Lloyd's Leads Development Of Core Data Requirements For Cyber Insurance

Lloyd’s of London recently announced that a set of common core data requirements for cyber risks has been agreed through groundbreaking collaboration with modelling firms AIR Worldwide (AIR) and RMS with the Cambridge Centre for Risk Studies.

Both AIR and the RMS/Cambridge team have agreed to highlight common elements when they publish their data schemas later this month and most importantly each has agreed to use similar terminology and precise definitions. The common core data requirements can be found at www.lloyds.com/cybercoredata

Tom Bolt, Lloyd’s Director of Performance Management, said, “Cyber insurance is an important new area of coverage and it is essential that we have good quality standardised data to track exposures. I am delighted that the RMS/Cambridge team and AIR, in consultation with the Lloyd’s Market Association, have worked with us to propose standard definitions for some common data. I have written to major brokers to ask them to endeavour to provide this data to Lloyd’s underwriters.

“The cyber insurance industry is showing real innovation and demonstrates the ability of insurers to develop policies to cover modern, complex risks. Due to the growing importance of this risk class, quality standardised exposure data is critical for increased levels of insurance coverage and better risk modelling.

“Models for natural catastrophe risks are well developed in the (re)insurance industry and the data requirements are relatively standardised. But in comparison, models for cyber risks are still developing and need the industry to work collectively so that risk can accurately be calculated. Lloyd’s is pleased to have worked with AIR, RMS and the Cambridge Centre for Risk Studies to progress this issue.”

Kenya Travel Advice: Heightened Personal Security During The Christmas Holiday Season

The Kenyan authorities have advised heightened personal security during the Christmas holiday season; on 21 December 2015, the Kenyan Ministry of Interior and Co-ordination of National Government issued a public watch notice urging citizens to play a role in counter terrorism and prevention of criminal activities by being vigilant and reporting any suspicious activity, items and people.

117,000 British residents visited Kenya in 2014.

International Private Medical Insurance For Kenya

Take out comprehensive international private medical insurance before you travel to Kenya, to cover the cost of any medical treatment abroad or emergency repatriation and evacuation. Be sure to read the small print of all iPMI policies before you purchase. 

Cholera, malaria and dengue fever occur in Kenya.

You should drink or use only boiled or bottled water and avoid ice in drinks. Don’t eat food prepared by unlicensed vendors.

If you need emergency medical assistance during your trip, dial 999 and ask for an ambulance. You should contact your international medical insurance/medical assistance company promptly if you are referred to a medical facility for treatment.

SMEs’ Concerns Over Cybercrime Have Doubled

Small and medium-sized enterprises (SMEs) around the world are making greater use of the internet and are therefore becoming more exposed to potential cyber risks. Zurich’s survey reveals: SMEs’ greatest fear is loss of customer data and damage to their reputation resulting from a cyber-attack. However, many still believe they are too small to be at risk.

The survey, which polled 3000 C-suite executives and managers at SMEs across 15 countries in EMEA, the Americas and Asia-Pacific, revealed that in 2015 SMEs’ concern over cybercrime has doubled to eight percent from four percent in 2013. SMEs in Malaysia (which ranked the risk as fifth), Turkey (ranked sixth) and the U.S. (ranked sixth), are most worried about cyber-attacks.

From a list of nine potential threats resulting from cybercrime, SMEs globally rate theft of customer data as the most critical risk of cybercrime (28 percent), while damage to reputation following a cyber-attack ranked second (16 percent).

One in six (17 percent) SMEs still consider themselves to be too insignificant to attract the attention of cyber criminals. Zurich does not share this view since hackers are not only looking at the size of the potential gain, but also at the ease of committing the crime.

Lori Bailey, Global Head of Special Lines at Zurich commented: “The results of this year’s SME survey, as well as the Advisen Cyber Survey findings reveal that demand for cyber insurance is growing significantly around the globe. However, there is still a misconception among some SMEs that they will not be affected by this pervasive issue. We at Zurich are continuing to invest in identifying risks and delivering solutions to meet the expectations of our customers, irrespective of the size of their business.”

