This is Why You Should Double Check Your Cyber Insurance Policy


Whether a business is in healthcare, accounting, legal, real estate, manufacturing or another field (government municipalities included), most of its important assets are digital. To complicate matters, these digital assets are very commonly stored across various systems and locations, intertwined with third parties' digital information. With so many opportunities for disaster, steps must be taken to insure this critical information.

Cyber insurance is a new frontier that is rapidly evolving as the industry gets its bearings. Many companies are finding that their current cyber policies offer very minimal coverage in the event of a breach, and the majority of these policies will not come close to providing the breach coverage a business or municipality actually needs.

When looking at your existing or new cyber policy, it’s important to consider these types of coverages:

As we have come to realize, the idea that security starts and ends with the purchase of a pre-packed firewall is simply misguided.

Art Wittman

1. Privacy Breach Notification

Some reports estimate that notification and credit monitoring costs alone exceed $100 per record, so if you had 1,000 compromised records, this alone could cost $100,000 or more.

2. Data Loss Restoration

Believe it or not, many large insurance carriers have policy exclusions for the replacement and restoration of data, so review this area of your policy very carefully.

3. Privacy Liability

This covers the theft or loss of private customer information and other third-party information that is in your care.

4. Regulatory and PCI Defense

Many industries are under strict regulatory control, and breaches may result in fines and other penalties from these regulatory agencies.

5. Public Relations

If an enterprise suffers a breach, the bad press it receives can do significant long-term reputational damage and can also be used by competitors to their advantage. This coverage helps pay for a public relations firm to mitigate the reputational damage your brand might incur.

6. Cyber Crime

If your organization faces cyber threats such as malicious code that result in financial loss or data loss, this coverage reimburses the costs associated with those threats.

7. Defense and Settlement Costs

A breach affecting a lot of customers may result in lawsuits and financial settlements, so insurance coverage is needed to offset these potentially enormous costs.

8. Consulting and Forensic Fees

If a breach does occur, the upfront investigative process requires considerable professional expertise and expense, and this coverage offsets those significant costs.

9. Business Continuity

If an attack causes your business to lose income, this coverage reimburses you for those losses.

It takes 20 years to build a brand or company reputation and a few minutes within a cyber incident to ruin it.

Stephane Nappo

For a free cyber insurance policy evaluation, contact Libertate Insurance today at 813-367-7574 or email me, James Buscarini at jbuscarini@libertateins.com.

Our professionals are happy to review and discuss your firm’s existing cyber liability insurance policy and how it relates to your unique business requirements, needs and cyber coverage. Our goal is to help your PEO and client companies navigate the cyber liability insurance landscape and identify potential vulnerabilities in your existing technology network and infrastructure. Finally, we want to make sure that in the event of a ransomware attack, business email compromise or phishing expedition, your firm has adequate coverage in each of the areas where you might be targeted.

CYBER RISKS & LIABILITIES – Penetration Testing Explained


Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it grows harder each year as cybercriminals expand their reach. It’s not enough to simply protect workplace technology with software and security protocols; it’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology has vulnerabilities and whether it can withstand an attack. Conducting a penetration test can help your organization review the effectiveness of its cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?

Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others. Penetration testing is often performed by a professional from a contracted IT firm who is not associated with the organization being assessed in any way. This helps the cyberattack simulation seem as authentic as possible. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. In most cases, the IT professional won’t even be permitted to enter the organization’s physical establishment during external penetration testing. Rather, they must execute the cyberattack remotely—often from a vehicle or building nearby—to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective. This form of testing can help the organization understand the amount of damage that a disgruntled employee could potentially inflict through a cyberattack.

In addition to these testing formats, there are also two distinct types of penetration tests. The type is determined by how much information the organization provides the IT professional prior to the cyberattack simulation. Specifically:

  • An open-box test occurs when the IT expert is given some details regarding the organization’s workplace technology or cybersecurity protocols before launching the attack.
  • A closed-box test occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.
Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its varying security strengths and weaknesses, as well as reveal the true costs of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are legally required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard calls for organizations that accept or process payment transactions to execute routine penetration tests. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
      ◦ What is my organization looking to gain or better understand from penetration testing?
      ◦ Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
      ◦ What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
      ◦ The general testing timeframe
      ◦ Who will be made aware of the test
      ◦ The test type and format
      ◦ Which regulatory requirements (if any) must be satisfied through the test
      ◦ The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.

If you are a Risk Manager or Principal of a PEO and want to learn how you could help protect your client companies’ interests through our affordable Master Cyber Liability program, email James Buscarini, FL License #A036520, at jbuscarini@libertateins.com to find out more. The Master Cyber program is written through Axis, an A-rated carrier, with 250K in coverage, no underwriting, and a revenue generator!

