Nationwide Reaches $5.5 Million Breach Settlement

Nationwide reaches $5.5M data breach settlement with 33 AGs

PCI360 Aug 11, 2017 | By B. Colby Hamilton

Nationwide Mutual Insurance Co. agreed to a $5.5 million settlement over a 2012 data breach that led to the theft of more than 1 million customers’ personal information, attorneys general for 33 states announced Wednesday.

The settlement came after the states claimed Nationwide and a subsidiary failed to apply a critical security patch to its network that could have protected it from the cyberattack. Attorneys general from Connecticut, Florida, New York, Pennsylvania, Texas and Washington, D.C., were among those involved with the settlement.

Data from consumers seeking quotes

Hackers were able to gain access to Social Security numbers, driver’s license numbers, credit scoring information and other personal data the company collected on consumers seeking quotes, according to New York Attorney General Eric Schneiderman’s office. Many of the victims were not ultimately insured by Nationwide.

As part of the settlement, the insurance company agreed to be more transparent about its data collection policy for those that don’t become customers, Schneiderman’s office said.

“This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t,” Schneiderman said in a statement, noting that nearly 3,000 New Yorkers were among the victims.

Agreed to improve internal security practices

As part of the agreement, Nationwide will improve its internal security practices, according to the AGs. The company also agreed to more regularly apply security updates, and to hire a technology officer responsible for monitoring application and software security.

Connecticut Attorney General George Jepsen noted state law “requires that anyone in possession of another person’s personal information safeguard that data.” Nearly 1,000 Connecticut residents were affected by the breach.

In the wake of the breach, Nationwide provided free credit monitoring and identity theft protection to those impacted, in addition to fraud expense coverage up to $1 million and access to credit reports, the AGs noted.

“Consumers in the district and across the nation entrust their personal information to retailers every day,” D.C. Attorney General Karl Racine said in a statement. “Data breaches open the door to identity theft, which can have real and devastating consequences for hard-working people, and we hope today’s settlement reminds retailers that they have a responsibility to do everything they can to protect consumers’ private information.”

‘Protecting consumer data is something that we take seriously’

In a statement, Nationwide spokesman Eric Hardgrove said the company was “pleased” with the settlement over the data breach caused by “a sophisticated, criminal attack” that the company “took immediate steps to successfully contain.” The settlement itself “does not include any allegations that we violated data security laws” as the insurance company does not believe any such laws were violated.

“The decision to enter into a settlement agreement reflects our desire to continue our strong cybersecurity program and to concentrate on our core business operations,” Hardgrove said. “Protecting consumer data is something that we take seriously. We believe a private/public partnership would be the best approach to combat cyberattacks on U.S. companies, and we are pleased Nationwide is at the forefront of this approach.”


Lloyd’s Puts Potential Cyber Attack Loss in Range of Hurricane Sandy

LONDON – A major cyberattack could cause as much as $53 billion in economic losses around the world, putting it in the same category as Hurricane Sandy, which hit the East Coast of the United States in 2012, Lloyd’s has warned in a report.

The report, “Counting the cost: Cyber exposure decoded,” was prepared by Lloyd’s and cyberrisk modeling firm Cyence. The document sketched two possible incidents: a $53 billion malicious hack of a cloud service provider; and a range of attacks, costing $28.7 billion, on computer systems around the world. Lloyd’s and Cyence pointed to the estimated economic losses of between $50 billion and $70 billion from Sandy.

The Lloyd’s-Cyence report said there is a cyberrisk insurance gap in the range of tens of billions of dollars, with the majority of potential losses not covered.

“This report gives a real sense of the scale of damage a cyberattack could cause the global economy,” Inga Beale, chief executive officer of Lloyd’s, said in a statement. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”

Lloyd’s has detailed the possible incidents, Beale said, in order to encourage insurers to consider both their cyber exposures and their limits in a “fast-growing, innovative insurance class.”

The economic loss from an attack on a cloud system, the report said, could range upwards from $4.6 billion. “Meanwhile, average insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss,” the report said.

A broad-based software incident, the report said, could produce economic losses from $9.7 billion, with the average insured losses ranging from $762 million to $2.1 billion.

The report put the uninsured gap surrounding a cloud-based incident at as high as $45 billion. This, Lloyd’s said, would mean just 17% of the economic losses would be insured.

“Cyber, as we all know, is one of the most challenging risks that insurers and businesses are facing in today’s world,” Jon Hancock, director of performance management at Lloyd’s, told a seminar at Lloyd’s on the launch of the report. “It is fast-evolving as changes in technology drive both attack and defense strategies. It’s also just naturally by its newness one of the least-understood risks.”

Hancock said Lloyd’s is committed to increasing its market share in cyber, which he likened to Lloyd’s three centuries of experience in natural catastrophes. He said cyber premiums are predicted to double in the next three years.

Hancock, who emphasized Lloyd’s determination to increase its understanding of cyberrisk and exposures, listed previous studies Lloyd’s has released in this area. “Ultimately we do want to help businesses build greater resilience into their models,” he said.

Lloyd’s reports, Hancock said, have considered such issues as the possible effects of an attack on the U.S. power grid; and how organizations can help mitigate the impact of cyberattacks.

“We’re publishing a lot of material on this, and we will continue to do so,” Hancock said.

Sean Kanuck, director of future conflict and cybersecurity for Cyence, said the report was “an important stepping stone in maturing the conversation about how to think about the costs and develop this marketplace with a full appreciation of strategic trends.”