SMEs in many parts of the world see new sales channels (e.g., online trading) as one of the key opportunities for growth (top two in Austria, top three in the U.S. and Turkey, top four in Portugal and UAE, top five in Brazil and Hong Kong), but surprisingly they are not worried about technological vulnerabilities and cybercrime.

Other findings of the survey are as follows:

  • The global survey once again revealed significant regional differences, with SMEs in Europe (11 percent) and the U.S. (10 percent) far less worried about the potential impact on their reputation compared to those in APAC (31 percent), LatAm (19 percent) and MEA (18 percent).
  • Business disruption following a cyberattack is of particularly high concern in Europe (ranked second) compared to LatAm (ranked 10th) and globally (ranked 5th).
  • The number of SMEs that claim they have cyber protection in place is twice as high in LatAm (12 percent) and APAC (10 percent) compared to MEA and the U.S. (five percent in each).
  • Theft of money/savings has made it into the top three of the biggest cyber risks in Turkey, Austria and the U.S.

Zurich recently published the results of its fifth annual Advisen Cyber Survey of U.S.-based risk managers, which revealed a growing interest in increased limits and security breach response plans and showed that greater attention is being paid to emerging risks from new technologies.

According to the survey’s results, the overall upward trend of organizations purchasing cyber liability insurance has accelerated in 2015, up nine percentage points over 2014. Since the first survey in 2011, there has been a 26 percentage point increase in the number of business respondents with cyber liability coverage.

Philippines Travel Advice: Security Ramped Up For APEC Summit

The Philippines hosts the Asia Pacific Economic Co-operation (APEC) summit in Manila on 16 to 20 November. There will be a heightened security presence across the city including at Ninoy Aquino International Airport. Scheduled road closures and security checkpoints will cause delays in travel across the city and many schools, government offices and businesses will be closed. If you are flying to or from Manila during this period check with your airline, as flight delays, diversions and cancellations may occur.

Around 133,665 British nationals visited the Philippines in 2014. Most visits are trouble-free.

Take out comprehensive travel and medical insurance before you travel to the Philippines.

Aviva Launches Cyber Cover

Aviva is launching its first cyber cover designed for small to mid-market customers to help combat the increasing threat of data and privacy breach they face today. Aviva, in partnership with IDT911, is providing insurance that offers cover and risk management expert services to help customers prepare in advance for and manage any issues after a data loss or breach.

Aviva’s cyber cover is the perfect complement to any commercial combined policy at new business, mid-term or renewal and provides three benefits to the cover:

  • Data breach response – 1st Party, entry level cover picking up investigation and response costs.
  • Computer Cover – 1st Party, extensive protection for clients, tailored to their requirements.
  • 3rd party liability – protection against the insured’s legal liability to 3rd parties arising from the use of electronic media up to a £500,000 limit of indemnity in any one period, costs inclusive.

Angus Eaton, MD commercial lines at Aviva, said: “Cyber risks like hacking, a stolen laptop, system failures or a memory stick going missing are unfortunately very much part of the digital world. The impact on business operations can be catastrophic, not just the financial impact of a data breach but also in terms of the damage to reputation.

“It is why, based on broker feedback, Aviva’s cyber cover has been designed to give businesses an affordable way to protect themselves as well as access to expert advice should they suffer a data loss or breach.

“For example, a virus that has resulted in the loss of customer data needs a quick response not only to remove the virus and protect the data but also to ensure that staff, suppliers and customers are kept informed of any risk and remedial measures.

“Aviva’s cyber cover looks after the financial impact and most importantly helps businesses know what to do when a breach occurs to keep the business running”.

Nate Spurrier, business development director, IDT911, said: “Cyber attacks continue to be big news and are a real threat to business operations. It’s an area of expertise that all businesses need to understand. Our experience means we can help businesses identify the steps they can take to effectively ‘lock the front door’ to intruders to reduce the risk of a cyber attack and in the event of a breach we can also help them respond appropriately to restore and secure their data quickly, and manage any reputational damage.”

