Jefferson’s words. Congress officially adopted the Declaration of Independence later on the Fourth of July (though most historians now accept that the document was not signed until August 2).
What would Thomas Jefferson think of our cyber insurance woes of today?
Content taken from Andrew G. Simpson’s May 2021 article in the Insurance Journal and is a reformatted post
While a typical business interruption can often be a confusing insurance situation, the picture gets even muddier when it involves cyber coverage.
According to Chris Mortifoglio, who is a Certified Public Accountant and a Certified Fraud Examiner (CFE), understanding the “nuances and differences” of a cyber insurance business interruption exposure or claim compared to a traditional one is more important now than ever.
“I will tell you that in my experience business interruption is often the most misunderstood part of property coverage. Part of that has to do with the fact that it can be very subjective. If you have 10 accounts looking at the same set of financial data, you’ll oftentimes receive 10 different calculations or estimates of what a business interruption loss might be,” said Mortifoglio, who has been dealing with business interruption exposure assessments and claims for more than a decade as the director of forensic accounting at Procor Solutions and Consulting in New York.
A cyber business interruption risk can be difficult to estimate and manage. To further the understanding of cyber BI, Mortifoglio identified five areas where cyber BI differs from traditional BI: period of measurement; period of restoration; personnel involved; geographic constraints, and reputational risk.
1. PERIOD OF MEASUREMENT
The differences between traditional and cyber business interruption begin with the period of measurement or evaluation of lost business income, a period that typically runs shorter for cyber. The timing of a cyber incident can have a major effect on the amount of a potential loss. “Traditionally, when you have a property loss, you’re usually valuing the disruption for a period of weeks or months or years as it takes time to physically repair the property damage that was occurring,” he said. In a cyber incident, the loss may last for just a few hours or a few days. This much shorter time period requires detailed or as Mortifoglio refers to it “granular” on the impact and the disruption on a company. “This means that in order to properly evaluate cyber business interruption, you need much more granular levels of data, maybe even hourly revenue data, or certainly daily sales data, as opposed to a traditional business structure loss where, in some cases, monthly profit and loss statements are enough to evaluate the impacts of the loss,” he said. The granular data is particularly important, for example, when the business operates 24 hours a day, 7 days a week making online sales. “There may be much more greater impacts, and there may be more of a need to really drill down into the disruptions that happen at different times of the day. What happened at midnight versus what happened at 8:00 am?” he explained. When comparing traditional versus cyber BI coverage, the waiting periods following an event before coverage begins are usually different as well. The waiting period for a cyber policy is often denoted in hours, whereas a traditional policy is typically for at least a few days, although it may be written as 48 hours or 72 hours, as opposed to perhaps a 12 hour waiting period for a cyber business interruption loss.
2. PERIOD OF RESTORATION
Another difference is the period of restoration. Defining the period of restoration is very important because that drives the ultimate value of a cyber business interruption loss. The period of restoration is defined as starting on the date of loss, which is the date of physical damage, and ending on the date “when the repairs should have been completed if the insured had utilized due diligence and dispatch.” That period of time is the period of time that an insurance policy will provide coverage for any loss of business income. But determining when this period starts or ends is not always easy. “When it comes to property losses, there’s usually a very clearly defined start to that business interruption period, known as the date of loss. We can define very easily what that period of indemnity is and what a potential extended period of indemnity is because it all depends on the physical damage,” he said. If a fire, earthquake or hurricane impacts an organization, it’s not hard to define when that physical damage occurred. That is the starting point for the period of restoration. However, when it comes to cyber, “there is much less certainty, not only to when a cyber event has started, but also when a cyber event ended” including when the system was repaired and there no longer is a breach. These dates are critical to figuring out the period of time that’s going to be evaluated for a cyber business interruption loss. Mortifoglio recited some questions that come up when evaluating cyber business interruption: “When did the loss start? How do we know that it started at this point in time? Was there a full disruption for an organization or just partial. For example, was it a specific system that was impacted, an email system or an accounting system that went down? And then when did this loss end?”
3. PERSONNEL INVOLVED
So in addition to requiring more and different types of data, and presenting complexities around the period of restoration, cyber business interruption also typically calls for more personnel to become involved from an organization. Mortifoglio cited a need for personnel from the risk manager and legal counsel to financial, technology and operations officers as well as others to contribute to the assessment. First and foremost is the risk manager, the “quarterback of the insurance recovery process” who is helping to manage the actual claims process once something happens, not to mention being the purchaser of the insurance on the front end. After a loss has happened, somebody from the accounting or finance department — perhaps the CFO or the controller—should be called upon to provide the financial data required to quantify any business interruption loss. In addition, it’s important to have someone from operations to assure that the full impacts of the loss are being documented and also connected to the actual financial calculation. And there’s more. “You now have to bring in more folks from your organization to help really provide the picture in the story of what happened and help to properly and accurately quantify cyber business interruption,” Mortifoglio added. This means calling in folks from the IT team to help to identify the status of the cyber incident and define the period of indemnity and the period of restoration. “That’s going to help narrow down the exact period of time that we need to evaluate from a financial perspective to quantify the loss,” he said. Also, the chief systems or technology officer may be needed to oversee data privacy and records issues that may come up in a cyber incident. The legal department may also deal with privacy issues, general legal ramifications and coverage issues, as well as interface with outside counsel brought in to help deal with a cyber breach. “The addition to these extra personnel can add to the complexity of the process,” the Procor executive said.