Kanuck, who cited his background in cyber analysis for the U.S. intelligence community, said he tends to think of global information risk rather than security. Networks, he suggested, will be compromised, particularly as the means of breaching data defenses are converging.

In the intelligence and national security world, Kanuck said, “you don’t think about building things. You think about breaking them.”

Kanuck said a rapidly increasing rate of technological change will create concerns as well as opportunities for those organizations that can provide products to help manage and transfer that risk.

4 Trends Shaping Cyber Security This Year

While cyber threats continue to evolve, many organizations are falling behind due to a lack of resources and skilled employees. As cyber attacks continue to increase in frequency, a company’s cybersecurity action plan must be able to rein in and mitigate threats as they develop. ISACA’s third annual cybersecurity study finds that this issue is increasingly a business priority. The challenge? Resources and available skills are not keeping pace with a threat landscape that is rapidly escalating in complexity and volume.

The ISACA survey targets managers and practitioners who have cybersecurity job responsibilities. Respondents primarily came from North America (42%) and Europe (31%), and were employed in an enterprise with at least 1,500 employees (49%). Its “State of Cyber Security 2017” report compares the results of this year’s survey with previous results to determine recognizable trends that impact how cybersecurity is practiced, particularly where such trends point to an overall shift in the profession.


With this in mind, here are four trends shaping cybersecurity in 2017:


As cybersecurity budgets fall short, businesses are increasingly relying on third-party vendors.


No. 4: Growing areas of concern.

Organizations with a chief information security officer (CISO) in 2017 increased to 65% compared to 50% in 2016. Staffing challenges and budgetary distribution, however, reveal where organizations face exposure.

Finding qualified personnel to fill cybersecurity positions is an ongoing challenge. For example, one-third of study respondents note that their enterprises receive more than 10 applicants for an open position. More than half of those applicants, however, are unqualified. Even skilled applicants require time and training before their job performance is up to par with others who are already working on the company’s cybersecurity operation.

Half of the study respondents reported security budgets will increase in 2017, which is down from 65% of respondents who reported an increase in 2016. This, along with staffing challenges, has left many enterprises reliant on both automation and external resources to offset missing skills on the cybersecurity team. Another challenge: Relying on third-party vendors means there must be funds available to offset any personnel shortage. If the skills gap continues unabated and the funding for automation and external third-party support is reduced, businesses will struggle to fill their cybersecurity needs.



As cyberattacks increase in volume and sophistication, businesses are increasingly exposed, particularly as their budgets to fight such breaches are declining.


No. 3: More complicated cyber threats. 

Faced with declining budgets, businesses will have less funding available on a per-attack basis. Meanwhile, the number of attacks is growing, and they are becoming more sophisticated.

More than half (53%) of respondents noted an increase in the overall number of attacks compared with previous years. Only about half said their companies executed a cybersecurity incident response plan in 2016.


Here are some additional findings regarding the recent uptick in cyber breaches:

  • 10% of respondents reported experiencing a hijacking of corporate assets for botnet use;
  • 18% reported experiencing an advanced persistent threat (APT) attack; and
  • 14% reported stolen credentials.

Last year’s results for the three types of attacks were:

  • 15% for botnet use;
  • 25% for APT attacks; and
  • 15% involving stolen credentials.

Phishing (40%), malware (37%) and social engineering (29%) continue to top the charts in terms of the specific types of attacks, although their frequency decreased: attacks are up overall, but the number of attacks in these three categories is down.


Managing the Internet of Things (IoT) has risen as an area of business concern.


No. 2: Mobile takes a backseat to IoT.

Businesses are now more sophisticated in the mobile arena. The proof: Cyber breaches resulting from mobile devices are down. Only 13% of respondents cite lost mobile devices as an exploitation vector in 2016, compared to 34% in 2015. Encryption factors into the decrease; only 9% indicated that lost or stolen mobile devices were unencrypted.

IoT is an increasingly important element in governance, risk and cybersecurity activities. This is a challenging area for many, because traditional security efforts may not already cover the functions and devices feeding this digital trend. IoT continues to rise as an area of concern: three out of five (59%) of the 2016 respondents cite some level of concern relative to IoT, while an additional 30% are either “extremely concerned” or “very concerned” about this exposure.


Ransomware continues to be a favorite means of attack for criminals. Respondents believe this is likely because of the possibility for financial gain.


No. 1: Ransomware is the new normal.

The number of code attacks, including ransomware attacks, remains high: 62% of respondents reported their enterprises experienced a ransomware attack specifically. Half of the respondents believe financial gain is the biggest motivator for criminals, followed by disruption of service (45%) and theft of personally identifiable information (37%). Despite this trend, only 53% of respondents’ companies have a formal process in place to deal with ransomware attacks.

What does that look like?

Businesses can conduct “tabletop” exercises that stage a ransomware event or discuss in advance decisions about payment vs. non-payment. Payment may seem like the easiest solution, but law enforcement agencies warn it can have an encouraging effect on those criminals, as some cases lead to repeated attacks on the same business. Many cybersecurity specialists argue that the best way to fight a ransomware attack is to avoid one in the first place. Advance planning, which might include the implementation of a governing corporate policy or other operating parameters, can help to ensure that the best cybersecurity decisions are made when the time comes to battle a breach.

The Southeast’s Storm Surge Risk and Florida’s Hurricane Wake-Up Call



Amy O’Connor | July 11, 2017

The Southeast has seen its fair share of natural disasters and flooding in the last several years, including two hurricanes in Florida last year – the first hurricanes to hit the state in more than a decade. But none of these events have come close to reaching the potential impact a serious storm surge event could have on the region.