IDT911 has been providing customers with prevention education, proactive protection services and incident remediation since 2003, today working with more than 770,000 businesses across the United States and Canada.

Senior Security Heads Don’t Trust Cyber Insurance Products

New insurance products launched to protect businesses from suffering the losses of cyber-attacks have been met with great scepticism, according to new figures revealed today. A survey of senior information security professionals, whose organisations are members of KPMG’s International Information Integrity Institute (I-4), found that the most common reason for not purchasing a cyber insurance policy was the belief that insurers would not actually pay out on a claim.

Distrust around insurers honouring their contracts is leaving businesses vulnerable to the effects of cybercrime. Seventy-four per cent of those surveyed stated their businesses had no cyber insurance in place. This is despite 79 per cent believing that cyber security threats are likely to increase over the next twelve months, with three quarters (74 per cent) perceiving organised crime and state sponsored activity to pose the biggest threat. For those whose businesses have purchased cyber insurance, 48 per cent think that the policies may not pay out if they need it.
 
Mark Waghorne, Head of KPMG’s International Information Integrity Institute, says, “It is worrying to see that so many businesses would rather risk having no insurance in place to protect themselves against a threat they believe is very real. It is also disappointing that cyber insurance is viewed as providing little comfort to those who have it, as almost half don’t believe they would be compensated properly if push came to shove.

“Of the information security professionals we spoke to, 30 per cent believed the market for cyber insurance does not appear to be sufficiently mature yet. Insurers will need to deliver more comprehensive packages in order to convince the business community that they can and will protect against losses on cybercrime. However, discussions during a later debate at the most recent I-4 Forum showed that the availability of specialist, focussed cyber related insurance has much improved during the past year with clear evidence that carriers do pay out, indicating that those organisations which have avoided cyber insurance in the past should perhaps revisit their positions.”

Lloyd’s Supports New Government Initiatives To Make UK World Centre In Cyber Security Insurance

With 81% of large UK businesses and 60% of small companies suffering a cyber security breach in the last year, a new report published by HM Government and Marsh, and supported by Lloyd’s, has announced a new set of joint initiatives between Government and the insurance sector.

The joint report aims to help firms get to grips with cyber risk and establish cyber insurance as part of any firm’s cyber tool-kit.

The report, UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, has been produced in collaboration with the UK’s insurance market and a number of top UK companies, and aims to make the UK a world centre for cyber security insurance.

It highlights the exposure of firms to cyber attacks among their suppliers with a key agreement that participating insurers will include the Government’s Cyber Essentials certification as part of their risk assessment for small and medium businesses.

Cyber threats are estimated to cost the UK economy billions of pounds each year with the cost of cyber attacks nearly doubling between 2013 and 2014. The report found that, while larger firms have taken some action to make themselves more cyber-secure, they face an escalating threat as they become more reliant on online distribution channels and as attackers grow more sophisticated. It issues a call to arms for insurers and brokers to simplify and raise awareness of their cyber insurance offerings and ensure firms understand the extent of their coverage against cyber attack.

Companies are recommended to stop viewing cyber largely as an IT issue and focus on it as a key commercial risk affecting all parts of their operations. The report is the product of collaboration between Government and the sector following a Summit held last November. It recommends firms examine the different forms of cyber attacks they face, stress-test themselves against them and put in place business-wide recovery plans.

The report also notes a significant gap in awareness around the use of insurance, with around half of firms interviewed being unaware cyber risk insurance was available. Other surveys suggest that despite the growing concern among UK companies about the threat of cyber attacks, less than ten per cent of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.

Inga Beale, CEO of Lloyd’s said, “I am very pleased to have had the opportunity to represent Lloyd’s on the working group which contributed to this excellent report. Cyber risk poses the most serious threat to businesses and national economies, and it’s an issue that’s not going to go away. The London market has a long, proud history of finding innovative solutions to insuring large, complex risks that are challenging to underwrite locally. Just as the market has responded to new challenges before, so it needs to again. The insurance industry, with the Lloyd’s market leading the way, has a key role to play in cyber risk protection going forward.”