4. GEOGRAPHIC CONSTRAINTS
Whereas a traditional business interruption claim may be geographically constrained, the same is not always true for cyber exposure. In a traditional scenario, the property damage is contained to either a single location or region that has been hit by a widespread catastrophe. “Think of a hurricane that hit the state of Florida, and if you’re an organization that has multiple locations there, you may have multiple instances of damage. You may have multiple locations that are being impacted,” he noted. When it comes to a cyber loss, these geographic constraints do not exist and an entire organization could be impacted around the globe at the same time. “If you are an organization with a global presence and you have systems that are connecting all of your physical locations around the globe, then a cyber incident may impact you around the globe without any sort of restraints as far as geographic regions. With traditional business interruption, organizations can mitigate their risk by spreading out their operations geographically to avoid a catastrophe, really hampering the entire organization. When it comes to a cyber loss, those types of geographic constraints no longer apply,” he said. For risk mitigation purposes, Mortifoglio stressed the importance of understanding that if a global organization is running systems used by the entire workforce, all operations around the globe can be impacted immediately. “It can make it more complex because you can’t just look at a single isolated location. You have to look at the interconnectivity of your systems to see if something were to happen to them, what would the operational impacts be on your organization? And that’s what’s going to help you evaluate the potential cyber business interruption,” he said. In short, there are no geographic constraints with cyber business interruption and therefore it is harder to mitigate.
5. REPUTATIONAL RISK
Finally, cyber BI carries with it a reputational risk that traditional property business interruption does not. When there is a traditional BI loss such as a fire at a factory, customers and the general public usually do not to have any sort of reaction. Most of the time, the general public is not even aware of the fire and here is no effect on the company’s reputation. However, if a company is hacked and customer records are stolen, Mortifoglio said this can result in a “breach of trust in the public’s eye” and the reputation of an organization can be significantly harmed, often resulting in extended financial losses. In the case of a data breach, even though the system has been repaired and the breach fixed quickly, customers may be hesitant to return to do business with the organization “until they have absolute confidence that it won’t happen again. It’s hard to determine how long that might go on.” However, the forensic specialist noted, cyber business interruption policies are building in coverage to help recover any losses tied to the transitional risks, in a way that is similar to the extended period of indemnity coverage in traditional property policies. “The thought is that once a cyber incident is repaired and a breach is fixed, there may be lingering impacts due to some reputational risk” and there should be coverage there to help capture those losses, Mortifoglio said.
“The notion of implied meaning is the root of misunderstanding.”
— Eric Parslow
PEO Compass brings insight to your PEO related business through real-time reporting, application of innovative technologies, and expert opinions on the industry’s most turbulent topics. Learn about the latest trends in healthcare, risk management, workers’ compensation, and many other topics that affect the PEO community. To register and start receiving breaking industry news, legislative updates, small business, risk management, safety, property casualty, and all things relevant to the industry of professional employment organizations (PEO) click on the link below to register for free.
Please enjoy this excellent article by Steven Kaye which was originally posted on the Carrier Management website. The original post can be found here.
Insurance use cases for multi-factor authentication (MFA) include distributor access, external user access (e.g., claims vendors, financial advisers), internal user access and policyholder access.
Legislation and regulators are increasingly mandating MFA to ensure greater security as well as to reduce identity theft and other forms of fraud. Examples include the New York State cybersecurity regulation and the NAIC Insurance Data Security Model Law. Insurers have traditionally balanced security against expense and inconvenience to their users, especially if their coverages are marketed to older demographics (e.g., final expense policies). Regulatory mandates combined with growing digital adoption and criminals turning their eyes to life and annuities account takeover means the calculus has changed.
Despite these regulatory mandates, 80 percent of insurers say that risk management, rather than regulatory compliance, is driving their adoption of MFA.
There is minimal variation between size and sector of company when it comes to deployment rates, with the exception of large life/annuity/benefits insurers, which are much more likely to use MFA for policyholders than is any other class of insurer. A low deployment rate of MFA for policyholders among smaller property/casualty insurers reflects the fact that few small P/C insurers offer direct policyholder access at all.
Midsize P/C insurers lag behind other sizes and sectors in deployment of MFA for both distributors and policyholders but are ahead of large life/annuity/benefits insurers in deployment for other external parties. Midsize P/C insurers are also ahead of midsize life/annuity/benefits insurers in deployment internally.