According to CoreLogic’s 2017 Storm Surge Report, which examines risk from hurricane-driven storm surge for homes along the Atlantic and Gulf coastlines across 19 states and the District of Columbia, as well as 86 metro areas, the total reconstruction cost value (RCV) in the event of a hurricane storm surge inundation in these regions would be more than $1.5 trillion.

The total number of homes that could be affected along the Gulf and Atlantic coasts, defined by CoreLogic as the 3,700 miles of coastline extending from Maine to Texas, is nearly 6.9 million. In the Gulf Coast region – running from Texas through the tip of South Florida – almost 3 million homes are at risk with a total RCV of $593 billion. The Atlantic Coast accounts for 3.9 million homes and an RCV of more than $970 billion.

To estimate the value of property exposure of single-family residences, CoreLogic uses its reconstruction cost valuation (RCV) methodology which estimates the cost to rebuild the home in the event of a total loss. The reconstruction cost estimates more accurately reflect the actual cost of damage or destruction of residential buildings that would occur from hurricane-driven storm surge since they include the cost of materials, equipment and labor needed to rebuild and also factor in geographical pricing differences. Actual land values are not included in the estimates. The values in this report are based on 100 percent, or total, destruction of the residential structure.

The Southeast coastal states CoreLogic examined in its report (Alabama, Florida, Georgia, Mississippi, South Carolina and North Carolina) account for at least 3.6 million of the 6.9 million homes at risk along the Gulf and Atlantic coasts.

Unsurprisingly, the majority of those homes – about 2.7 million – are in Florida, which carries a whopping $536 billion reconstruction cost value, the highest of any of the 19 states.

The Southeast also accounts for nine of CoreLogic’s top 15 metropolitan areas at greatest risk of storm surge, with six of those being Florida cities.

It’s common knowledge that Florida is at risk of hurricanes, but the state has gone many years without experiencing significant damage from a major storm. Dr. Tom Jeffery, senior hazard scientist at CoreLogic, said that can often lead to “hurricane amnesia” among citizens and municipalities, and that can affect whether they are adequately prepared when a big storm event does occur.

“This report is about making people aware of the fact that we are in hurricane season. We don’t know when or where they will happen, but they have the opportunity to affect the coastal U.S. and we want to put it on people’s radar,” Jeffery said. “A lot of these areas don’t realize what the risk is once you are outside the 100-year flood plain.”

He added that many people in these communities don’t realize what their storm surge risk is, outside of the 100-year flood plain.

“Large hurricanes especially can really push surge water quite a bit inland, but after big events people say they didn’t realize their property was at risk,” Jeffery said. “Hopefully, this information can give them the incentive to go to their insurer and find out if they are in a high-risk area and adequately prepare.”

CoreLogic included a probabilistic storm surge analysis focused on Florida in this year’s report, with specific emphasis on storm surge from Hurricane Matthew, which changed course before making landfall last year, sparing the state from the worst possible scenario. The goal of probabilistic modeling of hurricane perils, CoreLogic’s report said, is to provide risk managers with greater insight as to what could happen in order for them to better plan and manage their businesses.

“Probabilistic loss provides an evaluation of the specific amount of damage that could be expected from a single storm event or a set of simulated events, called probabilistic events, which are informed by historical storm records that are similar in size and scope,” the report states.

This analysis focused on the historical storms in Florida that have caused storm surge damage beginning in 1900, and how Hurricane Matthew compares. Of the 97 catastrophic hurricanes in Florida since 1900, Hurricane Matthew ranked No. 19 among historical storm surge events. CoreLogic said the storm surge damage from Matthew made up less than 10 percent of the total financial loss, with the rest being a result of wind damage.

Number one on the list was the “13th hurricane of 1944” (before hurricanes were given actual names), which caused $15 billion worth of damage on 471,000 homes in today’s terms. Hurricane Andrew, which hit in 1992, was ranked No. 4, and Wilma, which hit in 2005, was ranked No. 15.

Though Florida’s first hurricanes in 11 years were not as devastating as they could have been, the two storms that did occur – Hurricane Hermine, which hit in September of 2016, and Hurricane Matthew – caused more than $3.2 billion combined in damage to Florida.

Jeffery said the state got lucky last year. He added that awareness is key to minimizing loss in the future, and the modeling company has seen an increased interest in information and proactive mitigation discussions this year.

“Florida went a long stretch without an impactful landfall hurricane and last year was an eye opener, an awakening to get people to think about it since we don’t know when that next one is going to come ashore,” he said.


Personal Emergency Preparedness: Clients, Are You Really Ready?

Families need emergency preparedness plans as much, if not more, than businesses do. When there’s an emergency, we often run through a checklist in our heads of things we should have already taken care of. Do we have a will? What will happen to our children if we’re not around? Did we invest wisely?

The reality is that most people don’t prepare fully for emergencies. Although that checklist is a good place to start, a thorough personal preparedness plan is a good idea for all families and a must-have for high net worth (HNW) individuals with complex lifestyles.

For most insurance agents and brokers, the preparedness topic quickly translates to disaster preparedness. You know, that annual conversation you have with your client right before hurricane season starts on June 1. Or maybe it’s the conversation you have with your client prior to wildfire season or spring flooding. Whatever triggers a preparedness conversation, the fact is that most advisors are simply scratching the surface.

True personal preparedness means looking beyond the obvious and helping clients assess risks that would likely occur based on their family and lifestyle. From there, it’s crucial to systematically create a list of actionable steps to take when faced with an emergency.