Francis Maude, Minister for the Cabinet Office and Paymaster General said, “It is part of this Government's long-term economic plan to make the UK one of the safest places in the world to do business online. The UK’s insurance market is world renowned and we want it to be the same in relation to cyber risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber risks. Insurance is not a substitute for good cyber security but is an important addition to a company’s overall risk management. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats”.

Mark Weil, CEO of Marsh UK & Ireland, added, “While critical infrastructure in regulated sectors, such as banks and utility firms, are used to this kind of risk, most firms are not and their risk management practices are geared around lower-level, slower moving risks. Companies will need to upgrade their risk management substantially to cope with the growing threat of cyber attack, including introducing disciplines such as stress-testing, and creating a joined-up recovery plan that brings together financial, operational, and reputational responses.”

Key findings from the report:

  • Insurers can help firms better manage their cyber risks. By asking the right questions and educating clients, insurers can help drive the adoption of cyber security best practice, including Cyber Essentials.
  • The UK insurance sector is already a world-leader. With initiatives like this the sector is demonstrating that the UK is the natural home for a growing global cyber insurance market.
  • Insurers’ support shows the success of Government’s Cyber Essentials Scheme. They recognise having Cyber Essentials certification is a valuable indicator of a mature approach to cyber security in SMEs that contributes to the reduction of risk.
  • The contributing insurers will incorporate Cyber Essentials into their risk assessment process for SMEs, making it easier for firms to get coverage.
  • Firms place cyber amongst their leading risks in terms of likelihood and severity of impact.
  • Banks and national infrastructure organisations are generally better equipped in modelling cyber risks which can be very fast moving and damaging whereas most other businesses are not as well equipped to deal with this type of ‘tail risk’.
  • Modelling of cyber risk has been difficult due to a lack of available data. However, there are alternative approaches to valuing the risk of cyber attack including using stress testing.
  • There is a lack of awareness of cyber insurance and certainty about coverage – less than 10% of companies have cyber insurance according to recent surveys.
  • A lack of data pooling poses a challenge for the insurers in the development of their pricing models and coverage.
  • The potential for the aggregation of losses impacting a large number of firms and arising from a is a growing concern for insurers.
  • The UK insurance market has a history of underwriting large complex risks and has established itself to be a leading market in the provision of cyber insurance.

Recommendations include:

For insurers and Government

  • Participating insurers will include the Cyber Essentials certification as part of their cyber risk assessment for SMEs when backed by a suitable insurance policy in order to improve their supply chain resilience. This will simplify the application process for businesses.
  • A new forum will be established by HM Government with the insurance sector, including the ABI and Lloyd's, on data and insight exchange for policy discussions.

For businesses

  • Firms should review their management of cyber risk. Effective risk management needs to include a Board-level owner for cyber risk, a joined up recovery plan and the use of stress testing to confirm financial resilience against cyber threats.

For insurance brokers

  • Participating insurers will include Cyber Essentials accreditation as part of their risk assessment for SMEs to encourage greater adoption. Marsh will launch a new cyber insurance product for SMEs which will absorb the cost of Cyber Essentials certification for the majority of firms. HMG encourages other brokers to follow suit.
  • Brokers should provide firms with a cyber assurance statement to give the Board confidence of the completeness of their cover.

For the market

  • Lloyd's will work with UKTI to market the cyber capabilities of the London Insurance market globally.
  • A new multi-disciplinary taskforce set up by CityUK aimed at bringing together different sectors to accelerate discussions on a joint UK cyber offering related to insurance for export.

The Cyber Essentials Scheme was launched on 5 June 2014. This new Government-backed and industry supported scheme guides businesses in protecting themselves against the most common cyber threats. Cyber Essentials documents are free to download and any organisation can use the guidance to implement essential security controls. Organisations successfully independently assessed by a Certification Body can achieve a Cyber Essentials award to demonstrate that they meet the government endorsed set of basic controls on cyber security.

The Ten Steps to Cyber Security guidance and the Cyber Security Guidance for small businesses show companies how they can manage cyber security risk and put best practice in place.