How MFA Helps
As many knowledge workers moved from the office to home during the pandemic, securing infrastructure became another key driver. Hybrid work models that blend office and home working environments are gaining traction, and the need for MFA becomes more crucial to validate that users are actually employees.
In addition to security needs, carriers are obtaining policyholder emails and cellphone numbers as part of the MFA process. These bits of data, which are often difficult to obtain, can provide insurers with the opportunity to digitally connect with customers in their preferred channel.
There is no mandated number of identification methods for MFA, but the consensus is to have two at a minimum. Insurers are starting to use multi-factor or its equivalent for any interaction where an external network is accessing information behind a firewall. Some are taking this a step further to include role-based authentication for internal access as well.
The best defense is a layered approach, combining multiple authentication methods with secure and documented business processes and other security solutions. Some insurers are offering security audit services to agents they work with, while others are working with their distribution executives to change distribution agreements to mandate MFA and other security measures.
Insurers should ensure that MFA processes are documented and that solutions generate auditable logs. Some wholesale brokers require attestations from insurers they work with.Some insurers are offering security audit services to agents they work with, while others are working with their distribution executives to change distribution agreements to mandate MFA and other security measures.
For consumer-facing use cases, depending on the age of policyholders, insurers may wish to opt for MFA methods that are more straightforward (e.g., less complex knowledge-based authentication, voice print). Final expense and Medicare supplement are two lines of business where voice signatures are well established. Many solutions support establishing different access policies based on risk assessment, such as requiring MFA for new devices, or conversely accepting password-free authentication for low-risk access requests.
Types of Authentication
MFA relies on several of the following authentication methods:
Physical objects (e.g., laptops, mobile devices, security tokens) in possession of users.
Knowledge-based authentication (e.g., answers to questions, passwords or PIN codes, randomly generated authentication codes from authenticator apps).
Location (e.g., GPS or IP address).
User characteristics (behavioral or biometrics-based).
Some authentication methods are more secure than others. For example, sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks. With many employees working from home, phishing and other identity theft methods are on the rise. Several solutions support adaptive authentication, with less risky access requests requiring fewer authentication methods than riskier ones, as determined by system-generated risk scoring and predefined security policies.20 percent of CIOs surveyed by Novarica said they are planning to require MFA for distributors and policyholders within six months, adding to 30 percent that already do so.
Novarica recently conducted a survey of insurer CIOs to understand their deployment of MFA, including business drivers, authentication methods and use cases. It is important to keep in mind that solution providers typically offer a range of authentication methods.
Only 30 percent of participants currently require MFA for distributors or policyholders, but another 20 percent are planning to require MFA within six months. Roughly 80 percent of participants require MFA for most or all internal systems users.
Deploying MFA
The most common authentication methods deployed are mobile authenticator apps, used by 80 percent of participants. More than half of participants use SMS. Email and security keys are used by roughly 40 percent and 33 percent of participants, respectively. Behavioral authentication, voice-based authentication, IP location and knowledge-based authentication are used by fewer than a third of insurers.
Note that only 16 percent of insurers report using just one method; overall, insurers said they use an average of 2.8 different authentication methods.Sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks.
The security threat landscape continues to grow in number and impact. Although many carriers are not currently considering MFA, regulatory scrutiny and enforcement of IT security will only increase. The ability of most solutions to offer different levels of authentication for different access use cases means there is less of a tradeoff between customer experience and security. Many solution providers offer MFA as part of a broader portfolio of identity and access management and IT security solutions.
Insurers should consider MFA approaches as part of a broader IT security strategy.
Steven Kaye is Vice President of Research at Novarica and lead editor of the firm’s Business and Technology Trends in Insurance series. He has managed a wide range of research projects since joining the firm in 2008. Previously, Kaye worked for Accenture as an insurance researcher focused on the U.S. life and property/casualty markets. He also served in both knowledge management and research roles at Gemini Consulting (now part of Capgemini) for several of the firm’s industry practices. Kaye holds MILS and BA degrees from the University of Michigan at Ann Arbor. Reach him directly at skaye@novarica.com.
With two carriers now offering master PEO cyber programs, the question here is PEO’s be able to sell these as part of their overall package?
A recent 2017 RIMS survey has shown that 83 percent of organizations have a standalone cyber insurance policy (up 3 percent from 2016) and only 14 percent are utilizing the cyber coverage offered in their other insurance policies.
One reason for this statistic could be that Risk Managers want specific endorsements and add-on coverages that apply directly to their industry or are a result of a problem they’ve faced in the past. This has been a crucial part of individual cyber policies over the past few years as the carriers try to keep up with the quickly evolving cyber space.
With the above in mind, it may be difficult for PEO’s to make this as part of their basic package as EPLI has become over the past decade.
I would like to note the PEO cyber program has one crucial endorsement, Social Engineering, that can be added on for an individual client company. This has to be individually underwritten for each client company adding another layer for the PEO sales rep to cross-sell.