Personal risk management starts with the right conversation.

Components of a personal preparedness plan

A comprehensive personal preparedness plan should cover the following at a minimum:

  • The emergencies most likely to happen
  • An action plan
  • A communication plan
  • Personal safety
  • Protection of property
  • Cyber safety

1. Identify emergencies most likely to happen

Every preparedness plan needs a firm base. The first crucial step to creating a preparedness plan for your client is to identify emergencies that are most likely to happen to them. It’s important to keep in mind that emergencies affect not only people but assets as well. Here are a few examples:

  • Fire.
  • Natural disasters, including weather-related and seasonal events such as hurricanes, wildfires, flooding, tornadoes, winter storms or landslides.
  • Infrastructure failures, for example, the California dam system failure.
  • Travel concerns, such as life safety, kidnap and ransom.
  • Terrorist threats.

2. Create an action plan

Once the list of potential emergencies has been created, it’s time to create an action plan. The plan should be specific to each emergency and should assign roles and responsibilities to all family members. Consider these questions:

  • Who will be responsible for the disaster kit?
  • Who will monitor the updates and news?
  • Who will be in charge of pets, manage all family documentation and medication?
  • Who will keep the family contact/communication plan up to date?
  • Who will be responsible for the protection of property?

3. Detail a communication plan

A communication plan is critical in ensuring that all family members are accounted for safely and have access to necessary resources. It should include names and contact information for all family members, meeting places if evacuation is necessary, knowledge of where schoolchildren will go, and even an emergency contact number outside of the local area that family members can call to check in.

Depending on the scope of the disaster, family members may have better luck getting through to out-of-town connections versus relying on local ones.

In creating the communication plan, you should ask, “If something happens during the workday, where are my family members likely to be, and how will we stay connected if we are not together?” This question should be considered for everyone in the family and should account for different schedules based on the time of day.

4. Think about personal safety

When we’re children, we learn about personal safety. We’re taught to avoid talking to strangers and to not walk home from school alone. We practice fire drills and evacuation plans at school, and at work as adults, and carry bits and pieces of this knowledge with us. But how often do we really think about these things in our personal and home lives? Not as often as we should.

These questions should foster conversation and raise awareness with your clients as they begin to proactively think about personal safety.

  • Are smoke and carbon monoxide detectors in working order and tested on a regular basis?
  • Are all household fire extinguishers in working order? Do family members know where they are and when and how to use them?
  • When family members travel, is there a commitment to share itineraries? Are safety protocols for the area understood and discussed in advance?
  • When traveling, do you know how to keep up to date on impending dangers that you may not be accustomed to, such as wildfires?
  • Do family members enroll in the State Department’s Smart Traveler Enrollment Program using the Smart Traveler App?

5. Protect property

At this point in the plan, you’ve already identified assets that can be impacted by emergencies. For each vulnerable asset, a plan must be put in place to safeguard and protect the property (real and personal), for example:

  • Who is responsible for getting storm shutters installed when you get a hurricane warning?
  • Who is responsible for coordinating the removal of valuable articles and property before the impending emergency?
  • If the property will stay on site, who will activate the shelter to protect and minimize damage?
  • Who is responsible for testing sump pumps and making sure sufficient battery backup or generator power is available in case of a power outage?

6. Manage cyber safety

As technology expands so do risk factors for high net worth clients. Traditional hackers have targeted personal computers, tablets and smartphones. New cyberattacks are targeting smart-home devices. These new vulnerabilities allow someone to monitor lifestyle patterns through connected thermostats, lighting systems, smart TVs and IoT [Internet of Things] security-based systems, all technology typically owned by high net worth individuals.

Each family should have a strong cyber safety plan that is understood and followed by all family members. The plan should account for the activities of all family members, all electronics and connected devices, and all networks the family uses to connect these devices. The plan should include an audit and assessment of risk exposures, including how to obtain professional guidance during a crisis.

Some great questions to ask your client to begin the conversation include the following:

  • Have you conducted a data privacy and security risk assessment of your home network and devices?
  • Do you use personal devices or accounts, such as email, to conduct business, including financial transactions?
  • Do you store sensitive data in your personal devices or accounts?
  • Do you have a response plan for what to do in the event of a privacy or security incident?
  • Are you aware of the information being shared on social media by family or friends and the risks that may arise?
  • Do you discuss cyber risks with family, business colleagues and your financial service provider?

Final thoughts

Raising awareness and helping your client create a personal preparedness plan is crucial to maintaining a personal risk management strategy. The plan should be detailed and specific, should cover all potential risks, and should be monitored, updated and tested regularly.

Most people don’t plan for emergencies and pay the consequences. For high net worth clients, those consequences can be costly. It’s important for any agent or broker working with a high net worth client to not only understand the risk but to help their client plan for those risks.



Cyber Insurance – Many Choices Now That There Is NO Choice


Every organization, of every size and operational orientation, needs cyber insurance to manage its exposures in this age of networked information.

That was one thing speakers agreed on at the recent 2017 Cyber Liability Symposium held by the Professional Liability Underwriting Society (PLUS).

No organization is off the radar for bad actors who relentlessly seek the weakest links for accessing valuable personal and financial information, threatening to shut down an operation, or seeking to do physical damage.

For example, said Robert Anderson, a managing director for Navigant, the health care sector is now under siege from “rampant” attacks by “ransomware,” malicious computer coding that essentially captures or disables an organization’s information assets until a ransom is paid.

“It’s not just payroll that’s affected,” he said. “You can’t do surgery. You can’t do dialysis. Every aspect of the institution is tied up.”

