Posts made in July 2017

Lloyd’s Puts Potential Cyber Attack Loss in Range of Hurricane Sandy

LONDON – A major cyberattack could cause as much as $53 billion in economic losses around the world, putting it in the same category as Hurricane Sandy, which hit the East Coast of the United States in 2012, Lloyd’s has warned in a report.

The report, “Counting the cost: Cyber exposure decoded,” was prepared by Lloyd’s and cyberrisk modeling firm Cyence. The document sketched two possible incidents: a $53 billion malicious hack of a cloud service provider; and a range of attacks, costing $28.7 billion, on computer systems around the world. Lloyd’s and Cyence pointed to the estimated economic losses of between $50 billion and $70 billion from Sandy.

The Lloyd’s-Cyence report said there is a cyberrisk insurance gap in the range of tens of billions of dollars, with the majority of potential losses not covered.

“This report gives a real sense of the scale of damage a cyberattack could cause the global economy,” Inga Beale, chief executive officer of Lloyd’s, said in a statement. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”

Lloyd’s has detailed the possible incidents, Beale said, in order to encourage insurers to consider both their cyber exposures and their limits in a “fast-growing, innovative insurance class.”

The economic loss from an attack on a cloud system, the report said, could range upwards from $4.6 billion. “Meanwhile, average insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss,” the report said.

A broad-based software incident, the report said, could produce economic losses from $9.7 billion, with the average insured losses ranging from $762 million to $2.1 billion.

The report put the uninsured gap surrounding a cloud-based incident at as high as $45 billion. This, Lloyd’s said, would mean just 17% of the economic losses would be insured.

“Cyber, as we all know, is one of the most challenging risks that insurers and businesses are facing in today’s world,” Jon Hancock, director of performance management at Lloyd’s, told a seminar at Lloyd’s on the launch of the report. “It is fast-evolving as changes in technology drive both attack and defense strategies. It’s also just naturally by its newness one of the least-understood risks.”

Hancock said Lloyd’s is committed to increasing its market share in cyber, which he likened to Lloyd’s three centuries of experience in natural catastrophes. He said cyber premiums are predicted to double in the next three years.

Hancock, who emphasized Lloyd’s determination to increase its understanding of cyberrisk and exposures, listed previous studies Lloyd’s has released in this area. “Ultimately we do want to help businesses build greater resilience into their models,” he said.

Lloyd’s reports, Hancock said, have considered such issues as the possible effects of an attack on the U.S. power grid; and how organizations can help mitigate the impact of cyberattacks.

“We’re publishing a lot of material on this, and we will continue to do so,” Hancock said.

Sean Kanuck, director of future conflict and cybersecurity for Cyence, said the report was “an important stepping stone in maturing the conversation about how to think about the costs and develop this marketplace with a full appreciation of strategic trends.”

Kanuck, who cited his background in cyber analysis for the U.S. intelligence community, said he tends to think of global information risk rather than security. Networks, he suggested, will be compromised, particularly as the means of breaching data defenses are converging.

In the intelligence and national security world, Kanuck said, “you don’t think about building things. You think about breaking them.”

Kanuck said a rapidly increasing rate of technological change will create concerns as well as opportunities for those organizations that can provide products to help manage and transfer that risk.

4 Trends Shaping Cyber Security This Year

While cyber threats continue to evolve, many organizations are falling behind due to a lack of resources and skilled employees. As cyber attacks continue to increase in frequency, a company’s cybersecurity action plan must be able to rein in and mitigate threats as they develop. ISACA’s third annual cybersecurity study finds that this issue is increasingly a business priority. The challenge? Resources and available skills are not keeping pace with a threat landscape that is rapidly escalating in complexity and volume. The ISACA survey targets managers and practitioners who have cybersecurity job responsibilities. Respondents primarily came from North America (42%) and Europe (31%), and were employed in an enterprise with at least 1,500 employees (49%). Its “State of Cyber Security 2017” report compares the results of this year’s survey with previous results to determine recognizable trends that impact how cybersecurity is practiced, particularly where such trends point to an overall shift in the profession.


With this in mind, here are four trends shaping cybersecurity in 2017:


As cybersecurity budgets fall short, businesses are increasingly relying on third-party vendors. (Photo: Shutterstock)


No. 4: Growing areas of concern.