CareFirst Announces Cyberattack; Offers Protection for Affected Members

CareFirst BlueCross BlueShield (CareFirst) today announced that the company has been the target of a sophisticated cyber attack.

The attackers gained limited, unauthorized access to a single CareFirst database. This was discovered as a part of the company’s ongoing Information Technology (IT) security efforts in the wake of recent cyberattacks on health insurers. CareFirst engaged Mandiant – one of the world’s leading cybersecurity firms – to conduct an end-to-end examination of its IT environment. This review included multiple, comprehensive scans of CareFirst’s IT systems for any evidence of a cyberattack.

Evidence suggests the attackers could have potentially acquired member user names created by individuals to use CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification number.

Mandiant determined that in June 2014 cyberattackers gained access to a single database in which CareFirst stores data that members and other individuals use to access CareFirst’s websites and online services. Mandiant completed its review and found no indication of any other prior or subsequent attack or evidence that other personal information was accessed.

CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst’s website. The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card, or financial information.

“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack – and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”

Approximately 1.1 million current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst’s websites prior to June 20, 2014, are affected by this event. Out of an abundance of caution, CareFirst has blocked member access to these accounts and will request that members create new user names and passwords.

More information about the cyber attack can be found at www.carefirstanswers.com.

“Cyber WHO” Needed To Strengthen World’s Inadequate Cyber Governance Framework

A new report on cyber governance commissioned by Zurich Insurance Group highlights challenges to digital security and identifies new opportunities for business. It calls for the establishment of guiding principles to build resilience and the establishment of supranational governance bodies such as a Cyber Stability Board and a “Cyber WHO”.

Zurich Insurance Group (“Zurich”) and ESADE Center for Global Economy and Geopolitics (“ESADEgeo”), a leading authority on global governance, today published a report, “Global Cyber Governance: Preparing for New Business Risks”, that proposes new measures to strengthen the global governance framework for managing evolving cyber risks.

The report observes that while emerging technologies such as drones, 3-D printing and self-driving cars are fundamentally changing the nature of cyber risk, the current regulation and governance regimes in place globally are inadequate to ensure the security of the world’s cyber infrastructure. 

“The existing governance framework from the 20th century cannot be expected to respond sufficiently to 21st century technology,” Zurich’s Chief Risk Officer Axel Lehmann said. “We live in a world full of opportunities, but also risks. There is no better example of this than the relationship between information and communications technologies and cybersecurity. The cyber realm underpins almost all economic and societal activity – from finance to trade, information, energy and beyond.”

Geopolitical and ideological tensions between states, the report points out, are increasingly played out in cyberspace – including over matters of governance. “Growing political instability could be exploited by some governments aiming to reduce capabilities and scope of some technical institutions that provide stability and resilience to cyberspace, thus undermining its multi-stakeholder approach” said Javier Solana, President of ESADEgeo. “Isolating effective cyber governance from the current geopolitical tensions must therefore be a priority.”

Companies in almost all sectors are exposed to cyber threats with the potential to cause enormous damage in terms of reputation and physical losses, liabilities, and regulatory costs. Unchecked, these cyber threats could severely affect technical and economic development globally.

“The nature of cyber security is evolving so quickly it can be difficult for businesses to keep track of the risks let alone the solutions,” said Mike Kerner, CEO of General Insurance for Zurich. “It is very clear that businesses that want to protect themselves from cyber security and privacy risks must adopt a mindset of resilience.”

Based on a detailed mapping of the rules, institutions and procedures that form the current global cyber governance framework, the report highlighted opportunities for the private sector, civil society and policy makers to improve the current situation and facilitate the mitigation of cyber threats.

Recommendations to policymakers include the creation of a Cyber Stability Board to strengthen global institutions and insulate them from geopolitical tensions, and the creation of a cyber alert system based on the World Health Organization (WHO) to enhance crisis management.

At the same time, the private sector needs to engage in sharing information and employ an approach which will increase their overall cyber resilience in order to address the inadequacies of the framework.