In a subsequent session, attorney Jennifer Coughlin, a partner in Mullin Coughlin LLC, commented, “Did we ever think hackers could take down an MRI? At one care facility, they took down the patients’ tracking anklets. For some time, they couldn’t find two patients. That’s a big deal.”

As cyber attacks and data breaches become more common, organizations “victimized” by an attack will find themselves under potentially harsh scrutiny for their level of security and preparedness. “If you suffer a major breach, it’s an investors’ event, it’s a board event,” said Brad Gow, global cyber product leader for Endurance.

Cyber vulnerabilities will almost certainly increase exponentially as the Internet of Things (IoT) expands. There are now more equipment sensors and related devices connected to the Internet than cell phones, and Zurich estimates there will be more than six connected devices per person worldwide by 2020.

As a reflection of the spread of “smart” technology, symposium keynote speaker Peiter Zatko noted that a current fighter jet has 3,500 components that are directly or indirectly connected to the Internet. Zatko, known by the nickname “Mudge,” is a renowned hacker who has worked for the federal government and now serves as director of the Cyber Independent Testing Lab (CITL).

Adding to the pressure on organizations is the increased attention federal and state regulators are devoting to cyber security.

Symposium attendees heard several references to “OCR” and “NIST,” the federal Office for Civil Rights and the National Institute of Standards and Technology, respectively. OCR, a branch of the Department of Health and Human Services, is entrusted with promoting NIST standards with regard to the security of individuals’ health information.

Speakers expressed hope that the Trump Administration would relax OCR activity in this regard, but there was no indication of that yet.

“I’ve seen OCR step up its involvement [in recent years],” said Jennifer Coughlin. “The states are also more comfortable starting [cyber-security investigative] proceedings the past few years.”

“We were hoping for [the OCR] to step back [since President Trump’s inauguration], but unfortunately that’s not happening,” added Kimberly Horn, global focus group leader for Beazley breach response and information security claims.

As regulators consider whether to require organizations to obtain cyber insurance, a growing number of companies are requiring their business partners to do so. These requirements raise a fundamental question, according to Angela Gleason, senior counsel for the American Insurance Association: “What constitutes cyber insurance?” she asked. “Would standard data breach coverage suffice, or is something more needed?”

As organizations increasingly recognize the imperative of purchasing cyber insurance, they are still confronted with a complex variety of policy forms and coverages, and a daunting application process.

Cyber insurance is available from about 70 carriers, most of them with very different coverage features, according to Stephanie Snyder, national cyber sales leader for Aon. “When you look at coverage offers and review the triggers, definitions, and exclusions, it really runs the gamut.”

Moreover, she added, cyber risk changes from month to month, as do an organization’s exposures for digital assets, and the methods and systems for securing those assets. Given all this complexity, Snyder said even organizations that have purchased cyber insurance “may not have the appropriate coverages” when claims come in.

For example, she noted, retailers need coverage for breaches or violations of Payment Card Industry Data Security Standards, better known as “PCI DSS.” The presence or absence of a single coverage like that can be overlooked, however, when applicants are considering comprehensive packages.

Things are starting to improve for cyber insurance buyers, however. For one thing, “we’re starting to see policies come together,” i.e., become more standardized, according to Snyder.

Also, insurers recognize they can no longer compete effectively using applications with a “list of 100 questions,” said David Gilmore, director of business development for Symantec. Yet, he added, “there’s no three-question magic bullet either.”

Sales of cyber-insurance are bolstered by a slowly changing attitude toward the coverage among IT professionals.

Whereas IT professionals once considered cyber-insurance as unnecessary, or implicitly critical of their work, Snyder noted that “there’s been a change in IT professionals’ perception of cyber-insurance. They now understand how cyber-insurance is a backstop that protects them.”

“Cyber insurance is a part of cyber security,” added Gilmore from Symantec, an important acknowledgement from a leader in cyber-security.

The purchase of cyber-insurance coupled with risk control and event response services is becoming a routine part of cyber-security planning, according to Kevin Kirst, director within the forensic technology practice of PricewaterhouseCoopers.

Given resource constraints, Kirst said that even highly sophisticated IT operations must choose between mission-critical cyber risks they must manage themselves and risks they can transfer. For some organizations, protection of customers’ personally identifiable information will be a top priority for maintaining customer confidence and avoiding regulatory sanctions. For others, avoiding disruption of operations will be the top priority.

Adding to the complexity of the process is the daunting array of cyber-security programs available from IT vendors.

There are more than 600 products on the market for protecting digital assets, said Shaun Brady, executive director of the Center for Model Based Regulation. Some large organizations utilize and manage more than 100 of them.

Acquiring cyber-security software is no guarantee that one will be protected from breaches, however. Zatko’s Cyber Independent Testing Lab rigorously examines networked applications for security vulnerabilities, and has concluded that “about a third of the vulnerabilities are vulnerabilities of security software we have installed to protect our systems.”

For all organizations, therefore, the most important factors in loss control continue to be well-established and well-communicated employee data management practices, reinforced by staff training and stringent individual accountability for lapses.

“Some of our clients push down accountability to the business units,” said Kirst of PricewaterhouseCoopers. “The business unit manager should be responsible.”

Cyber-insurance may do little good for an organization, however, if the organization does not immediately recognize an attack or breach and notify the insurer. On this score, some IT departments are still slow to act, believing they can handle the problem themselves, or that reporting an incident will be seen as acknowledging an error on their part.