Organizations with a chief information security officer (CISO) in 2017 increased to 65% compared to 50% in 2016. Staffing challenges and budgetary distribution, however, reveal where organizations face exposure. Finding qualified personnel to fill cybersecurity positions is an ongoing challenge. For example, one-third of study respondents note that their enterprises receive more than 10 applicants for an open position. More than half of those applicants, however, are unqualified. Even skilled applicants require time and training before their job performance is up to par with others who are already working on the company’s cybersecurity operation. Half of the study respondents reported security budgets will increase in 2017, which is down from 65% of respondents who reported an increase in 2016. This, along with staffing challenges, has many enterprises reliant on both automation and external resources to offset missing skills on the cybersecurity team. Another challenge: Relying on third-party vendors means there must be funds available to offset any personnel shortage. If the skills gap continues unabated and the funding for automation and external third-party support is reduced, businesses will struggle to fill their cybersecurity needs.



As cyberattacks increase in volume and sophistication, businesses are increasingly exposed, particularly as their budgets to fight such breaches are declining. (Photo: Shutterstock) 


No. 3: More complicated cyber threats. 

Faced with declining budgets, businesses will have less funding available on a per-attack basis. Meanwhile, the number of attacks is growing, and they are becoming more sophisticated.

More than half (53%) of respondents noted an increase in the overall number of attacks compared to previous years. Only half (roughly 50%) said their companies executed a cybersecurity incident response plan in 2016.


Here are some additional findings regarding the recent uptick in cyber breaches:

  • 10% of respondents reported experiencing a hijacking of corporate assets for botnet use;
  • 18% reported experiencing an advanced persistent threat (APT) attack; and
  • 14% reported stolen credentials.

Last year’s results for the three types of attacks were:

  • 15% for botnet use;
  • 25% for APT attacks; and
  • 15% involving stolen credentials.

Phishing (40%), malware (37%) and social engineering (29%) continue to top the charts in terms of the specific types of attacks, although their overall frequency of occurrence decreased: Although attacks are up overall, the number of attacks in these three categories is down.


Managing the Internet of Things (IoT) has risen as an area of business concern.


No. 2: Mobile takes a backseat to IoT.

IoT continues to rise as an area of concern. Three out of five (59%) of the 2016 respondents cite some level of concern relative to IoT, while an additional 30% are either “extremely concerned” or “very concerned” about this exposure.

Businesses are now more sophisticated in the mobile arena. The proof: Cyber breaches resulting from mobile devices are down. Only 13% of respondents cite lost mobile devices as an exploitation vector in 2016, compared to 34% in 2015. Encryption factors into the decrease; only 9% indicated that lost or stolen mobile devices were unencrypted.

IoT is an increasingly important element in governance, risk and cybersecurity activities. This is a challenging area for many, because traditional security efforts may not already cover the functions and devices feeding this digital trend.


Ransomware continues to be a favorite means of attack for criminals. Respondents believe this is likely because of the possibility for financial gain. (Photo: Shutterstock)


No. 1: Ransomware is the new normal.

The number of code attacks, including ransomware attacks, remains high: 62% of respondents reported their enterprises experienced a ransomware attack specifically.

Half of the respondents believe financial gain is the biggest motivator for criminals, followed by disruption of service (45%) and theft of personally identifiable information (37%). Despite this trend, only 53% of respondents’ companies have a formal process in place to deal with ransomware attacks.

What does that look like?

Businesses can conduct “tabletop” exercises that stage a ransomware event or discuss in advance decisions about payment vs. non-payment. Payment may seem like the easiest solution, but law enforcement agencies warn it can have an encouraging effect on those criminals as some cases lead to repeated attacks of the same business. Many cybersecurity specialists argue that the best way to fight a ransomware attack is to avoid one in the first place. Advance planning, which might include the implementation of a governing corporate policy or other operating parameters, can help to ensure that the best cybersecurity decisions are made when the time comes to battle a breach.

The Southeast’s Storm Surge Risk and Florida’s Hurricane Wake-Up Call



Amy O’Connor | July 11, 2017

The Southeast has seen its fair share of natural disasters and flooding in the last several years, including two hurricanes in Florida last year – the first hurricanes to hit the state in more than a decade. But none of these events have come close to reaching the potential impact a serious storm surge event could have on the region.

According to CoreLogic’s 2017 Storm Surge Report, which examines risk from hurricane-driven storm surge for homes along the Atlantic and Gulf coastlines across 19 states and the District of Columbia, as well as 86 metro areas, the total reconstruction cost value (RCV) in the event of a hurricane storm surge inundation in these regions would be more than $1.5 trillion.

The total number of homes that could be affected along the Gulf and Atlantic coasts, defined by CoreLogic as the 3,700 miles of coastline extending from Maine to Texas, is nearly 6.9 million. In the Gulf Coast region – running from Texas through the tip of South Florida – almost 3 million homes are at risk with a total RCV of $593 billion. The Atlantic Coast accounts for 3.9 million homes and a RCV of more than $970 billion.