Annual Growth of Cyber Claims is Double Growth of Cyber Premiums

Time For Insurers to Reassess ‘Grim’ Cyber Insurance Market: AM Best

It is no secret that there has been an increase in both the number of cyber events and the average cost per event. This escalation seems to be fueled by the ever-increasing volume of ransomware attacks. Here are a few facts from the article below from our friends at Carrier Management, which cites AM Best as its source.

  • The year-over-year loss ratio went up 551%, from 44.8% to 67.8%. 15 of the top 20 cyber insurers saw deteriorating results (9 of the top 10).
  • Industry stalwarts CNA, AIG, XL and Travelers were hit especially hard on this line.
  • Defense and cost containment costs (the cost of containing claims, such as attorneys and forensic experts) are going to be substantial due to the nature and sophistication of claims; predicting these costs is uncertain because there is little historical data to support it.
  • The number of cyber claims is up 18%, strictly due to the surge in first-party ransomware. Ransomware claims were up 35% and now account for 75% of all cyber claims.

Needless to say, if you already buy this coverage, pay attention to the market, as it is shifting quickly. Critical focus should be given to ransomware limits, deductibles and responsiveness, due to the significant overall exposure this type of attack can bring.

___________________________

With the cyber risk hazard environment—ransomware, business interruption and aggregation—worsening significantly, “prospects for the U.S. cyber insurance market are grim,” according to a report from AM Best.

According to the global rating agency’s analysts, insurers “urgently need to reassess all aspects of their cyber risk, including their appetite, risk controls, modeling, stress testing and pricing, to remain a viable long-term partner dealing with cyber risk.”

The reassessment is needed because cyber insurance, which began as a diversifying, secondary line and another endorsement on policies, is now a “primary component of a corporation’s risk management and insurance purchasing decisions,” notes Best’s in its report, “Ransomware and Aggregation Issues Call for New Approaches to Cyber Risk.”

The loss ratio for cyber insurance rose dramatically in 2020, to 67.8 percent from 44.8 percent in 2019. However, the increase was not limited to just a few insurers—the loss ratio rose for 15 of the 20 largest cyber insurers, AM Best reports.

“The rate increases for cyber insurance outpaced that of the broader property/casualty industry, but the increase in cyber losses outstripped the rate hikes, which suggests more trouble for 2021 as ransom demands continue to grow,” said Sridhar Manyem, director, industry research and analytics.

Of special note, defense and cost containment (DCC) expenses are rising and “could become a significant issue because of potentially significant costs to defend claims as a result of either ambiguous coverage language or regulatory investigations that may involve defense costs,” the report adds.

According to the report, the challenges the cyber insurance market are facing include:

  • Rapid growth in exposure without adequate underwriting controls;
  • The growing sophistication of cyber criminals that have exploited malware and cyber vulnerabilities faster than companies that may have been late in protecting themselves; and
  • The far-reaching implications of the cascading effects of cyber risks and the lack of geographic or commercial boundaries.

See related article, “Federal Lawmakers Probe CNA, Cyber Insurance Payouts,” for a loss ratio ranking of the top 10 U.S. cyber insurers.

Direct written premiums for cyber insurance grew 22 percent in 2020, to $2.7 billion, which AM Best attributes to increases in both rates and demand for cyber insurance in the wake of well-known firms such as SolarWinds, Facebook and Capital One becoming victims. The average annual growth rate in premium has been 20 percent over the past four years, while the average growth in claims has been 39.2 percent.

“Rapid growth is viewed with a healthy skepticism, as it comes with underwriting and reserving risks,” the authors comment.

Standalone cyber insurance policies, up 28 percent in 2020, have seen a higher rate of growth compared with packaged policies, which, the report indicates, signals organizations’ escalating concerns about cyber risk. Frequency on standalone policies has also increased faster than for packaged policies over the last three years.

Hackers are becoming more sophisticated in their attacks and moving toward larger targets. The report also notes that hackers’ motives appear to be changing, from stealing identities (third-party claims) to shutting down systems for ransom (first-party claims).

Total claims rose 18 percent in 2020 owing strictly to first-party ransomware claims, which were up 35 percent in 2020 and now account for 75 percent of cyber claims.

“The recent Colonial Pipeline hack—for a multi-million dollar ransom—is an example of first-party claims that have become so prevalent,” said Christopher Graham, senior industry analyst, AM Best.

Although AM Best said it views the industry as being well-capitalized, it also warns that individual insurers that venture into cyber risk without a thorough understanding of the market can find themselves in a vulnerable situation.

Noting that the industry has not yet faced a systemic event that challenges the traditional underwriting categories of region, industry and size, the authors urge insurers to hire experts to help with mitigation and to take steps to improve their ability to quantify their exposure and define their risk appetites.

“An insurer whose risk management approach is deficient can find itself subject to accumulation risk beyond its tolerance and could face ratings pressure,” said Fred Eslami, associate director, AM Best.

Source: Ransomware and Aggregation Issues Call for New Approaches to Cyber Risk – AM Best