“There’s a real disconnect sometimes between frontline IT and the risk manager,” said Kim Horn of Beazley.

Horn shared an anecdote of a client that had contracted for credit monitoring service and engaged a forensics firm and several lawyers before notifying the cyber carrier of a breach. It turns out that the cost of most of those services fell unreimbursed to the client, as those services were not covered under the policy.

“It could have been so much better if they had come to us first,” she said. “If you work with your carrier, your whole response might be covered. At least you will be acting with an informed view when you respond.”

Horn’s observations were echoed by Brad Vatrt, assistant vice president for cyber, media, and technology for AIG. It’s common, he said, for an IT department to “sit on” a breach report, and then try to address it, before reporting it to upper management. “Now we’re not dealing with a claim a few hours old but a few days old,” he said. “[Response] work may have already begun, some of it not covered.”

“The sooner you call the carrier, the better,” said attorney Coughlin in her remarks. “The longer you wait, you’re losing evidence, perhaps over-notifying people, and perhaps giving the wrong notice information.”

While an incident must be reported immediately, the response should not start, if possible, until the principal actors understand the nature and extent of their cyber coverage.

“You need to understand how those coverages [in a cyber policy] relate to each other,” Vatrt said. “You have multiple retentions and multiple waiting periods. Know the costs [of notice and remediation] but also know how those costs are allocated under the policy.”

By now, no one should feel embarrassed at being the target of a cyber attack, even a successful one, as long as their response is prompt and effective.

“Attacks keep happening, and we can’t stop them completely,” said Matt Shabat, director of performance management for the U.S. Dept. of Homeland Security. The key question, he said, is “what do I do when that breach occurs?”

By Joseph S. Harrington, CPCU, ARP | April 12, 2017



Cyber Insurance ~ Understanding the Pitfalls

As more and more companies enter the burgeoning cyber insurance marketplace, they often ask policyholder counsel like me how they can choose the best cyber policy when confronted with so many choices.

When the marketplace was still in its infancy just a few years ago, this was a considerably harder question because the policy forms, including the scope of first party and liability coverages being offered by different insurers, varied so drastically. But as the cyber insurance marketplace enters its adolescent stages, there is beginning to be more standardization in available coverages and exclusions, at least at a high level.

But what has not changed is that many key terms of these policies remain negotiable (considerably more so than for other types of insurance policies), and the courts have been presented with few opportunities to provide guidance on how key provisions in these policies are likely to be interpreted.

The net result is that prospective policyholders can and should continue to negotiate aggressively in the underwriting process, especially when purchasing cyber coverage for the first time. But what provisions should a prospective policyholder be most concerned about? The answer depends largely on the most prevalent risks faced by individual companies, which are unique to them.

However, there are some provisions common to many cyber policies that, in my view, present risk to all policyholders due to imprecise or inappropriately restrictive coverage language. Because these provisions are almost certain to be the basis of numerous denials of coverage, they are likely to be tested in litigation in the next few years and deserve particular focus by prospective policyholders. Some of these looming battleground provisions include:

Retrospective dates

Most cyber policies are subject to a specified retrospective date, which means that liability claims, such as data breaches, arising from events occurring prior to that date are not covered. Often, the insurer will set the retrospective date at the inception date of the first policy the insurer issues to a particular insured. This can be a significant problem, especially for first-time insureds, due to the close temporal proximity between the retroactive date and any potential claims.

To make matters worse, many cyber policies contain language purporting to relate all causative events back in time to the date of the initial causative event. In many cases, this problem will begin to alleviate itself over time if the policyholder renews its cyber policy with the same insurer (i.e., the retroactive date will remain fixed at the initial inception date as successive policies are issued). That said, I still see more cyber claims denied on this ground than any other.

Some cyber insurers will agree to backdate applicable retroactive dates for prospective policyholders and some will not. Particularly with respect to the latter, significant factual disputes regarding the specific events precipitating an otherwise covered claim are entirely foreseeable. The complex technical aspects of data networks and the inherent uncertainties regarding the genesis of many breaches are likely to exacerbate these disputes even further.

Unauthorized access to computer systems

Many cyber policies provide coverage only where access to the insured’s computer system is “unauthorized.” Some insurers will argue that this precludes coverage where an employee negligently provides access (such as losing his or her password) or is tricked into providing access (such as in a spear phishing attack).

Some insurers have sought to clarify the scope of “unauthorized access” by defining that term in their policies, but others have not. Like many cyber policy provisions, the scope of this definition may be negotiable, and any ambiguities should be resolved in favor of the policyholder under general principles of insurance policy interpretation. But given the ever-increasing frequency of cyber fraud and the ever-increasing ingenuity of cyber fraudsters, the extent to which there is coverage under cyber policies for unintentional but arguably authorized access to computer systems is likely to be disputed vigorously.

War and terrorism exclusions

Many cyber policies exclude loss arising from acts of war and terrorism, and define those terms broadly. Because these exclusions are carryovers from older types of liability policies, they often are overlooked as mere boilerplate for companies whose operations are largely domestic. But the danger of these exclusions in the cyber context, if not worded appropriately, is that they potentially preclude coverage for cyber attacks initiated by individuals or entities in foreign countries, where many of the most serious attacks originate.

I have seen a number of these exclusions in which the insurer could make a reasonable argument that a state-sponsored attack by a foreign government (e.g., the North Korean attack on Sony), or even loosely affiliated groups or individuals with a particular political or social agenda, fall within the scope of the exclusion. Because cyber attacks by foreign entities are now so ubiquitous, this should be a serious concern for policyholders, not just an academic discussion.