To estimate the value of property exposure of single-family residences, CoreLogic uses its reconstruction cost valuation (RCV) methodology which estimates the cost to rebuild the home in the event of a total loss. The reconstruction cost estimates more accurately reflect the actual cost of damage or destruction of residential buildings that would occur from hurricane-driven storm surge since they include the cost of materials, equipment and labor needed to rebuild and also factor in geographical pricing differences. Actual land values are not included in the estimates. The values in this report are based on 100 percent, or total, destruction of the residential structure.

The Southeast coastal states CoreLogic examined in its report – Alabama, Florida, Georgia, Mississippi, South Carolina and North Carolina – account for at least 3.6 million of the 6.9 million homes at risk along the Gulf and Atlantic coasts.

Unsurprisingly, the majority of those homes – about 2.7 million – are in Florida, which carries a whopping $536 billion reconstruction cost value, the highest of any of the 19 states.

The Southeast also accounts for nine of CoreLogic’s top 15 metropolitan areas at greatest risk of storm surge, with six of those being Florida cities.

It’s common knowledge that Florida is at risk of hurricanes, but the state has gone many years without experiencing significant damage from a major storm. Dr. Tom Jeffery, senior hazard scientist at CoreLogic, said that can often lead to “hurricane amnesia” among citizens and municipalities, and that can impact whether they are adequately prepared when a big storm event does occur.

“This report is about making people aware of the fact that we are in hurricane season. We don’t know when or where they will happen, but they have the opportunity to affect the coastal U.S. and we want to put it on people’s radar,” Jeffery said. “A lot of these areas don’t realize what the risk is once you are outside the 100-year flood plain.”

He added that many people in these communities don’t realize what their storm surge risk is, outside of the 100-year flood plain.

“Large hurricanes especially can really push surge water quite a bit inland, but after big events people say they didn’t realize their property was at risk,” Jeffery said. “Hopefully, this information can give them the incentive to go to their insurer and find out if they are in a high-risk area and adequately prepare.”

CoreLogic included a probabilistic storm surge analysis focused on Florida in this year’s report, with specific emphasis on storm surge from Hurricane Matthew, which changed course before making landfall last year, sparing the state from the worst possible scenario. The goal of probabilistic modeling of hurricane perils, CoreLogic’s report said, is to provide risk managers with greater insight as to what could happen in order for them to better plan and manage their businesses.

“Probabilistic loss provides an evaluation of the specific amount of damage that could be expected from a single storm event or a set of simulated events, called probabilistic events, which are informed by historical storm records that are similar in size and scope,” the report states.

This analysis focused on the historical storms in Florida that have caused storm surge damage beginning in 1900, and how Hurricane Matthew compares. Of the 97 catastrophic hurricanes in Florida since 1900, Hurricane Matthew ranked No. 19 among historical storm surge events. CoreLogic said the storm surge damage from Matthew made up less than 10 percent of the total financial loss, with the rest being a result of wind damage.

Number one on the list was the “13th hurricane of 1944” (before hurricanes were given actual names), which caused $15 billion worth of damage on 471,000 homes in today’s terms. Hurricane Andrew, which hit in 1992, was ranked No. 4, and Wilma, which hit in 2005, was ranked No. 15.

Though Florida’s first hurricanes in 11 years were not as devastating as they could have been, the two storms that did occur – Hurricane Hermine, which hit in September of 2016, and Hurricane Matthew – caused more than $3.2 billion combined in damage to Florida.

Jeffery said the state got lucky last year. He added that awareness is key to minimizing loss in the future, and the modeling company has seen an increased interest in information and proactive mitigation discussions this year.

“Florida went a long stretch without an impactful landfall hurricane and last year was an eye opener, an awakening to get people to think about it since we don’t know when that next one is going to come ashore,” he said.


Personal Emergency Preparedness: Clients, Are You Really Ready??

Families need emergency preparedness plans as much, if not more, than businesses do. When there’s an emergency, we often run through a checklist in our heads of things we should have already taken care of. Do we have a will? What will happen to our children if we’re not around? Did we invest wisely?

The reality is that most people don’t prepare fully for emergencies. Although that checklist is a good place to start, a thorough personal preparedness plan is a good idea for all families and a must-have for high net worth (HNW) individuals with complex lifestyles.

For most insurance agents and brokers, the preparedness topic quickly translates to disaster preparedness. You know, that annual conversation you have with your client right before hurricane season starts on June 1. Or maybe it’s the conversation you have with your client prior to wildfire season or spring flooding. Whatever triggers a preparedness conversation, the fact is that most advisors are simply scratching the surface.

True personal preparedness means looking beyond the obvious and helping clients assess risks that would likely occur based on their family and lifestyle. From there, it’s crucial to systematically create a list of actionable steps to take when faced with an emergency.

Personal risk management starts with the right conversation.

