Ping Service
Feedback Forms

Cyber at Lloyds: Catching the cyber horse in motion

The following article was written by my good friend Tony Ellwood. Tony is senior executive, underwriting, at Lloyd’s Market Association and a thought leader. We are grateful to Tony for allowing us to republish his article, which first appeared in the July 16th edition of Insurance Day.

Rick

LondonThe question of whether a running horse has all four hooves in the air simultaneously was one that perplexed generations. No matter just how closely a horse was observed, the motion of its legs was simply too rapid for the human eye to register accurately. It was not until the advent of photography and an experiment by Eadweard Muybridge in 1878 that the question was answered. He developed a camera that was triggered by wires attached to a horse’s legs allowing him to shoot 24 photographs as the horse ran past, which proved beyond a shadow of doubt that a horse does indeed lose contact completely with the ground in mid-gait.

There are many parallels between Muybridge’s study of the running horse and a new survey the Lloyd’s Market Association (LMA) has launched to understand the full extent of cyber risk being underwritten in the Lloyd’s market. The similarity is the sheer pace with which cyber liability has grown from its beginnings in the mid-1990s to current global premiums in the order of £1.5bn, and still rising sharply. The speed of that growth, combined with the rate at which cyber has evolved as a product, make it a particularly tricky line to pin down. What’s more, the question that has been formulating in the LMA’s collective mind is how much cyber liability is being written at Lloyd’s within other classes of business such as marine or aviation. This survey is the first attempt to comprehensively map that business.

Read the rest of this entry »

Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

I first published this article in 2010. Surprisingly, its as relevant today – perhaps even more relevant – than it was four years ago.

Rick

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.

Read the rest of this entry »

Protecting Our Children from Internet Predators, Marketers and Information Aggregators: The Need for Aggressive Government Intervention

As everyone knows, the Internet has dramatically altered (read: simplified) the way we communicate, do business and satisfy our intellectual and social curiosities. Indeed, Internet-based sales topped the trillion dollar mark for the first time in 2012 and are projected to increase 18.3% to 1.298 trillion in 2013. I’d take that rate of growth any day, particularly in the current world economy.

Read the rest of this entry »

WARNING: HHS Now Combating HIPAA Violations With HITECH Weaponry

On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).


The HITECH Act and HIPAA Enforcement

HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The final rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”

Read the rest of this entry »

For Some Universities, Cyber Insurance Doesn’t Make The Grade

Data security breaches pose a serious threat to a corporation’s financial stability as well as to its credibility in the marketplace. Most notably, the 2007 TJX data security breach, where 45 million credit card and debit card numbers were stolen, cost the company over $4 billion. For many corporations, the solution is to purchase a cyber liability insurance policy, which provides insurance coverage in the event of such a breach.

The risk of data security breaches has also affected students of universities throughout the nation. In June of last year, Cornell University officials informed 45,000 members of the school’s community that their personal information, including their names and social security numbers, was stolen after a University-owned laptop was stolen. Due to such breaches, college officials nationwide have begun purchasing cyber liability insurance policies to offset the financial burdens of a data security breach.

Read the rest of this entry »

Cyber Liability Insurance for Universities: Incentivizing Best Practices as a Condition to Coverage (a.k.a “Reverse Underwriting”)

Computer hacking is a constantly evolving and growing threat. While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades.

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers have to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions. While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise.

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008) Read the rest of this entry »

Wake Up and Smell the Threats: Two Recent Examples of Why Municipalities Need Cyber Insurance

Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.

Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a mainframe, whether located on- or off-site? Come on. Its 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post No One is Immune. Even Government Entities Need Cyber/Tech Insurance?

Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.

Read the rest of this entry »

No One is Immune. Even Government Entities Need Cyber/Tech Insurance

cyberCyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.

Companies’ fears that their brands could be adversely impacted by reports of cyber breaches mean that we rarely hear about them when they happen. What we do hear about are the very widespread, high profile breaches at large companies where there has been a failure protect a customer’s personal information.

What we often fail to consider is that any entity, commercial or non-profit, public or private, can fall victim to a cyber breach. Certainly, commercial businesses would be expected to insure against such risks. But what about governmental entities? Here’s one example.

The state of Oregon is investigating whether two state agencies violated the Oregon Consumer Identity Theft Protection Act. Each year thousands of Oregonians become victims of identity theft. According to the Federal Trade Commission, Oregon is ranked 13th in the nation for this crime. In response, both Oregon businesses and government have clear direction and expectations under the Act to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer’s name in combination with a Social Security number, Oregon drivers license number or Oregon identification card, financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer’s financial account. Specific protections under the Act are detailed on the website of Oregon government’s Division of Finance and Corporate Securities (DFCS) , and include the following:

Read the rest of this entry »

Non-Profits Face Massachusetts’ Tough New Data Security Law on March 1, 2010

j0297033

The roads traveled by non-profit entities have never been easy ones to negotiate. Indeed, the time, expense and, dare I say, risk of doing good deeds and raising capital has been fraught with potholes and impediments from the get-go. Now, that road has become even more treacherous for non-profits and their cyber/tech insurers alike.

1. An Overview of Massachusetts’ New Data Security Law

Effective March 1, 2010, a new data security breach law will become effective in the Commonwealth of Massachusetts. Described by some as the toughest data security law in the U.S., the law and corresponding regulations applies to all entities, including non-profits, that employ or serve Massachusetts residents and which store, own or license “personal information” about a Massachusetts resident. Here is the Press Release from the Office of Consumer Affairs and Business Regulation. Here is the Final Version of The Regulations.

2. What is Meant by “Personal Information”?

The term “personal information is defined in the law to mean a Massachusetts resident’s first and last name, or first initial and last name, together with:

  1. The resident’s driver’s license number or state identification card;
  2. Bank/financial account or credit/debit account number; or
  3. Social Security number.

In other words, personal information will, generally speaking, include anything uniquely identifiable about a Massachusetts resident.

Read the rest of this entry »