Some insurers are now willing to negotiate a more appropriate scope of these exclusions (e.g., carving “cyberterrorism” out of the exclusion). But for insurers that refuse to negotiate this language, the extent to which attacks originating abroad constitute acts of war or terrorism is likely to be a hotly disputed issue.

Exclusions for generalized acts or omissions

Some cyber policies exclude coverage where the insured fails to follow “minimum required security practices,” employ “best security practices,” or comply with its own security policy. In my view, these exclusions are inappropriately overbroad and lend themselves to subjective application.

Even though these exclusions are becoming far less common in cyber policies (probably due to marketplace pressures to remove them), they still persist in some cyber policy forms. In fact, one of the few coverage lawsuits filed to date involving coverage under a cyber policy was focused on precisely this issue (although it was dismissed on other grounds). As long as these exclusions persist, their inherent ambiguity and uncertain application are likely to make them the subject of considerable dispute.

~Tow Truck Market Gets Hit Hard as Carriers Exit~


Our friends at the Insurance Journal shared this article with us. It is a little long but worth the read to gain a better understanding of what is going on in this specialized industry.


Tow truck drivers operate in a dangerous world. Every day they face angry drivers while repossessing vehicles, dangerous driving and road conditions, near misses while operating heavy equipment, and close calls on U.S. freeways while hitching up wrecked vehicles.

These are just a few of the reasons why the tow truck market is in a state of emergency, says one broker specializing in this class. Another reason: a crumbling insurance market with fewer and fewer carriers willing to write the business.

Chip Thompson, president and CEO of American Transportation Insurance Group (ATIG), has never seen the insurance market for tow trucks this bad since opening the doors of his specialty agency in 2001.

“I’ve never seen anything like what I’ve seen happen in the last six months,” said Thompson, whose book of towing and repossession business nears $20 million in premium. He’s been specializing in the higher risk transportation market, particularly in the garage, towing, trucking and repossession markets, on a nationwide basis since 2001.

“Right now, we are working three times as hard just to keep the risks that we have on the books.” The P/C industry’s competitive environment is not the problem, Thompson adds. The insurance market is so difficult for tow trucks some are forced to close shop. “We are losing one out of every four customers and we are not losing them to other agents. They are shutting down,” he said.

Mike House, vice president, producer, broker for USG Insurance Services Inc. in Canonsburg, Pa., agrees.

“Towing is a very difficult market right now,” House said. “None of my markets will write a towing operation and schedule a tow truck for auto liability or physical damage.” House said his markets will write the garage liability but won’t touch the scheduled auto for the tow truck. “It is a very difficult market and I’m hearing a lot of companies are pulling out.”

The tow truck insurance market has been hit with myriad factors leading to its current state of disrepair, according to Thompson. From reinsurance drying up to the commercial auto market exploding, combined with the ever-increasing costs of litigation and health care, tow truck firms are facing heavy obstacles and it’s only just begun.

Most of the U.S. commercial auto insurance market has had a tough time in recent years and tow truck operators are no exception.

The commercial auto market as a whole has posted underwriting losses for five consecutive years and has evolved into the most chronically underperforming product segment for U.S. property/casualty insurers, according to Fitch Ratings.

“It’s the perfect storm for garage and commercial auto in the last six months and I don’t see it letting up anytime soon,” Thompson said.

Shock Wave

The biggest shock wave hit the industry in September 2016 when Progressive pulled the plug on the towing sector nationwide, Thompson said.

“That was the bellwether for everything else that followed after that,” he said. “In the last 18 months, we’ve lost eight to nine carriers in this space and it’s a small field anyway.”

Some carriers made a profit and exited, some carriers lost money and exited, and some decided they didn’t want to write the class of business anymore, Thompson said. “It’s gone all ends of the spectrum.”

Progressive’s exit shut down any hope of new carriers coming into the space as well. “When Progressive shut it down that shut everybody else down,” Thompson said.

“It seemed as if the carriers that were entertaining coming into the market thought, ‘If Progressive is going the other way why are we going toward it?’ Progressive is very technologically savvy,” Thompson said. “They understand the rates per the ZIP code per the risk per the street. They are pretty good at what they do and if they can’t make money on towing who can?”

Progressive hasn’t gone so far as to leave current policyholders empty-handed, but will not be taking on new accounts.

“We’re not currently taking on new towing business, however, we continue to insure our existing customers,” Brett Stalnaker, Progressive’s commercial auto product manager told Insurance Journal.

Stalnaker says the insurer will return to the towing segment in the future. “In order to be more accurately priced, we’re making some small changes to our program, including introducing new segmentation and fully expect to continue insuring new tow truck business at some point in the near future,” he said.

The current state of the market for tow trucks hit very hard and very fast, Thompson said. “Normally I would think there would be 20 percent or 30 percent increases (in difficult times) but we are seeing 100 percent to 150 percent increases on accounts with no claims,” he said. “Anyone in the commercial auto space right now, if they haven’t gotten hit, they are going to be hit with a sledge hammer in the first two quarters of this year.”

Cost Drivers

Continuing challenges in commercial auto liability range from distracted driving to increased miles driven and vehicles on the road to higher vehicle repair costs and rising severity in liability claims. Tow trucks are no exception.

“Commercial auto in general is not going to catch a break for the next several years,” Thompson said. Most everything that’s commercial auto from trucking to dump trucks to garage risks is difficult. “Any place now where there is a human being touching an auto is warfare.”

For tow trucks, it’s rear-end collisions that are “bringing insurance companies to their knees,” Thompson said.