Components of a personal preparedness plan

A comprehensive personal preparedness plan should cover the following at a minimum:

  • The emergencies most likely to happen
  • An action plan
  • A communication plan
  • Personal safety
  • Protection of property
  • Cyber safety

1. Identify emergencies most likely to happen

Every preparedness plan needs a firm base. The first crucial step to creating a preparedness plan for your client is to identify emergencies that are most likely to happen to them. It’s important to keep in mind that emergencies affect not only people but assets as well. Here are a few examples:

  • Fire.
  • Natural disasters, including weather-related and seasonal events such as hurricanes, wildfires, flooding, tornadoes, winter storms or landslides.
  • Infrastructure failures, for example, the California dam system failure.
  • Travel concerns, such as life safety, kidnap and ransom.
  • Terrorist threats.

2. Create an action plan

Once the list of potential emergencies has been created, it’s time to create an action plan. The plan should be specific to each emergency and should assign roles and responsibilities to all family members. Consider these questions:

  • Who will be responsible for the disaster kit?
  • Who will monitor the updates and news?
  • Who will be in charge of pets, manage all family documentation and medication?
  • Who will keep the family contact/communication plan up to date?
  • Who will be responsible for the protection of property?

3. Detail a communication plan

A communication plan is critical in ensuring that all family members are accounted for safely and have access to necessary resources. It should include names and contact information for all family members, meeting places if evacuation is necessary, knowledge of where school children will go, and even an emergency contact number outside of the local area that family members can call to check-in.

Depending on the scope of the disaster, family members may have better luck getting through to out-of-town connections versus relying on local ones.

In creating the communication plan, you should ask, “If something happens during the workday, where are my family members likely to be, and how will we stay connected if we are not together?” This question should be considered for everyone in the family and should account for different schedules based on the time of day.

4. Think about personal safety

When we’re children, we learn about personal safety. We’re taught to avoid talking to strangers and to not walk home from school alone. We practice fire drills and evacuation plans at school, and at work as adults, and carry bits and pieces of this knowledge with us. But how often do we really think about these things in our personal and home lives? Not as often as we should.

These questions should foster conversation and raise awareness with your clients as they begin to proactively think about personal safety.

  • Are smoke and carbon monoxide detectors in working order and tested on a regular basis?
  • Are all household fire extinguishers in working order? Do family members know where they are and when and how to use them?
  • When family members travel, is there a commitment to share itineraries? Are safety protocols for the area understood and discussed in advance?
  • When traveling, do you know how to keep up to date on pending dangers that you may not be accustomed to, such as wildfires?
  • Do family members enroll in the State Department’s Smart Traveler Enrollment Program using the Smart Traveler App?

5. Protect property

At this point in the plan, you’ve already identified assets that can be impacted by emergencies. For each vulnerable asset, a plan must be put in place to safeguard and protect the property (real and personal), for example:

  • Who is responsible for getting storm shutters installed when you get a hurricane warning?
  • Who is responsible for coordinating the removal of valuable articles and property before the pending emergency?
  • If the property will stay on site, who will activate the shelter to protect and minimize damage?
  • Who is responsible for testing sump pumps and making sure sufficient battery backup or generator power is available in case of a power outage?

6. Manage cyber safety

As technology expands, so do risk factors for high net worth clients. Traditional hackers have targeted personal computers, tablets and smartphones. New cyberattacks are targeting smart-home devices. These new vulnerabilities allow someone to monitor lifestyle patterns through connected thermostats, lighting systems, smart TVs and IoT [Internet of Things] security-based systems, all technology typically owned by high net worth individuals.

Each family should have a strong cyber safety plan that is understood and followed by all family members. The plan should account for the activities of all family members, all electronics and connected devices, and all networks the family uses to connect these devices. The plan should include an audit and assessment of risk exposures, including how to obtain professional guidance during a crisis.

Some great questions to ask your client to begin the conversation include the following:

  • Have you conducted a data privacy and security risk assessment of your home network and devices?
  • Do you use personal devices or accounts, such as email, to conduct business, including financial transactions?
  • Do you store sensitive data in your personal devices or accounts?
  • Do you have a response plan for what to do in the event of a privacy or security incident?
  • Are you aware of the information being shared on social media by family or friends and the risks that may arise?
  • Do you discuss cyber risks with family, business colleagues and your financial service provider?

Final thoughts

Raising awareness and helping your client create a personal preparedness plan is crucial to maintaining a personal risk management strategy. The plan should be detailed and specific and should cover all potential risks that can be monitored, updated and tested regularly.

Most people don’t plan for emergencies and pay the consequences. For high net worth clients, those consequences can be costly. It’s important for any agent or broker working with a high net worth client to not only understand the risk but to help their client plan for those risks.