“Drivers are going too fast and are distracted,” Thompson said. “When you are driving a heavy commercial vehicle, like a tow truck, and you hit a car with three or four people in it, all of those people have neck and back injuries, you total their car, you will have $30,000 worth of damage to your tow truck, and it’s just a rear-end collision, which theoretically is preventable.”

Right now, Thompson and ATIG are doing damage control and just trying to keep their current clients insured. “We are working three times as hard to keep the risks that we have but there’s a lot of angry people right now. We are catching it from all sides.”

MGAs, other brokers, and the few insurers left in the space are swamped. “We are trying to hold our clients’ hands through this and explain what’s going on.”

Thompson has even had to turn away new business. “People are calling up panicked, they are in tears because they are going to lose their business. They expire in two days and their premium tripled but you can’t help them,” he said. “I’m at the mercy of the MGAs/brokers/insurers and they only have so much manpower. Everyone is on edge.”

Managing Risk

The only thing towing companies can do is to manage their risk, Thompson said.

“I’ve got guys that are now putting cameras inside the trucks both facing outward and inward and if they catch their drivers eating or talking on the phone or texting, there is zero tolerance. They are fired,” he said.

He doesn’t expect the insurance market for towing to bounce back anytime soon either. “It will be a long time before insurers react to improved risk management in firms.”

For now, focus on driver training, he said. “I can’t specify that enough. And settle more claims out of pocket if you can legally. And if you have insurance right now, and it’s semi affordable, then protect it with your life.”

(by Andrea Wells, via Insurance Journal)

~Orlando Passes New Drone Ordinance Effective Immediately!~

We borrowed this article from the Orlando Weekly. It is only a matter of time before other cities and jurisdictions follow suit.

“It’s now a little harder to shoot one of those slick drone videos over Lake Eola.

The City Beautiful has passed a new drone law that requires permits for drone users, fines for violators and jail time for those operating the flying machines under the influence.

According to the new ordinance passed by city officials on Monday, drone use is now restricted within 500 feet of city-owned parks, schools and venues, such as the Amway Center, Camping World Stadium and Harry P. Leu Gardens. Drones are also restricted within 500 feet of gatherings with more than 1,000 people.

A permit is required to fly a drone in these areas, which costs $20 per flight or $150 annually.

Those caught in violation of the ordinance will have to pay fines between $200 and $400.

Anyone who operates a drone under the influence of alcohol or drugs also runs the risk of arrest or jail time, on top of the fines for violating the ordinance.

Opponents of the ordinance say that the federal government already has drone regulations and that this will discourage the sale and recreational use of the machines.

City officials say that they want to encourage drone use in the city, but also make sure that popular public places are kept safe for citizens and tourists.”

If you have a drone and need insurance coverage we have options for you. Give our office a call and speak with Rick Roman today.

~Breach Claims on the RISE!~

The threats are all around in the Cyber world. We can help you with that!

Image caption: Ransomware was less popular than breaches involving stolen credentials or the theft of cash

Insurance claims for data breaches are being made at a rate of more than one a day, figures from CFC Underwriting suggest.

The firm said that in 2016 it had handled more than 400 claims on cyber-breach policies it had issued.

The main types of attack being claimed for were privacy breaches and the theft of cash, it said.

The massive amount of stolen data shared online was driving many attacks, said the firm.

No recovery

Claims on CFC policies were up 78% on 2015, said Graeme Newman, chief innovation officer at the underwriter.

“About 90% of our claims by volume are from businesses with less than £50m in revenue,” he said, adding that a “disproportionate” number of claims were being made by British firms.

“This is largely down to the fact that on the whole, UK businesses have a lower level of security maturity than their US counterparts,” he said.

Ransomware, in which data is encrypted unless victims pay cash to a hacker to unscramble it, was behind 16% of the claims filed with CFC, putting it third behind data breaches and theft, he added.

Mr Newman also pointed out that data from the major breaches seen in 2016, in which huge numbers of login details were stolen and shared, was starting to be used much more frequently.

These “phantom breaches” and account takeovers were proving tempting for criminal hackers, said Mr Newman.

“They are going after the low-hanging fruit,” he said.

Cyber-breach claim categories (source: CFC Underwriting)

  Category                 Share of claims
  Privacy breach           31%
  Financial loss           22%
  Ransomware               16%
  Malware/viruses           7%
  Website attacks           5%
  Unauthorised access       5%
  Business interruptions    4%
  Other                    10%

Cyber-insurance was becoming necessary to help firms cope with the volume of attacks they faced every day, he said.

“It’s now become more of an incident response service that pays all the costs associated with that,” he said. “You ring up the insurer and they get people in to help.”

Many insurance firms now had security, data forensics, incident response and PR firms on call to help respond when a claim is filed, he said.

Some also employed experts who had experience negotiating with kidnappers and can advise about the best way to deal with ransom and extortion demands.

The insurance policies were proving popular, said Paul Delbridge, a partner at professional services network PWC, who has studied the market, because the costs associated with investigating and fixing a breach were potentially so high.

“It can be incredibly expensive to work out what was stolen and remediate,” he said.

In the UK, most policies were for a few million pounds, said Mr Delbridge, and the highest cover that firms can buy is for £25m. In the US, the highest policies cover about $100m (£80m).

The cyber-breach policies were particularly attractive to smaller firms which cannot afford to staff and run a large internal security unit, he added.

“Not investing in your cyber-defences is very risky because if there’s a material breach it becomes a very public event and often the PR fallout is such that the business never really recovers,” he said.