Source: studyguides.homestead.com/17c_Cyber_Risk_MS.doc (web view)

Perspectives on Cyber Risk

John J. Hampton

All rights reserved ©

This publication is available from www.Princetonbooks.com, a subsidiary of the Princeton Consulting Group. It provides a knowledge foundation for underwriters, risk analysts, information systems specialists, accountants, human resources managers, and other professionals who participate in or support the commercial property and casualty insurance industry. It covers:

Princeton Books
ISBN 978-0-9835452-5-5

2017 Princeton Books
All rights reserved
Distributed in the United States of America

This publication may not be reproduced or transmitted in whole or in part, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of Princeton Books. The original purchaser may print one copy as an exception to this agreement.

Table of Contents

Foreword 6

Part 1. Cyber Risk

Chapter 1. Cyber Insurable Risk. 10
  Nature of Risk. Speculative and Pure Risk. Severity and Frequency. Insurable Risk. Exposures, Perils, and Hazards. Magnitude of Insurable Risk. Cyber Risk. Recent Cyber Attacks.

Chapter 2. Malicious Software, Hacking, and Cybersecurity. 25
  Malicious Software. Cyber Scams. Computer Hacking. Malware Attacks. Authorized User Attacks. Cybersecurity. Appendix 2. Red Flags in Identity Theft.

Chapter 3. Business Cyber Risk. 52
  Cyber Risk in Organizations. Cyber Risk and Top Management. Sony Pictures Entertainment Hack. The Dark Web.

Chapter 4. Cyber Risk Management. 65
  Risk Strategies. The Cloud. Cyber Risk Questions and Answers. Cyber Risk Business Disruption.

Part 2. Cyber Risk Insurance

Chapter 5. Cyber Insurance. 88
  Nature of Cyber Insurance. Indemnification. Buying Cyber Risk Insurance. Layering of Insurance.

Chapter 6. Insurance Law. 100
  The Law of Contracts. The Law of Insurance Policies. Questions and Answers.
  Appendix 6a. Lloyd’s of London. Appendix 6b. Bermuda Insurance Market.

Chapter 7. Cyber Insurance Underwriting. 120
  Introduction to Underwriting. Insurance Ratemaking. Underwriting Cyber Insurance. U.S. Underwriters. Structure of a Cyber Insurance Policy.

Chapter 8. Brokers, Agents, and Claims. 143
  Parties Involved in Cyber Insurance. Buying Cyber Insurance. Adjusting Cyber Claims.

Chapter 9. Cyber Property Insurance. 154
  Cyber Property Risk. Property Indemnification. Contingent Interruption.

Chapter 10. Cyber Liability Insurance. 165
  Legal Liability. Tort Liability. Cyber Risk Liability. Negligence. Cyber Liability Insurance. Cyber Liability Lawsuits.

Chapter 11. Cyber Reinsurance. 186
  Overview of Reinsurance. Facultative Reinsurance. Treaty Reinsurance. Cyber Insurance High Limits.

Chapter 12. Captives and Cyber Insurance. 201
  Overview of Captives. Investing in a Captive.

Chapter 13. Cyber Risk Insurance Policy. 211
  Cyber Risk Policy Features. Cyber Risk Policy Structure. Questions and Answers. Cyber Insurance Products. Appendix 13. Sample Cyber Insurance Policy.

Preface

It is hardly necessary to define risk for anyone who is likely to want to read a book on cyber risk management. Even if you do not want to read this book, you know all about the Internet, Google, and email. You probably worked on, and then lost, electronic files, or got dropped and could not get back on your favorite website, or faced countless other small tragedies that arise from computers, systems, and networks.

Perhaps you have a risk management philosophy. You may be described by one or more quotes such as, “I don’t like to be surprised.” “I don’t take chances.” “I am not afraid of danger.” “I climb mountains because they are there.” “Nothing is more exciting than jumping out of an airplane.” Whatever your philosophy, you confront and deal with risk every single day.

At one or more times in life we come upon something so different we are not sure how to think about it. It’s like the mountain climbers who said, “We'd done a lot of climbing in Colorado, but the Himalayas were a whole new ball game.” This is the case for cyber risk and what it is doing to us and our organizations.

Someone who understands risk is Woody Allen, the movie director and comedian. Sometimes it seems his life and his work deal only with risk. Check out a few quotes:

Risk Quote #1. “More than at any other time in history, mankind faces a crossroads. One path leads to despair and utter hopelessness. The other to total extinction. Let us pray that we have the wisdom to choose correctly.”

Risk Quote #2. “My one regret in life is that I am not someone else.”

Risk Quote #3. “The lion and the calf shall lie down together but the calf won't get much sleep.”

Risk Quote #4. “I don't want to achieve immortality through my work…I want to achieve it through not dying.”

Even as we might admire Woody Allen, most of us take a different risk management path. We recognize that we must understand the exposures in the world and develop strategies to deal with them. The simple failure to take a risk is a risk itself. The effort to take calculated risks provides both the danger and joy to life.

So what do we do about cyber risk? The people hacking our computers, stealing our identity, and bombarding us with unwanted messages, pictures, and advertisements? We manage them as best we can in our lives. We deal with them in our business affairs.

Structure of the Book
This book starts with risk management broadly and incorporates cyber risk as a relatively new area of exposure. It develops details on the sources of risk for individuals and businesses alike. It morphs into a discussion of risk sharing and transfer with a primary emphasis on cyber risk insurance. It incorporates the broad lessons of modern insurance, property and liability coverages, role of brokers and agents, processing of claims, and availability of reinsurance and captives, into a framework to deal with the difficult-to-place cyber coverages needed by many businesses and other organizations. An annotated chapter outline:

Chapter 1. Cyber Insurable Risk.
This chapter examines the nature of risk. What is the difference between an exposure and uncertainty? Is a missed opportunity a form of risk? Topics include speculative risks with an upside and downside as well as pure risk that can produce only a loss. Questions include, “How likely is a loss to occur? How big will it be if it happens?” We call these two dimensions severity and frequency. We consider whether risk measurement is objective or subjective and we try to calculate the odds of an occurrence of loss. We conclude with examples of cyber business risks.

Chapter 2. Malicious Software, Hacking, and Cybersecurity.
This chapter introduces tools used to take advantage of computers, networks, and systems. Malicious software, malware for short, takes center stage. Viruses and cyber scams are shown with examples. A section on computer hacking ranges from honest hackers to egregious malware attacks. Authorized users are shown as sources of cyber risk. Antivirus software and detection techniques conclude the chapter.

Chapter 3. Business Cyber Risk.
This chapter examines risk from information technology, the Internet, and the Cloud. It identifies physical and intangible damage, business interruption, and liability exposures. It provides examples of recent attacks on organizations. It argues for top management to focus on disruption. The story of the North Korean attack on SONY Pictures is told in detail.

Chapter 4. Cyber Risk Management.
The chapter begins with strategies to deal with risk and moves on to cyber risk teams and chief information and technology officers. Incident response plans are covered for physical and electronic breaches. A discussion of the Cloud is followed by cyber risk questions every CEO should ask about cyber risk. The conclusion addresses cyber risk business disruption.

Chapter 5. Cyber Insurance.
This chapter looks at acceptable cyber exposures for specialty insurance coverage. Topics include indemnification, how to make decisions on purchasing coverage, and the layering of insurance to protect against catastrophe.

Chapter 6. Insurance Law.
Beginning with the law of contracts, this chapter covers concepts integral to insurance law including utmost good faith, misrepresentation, assignment, waiver, void and voidable contracts, the expectations principle, contract of adhesion, and subrogation. Lloyd’s of London and Bermuda markets are introduced.

Chapter 7. Cyber Insurance Underwriting.
The chapter covers the tricky task of insuring cyber risk. It examines setting premium levels, balancing experience and judgment approaches to assess losses, and important factors and advanced skills needed for underwriting cyber loss. It concludes with the structure of a cyber insurance policy.

Chapter 8. Brokers, Agents, and Claims.
The chapter provides an overview of the parties involved in cyber insurance and the market where it can be found. It deals with activities of brokers and agents in the process of buying cyber insurance including excess coverages in specialty markets. It also examines the claims process after a cyber loss.

Chapter 9. Cyber Property Insurance.
This chapter covers loss of assets, business disruption, and indemnification. Topics include insurance for real and personal computer property, specific and blanket coverages, actual cash value and replacement value coverages, and business interruption and contingent interruption insurance.

Chapter 10. Cyber Liability Insurance.
This chapter covers contractual and tort liability, monetary damages and specific performance, legal fees, and cyber liability exposures. Issues include cyber risk liability, quirks in U.S. tort liability, and cyber risk negligence. It discusses cyber liability coverages including errors and omissions and class action lawsuits.

Chapter 11. Cyber Reinsurance.
This chapter shows how reinsurance backs up the major exposures in cyber insurance. It covers an overview of reinsurance and provides the distinction between facultative and treaty reinsurance. It includes excess of loss and umbrella insurance, the role of the capital markets, and insurance securitization.

Chapter 12. Captives and Cyber Insurance.
This chapter shows how captives can offer tailored coverage and lower cost covering retained cyber risk. It distinguishes between expected business risk and catastrophic occurrence risk. It shows the process of evaluating and investing in a captive.

Chapter 13. Cyber Risk Insurance Policy.
This chapter examines the features of cyber risk policies including losses, defense expenses, and definitions. It provides examples of first party and third party coverages. It shows the structure of a cyber risk policy and asks and answers questions about it.

Conclusion
This book tackles cyber risk management mostly from an organizational perspective and quite formally in many cases. The lessons should be useful to us when we wear our professional hats. They might also be instructive in more personal moments. Cyber risk management for organizations is like taking a trip through a strange and foreign land.

Dear reader. Have a pleasant journey.

John J. Hampton
Litchfield, CT
October 2015

Chapter 1. Cyber Insurable Risk

NATURE OF RISK
Most of our activities involve a degree of risk. This ranges from crossing the street to the investment of money. To be acceptable, a behavior must offer a value that exceeds the danger that accompanies it. With a higher degree of risk, we expect a higher return.

The advent of the Internet and accompanying technology expands the risk framework for modern organizations. While using technology, companies avoid some risks as they accept others. They retain some exposures and transfer others. These decisions are made after seeking to install the proper electronic capabilities to conduct their operations. In this discussion, we deal with cyber risk that is the result of organizational activity. We create a foundation for understanding cyber risk management and cyber insurance.

Risk Itself
What is risk? One definition of risk refers to the possibility of injury, harm, damage, or loss to people or property. Formally stated, it is the dispersion of return from likely or possible outcomes. We expect to make a profit. Instead, we make a loss. We expect to successfully climb Mount Everest. Instead, we die on the slope. A different definition is that risk is the probability of any undesirable result of behavior. We buy a truck to start a delivery service. We accept the risk of an accident.

The term risk is both a noun and a verb. As a noun, it refers to a situation involving danger. “She works as a fire fighter and accepts the risk of physical harm.” As a verb it refers to conditions involving harm or loss. “He risked his life to save a person who was drowning in a storm.” Whether a noun or verb, the term deals with decision-making and behavior. We can choose an action that can lead to an undesirable outcome. “Why would anyone risk his life by climbing Mount Everest?”

Question
Suppose someone offered you $1 million if you climb Mount Everest and reach the top. You would get $500,000 if you only reached the base camp at 24,000 feet. You would also get expenses covered in either case. Would you accept the offer?

Answer
This question can produce an interesting discussion about risk at a dinner party.

All definitions recognize that risk is derived from three sources:

Exposure. A condition that can cause a downside loss. A person can lose money or suffer physical harm as the result of an action or activity.

Uncertainty. A negative variance from expectations. We may achieve a positive outcome but not at the level of reward that was sought when the risk was accepted.

Missed Opportunity. The failure to accept risk when we have the chance to improve a situation or condition. The refusal to take action can be a risk itself.

Question
Sometimes we try to measure risk but our belief may not match the actual level of exposure. Assume that twenty-five people are gathered in a room. What is the probability that two of them will have the same birthday?

Answer
Over 50 percent. Understanding risk involves the realization that some “coincidences” are more likely than we might expect. Most people would answer with a much lower percentage as they consider 25 dates out of 365. The actual calculation starts with 1/365 or .00274. It builds quickly until the probability is 1 − (364/365)(363/365) … (341/365) > 50%.
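The product in the answer is easy to get wrong by hand, so here is the calculation carried through in Python. This is an added example, not part of the book: it multiplies out the chain of fractions for a group of any size (and for any number of possible "days", a parameter I added so the same routine works beyond calendar birthdays), and it finds the smallest group for which the probability first exceeds 50 percent. Function names are my own.

```python
def prob_shared_birthday(n, days=365):
    """Probability that at least two of n people share a birthday.

    Computed as 1 minus the probability that all n birthdays are distinct:
    (days/days) * ((days-1)/days) * ... * ((days-n+1)/days).
    For n = 25 and days = 365 this is the book's 1 - (364/365)(363/365)...(341/365).
    """
    if n > days:
        return 1.0  # more people than days: a shared birthday is certain
    p_all_distinct = 1.0
    for k in range(n):
        p_all_distinct *= (days - k) / days
    return 1.0 - p_all_distinct


def smallest_group_exceeding(threshold=0.5, days=365):
    """Smallest group size whose shared-birthday probability exceeds threshold."""
    n = 1
    while prob_shared_birthday(n, days) <= threshold:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed group sizes to show how quickly the probability climbs.
    for n in (2, 10, 23, 25, 50):
        print(f"{n:>3} people: {prob_shared_birthday(n):.4f}")
    print("smallest group over 50%:", smallest_group_exceeding())
```

With 25 people the routine returns about 0.569, and the threshold is already crossed at 23 people. The same arithmetic estimates how likely two randomly assigned identifiers (session tokens, ticket numbers) are to collide when the identifier space is small: pass the size of that space as `days`.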

SPECULATIVE AND PURE RISK
We can identify two broad categories of risk that affect business operations:

Speculative Risk. The chance where both an upside and downside are possible. For business activities the term refers to financial gains or losses. The ownership of a computer can offer a financial gain if we use it to provide services for customers or clients. A loss occurs if the revenues do not cover expenses or if the value of the computer declines.

Pure Risk. The chance of an unexpected or unplanned loss without the accompanying chance of a gain. Also called absolute risk, the ownership of a server presents a pure risk with respect to fire. One possibility is that no fire will occur and no loss will be experienced. The other possibility is fire causes damage to the server and its ancillary equipment.

Question
Which of the following are pure risks?
  Placing a bet on an Internet horse race website.
  An explosion in a data center.
  A decline in the value of a computer software package.
  A website emitting harmful messages from the devil.

Answer

Internet Horse Race Bet. Not a pure risk as it has an upside possibility. The horse can win the race and pay out more than the initial bet.

Explosion. A pure risk. Such an event is not planned. In almost any situation, only a downside impact can result from an explosion.

Software Value Decline. Not pure risk. Software value may go up as well as suffer a decline.

Website Devil Message. Not a pure risk, as it cannot happen.

Speculative Risk
Businesses can only be successful when they accept cyber risks that lead to a possible profit. Such risks fall into many categories:

Operating Risk. The possibility of loss from installing technology. This may be a mixture of the operations themselves as well as inadequate financing from other parties. A government may spend more money on systems than it saves using them.

Financial Risk. The chance that we may lose money on an investment in fixed assets. We may borrow money to install a computer system that does not work properly. We may purchase hardware that proves to be too expensive for us to recover our capital investment.

Pure Risk
Pure risk is the domain of risk management and insurance. An individual or organization can only be hurt. There is no chance of an upside gain. Generally, we perceive pure risks from three vantage points.

Two Possible Outcomes. A pure risk can achieve or fail to achieve an expected outcome. We do not expect a new factory to stop operations. A young, healthy person should live a long life. These are expected outcomes. Yet, an explosion can destroy the factory or an individual can die in an accident. Risk management recognizes that pure risks contain the possibility of unfavorable and unexpected outcomes.

Weak Risk Management. A pure risk exists when it is a possibility of the real world. It is not necessary that we know about it or prepare for it. This creates two puzzles:

  o Unknown Risks. An organization may not realize that an exposure exists. It may build a facility on an earthquake fault line. It may start an operation in a country that subsequently has an overthrow of its government. These exposures can destroy all the assumptions about risks that were considered in operating plans.

  o Artificial Risks. Some exposures are simply not relevant to our operations. A company may purchase earthquake insurance to protect its operating facilities. It may not realize that the properties are constructed in areas that lack fault lines and have never had an earthquake. The risk may be included in an operating plan but it is not real.

Immeasurable Exposures. The organization often does not know the likelihood of facing a loss. How likely is it that a meteorite will hit an operating facility? It is not a risk management issue as to whether we can measure, and thus predict, the possibility of loss. Some losses will occur even though we cannot assess their frequency or severity. We must be prepared for the unexpected and be flexible with respect to pure risks.

Dimensions of Pure Risk
Two dimensions determine the degree of pure risk:

Likelihood of Loss. A high probability of the occurrence of a loss is considered to be a high degree of risk.

Size of Loss. A large potential loss is the second aspect of a high degree of risk. The definition of “large” will depend partly on the raw magnitude of the loss and partly on the ability of the organization to sustain it. A million-dollar loss to one company will be of little consequence to a much larger organization.

SEVERITY AND FREQUENCY
The total degree of risk involves a combination of both likelihood and size of potential loss. This concept is expressed more formally in terms of severity and frequency.

Severity. The amount of damage that is or may be inflicted by a negative event. A loss can be partial or total. It can be minor or serious. A loss can be catastrophic from the perspective of an individual or organization that faces it. Severity can also be defined for insurance purposes as being the intensity of a peril.

Frequency. The likelihood that a loss will happen. A low frequency indicates that a loss event is possible but either has rarely happened in the past or is not likely to occur in the future. A moderate frequency describes a loss that happens every so often and can be expected in the future. High frequency is reserved for losses that occur regularly and are likely in the near future. For insurance purposes, high frequency losses include employee injury and vehicle accidents. Liability lawsuits offer a moderate frequency for entities. Property losses usually have a low frequency.

Organizations recognize that insurance is concerned primarily with important risks. They accept the small exposures, deal with them on a daily basis, and retain them.

The diagram shows a graphic representation of the relationship between severity and frequency. As we move up and to the right, risk grows until it reaches the area of critical risks.

Diagram of Severity and Frequency. [Figure: vertical axis Severity, from Low to High; horizontal axis Frequency, from Low to High; an arrow labeled “Increasing Risk” points toward the upper right.]

Degree of Pure Risk
This refers to the magnitude of loss from a pure risk. A situation with a high degree of risk can be described as very risky. With a low degree of risk, we can say it is not too risky. What does this mean? We often have disagreement because risk can be measured objectively or subjectively.

Objective Measurement. A company, including its insurer, can evaluate historical and other data to determine the level of past losses and estimate the likelihood that past patterns will continue in the future.

Subjective Measurement. In this situation, often caused when historical data is not available or reliable, we assess the degree of risk using intuition or judgment. This is how we see the world. This is how we see exposures.

Calculating the Odds
The odds can often be calculated for both pure and speculative risks. Statistics can be developed to estimate the number of automobiles that will be in accidents. Similarly, we can forecast the likelihood of making a gain when purchasing stock in corporations.

Question
Black Beauty (BB) is twice as likely to win a horse race as Charley’s Child (CC) and Charley’s Child is twice as likely to win as Desert Dawn (DD). These are the only horses in a race. A two-dollar bet on Black Beauty will pay five dollars. Is this a good risk to accept?

Answer
Yes. Start with the probability of DD winning at one. Then CC is twice as likely to win so assign it the value of two. BB is four times as likely as DD so BB is four. The total likelihood is seven. BB has four chances out of seven to win. The upside is three dollars. The downside is two dollars. In this case, statistically at least, the failure to bet is a missed opportunity.
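The answer weighs a four-in-seven upside of three dollars against a three-in-seven downside of two dollars. As an added example (mine, not the book's), the Python below turns the relative chances into exact probabilities, computes the expected profit of the bet, and also finds the break-even payout below which the same bet would no longer be worth accepting. The horse names and chances are the ones in the question; the function names are my own.

```python
from fractions import Fraction


def win_probabilities(relative_chances):
    """Convert relative chances (DD=1, CC=2, BB=4) into probabilities summing to one."""
    total = sum(relative_chances.values())
    return {horse: Fraction(c, total) for horse, c in relative_chances.items()}


def expected_profit(p_win, stake, payout):
    """Expected profit of a bet: gain (payout - stake) with p_win, lose the stake otherwise."""
    return p_win * (payout - stake) - (1 - p_win) * stake


def break_even_payout(p_win, stake):
    """Payout at which expected profit is exactly zero: stake / p_win."""
    return stake / p_win


if __name__ == "__main__":
    # Relative chances from the question: BB is twice CC, CC is twice DD.
    probs = win_probabilities({"DD": 1, "CC": 2, "BB": 4})
    for horse, p in probs.items():
        ev = expected_profit(p, stake=2, payout=5)
        print(f"{horse}: P(win) = {p}, expected profit on a $2 bet paying $5 = {ev}")
    print("break-even payout for BB:", break_even_payout(probs["BB"], 2))
```

For Black Beauty the expected profit is 6/7 of a dollar per two-dollar bet, so the bet is favorable; the same five-dollar payout on Desert Dawn has a negative expectation. The break-even payout for Black Beauty is $3.50, which is why a $5 payout leaves room for profit.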

INSURABLE RISK
We have already identified hazard risk as being largely the same as insurable risk. When organizations address the issue of insurable cyber risk, they essentially examine the following risk areas.

Personnel. The losses that affect employees, customers, suppliers, visitors, and unrelated third parties. An example is the electronic theft of credit card information.

Property. Accidents, vandalism, and other causes of loss to physical property, equipment, information systems, and intangible assets. An example is hacking a computer and destroying its hard drive.

Liability. Arises from employees, customers, vendors, contractors, partners, and unrelated parties where allegations are made that the organization failed to protect another party from harm. An example is negligence in processing a client’s data.

Performance. A special area covering claims by other parties that the organization failed to deliver products or services as stipulated in an agreement. An example is the failure of a computer sales company to install a working system on the premises of a client.

Tests of Insurable Risk
Once we have distinguished between pure and speculative risks, we are ready to take an additional step. First, we recognize that we cannot insure speculative risks. Although mechanisms exist to protect against losses from investments and other financial activities, those mechanisms are not forms of insurance. Only pure risks can be transferred via insurance and not all pure risks qualify for transfer. An insurable risk is a form of pure risk that meets specific tests:

Financial Loss. The risk must create the possibility of a decrease in money or a decline in monetary value. This is true even in situations, such as emotional distress, where it is difficult to assign a specific number to a loss. Absent the possibility of assigning a financial number to damages, we cannot have insurance.

Definite Loss. We must be able to know conclusively that a loss took place. We must be able to identify the cause of the loss, time and place when and where it occurred, and the extent of damage. Insurance companies are reluctant to accept risks where it is not possible for reasonable people to agree upon whether a claim must be paid.

Fortuitous Loss. The loss must occur as a result of chance from the perspective of the insured. This is also called a contingent loss. An individual or entity cannot purchase insurance and then intentionally take action to create a valid claim under an insurance policy.

Question
A company wants to purchase vandalism insurance to cover a telecommunications tower located in a large city. Is this an insurable risk under the following conditions?
  If teenage gangs are present in the area?
  If teenage gangs are disputing with each other in the area?
  If a teenage gang has demanded a “protection payment” from the company?

Answer
Insurable if loss is contingent.

Yes, if gangs are present in the area. The coverage will have a high premium.

Still yes, but considerable documentation and some risk management steps may be required by the insurance company.

Maybe not.

EXPOSURES, PERILS, AND HAZARDS
An insurable risk can cause a financial loss and disrupt the operations of a business. Three terms help dimension the risk:

Exposure. A condition where risk could cause a loss. Whenever an organization does anything, it may expose itself to a variety of risks. Some will be insurable. Some will not.

Peril. The immediate cause of a loss. It is the condition of the world that acts upon the exposure and creates financial damages.

Hazard. A situation or behavior that increases the likelihood of a loss from a peril. The peril can exist by itself. A hazard makes the odds or severity of occurrence higher than would be expected in normal circumstances.

Question
A company purchases a building. With respect to the possibility of fire, what are an exposure, a peril, and a hazard?

Answer
The exposure is simply the purchase of the building. An electrical fire is an example of a condition that causes damage to the property. The fire is a peril. A hazard makes the peril more likely to occur. In our example it would be a hazard if the owner stored gasoline in open containers in the building.

Question
Identify each of the following as an exposure, peril, or hazard:
  A programmer stunned by an electric charge from a computer server.
  A repairman climbing a telephone pole.
  A cup of coffee placed near a personal computer.
  Theft of a smart phone in a department store.
  An ATM password written on a bank credit card.
  An ATM outside a 24-hour McDonald’s.

Answer
Exposures. A repairman climbing a telephone pole and an ATM outside a McDonald’s.
Perils. A programmer stunned by an electric charge and the theft of a smart phone.
Hazards. A cup of coffee near a personal computer and an ATM password written on a bank credit card.

Hazard Categories
The world is filled with hazards. One way to think about them involves four categories:

Physical. A condition of the real world that creates a danger. Such hazards include unsafe conditions that can cause injury, illness and death. Examples include electrical hazards, unguarded electronics, constant loud noise, working from heights, spills on floors, and failures of equipment that cools computers and servers.

Moral. A tendency of a person to lack integrity or be dishonest. A moral hazard can be present any time two parties make an agreement. Each party has the opportunity to gain from acting contrary to the principles laid out by the agreement. In other cases, no agreement is present. A person may damage property, steal assets, commit computer fraud, or perform a wrongful act that causes financial loss to another party.

Behavioral. A tendency of a person to be careless or indifferent to risky circumstances. Examples include carelessness in locking the doors and windows of offices with computing equipment, failing to sign off a computer terminal, and giving system or banking passwords to unauthorized individuals. This is also called a morale hazard.

Legal. In the United States and elsewhere, characteristics of the legal system can increase the frequency or severity of losses. The simple fact that individuals or organizations can file lawsuits can cause financial loss to the parties that are targets of litigation. This has become such a serious problem that legal risk deserves its own category as a hazard.

Interaction of Risk
In a risk management program, one exposure may set off losses of several different kinds. This is known as the interaction of risk.

Question
In violation of company policy, an employee entered a data storage facility at night without permission and had a party with friends. One of the nonemployees stood on a computer accessory and broke it. Another started a small fire that was quickly extinguished after causing serious damage to some equipment. Still another broke into a desk and stole access codes to the system. Three days later, much of the data was wiped off a computer used to store medical data. The information was posted on a website, causing considerable embarrassment to a number of people. One of the victims committed suicide and two others attempted it but failed. The local TV news channel blamed the company for negligence. What are the risks, exposures, perils, and hazards in this situation?

Answer

Risks. These include injury to people, personal risk of individual behavior, damage to property, liability related to behavior, and the possibility of lawsuits.

Exposure. The presence of the facility. Conduct data storage on the cloud and the events would not happen.

Peril. Damage from the careless behavior by standing on equipment and starting a fire.

Hazards. A moral hazard when an employee brings in friends without permission. Behavioral hazards by damaging equipment. Moral hazard by posting information on the Internet.

MAGNITUDE OF INSURABLE RISK
We might conclude our introduction to risk with an overview of the kinds and size of losses that must be covered outside of cyber risk. This will help us understand the level of risk that we face from computer systems, networks, social media, and the Internet.


Hierarchy of Insurable Risk
Insurable risks fit into a pattern of all the risk facing an organization. We can see it as a hierarchy from the broadest to more specific definitions.

Risk. The broadest concept. It covers any possibility of injury, damage, or loss. Some risks are insurable. Some are not.

Pure or Speculative Risk. This is the first subdivision. It separates risk where no gain is possible from risk that has an upside as well as a downside.

Economic or Noneconomic Risk. We divide insurable risk into one category where financial damage can occur and another category where the exposure does not have an economic impact. Only economic risks are insurable.

Insurable or Noninsurable Risk. Not all risks can be transferred via insurance. In a book on insurable risk management, we are not concerned with risks that do not qualify for insurance transfer.

Personal, Property, Liability, and Performance Risk. Within the category of insurable risk, we find a wide variety of exposures that can be considered for transfer.

Levels of Insurable Risk
Some insurable risks are not serious problems for individuals or organizations. An early step in risk identification is to evaluate the potential harm caused by an exposure. One way to assess risks is to assign them to categories, such as:

Minor. Would hurt an operating unit but hardly be noticed throughout the organization.

Significant. Risks that would hurt but not cripple the organization.

Major. Risks that would cause a visible decline in profits and cash flow.

Critical. Serious danger such as would occur with the loss of an important operating unit or the ability to conduct business after a dramatic interruption.

Catastrophic. Organizational devastation from a risk that causes the destruction of the majority of assets accompanied by unbearable financial loss.

Risk Management Levels of Risk
From a risk management perspective, we can use a similar structure of categories. We identify situations where a negative event could develop or has already materialized. What do we do now?

Incident. An occurrence of seemingly minor importance that can lead to serious consequences. A primary goal of risk management is to identify such events.


Emergency. A serious situation when an unexpected incident demands immediate action to avoid an even more damaging development. It requires urgent action or assistance.

Crisis. A time of intense difficulty or danger when an important decision must be made. The quality and speed of reaction determines the turning point for an improved or worse outcome.

Disaster. A point when an incident threatens the survival of the organization. It may be possible to rescue the situation but the entity is not likely to survive or fully recover.

Catastrophe. The final stage of organizational failure to deal with a risk. The organization is destroyed with negative consequences for owners, employees, customers, and even the broader society.

Question
In the United States, the insurance industry has enough money to pay for a single loss up to $200 billion. Insurance companies are concerned about cyber attack on New York. At what dollar level of losses would such an attack be a crisis? At what point would it be major? Critical? Catastrophic?

Answer
Maybe:

Major. $50 billion
Critical. $80 billion
Catastrophic. $100 billion

Question
It is fairly easy to conceive of insurable losses that could not be absorbed by the insurance industry. What is the estimated insured loss from a cyber attack on the electrical grid of the United States?

Answer
Let us hope we never find out. In addition to destroying the electricity structure of the nation, it could damage many billions of dollars of equipment and cause an unknown number of losses of life. It is entirely possible that the financial cost would exceed that of a major terrorist attack. By way of reference, in 2006 the American Academy of Actuaries estimated a terrorist attack on New York City using chemical, biological or radioactive weapons could cost $778 billion in insured losses. That number could be one trillion dollars in 2015.

CYBER RISK
The term cyber may be defined as something that relates to or involves computers, computer systems and networks, or the Internet. It generally precedes another term either as a separate word or prefix. Common usages are cyber attacks, cyber system, cyber marketplace, and cybersecurity.

Cyber risk is the chance of loss connected to electronic systems and technological networks and includes online activities, use of the Internet for data storage, processing, or exchange, or any other uses where electronic technology facilitates the creation, retention, or sharing of strategies, activities, ideas, or communications.

Common Forms of Cyber Risk
Attacks on computer systems take many forms. Among the most common, we can identify:

Data Breach. An incident when sensitive, protected, or confidential data has been viewed, stolen, or used by an individual unauthorized to do so. Most commonly it involves personal health information, personally identifiable information, trade secrets, or intellectual property.

Security Breach. An incident that results in unauthorized access of data, applications, services, networks, or devices by bypassing their underlying security mechanisms.

Hacktivism. The use of computers and computer networks to promote political ends. This behavior is the electronic equivalent of traditional acts of protest, activism, and civil disobedience. Systems are attacked to bring attention to areas such as human rights, ethics, and free speech.

Cyber Crime. A criminal act when a computer is purposely damaged or disabled or when it is used as a tool to commit a criminal offense.

Cyber Business Interruption. An incident that causes losses because a firm cannot operate normally as the result of a cyber disruption to one of its computers, networks, or facilities.

Cyber Extortion. A crime that occurs when a person uses the Internet to demand money or other goods or behavior from another person or organization by threatening to inflict harm to its computers, other assets, networks, people, or reputation.

Cyber Supply Chain Disruption. A major breakdown in the production or distribution components that comprise a supply chain that occurs as the result of the use of computers, networks, or the Internet.

Cyber Espionage. The act of using the Internet to obtain secrets from individuals, competitors, governments, and enemies for personal, economic, political, or military advantage.

Cyber War. A politically-motivated hack to deliberately weaken a country or organization through obstruction, disruption, or destruction. Commonly suggested targets are electric power grids, financial institutions, and nuclear power plants.


Cyber Espionage. The obtaining of government information considered secret or confidential without permission and using that information to politically or economically harm individuals, private organizations, or the government.

RECENT CYBER ATTACKS
The area of insurable cyber risk has grown dramatically along with the advances in computing and communications technology.

Cost of Cyber Crime
Cyber crime is a major financial cost for organizations around the world. As we can see from the list of the top 10 countries in the world, the annual cost of cyber attacks approaches $500 billion.

Annual Cost of Cyber Crime

Country             $ Millions    Percent of World
United States          113,400               23%
China                   63,000               13%
Germany                 62,000               13%
Brazil                   8,100                2%
United Kingdom           4,500                1%
India                    4,200                1%
France                   3,200                1%
Russia                   2,100                0%
Japan                    1,100                0%
Italy                    1,000                0%
Rest of World          230,000               47%
Total                  492,600              100%

Cyber risk is a worldwide problem.

2013 U.S. Cyber Attacks.

Data for Organizations in the United States:

900+ successful data-breach incidents.
200+ million records stolen.
75+ percent of attacks by hacking.
70+ percent used special software (malware).
90+ percent would have easily been stopped with simple controls.


Estimates of Risk Management Issues in Cyber Attacks:

90+ percent of attacks involved servers.
90+ percent were discovered by third parties.
85+ percent took weeks or more to discover.
80+ percent were targets of opportunity, not prior targets identified for attack.

2014 U.S. Cyber Attacks
A list of data breaches, organized by when they became public, includes the following for the calendar year 2014:

Target Stores. From the second-largest discount retailer in the United States, hackers stole the contact information of 70 million customers. The loss included 40 million customer credit and debit card numbers.

Neiman Marcus. From this luxury specialty department store, hackers stole credit card information of 350,000 customers. In the months after the attack, more than 9,000 of the credit cards were used fraudulently to make purchases. The hacking effort was so sophisticated it was not detected for months by company information technology personnel.

Yahoo! Mail. This free e-mail service with 280 million users has been hacked multiple times. Media reports claim that dangerous software was added to individual email accounts and subsequently downloaded into personal computers.

AT&T. An employee hacked the company database, stealing customer information including social security numbers. Apparently the individual, who was subsequently fired, had authorization to access the private data.

eBay. An outside hacker apparently gained access to an eBay employee’s log-in information and was able to access the records of 200 million purchasers of items offered for sale by vendors. eBay advised all users to change their passwords.

P.F. Chang’s. This China Bistro chain lost credit and debit card information centrally stored for the company’s 33 restaurants. Many of the credit cards were then used to make fraudulent purchases.

Home Depot. Credit card information was compromised for roughly 56 million shoppers online and for 2,300 U.S. and Canadian stores.

Google. Five million Gmail usernames and passwords were compromised. 100,000 of them were posted on a Russian public forum website.

Apple iCloud. Hackers accessed Apple users’ online data storage. One outcome was they posted celebrities’ private photos online. After considerable media coverage, it was not clear whether users or Apple were the source of weakness that allowed the attack. The FBI investigated, tracked the source of the attack, and caught the hacker.


Conclusion
An understanding of the risks that are insurable and why they can be transferred is a foundation concept in risk management. The historical concept of risk evolved gradually as people gained new tools in mathematics and probability and the ability to measure and assess exposures. They also prepared themselves to deal with the unexpected. Today we have a fairly complete knowledge of the value of making correct decisions with respect to avoiding, transferring, retaining, and reducing risk.

The exact opposite situation exists for cyber losses. We have little data and few reference points to assess the extent of damage that could occur. We can expect the problems of cyber risk to be a major risk management concern of organizations in the near future.


Chapter 2. Malicious Software, Hacking, and Cybersecurity

MALICIOUS SOFTWARE
Many serious forms of cyber risk involve software that allows hackers to use the Internet to attack information systems. Malicious software refers to a variety of forms of hostile or intrusive software that can take the form of executable code, scripts, or active content. These programs are disguised as or embedded in non-malicious files.

Malware
This term, short for malicious software, is any software designed to be used for computer hacking.

Goal. To disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Intent. The term is limited to software that is purposely designed to cause harm. It does not cover software that causes unintentional harm because of a flaw in the software itself. The term badware covers both malicious software and unintentionally harmful software.

Long Duration. Malware may be stealthy. It hides in a system and steals information or spies on computer users for an extended period without their knowledge.

Short Duration. Malware may be designed to cause immediate harm, causing damage or gaining information that can be exchanged for money.

Viruses
A virus is a common form of malware. The defining characteristic of a virus is that it is a self-replicating computer program that installs itself without user consent.

Goal. To disrupt computer operation, gather sensitive information, cause malfunctioning of software or systems, or achieve some other goal. Specific motivations have included making a profit, sending a political message, personal amusement, and demonstrating that a vulnerability existed in the software.

Malicious Damage. Some viruses steal hard disk space or central processing time, access private information, corrupt data, spam user contacts, or log user keystrokes. Some wipe out all data and render the computer useless.

Annoyance. Some viruses are merely mischievous, displaying political or humorous messages on the user's screen.


Replication. A unique feature of most viruses is that they can replicate themselves into other computer programs, data files, or the operating system of the computer. When replication succeeds, the new area is said to be “infected.”

Targets. Historically, the majority of viruses were designed to attack computers running Microsoft Windows. They employed a variety of mechanisms to infect programs and used sophisticated anti-detection strategies to evade antivirus software.

Economic Cost. Computer viruses cause billions of dollars' worth of economic damage to individuals and organizations who must pay to repair systems that fail, replace corrupt data, incur higher maintenance costs, and purchase antivirus software.

Common Forms of Malware

Rogueware. Software that introduces malware to a computer. It may pop up anywhere on the Internet. A typical application occurs when the user receives a message that the computer is infected. A “vendor” offers or sells a download that claims to erase the virus. Instead, the rogueware installs malware.

Ransomware. Malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction.

Drive-by Download. An incident when software is installed on a computer without the user’s knowledge. It may occur when a user is visiting a website and clicking on a link. It can occur when a person is viewing an e-mail message or clicking on a pop-up window.

Trojan Horse. A standalone malware that resides on a computer without injecting itself into files. It masquerades as a legitimate file or program. It can steal information or harm the host computer.

Rootkit. Malicious software that enables unauthorized access to a computer or its software while hiding in the system disguised as something else. It can provide administrator access and thus can be used to gain information, change programs, or damage the system or hardware.

Backdoor. This malware bypasses the required method of authentication to access a computer system. Essentially, it explores for weaknesses in the security features of hardware and software and then exploits the opening to gain access to the system. Once inside, the malware is installed to allow future access.

Packet Sniffer. An application that intercepts and logs traffic passing over a digital network. A standard tool in network troubleshooting that is also used by hackers to collect data.


Structured Query Language (SQL) Injection. SQL is a programming language for data manipulation and control; it issues queries and inserts, updates, or deletes data in a system. SQL injection abuses this by slipping malicious commands into the queries an application sends to its database, giving an attacker a way into the computer system or network.

Spyware. Software that hides on a system and gathers and transmits information without the knowledge or approval of the system owner.

System Monitor. Tracks usage. It can capture and record keystrokes, mouse clicks, sites visited, and even files that are opened without any data being typed. It is difficult for antivirus software to detect.

Adware. Automatically inserts advertisements on the user screen and analyzes Internet sites visited by the user.

Tracking Cookies. A cookie is a small piece of data sent from a website and stored in a user's web browser while the user is visiting a website. A tracking cookie compiles long-term records of a user’s browsing history and allows a third party to use the information without knowledge of the user.
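The SQL injection entry above describes malicious commands being slipped into a system's queries. The following added example, written for this chapter and not taken from the book, shows the mechanism against a constructed SQLite table: a lookup that builds its query by pasting in user input, beside the parameterized form that treats the same input as plain data.

```python
import sqlite3

# Constructed sample data for this example (not from the book).
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by pasting the input into the SQL text.

    Whatever the caller supplies becomes part of the statement, so input
    that contains quotes and SQL keywords changes what the query means.
    """
    sql = ("SELECT username, email FROM customers WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Sends the SQL and the input separately as a bound parameter.

    The database driver treats the value strictly as data, so the same
    input that subverts lookup_vulnerable simply matches no row here.
    """
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a hostile input."""
    conn = make_db()
    hostile = "x' OR '1'='1"   # the classic textbook injection string
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The vulnerable lookup returns every customer for the hostile input, while the parameterized one returns none, which is the whole difference between the two forms.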

Widely-known Malware

Stuxnet. Attacks the software and equipment of industrial systems. In 2010 it targeted the Siemens system regulating hardware and software in the Iranian nuclear program. The malware destroyed or damaged many centrifuge systems used to enrich uranium to bomb grade.

Flame/Skywiper. Attacks computers running Microsoft Windows. It was identified as the most sophisticated and complex malware in the world in 2012. It stole information from computers in Middle Eastern countries, including one notable attack against Iran’s Ministry of Oil. Flame/Skywiper is quite powerful. It can capture images of computer screens, copy e-mails and instant-message chats, turn on remote microphones, monitor keystrokes and network traffic, and use Bluetooth technology to spread to devices that are not connected to the Internet.

CYBER SCAMS
A computer scam is an effort to fraudulently obtain money or something else of value using the Internet or some related technology. A dishonest individual, group, or company misrepresents itself as another party, generally someone with power, skill, or authority. They ask for money, make requests for help, or otherwise seek to take advantage of an individual or organization.

Phishing
This refers to any effort to acquire sensitive information by pretending to be a trustworthy entity in an electronic communication. The effort pursues usernames, passwords, personal information, credit card details, and money. The communication:

Appears to originate from a trusted social web site, bank, well-known retailer, or organization known to the recipient, but is fake.

Is commonly in the form of an email or instant message.

Displays a link that opens a fake website whose look and feel are almost identical to the legitimate one.

Is set up so clicking on the link infects the computer with malware.

Often also directs the recipient to enter personal details.

Phishing exploits weaknesses of web security technologies and is of great concern to risk managers and insurance companies. Companies make major efforts to deal with phishing incidents. Government and nonprofit entities have programs to promote legislation, user training, and public awareness of its dangers.

Phishing is a negative outcome arising from the freedom and lack of gatekeepers on the Internet. For a sum as small as ten dollars an individual can purchase a Web address that resembles a well-known organization. With minimal web design tools, scammers and phishers can create a website that can be used to harm users of the Internet. Cyber losses are a daily and even hourly reality of modern telecommunications.
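The phishing description above turns on links to a website resembling a well-known organization, often reached through a cheaply bought lookalike web address. As an added example that is not from the book, the following Python script scans a constructed email body, pulls out each link, and flags domains that are not on a trusted list but match one after common digit-for-letter swaps or sit within two character edits of one; the trusted-domain list and the sample message are invented for the example.

```python
import re
from urllib.parse import urlparse

# Domains this organization treats as legitimate (constructed for the example).
TRUSTED_DOMAINS = ("examplebank.com", "example-retailer.com")

# Digit-for-letter swaps commonly used to build lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message for the example; none of the links are real sites.
# The second link hides a lookalike inside a subdomain of an unrelated domain.
SAMPLE_EMAIL = """Your account has been locked for security reasons.
Verify your details at https://examp1ebank.com/login within 24 hours.
Alternatively use https://login.examplebank.com.account-check.net/verify
or the secure portal at https://examplebnak.com/secure
Our help pages remain at https://www.examplebank.com/help
"""


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Keep the last two labels: login.examplebank.com -> examplebank.com.

    A real deployment would consult the public suffix list; two labels are
    enough for the constructed domains used here.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    """Undo common substitutions so examp1ebank.com reads as examplebank.com."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (registrable_domain, verdict): trusted, lookalike or unknown."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in trusted:
        return domain, "trusted"
    for good in trusted:
        # Zero edits after normalization catches digit swaps; up to two edits
        # catches transposed, dropped or added letters.
        if edit_distance(normalize(domain), normalize(good)) <= 2:
            return domain, "lookalike"
    return domain, "unknown"


def scan_message(body, trusted=TRUSTED_DOMAINS):
    """Extract every link from an email body and classify its domain."""
    return [classify_link(u, trusted) for u in URL_RE.findall(body)]


if __name__ == "__main__":
    for domain, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:9s} {domain}")
```

The subdomain trick in the second link is caught because the check uses the registrable domain rather than whatever name appears first in the hostname.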

Identity Theft
Phishing often leads to identity theft, defined in cyber risk as obtaining the personal or financial information of another person to cause financial harm. A hacker or other unauthorized party assumes that person's name or identity to make transactions or purchases. Some colorful identity theft terms are:

Skimming. Using an external device to capture and record credit card magnetic stripe data usually with a goal of creating counterfeit credit and debit cards.

Dumpster Diving. This refers to an effort to steal data from a computer connected to the Internet. The name comes from the generic term for someone looking for treasure in someone else's trash.

Stolen Wallet. A Bitcoin wallet is a software program where Bitcoin balances are stored. Using a password, an owner can use the wallet to store, purchase, or sell Bitcoins. This term refers to hacking that removes Bitcoins from the control of the owner.

Shoulder Surfing. This refers to using direct observation techniques, such as looking over someone's shoulder, to get information. It is a low-tech way to obtain passwords, security codes, and similar data at ATMs and point-of-sale terminals.


Smishing. A variation on phishing in which text messaging is used.

Vishing. Another variation on phishing in which voice messages are used.

Phishing and Cyber Scams
Are there many phishing and cyber scams that can be individually identified?

Answer
Yes. Some examples:

Intimidation Scams
Work-at-Home Scams
Weight Loss Claims
Lotteries and Sweepstakes Scams
Fake Check Scams
Imposter Scams
Mystery Shopper Scams
Bogus Apartment Rentals
Miracle Cures
Debt Relief Scams
Pay-in-Advance Credit Offers
Investment Schemes
The "Nigerian" Email Scam
Online Dating Scams
Money Transfer Scams
Tech Support Scams

What does a cyber scam person do with money once it is received? The answer is to use a “money mule.” In illegal drug trafficking a “mule” is a person who smuggles contraband across a border to reduce the risk of the actual criminals getting caught themselves. A money mule, also called a "smurfer," transfers stolen money electronically. They are often recruited on-line for what they think is legitimate employment and are not aware that the money they are transferring, typically to another country, is an illegal transaction.

Sources of Loss from Identity Theft
Once a thief has successfully stolen a person’s identity, many ways exist to profit from the information. The breakdown:

Source of Loss                                 Percent of Situations
Use of existing credit or debit card                             36%
Tax or unemployment fraud                                        21%
Secure additional credit cards                                   13%
Obtain medical or social security benefits                        6%
Other                                                            24%

Question
Can an individual purchase any tools or services to reduce the possibility of identity theft?

Answer
Yes. As an example, PC Magazine gives high marks to LifeLock, a 24-hour service that monitors bank and credit accounts to identify efforts to misuse someone’s personal information.

Question
How serious is the problem of identity fraud?

Answer
One measure is that some 12-15 million Americans are victims each year, causing $15 to $20 billion in losses to individuals, financial institutions, and retail stores.

Personal Insurance for Identity Theft
An individual can purchase insurance to reimburse financial loss from identity theft. One policy covers:

Lost Wages. Up to a maximum of $1,000 per week for five weeks. It covers absence from employment, including for wrongful incarceration.

Extra Expenses. This reimburses legal and other costs to reverse the negative effects of identity theft. It includes removing wrongful criminal or civil judgments, challenging information in a credit report, and defending lawsuits brought incorrectly by merchants or their collection agencies. It also covers pursuing the release of medical records, contesting wrongfully incurred tax liability, and defending against the wrongful transfer of ownership of personal property.

Discount Health Plan
An email offers you a discount health care plan with an enrollment fee of $59 and a monthly fee of $99. It is accepted by 88 percent of the doctors and dentists in your area. It gives you a discount on medical services of 75 percent off the posted price. Fill out the attached form and send it to request approval. How do you respond?

Answer
This is likely to be a medical discount plan scam. None of the promises may be true except the fees, which will be charged to your credit card if you fill out all the information on the form.


$299 for a Vintage Rolex Watch
A message pops up when you visit a website. It offers you a vintage Rolex watch for $299, guaranteed to keep time to within one second a month. Free shipping if you complete the order form and insert credit card information. Almost immediately the offer disappears and a message reads, “Sorry. Sold. Better luck next time.” In the subsequent days and weeks, the message reappears with different merchandise. About half the time it is followed with a sold message. Then, a great bargain pops up and you have to make a quick decision. Do you make a purchase?

Answer
No. It is probably a phony merchandise scam. The product could be non-existent or it might be counterfeit.

Angler Malware
The Angler Exploit Kit was one of the most effective of several malware families at capturing control of personal computers. It infected 40 percent of those it targeted, typically by sending spoof emails, hacking into websites, or distributing malicious advertisements. Once it gained control of a computer, the ransomware encrypted the user’s files and the screen displayed a message demanding payment to release them. Suppose this happened to a company you manage and the ransom charge is $300. Would you pay it?

Answer
Every company makes this decision on its own. A cybersecurity expert estimated that more than 300,000 computers were infected by Angler. If three percent of infected users paid the ransom averaging $300, the criminals spreading Angler would have made $30 million.

Email from the Federal Reserve Bank (typos not corrected)
A man received the following from the Federal Reserve Bank of New York:

FEDERAL RESERVE BANK OF NEW YORK
33 LIBERTY STREET NEW YORK, NY 10045. USA
NOTIFICATION OF CREDIT.

Urgent Attn:

OFFICIAL NOTICE: this is to notify you that Series of meetings have been held over the past (1) Month now with the Secretary General of the United Nations Organization United State of America, which ended Today been Tuesday Dated 29th of September 2015, It is obvious that you have not received your fund which is now in the amount of $11,000,000.00 USD (Eleven Million United States Dollars) as a compensation award to you, due to past corrupt Governmental Officials who almost held your fund to themselves for their selfish reasons and some individuals who have taken advantage of your fund all in an attempt to swindle your fund which has led to unnecessary delay in the receipt and so many losses from your end.

When the man receives the money by clicking on the link, what should he do to invest it properly?

Answer
Nothing, since he will receive no money. He should, however, take his computer to a service technician to remove the malware that will be installed on his computer.

Email from Kimberly
A man got a nice message from Kimberly ([email protected]):

Hi there,
Me again, just touching base to let you know the education grant that the government owes you to go back to school (worth up to $5,775), is waiting to be claimed.
Please request your paper check or direct deposit below.
This is NOT a joke or scam.
Visit us here to start the two-minute process now.
You are receiving this message because you expressed interest in our daily newsletters If you wish to unsubscribe, go here
637 Hillside St #Paradise Valley AZ 85253 US

The man was 73 years old and had a master’s degree. Should he resume his education? Should he click on either link or contact Kimberly by mail at her Paradise Valley address?

Answer
Whatever other decision he makes, he should not click on either link. The Paradise Valley address does not exist. Whether he should go to school at his age is a personal choice.

Email with Job Offer

Another man got a message from Bertha Fix ([email protected])

You have been presented with a job offer.
Final Response needed by October 8th.
Learn more about this position here
Position Summary
Weekly: Receive $5,000
Hours: Flexible
Available Positons:
– Take Vacation Whenever you like
– Unlimited sick Days.
– No Dress Code
– Make Your Own Hours
If we do not have a response by 7:00pm EST, this position will no longer be available to you.
Give us your response now

Did he accept the job offer for the salary of $5,000 a week, or did he demand more than simply taking vacation whenever he wanted, unlimited sick days, no dress code, and making his own hours?
Answer
What do you think? As long as he did not click on the link.

Another Job Offer

Fortunately, he got a job offer two days later. This time it was from Darryl [email protected]

Regarding Your Job Position Offer
Final Date to Respond: Thu, 08 OCT 2015 8:15:01
If you are a person who thrives in a non-structured and unsupervised environment, Google and facebook have (3) work-from-home opportunities. Please apply here
Salary: $91k per year
Hours: 19 Hours a week
Status: LIMITED (2 spots left)
There are just a few spots left. Set your own hours, no dress code, no supervision - your paycheck comes from Google or facebook
Begin at $91,000 TODAY- Confirm Here If Interested: Job #4657491294500701226 -

The salary dropped from $250,000 a year to $91,000 but maybe that is enough. Plus, now the jobs were from Google and Facebook. Or were they?
Answer
Remember not to click on the link, no matter how many times an email arrives.

Email from Chase Bank

Cyber spam sometimes has random text hidden within HTML content. The hidden text is not visible unless the recipient views the source code of the email. Sometimes, highlighting empty space in the spam message will reveal the hidden text.

The message below was received from an address in Moldova. It contained hidden text, highlighted in red in the original. Why do you think the hidden text has been included?
Answer
It is designed to fool the software that recognizes spam. Many spam filters are configured to detect messages that contain certain words or phrases commonly used by spammers. If these signs of spam add up to a significant percentage of the message, the filter will block the message as spam. Padding the message with hidden, innocuous words lowers that percentage.

From: "Support Chase" <[email protected]>
Subject: Your Account is now limited - Read More #8392
Date: August 17, 2015 at 7:11:51 PM EDT
To: “Addressee Name Removed”
Reply-To: "Support Chase" <[email protected]>

fascist child grade politician comprehensive meanwhile ironically co acheson declared department decade recovering estimated griffin claims expansion changes
Note: This is a service message with information related to your Chase Online account(s).

We apologize for the inconvenience, but we don't recognize the computer you have used to access your Chase Online Accounts the last time you logged in.

voice enlist introduced assisted recovered europe judgments tried debts lodge scenes still being strongly acquire aloof represented redefined

In order to prevent an unauthorized person from accessing your accounts, we have suspended your Chase Online Online service until verification.

All you need to do is to follow the link below and complete our online verification process.
Chase Settings Update

importance ballot declined entertainment committee iron setting supplemental seats negotiation rising eden resounding unprecedented overhaul sea arose further jurisdictions feared redefine building policies risk rich richly executive coal unpalatable heartily reward soils countrymen implementation within demanding ties resources unharmed injured stephen ministry claiming ethel violated angered busy fascist critically disintegrating taking backers busy smoke told outbreak restrictions advocate firm observing when countries mcgilverys leaders ultimately nation assaults secured rolls ohio relocated john turkey rejoined gradual ashamed location past meets couples institute battalion central advise clement implication program tossed exposed market preservation lacked white either agreements unsustainable poorly group distinguished
Make sure your information is correct in the quick and easy verification process. We are sorry for any inconvenience that this might have caused.

© 2015 Online Chase Online & Co.
Your personal information is protected by advanced online technology. For more detailed information, view our Online Privacy Policy. To request in writing: Chase Online Privacy Operations, 451 Florida Street, Fourth Floor, LA2-9376, Baton Rouge, LA 70801
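As an added example (not part of the book), the following Python script scores a constructed message modelled on the one above with a simple keyword-density filter, once counting the hidden filler and once after stripping text that CSS makes invisible. The phishing term list, the 10% threshold and the message itself are assumptions made for the demonstration.

```python
"""Added example (not from the book): scoring a spam message with and
without the hidden filler text that this chapter describes.

The filter is a keyword-density check: the share of words that are common
account-verification phishing terms.  Filler hidden by CSS (white text,
display:none, zero font size) dilutes that share when it is counted, so
the hardened version drops text inside hidden elements before scoring.
The message and the term list are constructed for this example.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed list of terms common in account-verification phishing.
SPAM_TERMS = {"account", "suspended", "verification", "verify", "link",
              "limited", "unauthorized", "click"}

# Inline CSS that makes text invisible to a reader.  Matching pure white is
# a simplification: a real filter compares foreground to the real background.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|color\s*:\s*(#fff\b|#ffffff\b|white\b)", re.I)
WHITE_FONT_COLORS = {"#fff", "#ffffff", "white"}
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}  # never get an end tag


class TextExtractor(HTMLParser):
    """Collects message text; optionally skips text inside hidden elements."""

    def __init__(self, strip_hidden: bool):
        super().__init__()
        self.strip_hidden = strip_hidden
        self.hidden_depth = 0               # > 0 while inside a hidden element
        self.open_hidden: List[bool] = []   # one flag per open element
        self.parts: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        hidden = self.strip_hidden and (
            bool(HIDDEN_STYLE.search(a.get("style", "")))
            or (tag == "font" and a.get("color", "").lower() in WHITE_FONT_COLORS))
        self.open_hidden.append(hidden)
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.open_hidden:
            return
        if self.open_hidden.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.parts.append(data)


def words_in(html: str, strip_hidden: bool) -> List[str]:
    """Lower-case words of the message, with or without hidden elements."""
    parser = TextExtractor(strip_hidden)
    parser.feed(html)
    parser.close()
    return re.findall(r"[a-z]+", " ".join(parser.parts).lower())


def keyword_density(html: str, strip_hidden: bool) -> Tuple[int, int]:
    """Return (spam-term hits, total words) for the message."""
    words = words_in(html, strip_hidden)
    return sum(w in SPAM_TERMS for w in words), len(words)


def is_spam(html: str, strip_hidden: bool, threshold: float = 0.10) -> bool:
    """Flag the message when spam terms make up at least `threshold` of it."""
    hits, total = keyword_density(html, strip_hidden)
    return total > 0 and hits / total >= threshold


# Constructed message modelled on the chapter's example: visible phishing
# text plus three runs of filler hidden by white colour or display:none.
SAMPLE_EMAIL = """<html><body>
<span style="color:#ffffff">fascist child grade politician comprehensive
meanwhile ironically declared department decade recovering estimated claims
expansion</span>
<p>We don't recognize the computer you used to access your account.</p>
<p>We have suspended your online service until verification.</p>
<p>Follow the link below and complete our online verification process.</p>
<font color="#FFFFFF">voice enlist introduced assisted recovered europe
judgments tried debts lodge scenes still being strongly acquire aloof
represented</font>
<div style="display:none">importance ballot declined entertainment committee
iron setting supplemental seats negotiation rising resounding unprecedented
overhaul</div>
<p><a href="#">Account Settings Update</a></p>
</body></html>"""

if __name__ == "__main__":
    for strip in (False, True):
        hits, total = keyword_density(SAMPLE_EMAIL, strip)
        print(f"strip_hidden={strip}: {hits}/{total} spam terms, "
              f"spam={is_spam(SAMPLE_EMAIL, strip)}")
```

With the filler counted the message scores 6 spam terms in 78 words and passes; with hidden elements stripped it scores 6 in 33 and is blocked.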

COMPUTER HACKING

Computer hacking refers to any efforts to modify or alter computer hardware or software to accomplish a goal outside of the creator’s original objective. The term hacker describes individuals who engage in computer hacking activities. Hacking requires an advanced understanding of computer operations, programming, technology, and systems. It always involves some degree of infringement on the privacy or rights of others or causes damage using a computer-based system. This includes intrusion and mischief to personal and other computers or ancillary computer equipment. It covers mischief or harm to software, files, or web pages. It is used to describe a range of actions from a simple invasive procedure to an illegal extraction of confidential or personal information.

The federal Computer Fraud and Abuse Act provides the legal foundation for understanding cyber risk in the United States. It criminalizes misbehavior when computers or information systems are used to harm people or property. It addresses distribution of malicious computer code, denial of service, trafficking in passwords, and other harmful acts. It covers:

Government Information. Revealing classified data or communications that can be used to cause injury to the United States or advantage to any foreign nation.

Financial Records. Revealing personal information covered by the Fair Credit Reporting Act.

Hacker

The New Hacker’s Dictionary offers multiple definitions for a computer hacker as any person who:

Explores the intricacies of programmable systems and how to stretch their capabilities.

Programs computers.

Possesses exceptional skill regarding computer programming.

Maliciously meddles with computers.

Attempts to discover and subsequently tamper with sensitive information using computer-based technologies.

From a cyber risk perspective, only the last three definitions apply.

Cyber Risk Hacking

In the context of cyber risk, a hacker is someone who attempts to exploit weaknesses in a computer system or network. Hackers may be motivated by many factors including profit, protest, challenge, or simple mischief. In some cases, the motivation is positive, as when a hacker uncovers a flaw in a program and alerts the owner to fix the system.

Categories of Hackers

One of the biggest concerns of risk managers deals with a global community of individuals who attack computers. Some hackers are not a major cyber risk concern:

Honest Hacker. An individual not interested in mischief. Commonly, the person has no respect for authority, business, government, laws, property, "suits", grooming, or personal hygiene. The goal is to punish people or organizations that do something bad on the Internet.

White Hat Hacker. A computer security expert who specializes in penetration testing and other methodologies to ensure that a company’s information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers.

Black Hat Hacker. A person who breaks into a network or computer with a goal to cause harm. The goal is to create a computer virus, steal, destroy, or damage data or systems, share confidential information, or achieve another negative impact from the perspective of the system owner or users.

Gray Hat Hacker. This is an individual who once was a harmful hacker but who turned away from malicious hacking and now works as a security consultant to help organizations protect their systems from breaches.

Cracker. Any person who breaks into computer systems to do mischief.


Script Kiddy. An individual who downloads automated hacking tools and launches them against random Internet Protocol (IP) addresses. The goal is to pursue mischief.

Hacktivist. Someone motivated by politics or religion who tries to expose wrongdoing, exact revenge, or simply harass a target organization or audience.

State Sponsored Hacker. A government agency that hacks systems to achieve political, military, or economic objectives. This is a particularly dangerous entity as this hacker has extensive time and funding to target other governments, individuals, and profit and nonprofit organizations.

Spy Hacker. An individual or organization hired by a party to infiltrate the competition and steal trade secrets. As an approach to the effort, the hacker may attack from the outside or pursue employment to gain authorized access to a system.

Cyber Terrorist. Usually motivated by religious or political beliefs, this hacker attempts to create fear and chaos. Goals include disrupting critical infrastructures, destroying internal computer systems, disrupting business operations, creating dangerous conditions, and causing large-scale harm to people and property.

Criminal. This cyber attacker is interested in money. The goal is to steal money, extort payment by threatening to reveal information, or find information that can be used to bribe or harass other parties.

Question
The TalkTalk Group provides pay television, Internet access, and mobile network services to millions of subscribers in the United Kingdom. It had $2.5 billion in sales at a time when it was hacked by someone who broke into its computer system and stole personal data for four million businesses and households. What category of hacker fits this situation? Is the hacker a nonsmoker?
Answer
Black Hat or Criminal comes to mind, especially since the hacker was arrested after sending the company a ransom request to keep the data confidential. We do not know about the smoking. The police did not release the culprit’s name because the hacker was underage. He was described simply as a 15-year-old boy in Northern Ireland.

Ethical Hacking

Most observers of hacking accept ethical hacking as a relatively harmless or even beneficial behavior. This is the case when hackers follow certain unwritten rules:

A belief that information sharing is a powerful exercise.

It is the ethical duty of hackers to share their expertise. They share by creating free software. They facilitate access to information and computing resources.

They perceive cracking into a computer system or programming code as a hobby or fun activity that is ethically acceptable if it involves no vandalism, theft, or breach of confidential information.

Organizations need to understand that many people attach a “Robin Hood” mentality to computer hacking. This occurs when hackers release expensive computer code, music, games, or capabilities to individuals who cannot afford to purchase them.

Hacker Language

Hackers have their own language. An entire vocabulary is used to describe cyber activities. It changes every day. Some terms are:

Zero Day. This is a tool developed by elite hackers. When launched, it is an unknown malware that is shared with close friends. The hacker realizes that antivirus software relies upon “signatures” to identify malware. Although the protective software can be effective, it cannot defend against malware until samples have been obtained and defenses have been developed and distributed to users.

Honeypot. This is a trap set to detect, deflect, or counteract a zero-day attack. Computer security specialists create a site that appears to be part of a network. Although it seems to contain information of value to attackers, it is actually isolated. When attacked, the security personnel learn the signature of the malware and develop software to block it.

Watering Hole. This happens when an attacker targets a particular organization in a three-stage process. The attacker guesses or learns which websites employees access, infects those websites with malware, and waits until a member of the targeted group visits the site and is infected. The malware is then carried back into the target organization.

Honest Hacker Risk

Security personnel have long recognized the dangers from criminal hackers. Now, honest activist hackers have become a major concern. They attack in specific areas including:

Copyrights. They do not like the fact that people have to pay for information or entertainment. They create software that allows downloading of copyrighted and proprietary music, movies, books, and other knowledge.


Censorship. They strongly oppose efforts to restrict free speech. They can be vicious against governments or companies that seek to censor the Internet.

Oppression. They protect each other. They do not like attacks on other honest activist hackers.

Surveillance. They do not want to be known to the public or authorities. They attack agencies or others that try to identify them or collect information about their activities.

An Honest Hacker

Even though most hackers are not seeking publicity, some members have become well known. Dmitry Sklyarov is an example. In 2002 he was a Russian employee of an eBook processor. He got annoyed when Adobe encrypted eBooks, blocking Braille readers. Dmitry built software to break the encryption. He was arrested at the DEFCON conference, was put in jail for three weeks, and was stranded in the United States for six months. Adobe suffered no damage. The company apparently decided that Dmitry’s actions were a good idea.

MALWARE ATTACKS

Although hacker attacks against computers, systems, and networks are an hourly or daily occurrence, some attacks capture the public imagination.

Anonymous

Anonymous is an online community whose members consider themselves to be honest hackers. They apply the Anonymous label to themselves. For the most part, their members are unknown, even as government efforts have located and arrested some of them. The members coordinate their actions toward self-agreed goals. They undertake collaborative “hacktivism” that often starts protests in retaliation for self-perceived bad behavior. The members of Anonymous are a big concern in the world of cyber risk managers.

Anonymous members try to hide their identities but the organizational viewpoint is quite public. The organization has posted a list of warnings.

Anonymous Warnings.

Get Ready for Anonymous
Our community is serious and dangerous. We are the immune system, defenders, and enforcers of the Internet. Ignore Anonymous at your own risk.
Our community is active: We are tech savvy. We have many, many members. We take down companies.
You will see our activities. We troll the Internet. We like pranks against the powerful. We delight in juvenile humor.
We are politically motivated against bad behavior

Mafiaboy Attack

Cyber attacks began a long time ago, at least in terms of Internet years. Michael Calce, at the time a 15-year-old boy, took down Yahoo in 2000. The attack resulted in insurable damage of $1.2 billion. The teenager was punished with a $250 fine, restricted use of the Internet for a period of time, and eight months of time spent in a juvenile detention center.

Sony PlayStation Attack

We already mentioned a Sony attack. It occurred when George Hotz, nicknamed Geohot, objected to the fact that Sony did not allow individuals to create their own games on the Sony PlayStation. In 2011 he developed software that cracked the PlayStation codes and shared his findings. The codes allowed hackers to create their own games on the PlayStation and also to play existing games without paying for them. Sony sued him for an estimated $170 million loss of revenue.

The lawsuit upset many other honest hackers, including members of Anonymous. They launched a disruptive attack on the entire network and brought it down. The outage lasted 24 days. Personal details and other data were compromised from 77 million user accounts. Subsequently, Sony was hit with more than 50 class action lawsuits and the company suffered a loss that exceeded $2 billion. Sony had significant insurance coverage:

Property Damage. This was provided by a Zurich commercial general liability (CGL) policy for tangible losses to property and equipment.

Cyber Endorsements. The company had multiple general liability property insurance policy endorsements for “damage or disruption to electronic data.”

Question
Did George Hotz (Geohot) and Anonymous attack Sony because it had less security than Microsoft or Nintendo?
Answer
Not at all. Geohot initially was trying to do what he considered to be a good thing. When Sony sued him, the company messed with the Internet. The Anonymous message was clear and devastating. Do not mess with Anonymous or the Internet.

Ashley Madison Attack

In 2015, hackers calling themselves "The Impact Team" stole the user data of Ashley Madison and threatened to release users’ names and personal data. Ashley Madison was a commercial website that marketed itself as a way for married adults to have discreet sexual affairs. It had 32 million members. The attack was particularly noteworthy on several counts.

Embarrassment to Members. With a goal to have liaisons outside of marriage, the release of names could be personally and professionally embarrassing. It could harm relationships with employers, customers, and family members.

Financial Cost to Members. The site contained full names, home addresses, and credit card transactions. This data could facilitate identity theft.

Financial Cost to Ashley Madison. In addition to extra expenses, the company could lose members who no longer trusted the security of their data.

The attack group demanded Ashley Madison shut down its site. When the company refused, it had to deal with a variety of legal liability issues:

Celebrities. Considerable activity occurred as individuals and organizations searched for famous persons who could be publicly harassed.

Serious Personal Damage. Criminals searched for individual names of people in categories where someone might pay a bribe to avoid disclosure. As an example, many Saudi Arabian email addresses were compromised. Adultery is a crime in Saudi Arabia. Many email addresses were from military or government sites. These individuals could be punished for misusing government equipment or facilities.

One tongue-in-cheek report suggested the Ashley Madison hack actually created jobs. Individuals developed software or offered services so a person could enter the name of a spouse, family member, colleague, or enemy at work and learn whether the person was a member. That information could be used to extort money or confirm the intent of adultery. A failure of the effort, of course, would result in jail time for the extortionist.

Unfortunate though it was, the Ashley Madison attack gave risk managers insights into the degree of cyber risk that arises from a hacking event. Analysis showed:


Female Accounts. These were hardly used. Of some 6 million such accounts less than one percent were ever used.

Male Accounts. They were used more often but rarely received replies when they queried females.

Heavy Male, Light Female Participation. Males checked their accounts frequently while females checked rarely. Hardly any females replied to messages. Almost all men replied.

Fake Accounts. Many accounts used duplicate Internet Protocol addresses. The IP address is the way the Internet identifies a computer. This means many accounts led back to the same person hiding under different user names.

Fake Female Accounts. Many of these existed indicating the presence of individuals who might be trying to obtain money from males.

As might be expected with the loss of sensitive data and an invasion of privacy, a class-action lawsuit was quickly announced.

Damage to Clients. A law firm recruited plaintiffs to join the lawsuit alleging a failure to keep the promise to secure personal data.

False Claims. The firm also sought plaintiffs who previously cancelled their accounts. Many such users paid a fee to have their data deleted. This did not happen and personal and credit card information was stolen from individuals with closed accounts.

Arab Spring

Members of Anonymous also showed their political power in 2011 with their participation in events in Tunisia and Egypt. The role of activists alerted companies and organizations around the world to a new set of cyber risks. The events were:

Tunisia. A street vendor was highly frustrated by corruption in the Tunisian government and local police force. After police arrested him, beat him up, and seized his cart, he set himself on fire as a protest against the confiscation of his wares and the harassment and humiliation inflicted on him by a municipal official and her aides. Riots broke out. Subsequently, rumors began to circulate that the Tunisian government was censoring the Internet. Anonymous attacked. Members sent software to help people avoid censorship and to use the Internet and cell phones to attack corruption. The anger and violence became so intense that it brought down the government.

Egypt Day of Revolt. Shortly after the start of riots in Tunisia, similar protests began in Egypt. After three people were killed, the Egyptian government took steps to eliminate the nation's Internet access as part of an effort to inhibit the protesters' ability to organize. Anonymous attacked, taking down the websites of the Egyptian Ministry of Information and others. Subsequently, the government fell, aided by the Anonymous participation in the protests.

Footnote. After the Anonymous attack, Internet access was restored in Egypt. As a result of the Anonymous attack, the government was not able to restore its own websites. At that time, an Anonymous member gloated on Twitter in a brief message:

"Welcome back to the Internet, Egypt. Well, except for http://www.moiegypt.gov.eg. You stay down. You stay down."

Damage from Cyber Attacks

The extent of hacking efforts is widespread and the damage done is significant across a wide spectrum. In a recent year:
• 855 successful data-breach incidents.
• 174 million records stolen.
• 81% of attacks by hacking.
• 69% used special software (malware).
• 94% of attacks involved servers.
• 92% were discovered by third parties.
• 85% took weeks or more to discover.
• 79% were targets of opportunity, not prior targets identified for attack.

Question
Is the recovery from a cyber attack on a computer system expensive for a company?
Answer
Sony’s losses indicate the answer is yes. Other estimates of the cost of cyber attacks for 2012 include:

$1.2 billion. This is the annual payment for cyber insurance premiums.

$8 million. This is the average cost of a data breach.

$200. This is the cost per compromised data record. It is not clear how this number was reached. A 2014 estimate for the attack on Target put the cost at $5 per record.

Bankruptcy. This is the outcome for many companies that suffered a loss of their intellectual property.

AUTHORIZED USER ATTACKS


In addition to external hackers, organizations face attacks from individuals who have permission to access the computer system. Some of those are the largest and most costly to the organizations involved.

WikiLeaks 2010 Leak

WikiLeaks, an international, online, non-profit organization, publishes secret information, news leaks, and classified media. It collects the information from hackers and other anonymous sources. The group has released a number of significant documents that have become front-page news items.

In 2010, WikiLeaks released 250,000 cables sent between 2006 and 2010 from the U.S. State Department and U.S. embassies and consulates. It was the largest set of confidential documents ever released into the public domain. The cables showed U.S. spying on allies and the United Nations. They also showed the government lobbying for U.S. corporations and secret deals with various countries. Perhaps most damaging were documents showing confidential government actions ignoring corruption and human rights abuses. Those documents showed the government lied to the U.S. people.

Two individuals will long be remembered for their impact on the Internet when it was in its infancy.

Julian Assange. This Australian computer programmer, publisher, and journalist co-founded WikiLeaks in 2006 after an earlier career in hacking and programming. In 1987, he formed an ethical hacking group called the International Subversives. He hacked into the computer systems of the U.S. Department of Defense, NASA, Citibank, Panasonic, Xerox, and Stanford University. He was arrested, convicted, paid a $1,300 fine, and was released on good behavior. He avoided a longer jail term because the court did not perceive malicious or mercenary intent. He was pursued after releasing the 2010 documents and was granted political asylum by Ecuador.

Bradley Manning. This U.S. Army soldier was an intelligence analyst with access to classified databases. In 2010, he leaked to WikiLeaks 750,000 classified or sensitive military and diplomatic documents. He was caught and received a long-term prison sentence. Aside from these events, he was later diagnosed with gender identity disorder and became a transgender woman.

Question
The WikiLeaks ability to obtain classified documents from the U.S. government shows a weakness in security systems. It appears to be almost a total collapse of safeguards. How do you think a risk manager should react to such an incident?
Answer
WikiLeaks increased the level of caution that already was a characteristic of risk managers facing cyber exposures. The release of data did not happen because of a failure of the technology. Instead, Army Specialist Bradley Manning illegally downloaded hundreds of thousands of secret diplomatic cables to unsecured computer equipment. He had access as a result of being an administrative assistant to a high-ranking government official. We can only wonder about the financial cost of a similar leak by a large business or nonprofit organization.

National Security Agency (NSA) Leaks

In 2013, Edward Snowden leaked hundreds of thousands of classified documents from NSA and Department of Defense computer systems. Snowden, an American computer professional, government contractor, and former CIA employee, had a security clearance and access to the records as part of his job with Booz Allen Hamilton. He distributed the documents to individual journalists and major international publications including Der Spiegel and The New York Times.

The information from Snowden revealed numerous global surveillance programs run by the NSA and other agencies that were not previously disclosed to the public and may have been illegal under U.S. law. As a result of controversy over government behavior, people disagree sharply over his action. He has been called a traitor, a patriot, a hero, a whistleblower, and a dissident. He fled the United States as the incident was uncovered and took refuge in Russia.

Certegy Check Services

This company gives us another example of a hack by an authorized user of a system. William Sullivan, an employee working for Certegy, stole 3.2 million customer records with credit card, banking, and personal information. He sold the records to marketing firms. He and his company were named in a class action lawsuit charging CCS with negligence. The suit was settled for up to $20,000 per person for unreimbursed identity theft losses.

CYBERSECURITY

Cybersecurity refers to the measures taken to protect a computer or computer system against unauthorized access or attack. Its goal is to manage the many exposures inherent in the environment largely focused around the Internet. It covers the totality of an organization’s transmitted and stored information, including connected computing devices, infrastructure, applications, services, and telecommunications. It has specific objectives:

Data Integrity. Maintaining and assuring the accuracy and consistency of data over its entire life-cycle. It is a critical aspect of the design, implementation, and usage of an electronic system that stores, processes, or retrieves data. Data integrity is the opposite of data corruption.

System Integrity. An electronic system that operates without deliberate or accidental unauthorized manipulation. The goal is total assurance that an IT system is useful, accurate, and reliable.

Availability. The system and its data are accessible for immediate use for their intended purpose. This means the hardware, software, and network are all functioning as designed whenever an authorized user seeks access and unauthorized users are denied entry.

Confidentiality. Restricting outsiders from gaining entry into a system and its data. The goal is to ensure that usage is confined to authorized users only.

Cybersecurity pursues its objectives by taking specific actions:

Safeguard Assets. Take efforts to protect information and communications systems from theft or damage to the hardware and software and the information on them.

Implement Controls. Create and implement tools to restrict or restrain efforts to gain unauthorized physical or electronic access to hardware, software, and systems.

Block Disruption. Stop or minimize interruption or misdirection of the services provided by computer networks.

Resist Misbehavior. Block harm from network access, data and code injection, and intentional or accidental malpractice by operators.

Enforce Security Policies. Halt actions in violation of secure procedures established to protect the cyber environment of an organization and its assets.

Antivirus Software and Data Mining

This refers to any software that prevents, detects, and removes malicious software. If malware is able to bypass the firewall, the next line of defense usually involves software searching for malicious software. Data mining is a process used to turn raw data into useful information. Antivirus software uses the technique to look for patterns in large batches of code. Common data-mining forms of detection and removal are:

Signature-based Detection. Every virus has a unique string of bits known as its signature. This binary pattern is like a fingerprint: it can be used to detect and identify a known virus. Antivirus software scans for the presence of malware by comparing the contents of a file to the signatures of previously recognized viruses. This is the most common method for detecting and removing malware.

Heuristic-based Detection. A heuristic approach uses an experimental or trial-and-error approach to problem solving. Previously unknown viruses lack recognizable signatures and thus must be found for the first time. Heuristic approaches seek to detect malware based on characteristics previously associated with known malware.

Behavioral-based Detection. This approach is used after a system has been infected and the malware is causing damage. Security personnel assess what is happening and search for the malicious code. They use a combination of signature-based and heuristic-based tools to find and remove the infection.

Sandbox Detection. This approach isolates suspect code on a separate platform where it cannot affect other programs or software. The code is then executed and its behavior observed in the presence of antivirus software. When misbehavior is identified, the malware has been detected. Efforts are then made to destroy it. This technique is quite effective but is not always easy to use.
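The signature-based and heuristic methods above, shown together as an added example that is not part of the book: a signature check (an exact-sample hash and a byte pattern) runs first because it is cheap and precise, and a weighted heuristic score is applied only to files with no signature match. The signature database, the heuristic indicators and their weights, and the sample files are all constructed for illustration; none of the samples is real malware.

```python
"""Signature-based and heuristic scanning over constructed sample files.
Added example, not from the book. The signature database, the heuristic
indicators, and the sample files are all constructed for illustration; none
of the samples is real malware."""
import hashlib
import math
import re

# Constructed signature database in the two usual forms: a byte pattern that
# survives small edits to a sample, and the SHA-256 of an exact known sample.
KNOWN_PATTERNS = {"Example.Dropper.A": rb"EXAMPLE-DROPPER-MARKER-\d{4}"}
CATALOGUED_SAMPLE = b"exact copy of a previously catalogued sample"
KNOWN_HASHES = {hashlib.sha256(CATALOGUED_SAMPLE).hexdigest(): "Example.Worm.B"}

# Heuristic indicators: characteristics previously associated with known
# malware, each with a constructed weight. A file is flagged when the
# weights it accumulates reach the threshold.
WEIGHTS = {"high_entropy_body": 2, "autorun_persistence": 1, "beacon_pattern": 1}
THRESHOLD = 3


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes):
    """Return the name of the matching known sample, or None."""
    name = KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for name, pattern in KNOWN_PATTERNS.items():
        if re.search(pattern, data):
            return name
    return None


def heuristic_scan(data: bytes):
    """Return (score, indicators) for a file with no signature match."""
    text = data.lower()
    hits = []
    if shannon_entropy(data) > 7.0:            # body looks packed or encrypted
        hits.append("high_entropy_body")
    if b"currentversion\\run" in text:         # registers itself to run at login
        hits.append("autorun_persistence")
    if re.search(rb"connect\([^)]*:\d{2,5}\)", text) and b"sleep(" in text:
        hits.append("beacon_pattern")          # hard-coded endpoint plus a timer
    return sum(WEIGHTS[h] for h in hits), hits


def scan_file(data: bytes) -> dict:
    """Cheap, precise signature check first; heuristics only for unknowns."""
    sig = signature_scan(data)
    if sig:
        return {"verdict": "malicious", "method": "signature", "detail": sig}
    score, hits = heuristic_scan(data)
    if score >= THRESHOLD:
        return {"verdict": "suspicious", "method": "heuristic", "detail": hits}
    return {"verdict": "clean", "method": None, "detail": None}


# Constructed sample files: a plain document, an exact copy of a catalogued
# sample, a lightly edited variant, and an unknown file with several indicators.
SAMPLE_FILES = {
    "report.txt": b"Quarterly report. Nothing unusual here.",
    "catalogued.bin": CATALOGUED_SAMPLE,
    "variant.bin": b"header EXAMPLE-DROPPER-MARKER-2017 trailer",
    "unknown.bin": bytes(range(256)) * 4
        + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
        + b"connect(198.51.100.7:443) sleep(60)",
}


def scan_all(files=SAMPLE_FILES) -> dict:
    """Scan every sample and return the verdict per file name."""
    return {name: scan_file(data) for name, data in files.items()}
```

The hash signature misses the edited variant while the byte pattern still catches it, and the unknown file is reported only as suspicious, with the indicators listed so an analyst can judge the heuristic verdict; that is the trade-off between the precise signature method and the heuristic method the text describes.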

Detection of Malware

Security personnel use a variety of detection methods to identify malware:

System Comparison. Compare a trusted copy of the operating system with the one that may be infected. The differences can be malware.

Abnormal Behavior. Test the system for the responses we expect and follow up when different results are returned.

Signature Matching. Once malware has been identified anywhere, it can be recognized on other systems because it carries a unique signature.

Data Mining. This method searches large amounts of data to find consistent patterns that appear in malware.
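The System Comparison method listed above, combined with the Data Integrity objective from the start of this section, as an added example that is not part of the book: a trusted baseline of file hashes is recorded, sealed with an HMAC so that anyone who reaches the baseline cannot silently edit it to hide a change, and then compared with a possibly infected system. The file trees, paths, and key are constructed.

```python
"""System comparison against a sealed baseline of file hashes.
Added example, not from the book; the file trees, paths, and key below are
constructed for illustration."""
import hashlib
import hmac
import json


def build_manifest(files: dict) -> dict:
    """Record the SHA-256 of every file (path -> contents) on a system."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC so that a later edit to the baseline record is detectable."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_seal(sealed: dict, key: bytes) -> bool:
    """Constant-time check that the baseline has not been altered."""
    body = json.dumps(sealed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def compare_to_baseline(sealed: dict, key: bytes, current_files: dict) -> dict:
    """Refuse an unverified baseline; otherwise classify every difference."""
    if not verify_seal(sealed, key):
        raise ValueError("baseline manifest failed its integrity check")
    baseline = sealed["manifest"]
    current = build_manifest(current_files)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


# Constructed file trees: the trusted system and the suspect system, in which
# one program has been altered, one library is missing, and a new file appeared.
TRUSTED = {
    "/bin/ls": b"ls program, version 1",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/usr/lib/libc.so": b"c library",
}
SUSPECT = {
    "/bin/ls": b"ls program, version 1, plus something that was not there before",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/tmp/.hidden": b"contents of unknown origin",
}
KEY = b"constructed-demo-key-kept-off-the-monitored-host"


def demo() -> dict:
    """Seal the trusted baseline and diff the suspect system against it."""
    sealed = seal_manifest(build_manifest(TRUSTED), KEY)
    return compare_to_baseline(sealed, KEY, SUSPECT)


def tampered_demo() -> bool:
    """Someone edits the baseline so the altered /bin/ls looks expected."""
    sealed = seal_manifest(build_manifest(TRUSTED), KEY)
    sealed["manifest"]["/bin/ls"] = hashlib.sha256(SUSPECT["/bin/ls"]).hexdigest()
    return verify_seal(sealed, KEY)   # False: the seal no longer matches
```

The comparison is only as trustworthy as the baseline and the environment it runs in: the key and the sealed manifest belong on media the monitored host cannot write, and the scan should run from trusted media, which is the point of the "trusted operating system" in the text.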

Firewall

This is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet. Three forms:

Network Firewall. Software on general purpose hardware that filters traffic between two or more networks.

Host-based Firewall. Controls network traffic in and out of a single machine.

Router-based Firewall. Controls traffic that passes through it.
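The "predetermined security rules" that all three forms of firewall apply, as an added example that is not part of the book: an ordered rule set is evaluated first-match-wins with a default of deny, and a small audit finds rules that can never fire because an earlier, broader rule covers them, which is the most common way a misordered rule set silently opens a hole. The addresses come from the documentation ranges and the rule sets are constructed.

```python
"""Rule-based packet filtering with first-match semantics and a rule audit.
Added example, not from the book; the addresses are documentation ranges
and both rule sets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (entering the protected network) or "out"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.direction == pkt.direction
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and rule.proto in ("any", pkt.proto)
        and rule.dport in (None, pkt.dport)
    )


def decide(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would already match `outer`."""
    return (
        outer.direction == inner.direction
        and ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.dport in (None, inner.dport)
    )


def shadowed_rules(rules) -> list:
    """Audit: rules that can never fire because an earlier rule covers them."""
    return [later for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# Constructed perimeter policy for a server network 203.0.113.0/24 with a
# public web server at 203.0.113.10 and a management network 192.0.2.0/24.
PERIMETER_RULES = [
    Rule("allow", "in",  "0.0.0.0/0",      "203.0.113.10/32", "tcp", 443),  # HTTPS to the web server only
    Rule("allow", "in",  "192.0.2.0/24",   "203.0.113.0/24",  "tcp", 22),   # SSH only from management
    Rule("allow", "out", "203.0.113.0/24", "0.0.0.0/0",       "tcp", 443),  # servers may fetch over HTTPS
    Rule("allow", "out", "203.0.113.0/24", "0.0.0.0/0",       "udp", 53),   # and resolve names
]   # everything else, in either direction, hits the default deny

# Constructed misordered policy: the broad allow comes first, so the
# specific deny of telnet below it is dead and telnet is in fact permitted.
MISORDERED_RULES = [
    Rule("allow", "in", "0.0.0.0/0", "203.0.113.0/24", "any", None),
    Rule("deny",  "in", "0.0.0.0/0", "203.0.113.0/24", "tcp", 23),
]
```

The same decision logic serves all three forms: a network firewall evaluates it for traffic between networks, a host-based firewall with `dst` narrowed to the one machine, a router for whatever passes through it. The audit is worth running whenever a rule is added, because `decide` alone will never tell you that the telnet deny in the misordered set is unreachable.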

Defense-in-depth Strategy

This is a system of information security in which antivirus software seeks and removes malware as it moves across the components of an information system. The strategy is to have antivirus software searching at each layer:

Data. A virus can be hidden in a file that is transmitted; when a computer opens an infected file, the malware is carried inside it.

Application. The software that processes the file can be infected.

Host. The computer containing the file or application can have a virus.

Network. The transmission system can be infected.

Intrusion Detection and Prevention

This refers to strategies to deal with computer viruses by identifying and blocking them. Three key terms:

Intrusion Detection. The process of monitoring events in a computer system or network and analyzing them for hacking efforts.

Intrusion Detection System (IDS). Software that identifies unwanted and malicious activities.

Intrusion Prevention System (IPS). Software that identifies and stops malicious activities.

Once discovered, the malware can be removed. This may be easier said than done. In many cases a combination of detection methods is used. Even then, removal does not always work. As an example, eliminating rootkit software can be extremely difficult or even impossible. A user may have to reinstall the operating system or replace the hardware.

Cybersecurity Considerations

Efforts to deal with the threats of Internet attacks must recognize the modern nature of computer hacking.

Hackers respect technology but they do not like lawyers. An organization needs to think twice before sending out the lawyers.

When a problem surfaces that can attract social media attention, fix the problem. Do not attack.

Never threaten anyone publicly, particularly an individual or other party that would appear weak in an Internet posting. Nobody likes Goliath.

Ignore Anonymous. Do not stir up its members. Remember the Streisand effect. It refers to the 2003 efforts by American entertainer Barbra Streisand to suppress pictures of her home that appeared on the Internet. Once information reaches the Internet, any attempt to suppress it has the unintended consequence of publicizing it more widely. Once it is online, you cannot remove it.

Do not engage in censorship or surveillance. Do not give customer data to the government. Include the information system staff in risk discussions.

Conclusion

Hackers are visibly active, their numbers are growing, and so is the threat of loss as a result of cyber attacks. The individuals who attack computer systems may be external to the organization or they may be authorized users. In many cases external parties find ways to assume the identity of employees, customers, vendors, or other parties with access to a system. Once hackers gain access they can do irreparable damage. This is a serious situation for most for-profit businesses, nonprofits, and government agencies.

When we are dealing with cyber risk, organizations need to be careful not to upset people on the Internet. Are hacking, theft, and embarrassment bad? From a risk management perspective, it does not matter. This is the world we live in. An organization’s actions on the Internet can hurt it. Companies must rethink how they use their legal team and public relations messages. Unpopular actions can produce retaliation.

Having said this, risk management behaviors do not guarantee success against hacking. Exposures to information systems and data security breaches have increased dramatically with the growth of technology. Insurance can protect against catastrophic loss. At the same time, insurers are in the early stages of developing cyber risk insurance. Underwriters will consider an organization’s risk management activities and design products that are a mixture of risk management and risk transfer.

Appendix 2. Red Flags in Identity Theft

A “red flag” is a specific action or pattern of practice that can indicate the possibility of identity theft. Red flags arise at organizations that maintain personal and sensitive data as part of their business activities. Some considerations:

Risk Factors. Different types of business confront different kinds of risk. As an example, the relevant red flags differ among deposit accounts, retirement accounts, credit accounts, consumer accounts, and employee accounts.

Sources of Red Flags. The indicators of hacker activity also vary by changes in technology and criminal innovation.

To protect against identity theft, an organization should be aware of warning signs to include in its efforts to protect sensitive information. In the context of the specific business environment, some categories of red flags can be identified.

Warnings from Credit Reporting Companies. These include:
• A fraud alert on a credit report.
• A notice of credit freeze in response to a request for a credit report.
• A notice of address discrepancy.
• A credit report pattern inconsistent with the person’s history.

Suspicious Documents. Documents can offer hints of identity theft: identification appears to be altered or forged; a person presenting the identification doesn’t look like the photo or match the physical description; information on the identification does not match a signature card or what the person presenting it is explaining.

Personal Identifying Information. This can present questions about identity.

Inconsistencies. An address does not match the credit report. A Social Security number is listed on the Social Security Administration Death Master File. An address, phone number, or other personal information already used on a fraudulent account.

Counterfeit or Fake Information. A false address. An invalid phone number.

Incomplete Application. A person omits required information on an application and doesn’t respond to notices that the application is incomplete.

Failure to Authenticate. An application lacks a password. An applicant gives a wrong answer to a challenge question.

Account Activity. The apparent behavior of an account owner can raise signs of identity theft:

Subsequent Request. Shortly after notification of a change of address, a new request asks for new or additional credit cards or seeks to add a user to the account.

Fraud-like Behavior. A customer fails to make the first payment after receiving a loan or buying a product requiring multiple payments. The available credit is used for cash advances or for items easily convertible to cash such as jewelry or electronics.

Unusual Behavior. A large increase in the use of available credit. A major change in buying or spending patterns or electronic fund transfers. A sudden use of an inactive account. Mail sent to a customer is returned as undeliverable. Information about unauthorized charges on an account.

Specific Notifications. A customer or a victim of identity theft reports an account that has been opened or used fraudulently. A law enforcement authority warns about suspicious activity.
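The red flags listed in this appendix, both the application-time indicators (credit report warnings, personal identifying information, failure to authenticate) and the account activity indicators above, written as checks an institution's review system could run, as an added example that is not part of the book. Every SSN, address, date, and event below is made up, and the two reference sets stand in for the Social Security Administration's Death Master File and the institution's own record of addresses seen on fraudulent accounts.

```python
"""Identity-theft red-flag rules over constructed applicant and account data.
Added example, not part of the book; every identifier, address, and event is
made up, and the reference sets are stand-ins for real ones."""
from datetime import date, timedelta

# Constructed stand-ins for external and internal reference data.
DEATH_MASTER_FILE = {"900-00-0001"}
FRAUD_ADDRESSES = {"12 example lane, anytown"}
REQUIRED_FIELDS = ("name", "ssn", "address", "phone")
ADDRESS_CHANGE_WINDOW = timedelta(days=30)   # "shortly after" a change of address


def application_flags(app: dict, credit_report: dict) -> list:
    """Red flags visible when an application and its credit report arrive."""
    flags = []
    if credit_report.get("fraud_alert"):
        flags.append("FRAUD_ALERT")
    if credit_report.get("credit_freeze"):
        flags.append("CREDIT_FREEZE")
    if app.get("address") and credit_report.get("address") \
            and app["address"] != credit_report["address"]:
        flags.append("ADDRESS_DISCREPANCY")
    if app.get("ssn") in DEATH_MASTER_FILE:
        flags.append("SSN_ON_DEATH_MASTER_FILE")
    if app.get("address") in FRAUD_ADDRESSES:
        flags.append("ADDRESS_USED_IN_FRAUD")
    missing = [f for f in REQUIRED_FIELDS if not app.get(f)]
    if missing and not app.get("answered_incomplete_notice", False):
        flags.append("INCOMPLETE_APPLICATION")
    if app.get("challenge_passed") is False:
        flags.append("FAILED_CHALLENGE_QUESTION")
    return flags


def account_activity_flags(events: list) -> list:
    """Red flags in an account timeline given as (date, event_type) pairs."""
    flags = []
    last_address_change = None
    for when, kind in sorted(events):
        if kind == "address_change":
            last_address_change = when
        elif kind in ("new_card_request", "add_authorized_user"):
            if last_address_change and when - last_address_change <= ADDRESS_CHANGE_WINDOW:
                flags.append("REQUEST_SOON_AFTER_ADDRESS_CHANGE")
        elif kind == "first_payment_missed":
            flags.append("FIRST_PAYMENT_MISSED")
        elif kind == "mail_returned_undeliverable":
            flags.append("MAIL_RETURNED")
        elif kind == "inactive_account_used":
            flags.append("INACTIVE_ACCOUNT_USED")
        elif kind == "customer_reports_fraud":
            flags.append("VICTIM_NOTIFICATION")
    return flags


def review(app: dict, credit_report: dict, events: list) -> dict:
    """Combine both rule sets for one customer record."""
    return {"application": application_flags(app, credit_report),
            "activity": account_activity_flags(events)}


# Constructed cases: one suspect record and one clean record.
SUSPECT_APPLICATION = {"name": "A. Person", "ssn": "900-00-0001",
                       "address": "12 example lane, anytown", "phone": "",
                       "answered_incomplete_notice": False, "challenge_passed": False}
SUSPECT_REPORT = {"fraud_alert": True, "credit_freeze": False,
                  "address": "7 other road, elsewhere"}
SUSPECT_EVENTS = [(date(2017, 3, 1), "address_change"),
                  (date(2017, 3, 12), "new_card_request"),
                  (date(2017, 4, 30), "first_payment_missed")]

CLEAN_APPLICATION = {"name": "B. Person", "ssn": "900-00-0002",
                     "address": "3 quiet street, anytown", "phone": "555-0100",
                     "challenge_passed": True}
CLEAN_REPORT = {"fraud_alert": False, "credit_freeze": False,
                "address": "3 quiet street, anytown"}
CLEAN_EVENTS = [(date(2017, 3, 1), "address_change"),
                (date(2017, 6, 15), "new_card_request")]   # well outside the window
```

A flag is a reason for a person to look, not a verdict: the clean record shows why the address-change rule needs a window, since a card request months after a legitimate move is ordinary behavior.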

Chapter 3. Business Cyber Risk.

CYBER RISK IN ORGANIZATIONS

Business cyber risk refers to the possibility of loss from any source that involves a failure of information technology devices or systems. Areas of the exposure:

Information Technology (IT). The application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data.

The Internet. A familiar telecommunications structure that allows computers and other devices to exchange data and information among linked devices using either cable or wireless connections.

The Internet of Things. Any network of physical devices or objects structured with electronics, software, or sensors, and network connections designed to perform specific communications or other functions.

Data Storage on the Cloud. A whole new layer of risk arises from the storage and processing of data in a global system of servers. This is one of the most important exposures to consider in any program of cyber risk management.

Business cyber risk is a tangible or intangible insurable and non-insurable exposure that arises from information technology, the Internet, or the Internet of Things. It focuses on equipment and systems that support business operations. This includes the delivery of business products or services and management of the entity’s records, reports, and communications. It includes:

Information Loss. Stolen social security numbers, health care records, or user passwords.

Physical Assets. Cyber attacks from remote locations can damage or destroy machinery and equipment.

Financial Loss. This includes stolen bank account or credit card numbers.

Operational Loss. Examples are external attacks that shut down, alter, or destroy operations or damage business support systems.

Cyber Attack Areas of Vulnerability

Cyber risk spans the waterfront of risk management and insurance, creating losses in four areas:

Physical Damage. A variety of perils to hardware, facilities, transmission towers and lines, satellites, and related tangible property.

Intangible Damage. Financial damage restoring or replacing software, lost data, failed communications, hacked operating systems, and other vulnerable components of systems.

Business Interruption. Loss of hardware or intangible components of systems that affects the ability to conduct operations.

Liability Exposure. This may be the largest risk of all. With interconnected networks and near-total reliance on technology for the conduct of operations, organizations face massive lawsuits.

Physical Damage

Physical damage to tangible property includes:

General Property Damage. Computers and communications facilities and equipment can be damaged by fire, floods, hurricanes, and other perils.

Physical Disturbance. With high levels of complexity, sophistication, and miniaturization, technological equipment is exposed to a variety of dangers from accidental or intentional misuse or breakage. One component can take down an entire network or system and cause widespread destruction.

Power Surges. Everything requires power. In some cases, a system needs a surprisingly large source of electricity. The risk is a double-edged sword. Too little energy can collapse a system, shut it down, or cause it to malfunction. Power surges can burn out sensitive components and even destroy total systems.

Human Errors, Bad Design, or Malicious Behavior. We build technology with fail-safe mechanisms but we can never be sure that all contingencies are covered. People make mistakes. Systems designers fail to consider all possible risks. Hackers are a constant worry.

Intangible Damage

Sources of intangible damage:

• User Error. As with physical damage, people make mistakes. Through accident or carelessness, people can cause data to be lost, stolen, or damaged.

• Viruses. A harmful computer program that can replicate itself and spread to other computers. Also called a “worm.”

• Malicious Software. Gains access to private computer systems, disrupts computer operation, and gathers sensitive information.

Business Interruption

Financial loss when assets and systems are not available to support business.

• Lost Profits. Profits that would have been earned.

• Fixed Costs. Operating costs that cannot be reduced.

• Extra Expenses. Costs needed to allow the business to continue operation while the assets and systems are being repaired.

Bay Area Rapid Transportation (BART)

In January 2009, a BART police officer shot a man. The event in San Francisco was captured on digital video and cell phone cameras. Photos and videos were disseminated to websites and media outlets where they were widely viewed. The situation produced protests, riots, looting, and arson.

In 2011, another BART policeman shot a knife wielding drunken man on a subway platform. This sparked more protests on BART platforms. As a result, BART turned off cell phone towers to stop phone calls on its platforms and other property. According to BART, the move was taken to protect public safety. Anonymous went crazy at this attempt to interfere with the Internet. Anonymous announced trouble was ahead for the agency. Then it launched its attacks. It defaced the transit agency’s “myBART” website with its logo. It released to the Internet personal contact information about hundreds of individuals on the BART site.

The most vicious attack was against Linton Johnson, the BART chief public affairs spokesman. He publicly claimed credit for recommending the shutdown. Anonymous released the following message on the Internet:

RT@OpBART: Linton Johnson. We have 14 embarrassing photos of you. You have 24 hours to step down. #OpBart cc:SFBart.

When Mr. Johnson did not resign, Anonymous released the photos. Since this reaction by Anonymous, government agencies usually release announcements about restricting Internet access without using the name of government officials.

Megaupload

Another Anonymous story involves an attack on an online file hosting service. Megaupload is a Hong Kong-based company that was shut down by the U.S. Justice Department in 2012. Its owners were indicted for piracy and copyright infringement. The Hong Kong authorities froze $40 million worth of assets. In retaliation, Anonymous attacks brought down websites of the U.S. Department of Justice, the Federal Bureau of Investigation (FBI), the Universal Music Group, and many other organizations involved in the case. It was the largest Anonymous attack up to that time. Learning from the BART episode, the U.S. government did not release the names of U.S. government officials involved in the action.

Distributed Denial-of-service (DDoS) Attack

Any hacking can produce business disruption loss. A DDoS attack occurs when multiple systems flood the bandwidth or resources of one or more web servers in a targeted system. Such an attack starts with a number of Internet-connected computers communicating together to perform repetitive tasks. Called a botnet, these computers overload the network and servers of the target and can crash a website and interrupt operations for hours or days.
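A detector for the traffic pattern just described, in the role of the intrusion detection system from the previous chapter, as an added example that is not part of the book: it parses web-server access log lines in the Common Log Format, counts requests per source in fixed ten-second windows, and raises one kind of alert for a single aggressive source and another for the distributed case, where no single source is loud but many sources together exceed the limit. The thresholds, the log, and the addresses (documentation ranges) are constructed.

```python
"""Volumetric flood detection over constructed access-log lines.
Added example, not from the book; thresholds, addresses (documentation
ranges), and the generated log are all constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, as written by most web servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return {"ip", "ts", "req"} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "req": m["req"]}


def detect_flood(lines, window_s=10, per_source_limit=50,
                 total_limit=200, min_sources=20):
    """Bucket requests into fixed windows and raise two kinds of alert:
    one source above the per-source limit, or many sources whose combined
    volume exceeds the total limit (the distributed case)."""
    buckets = defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        buckets[int(rec["ts"].timestamp()) // window_s][rec["ip"]] += 1
    alerts = []
    for bucket, per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        if total > total_limit and len(per_ip) >= min_sources:
            alerts.append({"window_start": bucket * window_s, "kind": "distributed_flood",
                           "total": total, "sources": len(per_ip)})
        for ip, n in per_ip.items():
            if n > per_source_limit:
                alerts.append({"window_start": bucket * window_s,
                               "kind": "single_source_flood", "ip": ip, "count": n})
    return alerts


def make_sample_log() -> list:
    """Constructed log: a quiet window, then a 40-host flood, then one noisy host."""
    base = datetime(2014, 11, 24, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'

    lines = []
    for i in range(15):                       # normal traffic: 5 hosts, 3 requests each
        lines.append(line(f"198.51.100.{i % 5 + 1}", i % 10))
    for i in range(240):                      # distributed flood: 40 hosts, 6 requests each
        lines.append(line(f"198.51.100.{i % 40 + 1}", 20 + i % 10))
    for i in range(60):                       # one aggressive host
        lines.append(line("203.0.113.99", 40 + i % 10))
    lines.append("garbage that is not a log line")   # must be skipped, not crash
    return lines
```

The thresholds have to come from the site's own normal baseline, not from this sample. The two alert kinds also call for different responses: a prevention system can drop a single aggressive source at the firewall, but the distributed case is exactly the one where blocking sources one at a time does not help and filtering has to move upstream, which is why the text speaks of outages lasting hours or days.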

Liability Exposure

Sources of cyber liability risk are found in two categories:

• Assets of Others. This involves the failure of a computer or communications system to protect the assets of a customer or other party. A virus from our system can physically destroy equipment owned by others.

• Intangible Financial Damage. We can barely imagine the amount of damage that can be done as the result of a loss of data, compromise of intellectual property, or business disruption. If a financial services company suffers the compromise of millions of sensitive financial, personal, health, or other records, the liability exposure can be enormous.

• Loss of Reputation. A company that suffers a cyber attack can be a target of criticism and even ridicule. The release of confidential information can cause a loss of confidence in its products or services. The brand can be diminished or destroyed. The damage to the firm’s image may be more serious and more expensive than the actual financial loss.

CYBER RISK AND TOP MANAGEMENT

Cyber risk ranges from the boardroom through senior management and operational units all the way down to desktop workstations and mobile devices carried by employees, vendors, and customers. Cyber experts are routinely quoted, “It’s not a question of if your company will suffer a cyber event. It’s simply a matter of when.”

Experts recommend proactive and even aggressive security for computer systems and networks. The actions include cybersecurity technology but also demand a cyber-risk-aware culture. A starting point is to recognize four critical risk management practices with respect to a company’s networks:

• Identify the suppliers and customers that pose the most risk.

• Identify the most critical first- and third-party risks.

• Select powerful security standards suitable for the organization as well as for its linkages to the outside world.

• Continuously monitor all aspects of cybersecurity.

Focus on Disruption

Organizations need to recognize that cyber risk goes beyond damage to hardware and software. It has business disruption consequences in addition to catastrophic damage to data, reputation, property or the ability to conduct operations. Given the serious nature of cyber risk, it is surprising that many companies manage it well below the level of senior management. The major exceptions to this situation tend to lie in banks, public utilities, airlines, hospitals, and computer and network companies.

We can respond to the serious consequences of a cyber loss with some specific behaviors:

• Manage cyber risk at senior levels, recognizing system failures as a broad organizational danger rather than as something that affects only computers and networks.

• Adopt modern tools of cyber risk management.

• Make investments to reduce the impact of operational and supply chain disruption.

• Incorporate cyber risk insurance in a comprehensive program of cyber risk management.

Protect Data and Systems at all Costs

Cyber risk often requires a major commitment, both intellectually and financially, to a cyber risk management strategy.

Understand the Nature of the Data at Risk. Prior to establishing a strategy, ask, “What is the scope of data, information, and systems that need to be protected at all costs?”

Determine the Value of Data. The assets at risk can range from those with long-term value, such as intellectual property, to shorter-lived streams of value, such as inventory data or data supporting financial or regulatory reporting.

Develop A Plan to Manage the Data at Risk. Match investment spending against protecting the most important and vulnerable data and assets.

Beware of Endpoint Strategies. An endpoint is a device that allows entry into a computer network. Examples are personal computers, tablets, smart phones, and point of sale terminals. An endpoint strategy relies heavily on protecting data by requiring devices to comply with specific criteria before they can access network resources. Much more needs to be done to ensure unauthorized users do not hack a system.

Cyber Risk Challenges

The final perspective on cyber risk for top management addresses the challenge to get it right. We can highlight cybersecurity issues for top management and the board:

Boardroom Focus. Cyber risk is potentially a catastrophic risk. Tangible and intangible critical assets can be wiped out in a flash. If our only option is incident response, that may be too little, too late. The Board discusses the firm’s audit. It needs to discuss cyber risk with equal intensity and a focus on prevention, not reaction.

Risk Ownership. Cyber risk accountability is and is not the job of the chief information or chief technology officer. The CEO delegates responsibility but retains accountability for prevention, detection, and response. Every C-level executive has an ownership role for a portion of cyber risk as we realize that breaches can arise from anyplace in the organization.

Technology Prevention. The organization needs the best cybersecurity system available within its operating and financial capabilities and constraints. This means it must have system-wide security that does not leave gaping holes for intrusion. Piecemeal security systems and patchwork upgrades that fail to coordinate across the entire cyber risk spectrum are indeed dangerous.

Technology Automation. A related issue is that technology should operate largely without manual participation. The security management team needs help detecting and overcoming breaches.

Human Error. All of the above efforts can be destroyed in a moment by sloppy system user practices. It is easy to consider IT security as a computer problem. We are learning that nothing could be further from the truth in a world of identity theft and computer scams. Building a risk aware culture is a critical IT component.

Question

In 2015 WikiLeaks published personal information of John Brennan, director of the Central Intelligence Agency (CIA) of the United States, resulting from a hacking of his personal email account. The CIA said, “There is no indication that any of the documents released thus far are classified.” Do you believe this is true?

Answer

Maybe it is not true. Subsequently WikiLeaks posted, "Tomorrow we continue our @CIA chief John Brennan email series, including on US strategy in Afghanistan and Pakistan.”

Cyber Risk Insurance

Most organizations cannot retain all of their cyber risk. The danger is simply too great. Organizations need to seek out insurance for several reasons.

Catastrophe Protection. The company retains what it can handle and gets protection above that level.

Risk Management Help. Insurers who offer cyber risk insurance and brokers who assist in finding the right coverage can help companies understand and manage cyber exposures.

Gap Assessment. Whenever we manage risk, we may overlook situations where we are not protected. Insurance can help fill in gaps when insurance underwriters, brokers, and risk managers work together on cyber risk.

SONY PICTURES ENTERTAINMENT HACK

In a separate class all by itself was a release of confidential data belonging to Sony Pictures Entertainment in November 2014. The data included personal information about employees and their families, e-mails between employees, and salary information. It did not stop there. The hackers released Sony films, including some that were not yet available in theaters. The motivation for the hack was an attempt to force the cancellation of the planned release of “The Interview.” This was a comedy about a plot to assassinate North Korean leader Kim Jong-un. The hackers identified themselves as the "Guardians of Peace." Most observers believe the attack was launched or sponsored by North Korea. The country denied the allegations.

ERM Assessment of Sony Cyber Attack

Enterprise risk management emerged in the early 1990s as an extension of hazard risk management. It argues that an organization should manage enterprise risks in a single, comprehensive program. Enterprise risk management is built upon a simple premise.

Risk. Something that we attach to a probability. In many cases, we can also calculate or estimate the financial cost or benefit.

Uncertainty. Something that can go wrong without an understanding of the consequences, likelihood, or cost or benefit.

ERM raised issues about risk tolerance. How much risk are we willing to take? What risks are we managing? Which risks are unbearable? Which are important? Which are unimportant? ERM became an organizational priority to identify and manage new exposures. ERM became a buzzword on the lips of CEOs, CFOs, members of boards of directors, and shareholders. Everybody understood that ERM was important. The question confronting organizations was how to get it right.

Sony had to answer these questions once it became apparent that North Korea was angry about the scheduled release of the movie involving the country’s leader. Apparently it did not take an ERM viewpoint as it dismissed the threats prior to the cyber attack.

Aftermath of the Sony Cyber Attack

In July 2015, Fortune magazine published a lengthy investigative article titled Sony Pictures: Inside the Hack of the Century. The following is a PowerPoint-style presentation based on that article. It is an ERM analysis that an external security consultant might make if invited by the Sony board to answer a question about cybersecurity management.

Start of Presentation to Sony Executive Committee

Purpose
To answer the question, “Should Sony Invest in Failsafe Cybersecurity?”

The Attack: November 24, 2014
• Attack was launched on Sony Pictures.
• Hackers silently stole all the company’s data.
• Screens lit up with annoying sounds and threatening pictures.
• All data erased on 4,000 computers and servers.
• Startup software also destroyed.

Released to Public File-sharing Sites
• Completed and unreleased movie films.
• Unfinished movie scripts.
• Embarrassing emails.
• Salary data and social security numbers for 47,000 employees.

Continuing Operations
• Slow recovery: fax machines replaced emails.
• Employees paid with paper checks.
• Cost of damage in hundreds of millions of dollars.

Cause of the Attack
• Inadequate System Security. Weaknesses that allowed hacking.
• Bad Judgment. Making a comedy depicting the killing of a renegade country’s leader.

Meeting Three Weeks Earlier
• Where? Sony Pictures Entertainment, Culver City, Ca.
• When? November 3, 2014, 11:30 am.
• What? Sony requested a meeting with a “threat-intelligence” firm to discuss help protecting Sony against computer and system hacking.
• Who? Four-man team from Norse Corp., San Mateo, Ca., arrived 30 minutes early.

The Arrival
• Security at the front gate checked in the team.
• It entered the IT Building through an unlocked door.
• No personnel were in the room.
• Cubicles displayed unattended computers logged in to Sony’s international data network.
• The visitors sat alone for 15 minutes.

The Meeting
• In a conference room with Sony representatives.
• Norse explained how it searched for and dealt with potential threats to computer systems.
• Sony responded that it was worried about a movie with a plot to assassinate Kim Jong-un.
• Sony later denied mentioning a North Korea cyber attack.

Fortune Magazine Article
• Fortune writer Peter Elkind investigated the Sony cyber hack.
• Article published on July 1, 2015.
• Title: Inside the Hack of the Century.
• Examined Sony emails and documents.
• Interviewed 50 Sony executives, cybersecurity experts, and law-enforcement officials.

Fortune Magazine Findings
• Problems with the personalities of Sony leaders.
• Conflicts between U.S. and Tokyo executives.
• Heavy business challenges and competition.


More Findings Sony had only 11 people assigned to its information security team: three information security analysts, three managers, three directors, one executive director, and one senior vice president.

Still More Findings In 2007 the executive director of information security at Sony Pictures was quoted: It is a “valid business decision to accept the risk of a security breach.” Sony would not invest “$10 million to avoid a possible $1 million loss.”

Big Picture at Sony A cyber threat was real as a result of releasing a movie about a plot to assassinate the North Korean leader. Sony was not ready for such an attack.

Recommendation Sony should authorize a major overhaul of security covering information technology and communications to create a failsafe system.

End of Presentation to Sony Executive Committee

Assessment of Attack on Sony Pictures Two viewpoints emerged after the Sony attack.

Sony public view. A blameless victim “extremely well prepared for conventional cybersecurity.” No amount of effort could have stopped the attack.

Outsider view. Security experts agree the malware was “virtually undetectable by industry standard antivirus software.”

On balance it appears that Sony was distracted. For years the company had been an easy target for devastating high-profile electronic attacks. Senior executives failed to realize the exposure and repeatedly declined to take greater precautions. Things might have been different if someone had sent an email to Sony prior to the decision to release the movie:


Email to Sony Management

The release of an upcoming movie, “The Interview,” poses a massive cyber risk exposure for Sony Pictures.

We had a serious problem with hackers in 2011. We should recognize that there are three kinds of large companies:

Group A. Those that have been hacked.

Group B. Those that do not know yet that they have been hacked.

Group C. Those that refuse to believe they can be hacked.

Which category of company describes Sony? North Korea has significant hacking capability. Sony announced an upcoming movie on assassinating its leader. North Korea threatened to hack Sony.

We recommend canceling the release of The Interview.

Regards.

(signed) Everyone Who Understands the Vulnerabilities of the Internet

THE DARK WEB

We should not finish with cybersecurity without covering the hidden component of the Internet. Let us start with some terms.

Dark Web. A computer network that uses the public Internet but is hidden from users who do not have specific software and the authorization to access the system.

World Wide Web. A system of Internet servers that can use HTML (HyperText Markup Language) to allow us to exchange documents, graphics, audio and video files, and other information.

Deep Web. Part of the World Wide Web that is not discoverable by means of standard search engines. It contains password-protected pages and encrypted networks.

Darknet. Small, friend-to-friend, peer-to-peer networks on the Dark Web.

Tor Dark Web. Free software for enabling anonymous communication on the Internet. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than 6,000 relays. This conceals a user's location and usage from anyone conducting network surveillance or traffic analysis. Tor makes it difficult for organizations to identify the senders of communications. The system started under the name The Onion Router, hence the shorter name “Tor,” with the intention of protecting the personal privacy of users. It also sought to let them conduct confidential communication by keeping their Internet activities from being monitored. As a result it became a popular anonymous Internet communication system.

Risk Management and the Dark Web

The Dark Web allows anonymous electronic transactions and creates serious problems for risk management. It hides hackers from their victims and facilitates illegal activities including drug trafficking, illegal financial transactions, identity theft, credit card fraud, and many other forms of cyber losses.

Cybersecurity firms are working to develop tools that can effectively monitor the Dark Web. These include mapping hidden services directories, monitoring customer data and social sites, and analyzing words and phrases to find illegal activities. On balance, the Dark Web hosts many malicious services and activities and is an on-going threat to cyber risk management efforts.

Question

Are there any positive aspects to the existence of the Dark Web?

Answer

We can actually identify some. The Dark Web protects whistle-blowers who report news that their companies want to suppress. It allows confidential communication for human rights workers struggling against repressive governments. It allows parents to create a safe way for their children to explore the Web.

Private Branded Web Domains

A domain is a simple identification label that matches a more complicated Internet Protocol (IP) address for a site on the Internet. It indicates ownership or control of a website. It establishes a unique identity that helps Internet users to reach the website. Two categories are:

Generic Domain. Used for a general category. Examples are www.books.com, www.yahoo.com, and www.redcross.org.

Private Branded Domain. The domain itself matches an organization name. Examples are www.home.barclays and www.jpmorganchase.

Thousands of companies have requested private branded domains. This is largely because they can control the operation, security, and maintenance of the system. This should make it more secure than a generic domain.


Security experts do not expect the change of domain to solve all of the Internet’s security problems. Hackers can still focus on weak spots in the systems and networks themselves.

Conclusion

Cyber risk is a reality for everyone who uses the Internet and even for those who do not. It also affects our communications with others in any case where emails, social media, or other electronic systems are involved. It affects credit cards, bank accounts, and financial recordkeeping systems as we interact with various agencies. It affects the decisions by businesses, schools, charities, and other organizations as they set up their operations and conduct their business. As changes occur in technology, we must assess what we are doing and respond to new cyber threats that arise.

As we can see, business cyber risk is a serious exposure for modern organizations. A wide variety of perils face organizations that use the Internet or other electronic systems to conduct business. We can expect cyber risk retention, mitigation, avoidance, and transfer to be a rapidly developing area of risk management in the near future.


Chapter 4. Cyber Risk Management

RISK STRATEGIES

Individuals and organizations use a mixture of four strategies to deal with the frequency and severity of risk. They are:

Avoidance. When an individual or organization does not accept an exposure, it is effectively avoiding the negative consequences of the decision. We can avoid dealing with the consequences of an automobile accident if we do not purchase and drive a car.

Retention. We can face some risks and decide to keep them. We can own and drive a car and, if allowed by law, can fail to purchase automobile insurance.

Transfer. We can shift the financial burden of a loss to another party. We can purchase automobile insurance to reimburse us for theft of or damage to our automobile, for injury to ourselves, or for liability for harm to the body or property of others.

Reduction. We often have the chance to decrease the frequency or severity of a loss. We can take a safe driving course to learn better techniques for avoiding an automobile accident when driving on ice or snow.

Question

With respect to the four risk strategies, we always seek reduction when assessing the frequency and severity of a loss. Then, we make the decision to avoid, retain, or transfer the risk. Of the remaining strategies of avoid, retain, or transfer, which one is most appropriate for each of the following potential losses?

Low frequency, high severity.

Low frequency, low severity.

High frequency, high severity.

High frequency, low severity.

Answer

The most suitable strategy for each potential loss:

Transfer low frequency, high severity. At the right price, this risk can be given to an insurance company or other party.

Retain low frequency, low severity. This is essentially a cost of doing business. It is not necessary to pay the additional costs to transfer it. Even if we did, the insurance company would charge a premium that effectively reaches and then exceeds the cost of retention.

Avoid high frequency, high severity. If we cannot reduce either frequency or severity, who would accept the risk?


Retain high frequency, low severity. These losses happen all the time but are not that damaging. Paying the cost of transfer is not financially efficient.

Cyber Risk Strategies

We can drill down and focus on cyber risk. This can be discussed in terms of four strategies:

Secure Computer and Network Systems. Install hardware and software protection, develop systems to detect hacking and other misbehavior, and create the capability to respond immediately to any incidents.

Link Up with Cybersecurity Organizations. Follow the guidance of government agencies and private security groups to secure computers and networks with current tools including strong passwords, effective firewalls, and antivirus systems. Keep the system updated with efforts to detect and remove gaps or weaknesses.

Enforce an Organizational Cyber Awareness Culture. Develop a cyber risk management policy and train employees to guard against opening email attachments and clicking on links or responding to messages from unknown sources. Monitor employee behavior for compliance with security precautions. Update users with reports about new threats and malware. Apply filters to block suspicious material or messages.

Test your Defenses. Employ a security service to routinely attempt to invade your system or network. Review the findings for weaknesses. Use secure encryption and require regular changes of passwords that combine numbers, letters, and other characters.

Cybersecurity Challenges

When developing these strategies, the organization should be aware of four major challenges that affect likely success:

Focus On Cyber Breach Prevention. The organization puts critical assets at risk when it depends too much on detecting threats. If incident response is the only tool, it may be too little, too late.

View Security as More than an IT problem. Cyber risk discussions must extend far beyond the parties that create and maintain computer systems and networks. Cyber security needs to be part of a totally risk-aware culture.

Avoid Cybersecurity as a Silo Strategy. Cyber risk should be addressed across the entire life cycle of people, assets, and systems and have strategies to prevent, detect, and remediate across the organization. Uncoordinated piecemeal security systems with gaps and weak links are inadequate.

Automate as Much as Possible. The chance for failure rises dramatically if cybersecurity involves too many manual steps and interventions. For one thing, an attack can overwhelm responders if they must take individual actions. For another, most enterprise security teams are not resourced to handle a large number of incidents manually.

These challenges can only be handled at the level of top management. Decisions to replace weak or endangered systems can demand significant funding that exceeds historical expenditures on information systems. Top management and even the board of directors need to be sensitized to the risk and included in the pursuit of cybersecurity solutions.

Total Cost of Risk

Assessing strategies that work for cyber risk also includes the cost of prevention, detection, and correction. Decisions are made in the framework of a concept called the total cost of risk. It has two definitions:

Insurance TCOR. This is the cost of retaining or transferring risk primarily through the mechanism of insurance. It is calculated by the formula:

TCOR = Insurance Premiums + Retained Losses + Administrative Expenses

where the administrative expenses involve processing claims and other activities linked to insurable losses.

Enterprise TCOR. Enterprise risk management (ERM) is a broad and complex concept that unites strategic, operational, and insurable risk into a comprehensive program of risk management. No simple formula or even quantitative analysis can capture it.

From this perspective, the insurance TCOR definition does not work for cyber risk. Senior executives and boards must view risk in an ERM context. The importance of taking this viewpoint can be illustrated by a few U.S. statistics:

Annual Cost of Cyber Crimes. $500 billion

Annual Successful Cyber Attacks per Company. 100

Annual Cost of Cyber Attacks per Company. $12 million

We also have numbers on the value of cyber risk management. Companies with strong security technologies reduced losses by $4 million a year. Those with excellent security governance practices reduced costs by an average of $1.5 million per year.


Automated Warehouse

A company used three separate warehouses as fulfillment centers for its online sales of thousands of products. The buildings were highly automated, creating a beehive of activity with people and machines working in frenzied coordination. Tall rectangular storage units were the dominant feature of the buildings. They were stocked and removed by forklifts and robots that moved products back and forth from the loading docks and the shelves. The equipment did most of the work including electronically accepting orders, finding items, and bringing products to be stored, packaged, or shipped. People intervened occasionally as needed.

The company was studying a proposal to consolidate into a single giant warehouse. The financial analysis showed the action would reduce costs significantly. The project would be more than justified by the rate of return on the money expended for the capital investment. A final consideration involved risk management. The company assessed the risks:

Initial Disruption. What might happen during the phase of learning the new technology?

Single Source Supplying. What would happen if the warehouse suffered a breakdown of the computerized system?

Cyber Attack. What would happen if a competitor or other party gained access to the computer system and installed a virus?

After completing a financial plan, the company augmented it with a risk management plan that had two major components:

Risk Strategy. This included the physical and cyber risks to be avoided, reduced, retained, or transferred via insurance or other mechanism.

Network System Security. This included the cultural, behavioral, and technological features that would safeguard computers, servers, machinery, and people in the warehouse.

Blockbuster

An example of the need for an ERM perspective on TCOR comes from Blockbuster, an American-based provider of home movie and video game rental services. Founded in 1985, it expanded rapidly. By 2005, it had 9,000 stores with 60,000 employees. If management had asked three questions, it might have saved itself from considerable grief:

What are we doing? Our business is renting DVDs to customers who stop in our stores.

What will we be doing? We may be doing less business. Competition is coming from Netflix. That company is using new technology to automate the process of providing DVDs by mail. We do not have the technology to manage that kind of activity.

What should we be doing? It would be a good idea to hedge our bets and invest in new technology.

Apparently, Blockbuster did not ask the three questions. In 2005, revenues were $6 billion and profits were $600 million. By getting a late start on DVDs by mail, it suffered a massive decline in business. In 2009, revenues of $4 billion were accompanied by a loss of $550 million. In 2010 the company filed for bankruptcy and eventually was acquired by DISH Network. In 2013 the company announced the closing of its last 300 stores.

Question

What was the total cost of risk facing Blockbuster when Netflix began renting DVDs by mail?

Answer

The total cost of risk was bankruptcy. This was not an insurable risk TCOR. It was an ERM TCOR.

Cyber Risk Team

Many organizations have identified a group of individuals to design and implement an incident response plan. This organizational committee identifies safeguards to protect people, processes, assets, and technology and makes recommendations to reduce cyber risk. Its work is an integral component of the entity’s cyber risk management system.

Question

What people should a company choose to make up a cyber risk team?

Answer

It can be composed of a senior executive and others who can make contributions on cyber exposures. An example:

Risk manager (chairs the meetings).

Chief information officer.

General counsel.

Representation from marketing.

Representation from human resources.

Representation from manufacturing.

Representation from finance.

Question

Why do senior executives need to know about cyber risk?

Answer

Cyber risk decreases when top leaders are informed on:

The nature of cyber risk and recent developments in cyber exposures and techniques to manage them.

Specific risks identified by the cyber risk team.

Actions being taken by the company to mitigate cyber exposures.

Structure of the company’s property and liability insurance and the protection it offers against catastrophic risk from a cyber attack.

Chief Information and Technology Officer

Large organizations often identify a C-suite position to deal with cyber risk. The two common titles are chief information officer (CIO) and chief technology officer (CTO). Sometimes the CTO role is confused with the CIO role when discussions of cyber risk arise. The difference is usually the following:

The CIO deals with Cyber Risk in Business Strategies. Oversees technology issues that affect whether a firm is using technology to be an effective competitor in existing and developing markets and to make better strategic decisions.

The CTO deals with Cyber Risk in Business Operations. Oversees technologies that support or enable a firm to carry out its ongoing operations.

Chief Information Officer

The chief information officer is likely to have responsibilities with respect to:

Brand and Reputation. What cyber risks affect the image of the company in the marketplace?

Economic Trends. How does the overall direction of the economy affect decisions to invest in new technology? What technologies do we need to compete in emerging markets?

Reputation. What do our customers, suppliers, employees, and other stakeholders expect of us with respect to cyber risk management?

Risk Aware Culture. What do we have to do to reduce employee misbehavior or errors that create cyber exposures?

Chief Technology Officer

Many large organizations have created the executive-level position of chief technology officer (CTO). This is a position responsible for addressing scientific and technological issues in the company. The CTO typically reports to the chief operating officer (COO) or chief information officer (CIO). The person focuses on the big picture of cyber risk. The CTO position is accompanied by a diverse background and skills. This is reflected in the profile of Craig Mccubbin, CTO of Southwest Airlines.

“I am essentially responsible for the operation of our technology. That includes all of our infrastructure services, which we define exactly as you would think: networking, computer, storage, end user computing, disaster recovery, environment management . . . how we handle incidents and problems . . . application and infrastructure quality . . . information security, which is an important task anywhere, but especially important at Southwest because we're an airline and because we have such good brand recognition.”

The chief technology officer is likely to have responsibilities with respect to:

• Business Disruption. How do we reduce downtime after a cyber attack?

• Data Restoration or Replacement. How do we reduce the cost of loss from a hacking attack that destroys data or software?

• Network Security. How do we establish, maintain, and update a secure and responsive computer system?

• Technology Financing. How do we ensure an optimal relationship between cyber risk management and the total cost of risk?

Incident Response Plan

No area of operations for most companies needs a detailed crisis response plan more than information services. The plan should include the names of people assigned to respond to systems failures and the outside parties who can assist in mitigating damage. It also should include timely notification procedures to affected and interested parties to avoid damage and lawsuits derived from the direct system failure.


In formulating the incident response plan, we must recognize that cyber risk management is uncharted territory for many companies. Risk managers are asking specific questions:

Do we understand the exposure? What are we dealing with in each operating area?

Can we quantify the exposure? Do any of our historical models apply? Are consultants or other parties developing tools to evaluate frequency and severity?


Can we reduce the exposure? What actions are taking place in areas such as network security, authorization to access data, and safeguards to shut down compromised systems?

Can we incorporate more sophisticated risk management techniques? What are the best practices for security? What new risks are appearing in the technology environment?

What are our real exposures? What would be the impact of a privacy breach? How strong is our network security? What should be our response to “off-the-shelf” coverages available from insurers?

Do we have special needs that never existed previously? What are the new conditions for data restoration or indemnification to others for loss of their data? Do we have new media threats? Can outside parties steal data and demand ransom, or threaten extortion, for its return?

Are the products being offered by insurance companies the products we need? How do we know?

Physical Breach

The incident response plan can start with policies to reduce the chance of a physical breach. This is defined as the theft of documents or equipment containing sensitive data such as cardholder receipts and files stored on personal computers, point-of-sale terminals, and other equipment. To prepare for a breach, we can take certain steps:

• Track Technology Assets. This means the firm keeps track of what it owns or uses and who has possession of the physical technology. The listing might contain laptop and desktop computers, servers, stand-alone dial-up terminals, and other equipment that contains confidential data.

• Secure Technology Assets. Engrave or affix asset tags to laptops and any other equipment. Lock desktops and terminals to desks and adopt a policy to shut them down at the end of the work period. Lock the room holding equipment when no one is present. Use lock boxes, safes, or locking file cabinets to store sensitive hardcopy documents, especially credit card receipts.

• Monitor Physical Access. Restrict physical access to locations where technology is stored and processed.

• Install Cameras in Sensitive Areas. Define procedures to monitor the cameras and retain recorded footage for reference when a loss arises.

• Enforce Security Policies. Educate employees, require ID badges for access to sensitive data centers, and maintain a log of visitors and video recordings for entry to restricted areas.

Electronic Breach

The incident response plan also builds upon policies to prevent an electronic breach, defined as unauthorized access to or a deliberate attack on equipment, a system, or a network.

Secured Remote Access. Users, whether employees, customers, or vendors, should not have access to information that they do not need.

Secure Network Configurations. The computer system should be configured properly including segregation of data, well-designed firewalls, and monitoring and control of access.

Strong Password Management. This is not a guarantee but is a starting point for building security for a system.

Proper Data Storage. Organizations must store what they need to know, protect it, and remove it when no longer needed.

Virus Protection. Without it an incident response plan can expect to be unsuccessful on a regular basis.

Access Restrictions. Restrict access to users with a need to know and review access approvals on a regular basis.

THE CLOUD

No discussion of cyber risk management would be complete without addressing issues linked to the Cloud. Basically, the Cloud is the Internet. More specifically:

It is all the websites you can access remotely using the Internet.

It is all the data stored on servers instead of on your computer.

It is the data stored on your computer if your computer is turned on and connected to the Internet. A person can access email, files, calendars, and any other personal data from a home or office computer from any other computer or mobile device connected to the Internet.

We can take a more expansive view of the Cloud:

It is a shared pool of configurable computing resources.

It is a linkage of computing and storage solutions that provide users and enterprises with various capabilities to store and process their data in third-party data centers.

It relies on sharing resources to achieve coherence and economies of scale.

It is the union of an infrastructure and shared services to facilitate electronic computing, data sharing, and telecommunications.

Cloud computing offers many benefits from shared resources.

Hardware and Software. A system can be accessed by multiple users and adjusted to meet their different time demands. A computer can support the United States in its busy part of the day, Asia later, and Europe later still. Thus, it utilizes resources around the clock to maximize the use of computing power while reducing the overall cost of resources.

Multiple Simultaneous Users. Many individuals can access a single server or system to retrieve and update their data without purchasing licenses for different applications.

Infrastructure Costs. Companies can avoid upfront infrastructure costs, and focus on projects that differentiate their businesses instead of on infrastructure.

Flexibility. Companies can scale up as computing needs increase and then scale down as demands decrease.

Security. Since the Cloud is managed by companies dedicated to dealing with large cyber risks, Cloud-based efforts should have more security and lower cost of protecting them from hackers.

The Cloud produces these benefits partly because of two relatively new approaches to using computers:

Virtualization. This occurs when software separates a physical computing device into one or more "virtual" devices, each of which can be easily used and managed to perform computing tasks. The process creates a scalable system of multiple independent computing devices. Idle computing resources can be allocated and used more efficiently. Virtualization speeds up IT processing and reduces cost.

Service-oriented Architecture (SOA). Cloud computing provides its resources as services, not equipment and software. This allows worldwide access to standardized problem solving tools and data storage and manipulation.

Software and the Cloud

Cloud-based services enhance the traditional process for developing computer software. Essentially, software evolves. It goes through stages:

Achieves Goal. The software does what is expected. It takes longer on a stand-alone system as opposed to the Cloud.

Upgrades. Enhancement continues for a while.

Upper Limit Based on the Technology. The stand-alone system reaches a point where it cannot be expanded further.

Continued Improvement. The Cloud-based software does not reach an upper limit as it can continue to grow indefinitely at reasonable cost and with new features. The stand-alone system reaches capacity and must be used with limitations as it fails to meet new needs. At some point it must be replaced in a single expensive move.


The diagram shows software development in terms of product delivery and time. Cloud-developed software goes further in capability and reaches its goals faster. Not shown in the diagram, it also costs less to use Cloud development. On balance, Cloud-developed software:

Is empowered by a powerful platform.

Offers rapid delivery of programming results.

Can more easily meet client-specific configurations.

Offers painless upgrades compared to traditional systems.

Offers straightforward expansion of software capabilities.

Offers virtually unlimited growth and expansion of a system.

CYBER RISK QUESTIONS AND ANSWERS
Cyber risk management, like all risk management, requires us to ask the right questions. If we ask the wrong questions, we will get the wrong answers. Who should be asking? The chief executive officer, chief operating officer, chief financial officer, and chief information officer should all be involved. The first question asks, which of the following describes cyber risk?


[Diagram of Software Evolution, Cloud versus Non-Cloud (referenced in the Software and the Cloud section above): vertical axis Product Capabilities, horizontal axis Time to Develop; two curves, Cloud Developed and Stand Alone, with horizontal reference levels marked Achieves Goal and Upgrades.]

• Is it Risk? This is that which can be seen or for which we have evidence. If we identify it, we can manage it: avoid, reduce, transfer, or retain the risk.

• Is it Uncertainty? This is that which is largely unknown. We try to identify it but may fail. In this case, cyber risk management means we prepare for a crisis. We put into place a team to respond when the crisis arises.

Another question to ask is what do we want to know about our own cyber risk? Two short answers to the question are provided by former risk managers.

From Lance J. Ewing
Lance was an experienced risk manager with several multinational companies. He was named a risk manager of the year. When he was asked to share some questions that should be asked by the CEO, he started with:

Have we used penetration testing both on line and in the real world?


Penetration testing occurs when an organization simulates cyber attacks to find security weaknesses in its own technology. It is used on networks, operating systems, and software applications. The information technology staff evaluates hacking defenses and makes improvements.

Question
Should companies always bring in outside security firms to do penetration testing for them?
Answer
According to Lance it is a good idea. A company’s IT staff may assist with penetration testing, but “a prophet is not welcome” until an outside organization validates the suggestion.

Another question from Lance:

Have we chunked our sensitive data so that no one person or laptop has it all in one place?

A chunk is a fragment of information in a set of data stored on a computer or transmitted electronically. Each chunk contains a header indicating a start and finish. In the middle is data that can be decoded by a computer program. Chunked transfer encoding speeds up data transfer and protects it from hackers. The basic rules:

• The size of each chunk is sent right before the chunk itself.
• Code separates chunk size from the chunk.
• Chunk length zero ends the transmission.

As an example, suppose we wanted to thank Lance for his help understanding cyber risk by sending the message: “Hi Lance Thank you Jack”. This message has 8 characters for “Hi Lance”, 9 for “Thank you”, and 4 for “Jack”. The code \a\b separates each chunk and we use zero to end the entire transmission. The chunked message is:

• 8\a\b
• Hi Lance\a\b
• 9\a\b
• Thank you\a\b
• 4\a\b
• Jack\a\b
• 0\a\b
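The framing rules above, as an added Python example that is not part of the book: an encoder and a strict decoder. It runs the book’s own message with its \a\b separator and decimal counts, and it also produces the real HTTP/1.1 chunked transfer encoding, which uses hexadecimal sizes, a CRLF separator, and an empty line after the zero-length chunk (the names `chunk_encode`, `chunk_decode`, and `is_well_formed` are this example’s own). The decoder refuses anything it cannot verify (a size that is not a number, a truncated chunk, a missing zero chunk, stray bytes after the terminator) rather than guessing, because two parsers that disagree about where a chunk ends are a classic source of trouble between proxies and back-end servers.

```python
import re


class ChunkError(ValueError):
    """Raised for malformed framing; a strict decoder refuses to guess."""


def chunk_encode(pieces, sep=b"\r\n", hex_sizes=True, final_blank=True):
    """Frame each piece as <size><sep><data><sep>, then a zero-size chunk.
    Defaults give HTTP/1.1 chunked transfer encoding (hex sizes, CRLF,
    empty line after the last chunk). The book's variant uses decimal
    sizes, a \\a\\b separator and no final blank line."""
    out = bytearray()
    for piece in pieces:
        size = b"%x" % len(piece) if hex_sizes else b"%d" % len(piece)
        out += size + sep + piece + sep
    out += b"0" + sep
    if final_blank:
        out += sep
    return bytes(out)


def chunk_decode(data, sep=b"\r\n", hex_sizes=True):
    """Parse chunked data back into a list of pieces, validating every step."""
    size_re = re.compile(rb"[0-9a-fA-F]+" if hex_sizes else rb"[0-9]+")
    base = 16 if hex_sizes else 10
    pieces, pos = [], 0
    while True:
        end = data.find(sep, pos)
        if end < 0:
            raise ChunkError("size line not terminated")
        # HTTP permits ";name=value" chunk extensions after the size; drop them
        field = data[pos:end].split(b";", 1)[0].strip()
        if not size_re.fullmatch(field):
            raise ChunkError("bad chunk size field %r" % field)
        size = int(field, base)
        pos = end + len(sep)
        if size == 0:
            # terminating chunk: only an empty HTTP trailer line may follow
            rest = data[pos:]
            if rest not in (b"", sep):
                raise ChunkError("unexpected bytes after terminating chunk")
            return pieces
        body = data[pos:pos + size]
        if len(body) < size:
            raise ChunkError("chunk truncated: wanted %d bytes" % size)
        pos += size
        if data[pos:pos + len(sep)] != sep:
            raise ChunkError("chunk data not followed by separator")
        pos += len(sep)
        pieces.append(body)


def is_well_formed(data, **kw):
    """True when chunk_decode accepts the data, False when it rejects it."""
    try:
        chunk_decode(data, **kw)
        return True
    except ChunkError:
        return False


if __name__ == "__main__":
    # constructed sample: the book's message, in both framings
    msg = [b"Hi Lance", b"Thank you", b"Jack"]
    book = chunk_encode(msg, sep=b"\a\b", hex_sizes=False, final_blank=False)
    print(book, chunk_decode(book, sep=b"\a\b", hex_sizes=False))
    http = chunk_encode(msg)
    print(http, chunk_decode(http))
```

Chunking is a framing mechanism, not encryption: each chunk’s data is still readable by anyone who can observe the stream, so confidentiality has to come from TLS or another layer.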


Question
How do I respond if a CEO says the question on chunking data is a CIO, not a CEO, question?
Answer
According to Lance the CEO should ask it. He or she will be the CEO answering the question on the stand when the lawsuit happens. Lance continues, “... ask the CEO of Target who was there. CEO needs to know the answer to that question and had better get it in writing.”

A third question from Lance is:

Are we using honeypots related to hackers?

Finally, Lance suggests asking whether the information specialists are up to date on cyber attacks.

From Chris Mandel
Chris was also an experienced risk manager and former risk manager of the year. He would ask questions on social media, cyber weaknesses, monitoring tools, and technologies and metrics. He also wants to be sure that the organization is building on a culture that is aware of the risk from cyber attacks. Sample questions:

• Have we assessed social media and cyber vulnerabilities beyond reputation risk?

• Do we have expanded risk governance structures and activities so we include social media and cyber risk?

• Do we use advanced social media and cyber monitoring tools and technologies?

• Have we implemented enhanced performance management to analyze and act on cyber risk monitoring metrics?

• What do we have to do to design and deploy a more cyber risk aware culture?

Questions Every CEO Should Ask the IT Guy
A number of other questions should be raised with respect to how an organization is managing cyber risk. The following questions were presented to the CEO Club of Rhode Island in a program sponsored by Rhode Island College. They provide additional thoughts on how to conduct cyber risk management.

What are we doing to protect ourselves from hackers that are motivated to damage or destroy our physical assets?


What motivates them? How can they do damage? What are we currently doing to protect ourselves? What can we do better?

What are we doing to protect ourselves from rogue employees and others who have access to our IT system and communications?

Who is authorized to access data? Who can change data? Who can share data? How do we decide who is authorized? What can we do better?

What are we doing to protect the proprietary intellectual property embedded in our business practices?

How do we identify it? Where do we keep it? Who has access to it? Who can share it? How do we safeguard it? What can we do better?

What are we doing to improve the processing of daily transactions? What can we do to make it more timely? To make it more accurate? To reduce the cost? To protect the data? To safeguard the data? What can we do better?

What are the biggest weaknesses in our IT system? Do we agree on what they are? How can we correct them? How long will it take? What will it cost? Who can get it done? What is a point of entry to start?

Summary
The meeting at Rhode Island College ended with the question:


How can a company remove all worry from dealing with cyber risk?

The answer is that it cannot. Cyber risk is a reality whose full scope of danger has not necessarily been realized yet. Cyber risk management is a changing landscape addressing a constantly shifting and mutating exposure. Insurance may help with the extreme dangers, but every form of cyber danger will remain a problem for organizations in the near future.

CYBER RISK BUSINESS DISRUPTION
We finish the discussion of cyber risk management with a focus on a single area. Of all the dangers of cyber attacks, business disruption has emerged near the top of the list. We may not be able to assess the impact of events that will cause a loss of reputation. We can foresee an interruption of our operations and its total cost of risk.

Infrastructure
A cyber attack can damage the infrastructure of our business:

• Destruction of the information systems data center by fire.
• Damage to a nearby electrical sub-station resulting in prolonged loss of power to the data center.
• Theft of vital hardware or office equipment.
• Destruction of business records.
• Destruction of underground cables resulting in loss of voice and data communications.

Financial
• Material financial loss resulting in inadequate capital to maintain network system security.
• Internal fraud or misappropriation of funds by a disgruntled employee upsetting normal operations.
• Cyber attack by a third party disrupting operations through forged contracts, documents, and invoices.
• Internal control breakdowns leading to data entry and accounting errors.
• System flaws leading to failed regulatory reporting of financial position and suspended operations.
• Senior management fictitiously adjusting financial records to deceive the board or improve the stockholder view of operations.
• Insurance carrier rejecting a business disruption claim for failure of documentation.

Products and Services


• Product tampering is not detected and subsequently disrupts operations.
• Lawsuit results from an accusation by a customer or class of customers that significant harm has occurred.
• Failure of a key supplier to update technology causes interruption to product distribution.
• A new computer system fails to deliver expected benefits, causing material financial loss from lower sales.
• Security breach allows a competitor to gain access to intellectual property or other confidential information.
• Technology failure causes production line equipment or computers to fail, causing significant delay in providing products or services to customers.
• Distribution channel fails due to a major flaw in the computer network supporting it.

Information Technology
• Disruption occurs from a security breach by an ex-contractor whose password still works on the network.
• Hackers release damaging confidential company information to public websites.
• A disgruntled employee disrupts operations by placing passwords on shared documents and deleting documents.
• A virus spreads over the entire network, corrupting data needed for continuing operation.

Resources
• A key technology employee leaves on short notice with no backup just prior to a changing or peak business period.
• A new system installation does not do what it is supposed to do after the old system is shut down.
• Disruption occurs at a workplace that cannot be overcome by flexible response.

Regulatory
• Sudden regulatory change cannot be accommodated by the existing computer system or network.
• Government imposes new reporting requirements demanding data not currently collected or formatted.
• Loss of reputation and disruption from a system failure allowing violation of U.S. agency restrictions on sales to embargoed countries.
• A major regulatory breach from a network failure.


System Disruption at a Bank
An executive VP was presiding over a merger of two banks and was having difficulty integrating two computer systems that did not “talk” to each other. The problem was causing major disruption to business operations. He asked a systems consultant to examine the situation and make a recommendation on how many new people had to be hired and what backgrounds they should have. What do you think was the recommendation?
Answer
The recommendation took place as follows:

Exec. VP: “So what do you think?”
Reply: “I recommend that you terminate or transfer 10 percent of the 70 employees.”

Exec. VP: “Why?”
Reply: “You have too many people. Instead of working out the new system, they are wasting each other’s time.”

Exec. VP: “Which 10 percent?”
Reply: “It does not matter. If you remove people based on their attitudes, that might be a good way to do it.”

Exec. VP: “Will you put that in writing?”
Reply: “No. I do not want that kind of consulting reputation.”

Epilogue. Some 15 percent of the people were removed in less than a month. In three months, the executive vice president reported most of the problems had disappeared. Sometimes network problems are self-organizing. Cyber business disruption does not always occur because of technology failure. Sometimes it is human error or lack of skills.

Information System Failure
In March 2000 L M Ericsson did not have a centralized computer network that shared data among its various units. Purchasing was quite separate from marketing. The two units were involved in a project to launch a new generation of cell phones. Purchasing handled the inventory for production. Marketing handled the supply system for retailers.

A semiconductor fabrication plant provided the microscopic circuits for the cell phones. It experienced a small fire that caused minor damage. The existing stock of completed wafers was destroyed and production was interrupted. That information was shared with purchasing at Ericsson. It was not shared with marketing.

As the business disruption delay became more prolonged, Ericsson began to search for an alternative source of microchips. It was too late. Nokia had a more comprehensive information system. Senior management learned of the fire immediately after it occurred and gave orders to lock up the purchase of all worldwide spare microchips for cellphones. The result was almost no disruption of deliveries to customers. Nokia experienced a minor disruption with additional costs that were largely offset by a rise in market share as it acquired Ericsson customers in some markets. Ericsson suffered a $2.3 billion loss in its mobile phone division and withdrew from the market. From The Resilient Enterprise, Yossi Sheffi, 2005

Dell Supply Chain
A similar disruption occurred at Dell in 2010. Floods in Thailand disrupted Dell’s supply of components for computers, servers, and other products. Dell and other manufacturers could not meet customer needs on a timely basis. Deliveries were delayed, causing serious problems for customers who needed new computing equipment or who wanted to repair installed Dell systems.

HealthCare.gov
HealthCare.gov is a health insurance exchange website operated by the U.S. federal government under the provisions of the Patient Protection and Affordable Care Act of 2010. The exchange facilitates the sale of private health insurance plans to residents of the United States. The website was launched on October 1, 2013 accompanied by staggering technological problems. It did not work.

The following parties were involved with the development of the website:

U.S. Centers for Medicare and Medicaid Services. CMS was the government agency that had overall responsibility for the website.

CGI Group of Canada. CGI was hired to design and build the healthcare.gov system. CGI was the largest IT services provider in Canada with more than 10,000 employees and customers in more than 40 countries around the world. In 2010 the company had more than 30 years of IT experience serving Canada’s largest companies and many of the country’s federal agencies and provincial governments.

Development Seed. This startup company had the contract to build the front-end website. Although it was a small company, it employed experts using open data and open technology and was willing to tackle complex problems.


Subcontractors. Parts of the project were assigned by CGI to other companies.

The Problem
Healthcare.gov’s biggest problems were not in the front-end code of the site’s Web pages but in the back-end code on the servers that handled the registration process.

You cannot see the problem from the site itself. Bugs are rarely obvious in a complex system. One visible flaw usually masks others.

The site’s front end, the actual Web pages, did not look bad. The back end, account storage, database lookups, and more, were not properly connected. After a week or so a user could reach the webpage and start the registration process. A “Please Wait” page would appear. After 10 minutes or so it would default to a page with the message:

“Sorry, we can't find that page on HealthCare.gov.”

The page was there, no doubt about that. The problem was the system could not sign up the user because the back-office server was offline, had too many requests to handle at one time, or was otherwise not available. A more accurate message would be something like,

“The system is temporarily down. Try again later.”

Causes
One cause of the failure of the front end to link to the back end has been traced to the decision to employ two different contractors. Development Seed did the website. CGI did the registration. From all appearances the contracted developers worked in isolation from each other on two pieces of a system that had to fit together perfectly. This was the case even though most software engineers know that interactive coordination is crucial. They recognize that programmers may be skilled at testing their own code but are not prepared to make it work with code developed by someone else. A second cause was that testing was not done at a heavy volume of users. No quality control activities were in place upon startup. When problems arose no help was available.

A third cause was overlooking small but important details, probably because no one was in charge of the total user experience. One example was that the username required a number as well as letters. Nowhere on the website was this information revealed to individuals seeking to sign on. One blogger reported this problem in a simulated conversation between a front-end and back-end developer.

Front-End Developer: Why does the username have to have a number in it?

Back-end Developer: it’s in the government username regulations. Didn’t you read them?

Front-end Developer: no, we don’t do accounts, we just hand the input to you.

Back-end Developer: and we told you your front-end the input was no good! See the error message?

Front-end Developer: fine, fine. Sigh. Nice to finally talk to you, by the way.

Back-end Developer: yeah, you too. Are you in D.C?

Front-end Developer: San Francisco.

Back-end Developer: Know any good jobs in D.C.? I hate this place and they’re furloughing me as soon as we fix this mess.

A second example of nontechnical weakness involved the “Please Wait” page. It had the message:

In a hurry? You might be able to apply faster
at our Marketplace call center.
Call 1-800-318-2596 to talk with one of
our trained representatives
about applying over the phone.

Most users never saw this message because it was marked to appear only after a 10-minute waiting period.
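The two coordination failures just described, the username rule that the back end enforced but the front end never showed, and the outage that surfaced as “we can’t find that page”, as an added Python example that is not the HealthCare.gov code or any contractor’s code. It puts the validation policy in one function that both tiers call, so they cannot drift apart; it shows the rule to the user before the round trip; and it maps a back-end outage to an honest 503 message instead of a misleading “not found”. The six-character minimum, the function names, and the `Response` type are this example’s own assumptions; the book states only that a number was required along with letters.

```python
import re
from dataclasses import dataclass

# Constructed policy for illustration: the book only says the real site
# required a number as well as letters, so the length floor is an assumption.
MIN_LEN = 6
USERNAME_HELP = ("Username must be at least 6 characters and contain "
                 "letters and at least one number.")


def username_problems(name: str) -> list:
    """Return human-readable rule violations; an empty list means valid.
    Both tiers call this one function, so they cannot disagree."""
    problems = []
    if len(name) < MIN_LEN:
        problems.append("at least %d characters" % MIN_LEN)
    if not re.search(r"[A-Za-z]", name):
        problems.append("at least one letter")
    if not re.search(r"[0-9]", name):
        problems.append("at least one number")
    return problems


@dataclass
class Response:
    status: int      # HTTP-style status code
    message: str     # text shown to the user


class BackendUnavailable(Exception):
    """Raised when the registration service is offline or overloaded."""


def backend_register(name: str, backend_up: bool = True) -> Response:
    """Stand-in for the back end: enforces the shared policy and reports
    its own outage explicitly instead of failing silently."""
    if not backend_up:
        raise BackendUnavailable("registration service unreachable")
    problems = username_problems(name)
    if problems:
        return Response(400, "Username needs " + ", ".join(problems) + ".")
    return Response(201, "Account created.")


def frontend_submit(name: str, backend_up: bool = True) -> Response:
    """Stand-in for the front end: tells the user the rule before the
    round trip and maps an outage to an accurate 503, not a 'page not found'."""
    problems = username_problems(name)
    if problems:
        return Response(400, USERNAME_HELP + " Missing: " + ", ".join(problems) + ".")
    try:
        return backend_register(name, backend_up)
    except BackendUnavailable:
        return Response(503, "The system is temporarily down. Try again later.")


def tiers_agree(candidates) -> bool:
    """Contract check for a test suite: every input must be accepted or
    rejected identically by both tiers."""
    return all(
        (frontend_submit(n).status == 201) == (backend_register(n).status == 201)
        for n in candidates
    )


if __name__ == "__main__":
    # constructed sample inputs
    for n in ["jacksmith", "jack2017", "123456"]:
        print(n, frontend_submit(n))
    print(frontend_submit("jack2017", backend_up=False))
```

The `tiers_agree` check is the kind of integration test the book says was missing: run it in the shared build with a list of realistic usernames, and any rule that one contractor adds without telling the other fails the build instead of failing the public launch.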

The Bidding Process
An indirect cause of the failure might be linked to the government bidding process. It consists of five steps:

Planning and Research. Learn the rules of bidding on government contracts and registering as a federal contractor.

Invitation for Bid (IFB). The government sends out invitations to bid on jobs that it believes fit into the area where you are registered. Instead of an IFB, the government may send a request for proposal (RFP). This indicates the government seeks help developing the strategy or implementation for a project.

Submit the Bid. The contractor shows the ability to perform the task and also offers a competitive price to do the job.

Oral Presentation. A contractor in the final running may be asked to make an oral presentation describing details of the bid and explaining how the work will be accomplished.

Contract Award. If the bid is successful, the government will award the contract.

Throughout the decision process the government agency may continue to ask for more information. This is a good sign - it means the agency is interested enough to know more. The bidder keeps providing whatever the agency needs. At some point, a decision will be made and the contract will be awarded.

The bid process for healthcare.gov involved a commitment of time and money that bidders were reluctant to undertake. Thousands of hours could be spent understanding what was needed. The labor costs for that time would not be recovered for the losing bidders. It is not clear that the proper amount of time was devoted by bidders to understand the task at hand. Nor is it clear that the government approach to bidding a contract produces the most capable party to deliver the program.

A sign of the failure to properly bid the project is the initial bidding price of $94 million. After receiving the contract, the government and CGI looked at it more seriously and revised the price to $292 million. By the launch date the cost rose to more than $500 million and the final cost has been estimated to be more than $1.7 billion.

Question
Is the launch of HealthCare.gov an example of cyber risk?
Answer
Of course. Sometimes losses are caused by accident or malicious intent. Sometimes they are caused by other factors.

Question
Is the launch an example of insurable cyber risk?
Answer
Probably not. The loss is not fortuitous.

Conclusion
Cyber risk management demands new perspectives and tools. The problem of cyber risk is challenging and a failure to deal with it can be devastating to an organization. We also need to remember the importance of world-class electronic security. We saw an example of its value. After the exposure of documents by WikiLeaks, Visa, MasterCard, and PayPal severed links with WikiLeaks, denying it access to funds. Anonymous attacked all three organizations. Because they had powerful security specialists and systems, they suffered only minor damage. With good security, Anonymous and others cannot do quite so much damage.


Chapter 5. Cyber Insurance.

NATURE OF CYBER INSURANCE
Cyber insurance is a form of insurance that redistributes the costs of unexpected losses from cyber risk. Characteristics:

How? It combines the risks of many individuals and organizations into a group and then uses the funds contributed by group members to cover losses incurred when using the Internet and electronic technology.

Why? It is used by society to pay the costs of economic losses from damage to computers, other assets, and people when the source of the loss is an electronic, computer, or electronic system failure.

When? It is a mechanism to transfer cyber risk from parties that cannot absorb the potential loss to insurance companies that offer coverage for losses from electronic and telecommunications activities.

Cyber insurance can reduce uncertainty and some of the economic consequences of unexpected computer loss. It provides a means of sharing the risk of large hacking efforts. It provides funds to reimburse equipment, data, and liability losses. It does not prevent the non-economic consequences of a cyber attack.

Definitions of Cyber Insurance
The term cyber insurance has multiple definitions depending upon the perspective of the party needing coverage:

Economic Viewpoint. A mechanism that transfers or finances cyber risk and thus reduces uncertainty.

Legal Viewpoint. A legal device that transfers cyber risk from one party to another through the use of a written insurance contract.

Social Viewpoint. A device that allows small payments by many parties to pay for large cyber attacks to a smaller number of parties.

Benefits of Cyber Insurance
Cyber insurance makes many contributions to economics and a modern Internet society, including:

Security. A source of funding to cover a portion of economic loss. It gives a certain peace of mind that the insured can handle serious adversity.

Resources. The funds to restore a situation to normalcy when accidents or other harmful events cause economic losses. A transmission system destroyed by an electric surge initiated by a hacker can use insurance funds to help restore the network. A computer program destroyed by malware can have funds to redo the code or restore lost data.

Safety. Cyber insurance offers an incentive to encourage individuals and organizations to be safety conscious. Working with the insurance company, an insured examines cyber exposures, perils, and hazards and takes steps to eliminate or reduce them. Such loss prevention reduces the number of losses as well as the cost of insurance.

Pooling of Losses. Cyber insurance brings together individual exposures and combines them into a collective entity. Many parties pay small sums to cover large losses of a few parties. Each party pays a premium that is small compared to the possible loss. When a loss occurs, money from the premiums reimburses losses.

Cyber Insurance Framework
Not all insurable risks will meet the standards to become an insurable loss under a policy of indemnification. We have already seen that insurable losses must be financial, definite, and fortuitous. In addition, other requirements must be met, including the following.

Loss not Trivial. An insurance company incurs administrative and marketing costs prior to accepting a risk. These involve advertising and selling insurance, evaluating whether the risk is insurable, and drafting and issuing a policy. Subsequently, the carrier must pay for damages and the cost of investigating the claims after a loss. As a result of these expenditures, the company cannot insure trivial losses. For small policy limits, the costs would make coverage prohibitively expensive.

Affordable Premiums. A premium is the payment given by an insured person or organization in return for insurance coverage. An insurance company will not issue and a potential insured will not buy insurance if the premium is not affordable for the kind of coverage. In most cases, this means a chance of loss must be quite low and even remote. As an example, a company may purchase insurance for a factory’s computer system. For a million dollars of coverage, an insurer may charge a premium of $6,000. If the company decides to move the business operation to a low-lying coastal location that is frequently threatened by hurricanes, the increased risk may cause a rise in the premium to $100,000. The insurance company may decline to offer the coverage or the company may decide that the policy is not affordable.

Acceptable Policy Limit. An insurer should not accept risk that is greater than its ability to survive. To increase limits without raising their own insurance exposure, insurance companies reinsure their large risks. This mechanism spreads large exposures over a number of companies and even around the world. For some exposures, the entire insurance industry does not have sufficient capital to provide coverage. An example would be the losses resulting from a major cyber attack launched in a political conflict between nations.

Acceptable Cyber Exposures
Insurance companies pursue a large potential market for coverage. They identify different acceptable exposures:

Similar Risks. A large number of policies written to cover related risks can allow many parties to pay premiums and share losses. Statistics and loss records can help insurers determine the appropriate rates to charge for coverage.

Unique Risks. In some cases, the similar nature of risks is waived. An example would be a cyber attack that destroys the computer system controlling an attraction at Disneyworld. The insurance company recognizes that it is not possible to calculate the odds of such an occurrence. Still, it is quite unlikely to occur. By accepting many such dissimilar exposures, the insurer actually creates a large pool of insureds to spread the losses.

Calculations or Diversification. It is possible to use the large number of insureds either to accept similar or unique risks. In one case, we accumulate historical data, assess changing circumstances in the world, and assign probabilities to a pool of similar exposures. In another case, we simply diversify the insurance portfolio and accept unrelated risks that are unlikely to happen. Either we calculate or we diversify. They both allow us to offer cyber insurance coverage.

Insurer Relationship to Cyber Loss
As we can see from the previous discussion, some cyber risks are quite large. The fact that they meet the requirements to be transferred is the first step in a process. The exposed party must still find someone who can accept the exposure. As a general rule, cyber risks are insurable when an insurance company can achieve the following:

Affordable Premiums. The insurer can offer coverage at a price that an insured can afford. An insurance company may quote premiums that are too costly for the risk appetite of potential insureds. In such a case, an insurance market will not develop.

Predictable Likelihood. The insurer must be able to estimate the probability of loss or decide a loss is not likely to occur. If an insurance claim is expected once in every 10,000 policies written, the insurer can calculate a premium. The same is true if the probability is not known but the likelihood of loss is fairly remote.

Insurer Strength. The insurer has enough financial resources to cover all losses and earn a return on its capital. If the financial exposure exceeds the capacity of a single insurer or the total insurance market, coverage will not be available.

INDEMNIFICATION
Indemnity refers to a reimbursement that compensates exactly for a loss. After a loss, an insured is returned to the approximate financial position prior to the loss. The insurer does not issue a policy limit that would allow an insured to make a profit from a claim.

An insured is not always indemnified for the full loss. Two situations:

Retention. The insured can be required to retain a portion of a loss. This is a deductible on the policy.

Policy Limit. The insured can purchase inadequate insurance to be fully indemnified for damages. If the policy limit is $1 million with a $200,000 deductible, a company that suffers a $2 million covered loss collects only $800,000, the policy limit minus the retention.

Cost of Indemnification
A research study examined more than 130 claims and showed the following:

Average cost per breach: $3.7 million
Lowest cost per breach: $2 million
Highest cost per breach: $76 million
Highest loss of data records: 1.7 million
Average settlement costs: $2.1 million
Average defense costs: $582,000

Other costs included notification and credit monitoring, much of which is mandated by federal and state laws, forensics analysis and data services, and legal advice to prepare for the next cyber attack. These costs averaged almost a million dollars per cyber attack.

Cyber Indemnity Calculation

The concept of indemnity quickly becomes complicated. How much would indemnify an insured if a loss occurred? The magnitude of a loss requires the insurer and insured to recognize obvious and less obvious financial consequences. The calculation for indemnification considers three components:

Direct Costs. Damage or harm in its basic and most visible context. For the destruction of a computer server, direct costs are those to repair or replace the asset. For a loss of data, the costs are those of reconstructing it from other sources.

Indirect Costs. Financial damages that are not so obvious or visible. In the case of stolen credit card information, indirect costs can arise from many areas. One involves the cost of issuing new cards. Another involves stopping purchases with all the cards, notifying merchants or banks, and paying any losses from illegal purchases made by the hackers.

Consequential Expenses. Money that must be spent as the result of a loss. With the successful attack on a system, a company may decide to replace its operating systems with newer technology. Another possibility is to upgrade hardware with the purchase of newer systems that offer increased security.

Question

A computer services company handles a multiple listing service for realtors in a six-state region. It keeps the hardware in a wooden shed behind the house of the company owner.

She purchased the hardware five years ago and paid $200,000 for it. It has a replacement cost of $300,000 today. The data on the system is backed up offsite. Restoring the data after a loss would cost $20,000, and installing it on a new system would take 10 days. The loss of sales by realtors who cannot access the data poses a legal liability risk for the owner.

The owner asked a syndicate at Lloyd’s of London to insure the hardware against cyber attack.

She wants a hardware insurance policy with a limit of $400,000. She wants extra expense insurance with a limit of $100,000. She wants protection from lawsuits with a policy limit of $5 million.

Is Lloyd’s likely to offer this insurance?

Answer

Yes, although not on all of the terms requested. The tests are:

Pooling. The insurance meets this standard. Many small organizations need cyber insurance from Lloyd’s.

Physical Property. Lloyd’s would decline the $400,000 limit on the physical asset loss. The policy would indemnify only the replacement cost of $300,000.

Extra Expenses. This policy would be issued. The company would have to document the expenses if a loss occurs and a claim is filed.


Liability Loss. Lloyd’s would probably cover the policy limit. It is high for the owner but not for a syndicate at Lloyd’s.

BUYING CYBER RISK INSURANCE

The task of deciding whether to add a cyber risk policy to an existing insurance program usually involves a joint discussion between a risk manager and the organization’s broker. They seek to determine which risks are already covered by the organization’s various liability policies. Then, they assess how an unacceptable uncovered risk might be covered under a specialty cyber risk policy.

However the decisions are made, cyber risk policies should be coordinated with other property and liability policies. These include general property, boiler and machinery, and general and professional liability policies.

Question

ABC Computer Services has a long-term contract to manage the information systems activities of an exporter. As part of the agreement, ABC signed a hold-harmless agreement covering the exporter if it is sued over data security or other information technology matters. A data breach resulted in a $600,000 judgment against the exporter. Does ABC have to reimburse the exporter?

Answer

ABC may have to reimburse the loss. The answer depends on the details of the agreement, including limitations of liability and the responsibilities of the exporter. It also depends on the details of the data breach with regard to factors such as negligence and user error.

Question

Which of the following risks identified for the 2016 Olympics are insurable cyber risks?

Physical attacks on computers or telecommunications.
Destruction of the communications systems used by security officials.
Electricity power blackouts.
Malware attacks on computer systems.

Answer

All of them could be covered by insurance. The Olympics Committee would be required to retain a large portion of each exposure and would take extensive risk management actions to avoid loss. These exposures would be covered in considerable detail in an incident response plan.

Question

What coverages can be included in a comprehensive cyber policy?

Answer

A cyber insurance policy could cover lawsuits, extra costs and expenses, intellectual property theft, privacy violation lawsuits, lost business, public relations fees, civil fines, and extortion demands.

Question

What should underwriters look for with respect to the role of a company’s top leaders in cyber risk management?

Answer

Insurable cyber risk decreases when top leaders are informed on:

The nature of cyber risk and recent developments in cyber exposures and techniques to manage them.
Specific risks identified by the cyber risk team.
Actions being taken by the company to mitigate cyber exposures.
The structure of the company’s property and liability insurance and the protection it offers against catastrophic risk from a cyber attack.

Risk managers ask different questions with respect to the purchase of insurance to cover cyber risks. We cannot buy everything.

Are we interested in first-party, third-party, or both coverages? Do we need to protect our own equipment, or against the damage our systems can do to the systems of others?

What is covered? If we decide to purchase a policy, does it really do the job we need? What is the significance of the exclusions? Do we need endorsements for additional coverage?

What are we buying? Are the products being offered by insurance companies the products we need? How do we know?

What are our real exposures? What would be the impact of a privacy breach? How strong is our network security? What should be our response to the variety of “off-the-shelf” coverages available from insurers?

Do we have special needs that never existed previously? What are the new conditions for data restoration or for indemnification of others for the loss of their data? Do we have new media threats? Can outside parties steal data and demand ransom, or threaten extortion, for its return?

Risk Manager Technical Checklist

In addition to the broad questions, risk managers must answer the specific questions that apply to all insurance coverage. The answers can be more difficult to reach in a cyber environment. Technical questions include:

What should be my limits of liability?
Should I buy retroactive or extended coverage?
What are the exclusions?
Should I accept the consent provisions?
What is the allocation of defense costs?
Should second parties be insureds?

The technical questions are then matched against the cyber insurance coverages available in the market. These include:

Breach Response. Reimburses the costs of securing a system after a hacking attack. Effectively this is all the costs of a crisis management activity to overcome the specific damage to the system resulting from hacking by outsiders to the organization.

Employee or User Response. Covers errors or intentional misbehavior by employees or other authorized users when they lead to a data breach.

Cyber Liability Lawsuits. Separate coverage for claims by outsiders who suffer a loss as a result of a cyber attack on the insured.

Business Interruption. Damage to, or temporary loss of, hardware or a network can cause an insurable financial loss while the business cannot operate.

Regulatory Fines and Penalties. Losses imposed by the government. Statutes may bar insurance as a reimbursement for these costs.

Emergency Response Costs. Separate coverage for extra expenses not foreseen in other insurance purchased to reimburse cyber loss.

Bodily Injury and Property Damage. Physical harm directly caused by a cyber attack.

Question

The laptop computer of a senior vice president at a consumer credit corporation was stolen. Someone used the computer to download customer records. As a result, the company had to pay damages and legal fees of $600,000. What kind of liability policy covers this loss?

Answer

It may be covered by a cyber policy or by a general liability policy. The risk manager needs to examine the coverages and exclusions to answer the question.

LAYERING OF INSURANCE

The strategies of risk management, to avoid, retain, transfer, and reduce, are also largely the structure of cyber insurance. They apply to the insurance company as well as to the insured. Both parties focus on reduction for all risks. Then, the transfer structure pursues the following goals:

Avoid. Do not accept any exposure that cannot be successfully retained or transferred.

Retain. Keep only the portion of an exposure that you can handle yourself without significant adverse impact on your company or its operations.

Transfer. Agree with other parties that they will cover a portion of the risk. Pay the parties for coverage of the transferred exposure.

Transfer strategies are implemented through a process of layering. A layer is a level of retention or transfer of an insurable exposure in a structure where each layer sits above a lower or underlying level. Each layer is the responsibility of a different party. As coverage and potential loss increase, insurance layers provide higher total limits than might be obtainable from a single party.

Single Policy Layering

A large organization can purchase insurance from different insurance companies. The diagram (Cyber Insurance Layering for a Commercial Buyer) shows the layers for three insured categories for one company:

Retention by the Insured. This is the first portion of any loss or aggregate losses. The insured accepts this exposure as a deductible on a single insurance policy.

Transfer to a Primary Insurer. The first layer of losses above the insured’s retention is the obligation of the primary insurer.

Excess Insurance #1. The organization purchases excess insurance above the policy limit for coverage by the primary carrier.

Excess Insurance #2. The insured purchases another layer above excess #1.

Umbrella. The insured purchases a high level of broad coverage that protects against losses across all three categories of underlying coverage.

Insurance Company Layering

Similarly, the insurance company protects itself from excessive exposure. The diagram (Cyber Insurance Layering for an Insurance Company) shows the structure for an insurer with three lines of business. Reinsurance replaces one level of excess coverage as compared to the previous structure.

Question

A company has cyber insurance coverage as follows. Is it a good structure?

$25 million replacement cost coverage for cyber attack loss to computer equipment and data.

$8 million primary coverage with a $2 million deductible.
$5 million secondary coverage above a loss of $11 million.
$5 million excess coverage above a loss of $20 million.

Answer

No. It has three gaps in coverage totaling $9 million. Unless this structure somehow fits the company for other reasons, it is not a sound way to transfer risk.

Layer          Coverage        Retention
Excess         $5 million
Gap                            $4 million
Secondary      $5 million
Gap                            $3 million
Primary        $6 million
Retention                      $2 million
Total          $16 million     $9 million

Conclusion

The principles underlying the transfer of risk using insurance have developed over a long period of time and are well understood in many parts of the world. They apply in a variety of circumstances but face many new factors when insurance principles are applied to cyber risk. We can expect risk managers and insurers to constantly find new applications in a world of rapidly changing technology and accompanying new exposures. At the same time, we recognize that the consistency of risk management efforts depends upon an understanding of basic concepts. As we progress through later topics, we will see that we always refer back to insurance principles.
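The gap arithmetic in the question above, and the limit-minus-retention calculation under Indemnification earlier in this chapter, are instances of one tower calculation: each layer pays the slice of a loss between its attachment point and its exhaustion point, and any slice that no layer reaches stays with the insured. The Python below is a worked example added here, not part of the original text. It takes the layer figures from the question as given, treats the $8 million primary as exhausting at $8 million so that the primary itself pays $6 million above the $2 million deductible, and adds a constructed, assumed alternative in which the same three limits are stacked end to end.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Layer:
    """One layer of an insurance program. It pays the part of a loss that
    falls between its attachment point and attachment + limit."""
    name: str
    attachment: int   # loss amount at which this layer starts to pay
    limit: int        # the most this layer will pay

    @property
    def exhaustion(self) -> int:
        return self.attachment + self.limit


def check_tower(layers: List[Layer]) -> List[Layer]:
    """Return the layers sorted by attachment point, rejecting overlaps.
    Overlapping layers would be counted twice in recovery(); a properly
    built tower attaches each layer where the one below it exhausts."""
    ordered = sorted(layers, key=lambda layer: layer.attachment)
    for lower, upper in zip(ordered, ordered[1:]):
        if upper.attachment < lower.exhaustion:
            raise ValueError(f"{upper.name} overlaps {lower.name}")
    return ordered


def coverage_gaps(layers: List[Layer], program_top: int) -> List[Tuple[int, int]]:
    """Uncovered bands between $0 and program_top as (low, high) pairs.
    The first band, below the lowest attachment, is the deductible the
    insured chose to retain; any later band is a hole in the tower that
    the insured retains whether it meant to or not."""
    gaps = []
    cursor = 0
    for layer in check_tower(layers):
        if layer.attachment > cursor:
            gaps.append((cursor, layer.attachment))
        cursor = layer.exhaustion
    if cursor < program_top:
        gaps.append((cursor, program_top))
    return gaps


def recovery(layers: List[Layer], loss: int) -> int:
    """Total the insurers pay on a loss: each layer pays the slice of the
    loss inside its band, which is at most its limit and never negative."""
    return sum(max(0, min(loss, layer.exhaustion) - layer.attachment)
               for layer in check_tower(layers))


def insured_retains(layers: List[Layer], loss: int) -> int:
    """Whatever the insurers do not pay stays with the insured."""
    return loss - recovery(layers, loss)


# Figures from the question: $25M program, $8M primary with a $2M deductible
# (the primary itself pays the $6M between $2M and $8M), $5M secondary
# above $11M, $5M excess above $20M.
PROGRAM_TOP = 25_000_000
BOOK_TOWER = [
    Layer("primary", attachment=2_000_000, limit=6_000_000),
    Layer("secondary", attachment=11_000_000, limit=5_000_000),
    Layer("excess", attachment=20_000_000, limit=5_000_000),
]

# Constructed alternative (an assumption, not from the book): the same
# three limits stacked so each layer attaches where the one below exhausts.
STACKED_TOWER = [
    Layer("primary", attachment=2_000_000, limit=6_000_000),
    Layer("secondary", attachment=8_000_000, limit=5_000_000),
    Layer("excess", attachment=13_000_000, limit=5_000_000),
]

# The single policy from the Indemnification section: $1M limit with a
# $200K deductible, so the insurer's band runs from $200K to $1M.
SINGLE_POLICY = [Layer("policy", attachment=200_000, limit=800_000)]


def describe(layers: List[Layer], program_top: int, loss: int) -> None:
    for low, high in coverage_gaps(layers, program_top):
        print(f"  uncovered ${low:,} to ${high:,} (${high - low:,})")
    print(f"  on a ${loss:,} loss insurers pay ${recovery(layers, loss):,},"
          f" insured retains ${insured_retains(layers, loss):,}")


if __name__ == "__main__":
    print("tower from the question:")
    describe(BOOK_TOWER, PROGRAM_TOP, 25_000_000)
    print("same limits stacked end to end:")
    describe(STACKED_TOWER, PROGRAM_TOP, 25_000_000)
    print("single policy, $2M loss:")
    describe(SINGLE_POLICY, 1_000_000, 2_000_000)
```

Running the file lists the three uncovered bands of the tower in the question and shows the insurers paying $16 million of a full $25 million loss. The stacked alternative pays the same $16 million on a total loss, because the limits have not changed, but it leaves one gap of $7 million at the top instead of two holes in the middle; on a $12 million loss it pays $10 million where the original tower pays $7 million. The point for the risk manager is that gaps in the middle of a tower cost money on the more common partial losses, and that reaching the $25 million target requires buying more limit, not just rearranging the layers.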


Cyber Insurance Layering for a Commercial Buyer.

[Diagram. Three columns, one for each insured category: Computer Equipment & Servers; Loss of Software and Data; Cyber Lawsuit Liability. In each column the layers are stacked from the bottom up: Retained, Primary Insurer, Excess #1, Excess #2. A single Umbrella layer spans all three columns at the top. The vertical scale runs from $0 to $100M in $25M steps.]


Cyber Insurance Layering for an Insurance Company.

[Diagram. Three columns, one for each line of business: Computer Equipment & Servers Insurance; Loss of Software and Data Insurance; Cyber Lawsuit Liability Insurance. In each column the layers are stacked from the bottom up: Retained, Primary, Reinsurance, Excess. A single Umbrella layer spans all three columns at the top. The vertical scale runs from $0 to $100M in $25M steps.]


Chapter 6. Insurance Law

THE LAW OF CONTRACTS

Around the world we can find three different systems that create the legal environment of insurance:

Common Law. In this framework, also called case law, laws are created by the decisions of courts. The rationale is that it would be wrong for courts to be inconsistent in their rulings. With the same facts and situation, courts should reach the same decision. This legal system developed in Great Britain and was brought to the United States and other countries. Approximately one-third of the world’s courts are found in common law jurisdictions.

Civil Law. In this system, courts operate under written laws approved by a legislative body or central or local government agency. A federal, state, provincial, or municipal government may be the source of the law. Civil law is the most widespread system of law around the world. It traces its roots to Roman law and then spread throughout the countries of continental Europe. It is often identified with Italy, France, and Germany even though it is widespread across Europe, Asia, Latin America, and Africa.

Religious Law. Some jurisdictions have legal systems based upon or subordinate to laws that arise from religious beliefs. Court decisions and statutes can change the laws. Such change often comes slowly and cannot violate long-standing and traditional interpretations of the religious guidance. The major forms of religious law are Sharia in Islam, Halakha in Judaism, and canon law in some Christian areas.

Whatever the legal system, insurance law has developed along its own lines and many of the principles are applied in courts around the world.

Basic Requirements of Contracts

Insurance is provided in contractual arrangements among insurance companies, individuals, and organizations. A starting point for understanding an insurance policy is to recognize the basic requirements of all contracts.

Offer and Acceptance. A contract is a legally enforceable agreement where two or more parties agree to exchange mutual performances. At some point, one party must make an offer. Another party must accept it.

Consideration. This is something of value that creates an inducement to enter into an agreement. To have mutual performances, each party must offer something of value to the other parties. Courts hold that the value should be objectively determined.

Competent Parties. The parties must have legal capacity to enter a binding contract. A person is deemed legally capable in the absence of other factors. An exception is that legal capacity is restricted to persons of legal age, a requirement that varies from age 18 to 21 depending upon state law. Evidence can be introduced that an adult lacked legal capacity. A person judged by a court to be insane or incapacitated by drugs, alcohol, or other impairment will be released from a contract.

Legal Purpose. A contract is enforceable only if it complies with law. Agreements to perform illegal acts, whether criminal or civil, will not be enforced by courts. The same is true if an agreement is deemed to be contrary to public interest.

Question

A company requested cyber insurance and was given a quote of $22,000 for the premium. The company provided additional information to the insurer and requested a reduction to $15,000. The insurer responded with an offer of $18,000. Before the company could respond, a cyber hack occurred of a kind the quoted policy would have covered. Does the insurer have to reimburse the company for the loss?

Answer

No. At the time of the loss, there was an offer but no acceptance.

Question

A company purchased a $300,000 cyber insurance policy and paid a premium of $3,000. After binding the contract, the agent said the insurer would also cover $20,000 of data stored in a separate system. Later, a hack damaged the separate system but not the first system. Does the insurer have to pay for the loss?

Answer

No. It appears that no consideration exists for the added coverage. If the additional coverage had been an inducement to sell future policies, the answer would have been yes.

Contract of Indemnity

An insurance contract is a contract of indemnity. The goal, as much as possible, is to restore the individual to his or her financial position before the loss. An effort is made to avoid a moral hazard that would encourage individuals and organizations to seek profits from an insured loss.

The indemnity principle applies widely around the world. Three forms of indemnity contracts are:


Reimbursement Policy. The insured pays for a loss and then is reimbursed by the insurance company.

Pay on Behalf Policy. The insurance company adjusts a claim and pays legal costs and damages directly.

Indemnification Policy. The insurance company can choose to reimburse or pay on behalf of the insured.

Insuring a Supercomputer

A computer technology company is about to deliver a new supercomputer to an owner who has applied for insurance to repair or replace it if it were the victim of a cyber attack. Replacement would be easy, as similar computers are available in the market. Given the following data, how much insurance would be available under the indemnity principle?

Time to Manufacture. It takes one year to build this kind of server.
Prior Cost of Construction. The cost was $30 million.
Current Cost of Construction. The cost today has risen to $33 million.
Current Market Value. The computer could be sold today for $25 million. Buyers and sellers are plentiful.
Mortgage. The owner paid $2 million of the original cost and borrowed the balance from a bank. A lien on the computer secures the bank loan, which has a $28.5 million balance due, payable in equal monthly installments.

Answer

The owner could request and receive either $25 million or $28.5 million. The indemnity issue is, “What does it mean to restore the owner to the pre-loss position?” The answers:

Market Value Limit. A payment of $25 million would allow the owner to buy a replacement computer. The owner would be restored to the original position in terms of having a similar asset and using it to earn funds to make future loan payments.

Mortgage Limit. If insurance paid only $25 million, the $3.5 million shortfall against the loan balance would have to be reported to shareholders and the public. This could produce a drop in the price of the company’s stock.

Original and Current Manufacturing Cost. These are not relevant for insurance purposes. The market, not a cyber attack, caused the drop from $30 million to $25 million. It is not insurable. New manufacturing cost has no effect on the situation with the loss of the computer when substitute assets are available.

THE LAW OF INSURANCE POLICIES


To understand cyber insurance policies, we must first understand contract law. We can identify some key contract terms and categories.

Material Fact. Any item of information presented as having objective reality. A material fact is any such information that would be important to a reasonable person in deciding whether to enter into a legal contract.

Representation. A statement made by a party in the process of negotiating a legal contract designed to encourage another party to sign the contract.

Misrepresentation. A statement made by a party in the process of negotiating a legal contract that is false.

Concealment. A failure to voluntarily disclose a material fact in the process of negotiating a contract.

Warranty. A statement made to secure a contract that must absolutely be true if the contract is to be enforced.

Fraud. An intentional deception to cause a party to give up property or a lawful right. Committing fraud is both a civil and criminal illegal act.

Caveat Emptor and Venditor

Caveat emptor is a Latin term translated as “Let the buyer beware.” Caveat emptor is a legal doctrine in U.S. property law. After the sale of real property, a buyer cannot recover damages from the seller for defects that rendered the property unfit for ordinary use. Exceptions are when a seller actively concealed latent defects or made fraudulent material misrepresentations. The legal doctrine is often applied beyond real property contracts.

Caveat Venditor is a Latin term for "Let the seller beware.” Caveat Venditor is often applied to sellers of products that are either defective or fail to live up to representations or specifications. The doctrine allows the buyer to sue to void a contract. It is the exact opposite of caveat emptor.

These legal principles are widespread in business and social dealings in the developed countries of the world. They do not apply to the business of insurance.

Utmost Good Faith

This is the legal doctrine that applies to insurance contracts. It requires both parties to make a full and fair disclosure of all facts affecting an insurance contract. Insurance law is quite specific when dealing with material facts.

Representation. The insurer and insured must represent all material facts when applying for an insurance policy. A representation only has to be true to the best knowledge of the applicant.

Misrepresentation. If an individual or organization knowingly lies about a material fact, the policy can be determined to be void when the misrepresentation is discovered.

Utmost good faith starts at the level of representations and covers misrepresentation and concealment, which can allow an insurer to void an insurance policy. It obviously applies to the more serious allegation of fraud. When negotiating insurance coverage, misrepresentation, concealment, or fraud by the applicant can allow the insurance company to void the policy in advance of a loss or deny benefits upon discovering the misbehavior after a loss.

Question

A CFO answered questions as part of the application for a cyber risk policy. In an oral statement, she said the firm had only three employees who held master’s degrees in computer science or information systems. She identified the individuals and shared their employee records, but the statement did not become part of any written agreement. As it turned out, the company had more than 25 such employees, who had joined the firm as the result of the acquisition of another firm 10 years earlier.

The insurer and organization signed a 3-year policy. During the second year of the plan, two of the 25 employees downloaded sensitive information and left the company. The insured sued to retrieve the information, incurring legal and other fees. When the CFO filed a claim, the insurance company accused the CFO of misrepresentation and cancelled the plan. Will a court enforce the voiding of the policy?

Answer

The court will decide on the facts in the case. Legal issues are:

Was the statement a representation that affects the contract? If yes, it can be valid in either oral or written form.

Was the CFO’s statement a representation of a material fact made with the intention to induce the insurer to provide coverage? If the CFO was unaware of the prior acquisition, the statement was not a misrepresentation.

Was the statement true to the CFO’s best knowledge? A court has to determine whether the CFO had the obligation to verify the statement.

Question

A company operates refineries in Kuwait and Qatar. It applied for insurance coverage on the computer system at the Qatar facility and completed a 16-page form provided by the insurer. The form did not ask about the computers or data systems at other refineries, and the company did not report a series of computer malfunctions and failures that had disrupted refinery operations in Kuwait, caused by the refinery’s failure to follow security protocols and by usage errors by employees.

The insurer issued a 3-year policy covering the Qatar refinery. After the policy had been in effect for one year, employee negligence contributed to an explosion and loss at the Qatar site that seriously damaged both computer hardware and software. After learning about the Kuwait history, the insurer voided the policy. Will a court uphold the insurer’s decision?

Answer

The court will make a decision based on its assessment of the facts. Issues are:

Is the information on the Kuwait refinery a material fact?
Is it concealment to be silent on the Kuwait situation?
Is a failure to add to the questions on the form a violation of the utmost good faith required for insurance contracts?

Question

What is the legal standard if a company seeking cyber insurance coverage engages in concealment during the negotiation with an insurer?

Answer

Concealment is an issue for a company or other insurance buyer:

Utmost good faith makes it unlawful for the company to suppress any fact or circumstance that in justice ought to be made known to the insurer.

The organization has the affirmative burden to disclose material facts that can affect coverage.

A policy can be voidable if concealment occurs.

Question

A company president purchased three separate insurance policies. The policies applied to a single network connecting 24 embossing machines.

One policy covers the loss of hardware.
The second policy covers hacking or other damage to the computer software.
The third covers liability exposure if the network is hacked or otherwise fails.

Some other key information:

Most of the machines were at the corporate headquarters. The president saw a watchman every evening when she left the office. At times, this was late at night. She told the insurer that she believed the office building had 24-hour security.

The operating system on four of the machines had been damaged three years earlier by an electricity surge and had not been repaired.

Five machines were brought to the home of the chief information officer. The president warranted that the CIO had a working alarm system installed at the house and that it was connected to a local security firm. When the CIO brought home the machines, he put four of them into storage in a small shed on the property.

The CIO and his family took a one-week vacation. On the third night of the vacation, a burglary ring broke into the corporate headquarters, the CIO’s house, and the shed. The group stole all the machines. Subsequently, the insurer learned:

The corporate headquarters had no security after midnight.
The alarm system on the CIO’s house was not working because of a dead battery.
The shed had no lock.
Last year, the president wrote a memo suggesting that insurance might be a way to cover the repair of the machines that had been previously damaged.

The network software and confidential data of clients was lost and had to be repurchased or replaced.

Confidential client data stored on the network had been released to the Internet and clients were threatening to sue.

Does the property policy cover the loss of the machines? Does the cyber software policy cover the replacement of the software? Does the cyber liability policy cover the exposure from the loss of confidential data?

Answer

The issues are:

24-hour Security. A representation, which need only have been true to the best of the president’s knowledge, affecting the machines in the office.

House. No coverage. The alarm system was a warranty. It must be true.

Shed. No coverage. This might be an innocent mistake or could be concealment of a material fact.

Damaged Machines. Possible fraud. If provable, it could invalidate all the policies.

Network and Liability Coverage. This will depend upon the wording in the policies.

Assignment

This is the right of a party to transfer a claim, right, or property to another party. The concept applies largely to contract and real estate law and has specific provisions for insurance agreements.

General Contract. Common law supports few restrictions on assignment. The assignor usually does not need to consult or even advise the other party to the contract. The assignment cannot change the agreement. It must not affect the duties of the other party nor reduce the responsibilities of the assignor.

Personal Contract. Common law recognizes that certain forms of performance create a unique relationship between the parties to the contract. If a couple arranged for Taylor Swift to sing at their wedding, the singer’s agent could not assign the agreement to an unknown talent. If an experienced attorney agreed to present the case for patent infringement by a corporation, the task cannot be assigned to a lawyer not approved by the client. These kinds of agreements, called personal contracts, cannot be unilaterally assigned.

Consent. This term refers to permission to assign a contractual right. A personal contract can be assigned only with the permission of the other party. Insurance is a personal contract. Neither the insurer nor the insured can assign its obligations under the policy to a third party without express written permission.

Waiver

The term waiver refers to the relinquishing of a known right. It can occur in two forms:

Intentional. An individual or organization can consciously surrender a right to which it is entitled.

Unintentional. By taking actions that the law or a court would consider the failure to protect a right, a party can waive the right without a conscious decision to do so.

When contract disputes arise, one of the parties may allege that the other party has waived its right to performance under the terms of the agreement. If the parties cannot work out a settlement, the disagreement can be resolved in a court of law.

Question

A large airport is considering the purchase of a liability policy to reimburse it for lawsuits that allege disruption to travel as a result of interruption of its reservation system. The insurance company offered a lower premium if the airport would waive coverage for any interruption other than weather. Is this a good idea?

Answer

No. Computer systems can be disrupted by hackers, employee errors, equipment failure, power surges, and other causes. The coverage would offer only limited protection.

Void and Voidable Contracts


The term void refers to anything that is not valid or legally binding. A void agreement or contract has no legal force. A voidable contract, unlike a void contract, is still valid. Both parties are bound to perform under its provisions. One party has the option to declare that the contract is void. If the other party accepts the action or if a court of law upholds it, the contract becomes void. A court makes the final decision if voiding is contested.

Question

How do we determine whether a contract is voidable? Whether it is void?

Answer

Voiding is always at the option of one of the parties. It is not mandatory when a contract provision is violated. The option to void can arise from two situations:

Contingency Occurs. A contract is written imposing performance obligations on two or more parties. Sometimes external events create circumstances where one of the parties is willing but unable to perform. If such an event occurs, a party may declare the contract void and a court will uphold the voiding.

Permitted in Contract. In some cases, a contract will contain language that allows a party to declare a contract to be void if a specific condition is met. If a court agrees that the condition has occurred, the court will uphold the voiding of the contract.

Expectations Principle

This refers to interpreting a contract of adhesion to meet the reasonable expectations of the party that did not draw it up. The impact is that fine print or tricky language will not invalidate insurance coverage.

Question

A city buys a cyber liability policy to cover its computer network. On page 19, the policy contains the wording “Coverage will not be provided if the organization hires anyone with a prior criminal conviction related to a computer system or network.” A disgruntled employee inserts malware and damages the system. It turns out that he was convicted of a similar act at a prior employer. Will the insurance company have to pay for the loss?

Answer

Yes. Under the expectations principle, the city purchases insurance separately from having to audit all its hiring practices. Insurance companies are not allowed to link insurance coverage to areas of operation that have nothing to do with the primary coverage sought by an insured.

Strict Compliance Rule


This is a legal doctrine that states that a contract is enforced in accordance with its terms. If terms are clear, meaning may not be distorted by interpretations. The rule covers insurance policies.

Question

A company purchased network coverage for its computer center in an office building. The policy prohibited the use of any part of the building as a restaurant. When delivering the policy, the insurance agent ate lunch in a pizza parlor on the ground floor of the building. Nine months later, smoke from a fire in the restaurant damaged the operating system for the network. Can the insurer void the policy?

Answer

Not likely.

Information given to an agent is notification to the insurer. Strict compliance can be waived in situations of factual conflict. The insurer probably waived its right to void by waiting 9 months. A court would probably deny a voiding of the policy.

Question

A chemical company purchased a cyber liability insurance policy. During negotiations, the risk manager thought the policy covered a loss when an employee’s personal email account was the source of a lawsuit. After receiving the policy, the risk manager did not notice that personal email was an exclusion. When three employees exchanged information using personal accounts, client intellectual property was compromised and the client sued the chemical company. Can the insurer deny coverage?

Answer

Yes, but issues will arise. The company will argue for the expectations principle. The insurer will point out that contracts are interpreted on the basis of their terms and that personal email is an exclusion in the policy. A court probably will not enforce coverage.

Contract of Adhesion

This is an agreement prepared by one party and accepted or rejected by another party without modification. It is an agreement that has not been reached by negotiation. Courts treat homeowner’s, auto, and individual medical insurance policies as contracts of adhesion. Many commercial policies also qualify under the definition.

Question


A law firm with six employees is seeking a cyber liability policy to protect against hacking of personal data stored on a server in its office. The managing partner knew of some material facts that would affect the policy, and a loss occurred as a result of those facts. The partner did not reveal the information when completing an application for coverage. Can the insurer refuse to reimburse a covered loss?

Answer

Concealment might not be an issue in this case.

The insurance company is expected to ask all relevant questions. This is likely to be viewed by the courts as a contract of adhesion. Misrepresentation or fraud responding to questions can void the policy. Concealment may not void the policy.

Question

A hotel had labor problems and locked out employees. Union members picketed the hotel and engaged in aggressive actions with guests, security guards, and local police. After 23 days, a union employee accessed the company database from a remote location and did considerable damage to the network. The insurer denied coverage because the loss was caused by intentional behavior of an employee of the insured. Does the policy cover the loss?

Answer

Yes. The intentional-acts exclusion is aimed at the conduct of the insured itself; a locked-out employee accessing the database remotely is acting against the insured, not for it. The insured does not benefit from a renegade employee committing a criminal act.

Subrogation

This is the legal right of an insurance company to recoup the cost of loss and expenses for a claim it paid when another party should have been responsible for paying at least part of that claim. Common law allows the insurer to “step into the shoes” of an injured party and pursue legal remedies to reimburse it for benefits paid to the injured party. The amount of damages is limited to the money paid by the insurer.

Question

A computer services company installs hardware and software for clients. One of its employees installs a system and plants a backdoor in it. After the installation, the employee accesses the system from a remote location, steals a bank password, and withdraws money from the client’s bank account. The computer services company is sued, pays for the loss, and then files for reimbursement from a cyber liability policy that covers the loss. Does the insurance company have to pay the claim?

Answer

Yes. The insurer can subsequently file a lawsuit against the former employee who stole the money.


Question

In the previous question, suppose the computer services company refused to cooperate with the insurer in the pursuit of reimbursement for the loss. The company was afraid that testifying in court would anger the former employee and motivate him or his friends to hack the company systems in the future. In this circumstance can the insurer deny the claim?

Answer

The general answer is yes. Cyber policies require cooperation with subrogation. The actual situation is more complicated. The insurance company might not force testimony, recognizing the danger of future losses. The insurer could pursue subrogation using police reports or other evidence to spare the possible harm to the insured.

Question

Uber offers ride services in competition with taxi and limousine firms. In 2015, a hacker stole 50,000 of its drivers’ personal information records, including names and license numbers. Almost immediately, a lawyer filed a class action lawsuit in California federal court accusing the company of negligence for failing to secure its drivers’ information.

Uber traced the hacker to an Internet address hosted by Comcast as the Internet service provider. Comcast refused to provide information about the identity of the owner or the online history of the hacker’s account. In an attempt to unmask the hacker, Uber subsequently filed a lawsuit against Comcast in San Francisco federal court. A liability insurance company suffered a loss as a result of the hacking. Does it have the right to subrogate its payout? If yes, which parties should be the target of a subrogation lawsuit?

Answer

It is obvious that the hacker should be a target. It is more difficult to collect from Comcast unless a regulator or a court authorizes release of the personal data of the Comcast subscriber.

Note: Eight months after the attack Reuters reported that the Comcast Internet address could be traced to the chief technology officer at Lyft, a rival U.S. ride service. A Lyft spokesman said it had found no evidence the executive or any other Lyft employee was involved in the Uber data breach.

Lloyd’s of London and the Bermuda Market

As the market for cyber insurance develops and grows, we can expect large amounts of excess insurance coverage to be placed in two markets where the insurance law is well established. This is a good place to introduce Lloyd’s of London and the Bermuda market. They are covered in the appendices.


Conclusion

Insurance law is a distinctive body of law developed over a long period of time. It provides a framework for addressing the new exposures, perils, and hazards of computer systems, networks, and telecommunications. The legal environment of insurance builds squarely upon the common law and statutes affecting all formal contractual agreements. At the same time, insurance legal principles are quite unique in many ways. Insurance is not an ordinary business dealing in which buyers and sellers must beware of the behavior of the other side. Rather, the goal of insurance is to protect people and assets. A higher standard of behavior is expected and required. This reality shapes all areas of insurance and its use as a mechanism to transfer risk. It is quite suitable for transferring cyber risk in modern organizations.


Appendix 6a. Lloyd’s of London.

One of the great stories of underwriting involves Lloyd's of London. A well-known institution, Lloyd’s is a British insurance and reinsurance market located in a prominent facility in the City of London. It provides a physical location for the activities of insurance companies, financial organizations and individuals. The history of Lloyd’s over a 300-year period is also a story of accepting new risk and designing insurance to cover it. Let us take a look.

History of Lloyd’s

In 1687, Edward Lloyd opened a coffee house on Tower Street in London. His establishment was a popular place for ship owners and merchants. Participants in the shipping community discovered they could learn current developments in shipping by regular visits. The place became a center for business activity including insurance. In 1696, Lloyd began publishing a news sheet of ship arrivals and departures and other maritime information (Lloyd’s News, the forerunner of Lloyd’s List). To improve available information, Lloyd developed relationships with agents in foreign ports. Eventually, the arrangement evolved into The Society of Lloyd’s.

Lloyd’s During 1688-1988

The period from 1688 to 1807 saw the growth of Lloyd’s into the most important insurance society on the planet. The market developed as Great Britain became the leading maritime nation. It is estimated that the participants at Lloyd’s paid for the losses of more than 1,000 vessels. Many of them were engaged in the slave trade between Africa and the New World.

Growth continued in the period 1807 to 1968, as Great Britain participated in the creation and expansion of the Industrial Age. The British Parliament passed the 1871 Lloyd's Act that formalized the legal status of the Society. The Lloyd’s business expanded into new areas beyond the maritime sector. The Lloyd's Act of 1911 identified the Society's objectives to provide insurance and collect and share information on risk. In 1968, Lloyd’s commissioned a report that reduced the capital needed to become a member and opened membership to investors.

In the 1970s, Lloyd’s took advantage of British tax laws to increase the after-tax profits of investors. The result was a large increase in the number of members who provided insurance coverage without any relationship to the underlying risks. Many investors took advantage of gaps in regulation and Lloyd’s experienced serious misbehaviors compounded by a lack of discipline in the evaluation and acceptance of risk. Lloyd’s was in trouble.


Question

In 1750, 200 ships sailed from London to the Far East. Lloyd’s insured half of the vessels. The other half had coverage under a pool of money provided by six English banks. Which group was more likely to suffer losses?

Answer

The banks. Lloyd’s had agents in foreign ports to assess damage and losses and ensure that they were covered losses. The banks, without such agents, had no way to know whether a loss should really be covered. Posting correspondents in foreign ports was a Lloyd’s practice to reduce risk.

The Lloyd's Act of 1982 attempted to address the problems. It created a new governing Council and separated broking from underwriting:

Syndicates. Syndicates, which function as the insurers, would write the coverage. Individual members would make up the syndicates, accept exposures, and pay claims. They would keep the profits above any losses or make up deficits if the syndicate experienced higher losses than the premiums it collected.

Brokers. They would bring coverage requests to the underwriting syndicates. Working for organizations or individuals that seek insurance coverage, a broker would help assess the risk and explain it to the syndicates. Only licensed brokers would be allowed to request and obtain insurance.

Lloyd’s During 1988-1996

To understand Lloyd’s in this period we must understand how Lloyd’s historically was able to have the cash to pay claims. The structure was:

Name at Lloyd’s. A member at Lloyd’s was called a “Name.” The individual would be accepted in a syndicate after a careful appraisal of the person’s character and financial capacity.

Capital. Each Name would give Lloyd’s a sum of money to cover losses and expenses. It would be a relatively small amount of cash compared to the risks being accepted.

Unlimited Liability. The Names agreed to pledge all their worldly possessions to cover losses. This included their cash and securities as well as real estate or other illiquid assets.

One-year Membership. The Name would be a member of a syndicate for a single year. At the end of the year, the syndicate would dissolve. The Name could agree to serve on a new syndicate. Usually this was made up of most of the members of the previous syndicate.

Three-year Accounting. Lloyd’s would keep a syndicate’s year of account open for three years. As an example, the 1989 year of account would close its books at the end of 1991. At that time losses would be finalized and the Names would receive any profits or make up any losses.

Reinsurance. Any losses still outstanding after three years were reinsured at Lloyd’s into the syndicate’s following year of account (the reinsurance to close). Thus, even though it seemed that the risk of loss from a prior period was completed, it actually continued for the individual Name. As an example, a Name who served on 10 consecutive syndicates from 1980 to 1989 was liable for his or her share of the cumulative losses of all 10 syndicates.

This system worked fine prior to 1988, when large liability exposures manifested themselves. Largely in the areas of asbestosis, pollution, and health care, losses materialized many years after the initial exposure. Lawsuits were filed and courts held Lloyd’s syndicates liable for massive losses long after the syndicate was disbanded. The result was bankruptcy for many Names. A number of lawsuits were filed against Lloyd’s alleging misbehavior and even fraud. The courts rejected them in 2002, even as the judges criticized the Society.

Question

Is a person’s hair insurable as property insurance?

Answer

Ask Troy Polamalu of the Pittsburgh Steelers. He was a spokesperson for Head & Shoulders shampoo. The company requested and received from Lloyd’s of London a $1 million policy covering damage to his hair.

Lloyd’s Today

After 1996, Lloyd’s made a number of changes that reformed the market. Key participants are:

Capital Providers. The number of Names with unlimited liability declined from a peak of 34,000 members to fewer than 1,000 Names by 2011. To replace them, more than 1,200 insurance companies and other corporations participate in the market with limited liability.

Managing Agent. These are some 50 or so individuals and organizations that form syndicates. They recruit capital providers, hire and train underwriters, and enforce compliance with sound underwriting practices and the rules of Lloyd’s.

Members Agent. These individuals represent Names and help ensure that they understand the commitment that is being made. It is mandatory that unlimited Names write through a members' agent. Many limited liability members also take advantage of their knowledge.

Syndicates. Some 80 or more syndicates offer insurance coverage with more than 1,300 underwriters who possess a wide variety of knowledge of unique and unusual risks. The syndicates are particularly active in aviation, marine, energy, and motor insurance.

Coverholders. These are organizations that write business for Lloyd’s outside the London market. Some 2,500 coverholders produced up to 30 percent of Lloyd's premium income in 2012. A syndicate can give a coverholder full or limited authority to accept a risk.

Lloyd’s Brokers. Some 190 individuals and organizations bring business to Lloyd’s. The syndicates cannot accept business without the intervention of a knowledgeable broker who seeks to understand the risk and secure appropriate coverage for it.

Lloyd’s Lines of Business

In 2011, Lloyd’s was actively providing insurance coverage around the world. Some specifics are:

Number of Countries. Policies were issued to insureds in more than 200 countries.

Licenses. Lloyd’s was specifically licensed to directly do business in 75 jurisdictions.

Gross Premiums. Lloyd’s collected more than $30 billion in premiums and paid losses at approximately the same level.

Geographic Distribution. Lloyd’s provides insurance coverage around the world.

Lines of Business. Lloyd’s is involved in diverse markets and lines of business.

Lloyd’s Geographic Coverage and Lines of Business (2011).

Geographic Areas          Percent of Premiums
U.S. and Canada           41%
United Kingdom            18%
Rest of Europe            16%
Asia                      12%
Latin America              8%
Rest of World              5%

Lines of Business         Percent of Premiums
Reinsurance               38%
Property                  21%
Casualty                  18%
Marine                     8%
Energy                     7%
Motor                      5%
Aviation                   3%

Comparing Lloyd’s with Traditional Insurers

Lloyd’s is fundamentally different from most other insurance companies. Generally, an insurer has off-the-shelf products that are designed by a chief underwriter. The company sells standard policies that can be adjusted by endorsements to fit particular needs. Corporate policies dictate what areas of risk are insurable. At Lloyd’s the situation is different. A syndicate can issue a bespoke policy, defined as coverage that is designed to achieve a specific goal. The underwriter makes the decision without a rule book and can accept risks under terms custom-made to the buyer’s specification. This makes Lloyd’s a natural market in which to find cyber risk insurance.


Appendix 6b. Bermuda Insurance Market.

Trends in Bermuda

Bermuda is an important factor in world insurance markets.

Size. The market consists of 1,600 insurance companies with assets of $200 billion. The companies underwrite $50 billion in annual premiums.

Capacity. In some years, Bermuda companies account for 20 percent of Lloyd’s capacity. After the United States, Bermuda is the world’s second largest reinsurance market.

Capabilities. For a small geographic area, Bermuda has a large concentration of insurance management, underwriting, actuarial, and accounting services.

Captives. It is often cited as the model for captive insurance company operation and regulation.

Bermuda Market Background

The insurance market in Bermuda developed around four events:

Captives (1960s). They started in Bermuda. In 2012, Bermuda had more than 800 captives and 16 percent of the world market.

Excess Liability Crisis (mid-1980s). Starting in 1985, the United States experienced a sharp rise in liability lawsuits and large judgments and insurance settlements. In response, Bermuda experienced a significant growth in reinsurance companies. New companies were formed including ACE and XL to meet new liability coverage needs.

Catastrophe Reinsurers (1993). Again after massive property losses, Bermuda attracted new capital to deal with weather and other exposures. Hurricane Andrew was the catalyst for this growth spurt.

Fresh Capital (2001). A third infusion of capital came from the inflows into Bermuda following the 9/11 terrorist attacks.

The growth of fresh capital following 9/11 had two components. It was a mixture of the following:

New Capital, Existing Insurers. The major insurance companies already established on the island raised new capital through debt and equity offerings.

New Companies. Insurers including Axis, Endurance and Montpelier joined the ranks of Bermuda companies.

Question


It may be argued that the new Bermuda companies formed after 9/11 have an advantage over companies with long-tail legacies of liability exposures. Thus, risk managers should place business in Bermuda to obtain lower insurance premiums. Do you agree?

Answer

While it is not unanimous, we might disagree with the statement. Bermuda is a well-regulated and well-financed market with strong and reliable insurance companies. Those factors are the most important reason to consider the market as a source of insurance coverage.

Bermuda Captives

To many business people, their only knowledge of Bermuda business is that it is an attractive market for the formation of a captive. Many captives are incorporated in Bermuda because of a favorable regulatory climate including:

Limited Liability. Like corporations in most parts of the world, Bermudian law offers limited liability to local captives.

No Income Tax. Unlike many jurisdictions, Bermuda does not impose an income tax on its captives.

No Restrictions on Investments. In many countries regulators impose a variety of restrictions on investments that qualify for favorable tax or other treatment. Bermuda imposes no such restrictions on invested capital.

Close ties to U.S. Market. American corporations and financial markets know Bermuda well and are confident with respect to how the laws and economic conditions can work with business. Bermuda captives work easily with underwriting and claims around the world.

Can offer Insurance Globally but not in Bermuda. This is one of the minor restrictions on captives. It is not a problem, as the owners of most captives have no operations in Bermuda.

No Restrictions on Stock Ownership. Bermuda does not regulate the buying, trading, or selling of stock. It does not require local citizens to own a minimum percentage of the stock in a domestic insurance company.


Chapter 7. Cyber Insurance Underwriting

INTRODUCTION TO UNDERWRITING

Insurance underwriting is the process of choosing who and what an insurance company decides to insure. It is based on a risk assessment that determines the coverage that will be provided and the premium that will be charged for it. Underwriting also involves choosing what the insurance company will not insure and what coverage will not be offered.

The process of underwriting cyber risks is uncharted territory for insurance companies. Underwriters ask the standard questions, but no one is really sure whether they are getting the right answers. It is not even clear that underwriters are asking the following questions:

Do we understand the exposure? What are we dealing with in each situation or coverage?

Can we quantify the exposure? Do any of our historical models apply? Are consultants, actuaries, or other parties developing tools to evaluate frequency and severity?

Can the insured reduce exposure? What controls are in place for network security, authorization of access to data, and isolating or shutting down compromised systems?

Can the potential insured incorporate more sophisticated risk management techniques? What are the best practices for security? What new risks are appearing in the technology environment?

Framework of Underwriting

An insurance company cannot accept all risks, and most insurance companies exclude coverage where data is not available on losses or where frequency and severity forecasts do not match the level of risk acceptable to the insurer. To write coverage on individuals or organizations, the company must achieve the following:

Affordable Premiums. What is the premium needed to cover losses, claims processing, other administrative expenses, and provide a profit to shareholders? In some cases, the premium will be appropriately matched to the risk but potential policyholders will be unable to afford the cost of the insurance. In this situation, insurance will not be available.

Predictable Likelihood. The insurer estimates the probability and magnitude of losses and claims under a policy. If costs are too severe, the business will not be written. If losses and claims are too frequent, a negative decision will be made. In the absence of a good estimate of the probability, the insurer may simply decide a loss is not likely to occur. This would be the situation for a new disease that has no statistical history and does not seem to affect the population targeted for insurance coverage. If the amount of the coverage is relatively small compared to the size of the insurance company, a policy will be issued.

Insurer Strength. The insurer must have adequate financial resources to cover all claims, expenses, and earn a return on its capital. Essentially, this means limiting the amount of the total cost of a single risk event. To achieve this goal, an insurer will often create a portfolio of insurance coverages and spread the risk among various geographic regions. In addition, the insurer can obtain reinsurance to cover an unexpected catastrophic event or series of losses.

Goals in Underwriting

Within the underwriting framework, insurers pursue specific goals. These include:

Simplicity. The underwriter designs an insurance product so it is easy to understand coverage and rates and explain them to organizations, funding sources, and covered persons.

Consistency. It is important to create rates and premiums that are relatively stable over a period of time. Wide fluctuations when organizations or individuals are renewing policies cause a variety of problems.

Flexibility. Even as the underwriter pursues consistency, an insurance product must be adjustable if conditions change.

Loss Control. The underwriter will consider whether the new product can have a component that encourages mitigation of losses. The design of a health care product may consider whether an organization has on-site facilities to offer preventive treatment or to encourage exercise or healthy eating.

Profitability. A final step in underwriting is to assess the product and the likelihood of its success. The underwriter seeks products aligned with the expertise of the insurance company, needed by insurance purchasers, and priced to earn an adequate return.

Question

Consistency and flexibility sound good when underwriting cyber insurance but, in fact, they are exactly the opposite. An insurer can achieve one or the other. Do you agree?

Answer

Disagree. A consistent pricing pattern over time is important to buyers, who will not understand wide swings in premiums. At the same time, a major change in economic conditions or loss exposures must be reflected in the underwriting process. In most lines, the insurer can minimize unnecessary adjustments that reflect short-term conditions.

Insurable Interest

This is a relationship where a person would be affected by a loss. Insurance may not be purchased without an insurable interest. Examples are:

Ownership. An individual or organization that owns an asset and must pay to replace it after damage or destruction.

Leasehold. A business that is leasing a building can be harmed if the rented assets are damaged.

Financial. When an organization takes out a loan or invests money, liquid cash is swapped for a longer-term obligation. Damage to illiquid assets or requirements to pay financial obligations can become an insurable loss when an asset is damaged.

Family or Oneself. We can insure family members or ourselves as common law and statutes recognize an insurable interest based on love and affection. We cannot insure our friends and associates to compensate for the emotional loss if they die.

Business. The financial consequences from a loss of partners, suppliers, or customers create an insurable interest through business ties.

Question

A company keeps its data on the Cloud managed by a computer services firm. It seeks insurance to reimburse damage to the computer system and hacking of its data. Does it have an insurable interest that would allow an insurer to write a cyber policy?

Answer

No on the damage to the system. It has no insurable interest. Yes on loss of data. It owns the data even though another party holds it. It has a financial interest in protecting the data even though the computer services firm has responsibility to protect it. It has negative business consequences if a data breach occurs.

Question

A marketing, financial, and technical executive formed a company to develop a computer system for a hospital. In three years, the group plans to sell the finished system to IBM for $6 million. All three people are needed to build it correctly. The individuals want to purchase life insurance on each other to protect their financial interest. What is the insurable interest of each person with respect to each other person?

Answer

Each person has a $2 million insurable interest in each other person. The loss of any individual causes a future loss of one third of $6 million for each insured. Without such insurance, the parties would have to deal with a variety of factors that endanger their financial position. Insurance eliminates dealing with issues such as:

Can a lost partner be replaced?
Can the person be paid cash rather than a partner share?
How long will it take to find a new person?
What is the impact of a delay?

Adverse Selection

This refers to the tendency of persons with high chances of loss to seek insurance at average rates. A company that operates with exposed computer equipment, networks, or data must pay more for coverage than other firms that have strong hardware and software security. Insurance companies seek to identify cyber coverage requests where insurance is not possible or where higher premiums must be paid to avoid adverse selection.

Question

A manufacturer of fishing and sailing vessels has a marketing team that travels to boat shows in 23 cities every year. On each site it establishes a secure computer connection to the home office network. It processes orders and transmits sensitive data using the local wireless Internet connection in each city. All connections are secured by passwords available only to vendors at the show. The company seeks cyber liability coverage. Will an insurance company provide it?

Answer

Maybe not, even with a high premium. This is a situation of adverse selection because of the wireless transmission of data. The situation is even more risky because multiple unrelated parties have access to the password for the system.

Steps in Underwriting

The process to evaluate the viability of an insurance product includes a number of specific steps:

Evaluate the Request for Coverage. The underwriter will examine factors that affect severity and frequency. Examples include the nature of the business, the location of employees, legal and regulatory requirements, and historical losses. Personal characteristics of the applicant will shape the underwriter’s view of the exposure and needs for coverage.

Compare the Coverage Request with Guidelines. The company may prohibit some exposures, restrict others, or limit coverages. Other corporate, government, or social considerations may restrict coverage or cause the insurer to deny the application.

Recommend or Deny Coverage. After assessing the situation, the underwriter will accept or reject the application. If accepted, specific conditions may be added or certain coverages may be denied.

INSURANCE RATEMAKING

The task of establishing the rate for each policy is based upon a number of factors including:

Historical Data. What is the history with respect to prior losses and costs? Is the organization seeking new coverages or new conditions?

Frequency. What is the likelihood of receiving claims for partial or total losses?

Severity. What is the likely size of major claims? Workers in unhealthy industries or companies selling products and services where malfunctions or mistakes are costly will face difficulty when trying to purchase coverage at affordable premium levels.

Approaches to Ratemaking

We can identify five basic approaches to calculating the rates for property or liability insurance:

Class Rating. A single rate for all policies, assets, or persons. In the absence of other factors, an organization with 16,000 computers may be seeking cyber coverage that will cost the insurer $75 per computer per year. Adding a percentage for administrative costs and profits, the class rate may become $90 per covered unit.

Schedule Rating. Adjustments made to a class rating because of specific perils or conditions. An example is a situation where a company seeks additional coverage for computers that are moved back and forth between the office and the home.

Experience Rating. A system where the class rate is adjusted by the prior history of the insured. An example is an adjustment when a factory’s extensive training requirements and safety procedures produce less computer downtime that can result in losses to customers.

Judgment Rating. In this situation, the underwriter may not know the long-term effect of an unusual requested coverage. If it appears that the frequency and severity of cyber loss are not likely to be major issues, the insurer may include cyber coverage as an endorsement to an existing insurance policy.

Retrospective Rating. In this case, the rate is partly based on actual losses. At the end of a period of coverage, the insurer will assess claims. If the results are better than forecasted, the insurer will return a portion of premiums paid. With higher claims than estimated, the organization will pay an additional premium.

Merit Rating

Merit rating refers to situations where the rate reflects an individual loss experience. It applies to the various approaches to ratemaking as follows:

Class. This effort does not involve merit rating. Calculations treat all individuals and units as being the same in terms of exposure.

Schedule. This uses an indirect and partial approach to merit rating. An organization can be charged lower premiums if it employs safe practices or has facilities in low-risk locations or designed with low-risk conditions.

Experience. This approach is solidly based on merit rating. Individuals and organizations with lower frequency or severity of losses are rewarded with lower premiums and expanded coverage.

Judgment. This form of underwriting is also largely based on merit rating. The factors to determine rates are past experience and qualitative factors considered to be important by the underwriter.

Retrospective. This is solidly merit rating. After the period of coverage, the insurer calculates the cost of losses and claims. If the insured did better than expected, the insurer refunds a portion of the premiums. Excessive losses require the insured to pay an additional premium.

Class Rating

Some issues in class rating are:

Base Rate. A single rate for coverage of cyber loss with similar exposures reflecting losses for the entire pool of insureds.

Average Experience. The rate reflects the average losses and claims for the class.

Changes in Exposure Factors. The rate is often based on a belief that the future will resemble the past. With changes in technology or other areas, the base rate is usually adjusted on a regular basis. Sudden changes in conditions will create major changes in base rates.

Advantage. Class rating is a good starting point for pricing insurance coverage. It is also a simple way to underwrite. A junior underwriter can work from a checklist and approve coverages along with premium payments that match actuarial expectations.

Key Terms in Class Rating

Key terms in class rating include:

Class Experience. An estimate of total likely coverage claims in a period. This is also called class losses.

Covered Units. The number of covered assets, accounts, locations, or other components of coverage.

Pure Premium. The premium per covered unit at a breakeven point with likely claims for reimbursement of losses.

Expense and Profit Ratio. A percentage charge added to the pure premium to get a rate.

Example of Calculating a Class Rate

Data
Total cost of losses: $48,000,000
Number of servers: 8,000
Expense and profit ratio: 40%

Calculation
Total cost of losses: $48,000,000
Divided by units: 8,000
Equals pure premium: $6,000
Add expense and profit ratio (40%): $2,400
Class rate: $8,400

Schedule Rating

Some of the characteristics of schedule rating are:

Base Rate. It starts with a class rate. The underwriter assesses other factors to determine whether the class rate is high or low for the pool of covered individuals or assets.

Adjustment. The class rate is adjusted upward or downward based on the factors in the organization or individual pool compared to the general population.

Advantage. Schedule rating allows pricing to reflect conditions unique to each insured or group of insureds even though the insured fits into a class.

Experience Rating

Some characteristics of experience rating are:

Base Rate. As with schedule rating, experience rating starts with a class rate.

Historical. The underwriter reflects upon the claims experience of the organization or other pools of insureds that have similar characteristics to the assets or network to be covered.

Period. The underwriter has to decide the time period to check for prior costs. Losses over the past three years might be a good solution.

Adjustment. As with schedule rating, the base rate is adjusted upward or downward reflecting the prior experience.

Advantage. Experience rating does two things. It encourages organizations to work with operating units, suppliers, distributors, risk managers, auditors, and others to hold down insurable cyber losses and costs. It also allows pricing to recognize the past losses of the insured and either give credit for holding down costs of losses or produce additional payments when costs exceed expectations.

Judgment Rating

Sometimes an insurer does not have data on the individuals or entities in an insurance pool, or a new coverage is requested that previously did not exist. This is a major issue with cyber liability insurance but also affects hacking and other damage to hardware and networks. In such a situation it is difficult to actuarially determine a class rate and the underwriter lacks any experience with prior costs. The underwriter can make a judgment based on factors that seem to fit in a schedule-rating program. In reality, the underwriter is mostly using judgment rating. It is often the only way to assess and cover cyber exposures.

Question

Peabody Coal Company is the largest private-sector coal company in the world. Insurers are designing a liability plan for its cyber exposures. One insurer proposed an experience plan based on statistics while another offered only a judgment plan based on forecasts of hacking by Homeland Security and others. What would you recommend?

Answer

You may need both for coal mining operations. The company will have data on past problems and regulatory fines, legal costs, and court judgments following computer system attacks. The company can also evaluate changes in the legal, technology, and regulatory environments. Whatever the final assessment, the risk manager should be certain to point out to the insurer any management efforts to avoid problems with cyber loss and liability.

Retrospective Rating

Seeking to reward insureds for controlling computer hacking and mistakes, a retrospective rating system might be suitable. Characteristics are:

Provisional Rate. A rate would be set initially based upon class, schedule, or experience rating using actuarial data.

Final Rate. After the policy period is completed and all costs are known, a final rate is calculated.

Basis for the Rate. The final rate rewards the insured for holding down computer security breaches and charges additional premiums for higher than expected costs.

Minimum and Maximum Rate. The final rate does not indemnify either party. That is, it does not give the party 100 percent of any savings or require additional premiums for 100 percent of higher costs. The insurer and organization would agree to a floor and ceiling on the rate.
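As an added illustration (not from the book), the class rate calculation shown earlier, a schedule adjustment, and the retrospective settlement with a floor and ceiling, worked through in Python. The schedule credit and debit percentages, and the expression of the floor and ceiling as multiples of the provisional premium, are assumptions made for the example.

```python
"""Class, schedule and retrospective rating worked through in Python.

Added example, not from the book. Assumptions not stated on the page:
schedule credits and debits are fractions of the class rate applied
additively, and the retrospective floor and ceiling are expressed as
multiples of the provisional premium. Dollar results are rounded to cents.
"""
from dataclasses import dataclass
from typing import Mapping


def pure_premium(total_losses: float, covered_units: int) -> float:
    """Breakeven premium per covered unit: expected class losses / units."""
    if covered_units <= 0:
        raise ValueError("covered units must be positive")
    return round(total_losses / covered_units, 2)


def class_rate(total_losses: float, covered_units: int,
               expense_profit_ratio: float) -> float:
    """Pure premium loaded with the expense and profit ratio (e.g. 0.40)."""
    pp = pure_premium(total_losses, covered_units)
    return round(pp * (1.0 + expense_profit_ratio), 2)


def schedule_rate(base_rate: float, adjustments: Mapping[str, float]) -> float:
    """Adjust a class rate for conditions specific to the insured.

    Negative values are credits (e.g. encryption at rest), positive values
    are debits (e.g. equipment carried between office and home). Assumption:
    the fractions are summed and applied to the base rate.
    """
    return round(base_rate * (1.0 + sum(adjustments.values())), 2)


@dataclass
class RetroPlan:
    """A retrospective plan with a provisional premium and agreed bounds."""
    provisional_premium: float
    expected_losses: float
    min_factor: float  # floor as a multiple of the provisional premium
    max_factor: float  # ceiling as a multiple of the provisional premium

    def final_premium(self, actual_losses: float) -> float:
        """Settle the period once actual losses are known.

        Better-than-expected losses earn a refund and worse-than-expected
        losses cost an additional premium, but neither moves the premium
        outside the agreed floor and ceiling, so neither party receives
        100 percent of the savings or bears 100 percent of the overrun.
        """
        adjusted = self.provisional_premium + (actual_losses - self.expected_losses)
        floor = self.provisional_premium * self.min_factor
        ceiling = self.provisional_premium * self.max_factor
        return round(min(max(adjusted, floor), ceiling), 2)

    def settlement(self, actual_losses: float) -> float:
        """Positive: additional premium owed by the insured. Negative: refund."""
        return round(self.final_premium(actual_losses) - self.provisional_premium, 2)


if __name__ == "__main__":
    # The book's class rate example: $48,000,000 of losses over 8,000 servers.
    print("pure premium", pure_premium(48_000_000, 8_000))  # 6000.0
    rate = class_rate(48_000_000, 8_000, 0.40)
    print("class rate", rate)  # 8400.0
    # Constructed schedule adjustments for one insured.
    print("schedule rate", schedule_rate(rate, {"portable equipment": 0.10,
                                                 "encryption at rest": -0.05}))
    # Constructed retrospective plan with a 25 percent floor and ceiling.
    plan = RetroPlan(provisional_premium=100_000, expected_losses=70_000,
                     min_factor=0.75, max_factor=1.25)
    for actual in (40_000, 80_000, 120_000):
        print("losses", actual, "settlement", plan.settlement(actual))
```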

UNDERWRITING CYBER INSURANCE

While property and liability insurers have thousands of underwriters, the role of the chief underwriter for a line of business is critical to an insurance company's success and solvency. This individual plays a key management role across all lines of business for the company. The role can be particularly important as insurers assess the emerging world of cyber risk insurance.

Financial Issues in Underwriting

The senior underwriter recognizes the importance of designing products with the right financial characteristics. Essentially this means three things:

Adequate Cash Flows. The insurance product must cover losses incurred, adjusting expenses, operating expenses, and provide a return on capital. This is a cash flow, not accounting, calculation.

Adequate Equity. The product line must have sufficient contributed capital and surplus to support the level of underwriting. This is an accounting calculation.

Adequate Profits. The product must generate an appropriate after-tax reported income. This is an accounting, not cash flow, calculation.

Desirable Product Lines

Insurers pursue markets where they can earn an adequate return for the risk accepted. Senior underwriters understand the desirable features of an insurance plan. They are:

Sound Underwriting Practices. The insurer is confident that the premiums and other income will provide adequate funds to pay claims on a timely and consistent basis.

Sound Investments. After collecting premiums but before paying claims, the insurer can invest the funds on hand in a balanced relationship of risk and return.

Cost Control. The operations and claims departments have processes in place to control marketing, administrative, and other costs.

Internal Auditing. The insurer monitors payments and conducts routine and surprise audits of policies issued and claims made by the organizations that purchase coverage.

Underwriting Risks

Insurance underwriting is the accepting of risk in order to obtain a return appropriate to the risk level in each product line. The underwriter considers risk from a variety of viewpoints:

Underwriting Risk. The act of issuing an insurance policy is preceded by careful estimates of costs and potential claims.

Investment Risks. Working with actuaries and the asset management department, the chief underwriter understands expected earnings on the investment of premiums and how such earnings affect cash flow, profit, and capital.

Changing Circumstances. The underwriter assesses and periodically reviews assumptions about economic levels, climate change, droughts, pollution, and other factors that affect property or liability in different regions and among varied organization categories.

Changing Legal Conditions. Federal and state legislation, state insurance departments, court decisions, and other legal developments can dramatically affect insurance markets. Underwriters must have current knowledge of regulatory and legal changes that affect the rules of providing coverage and the level of payments made to reimburse losses and legal expenses.

Financial Risks

In their assessment of the risk from new or existing products, underwriters address financial risk in each product line from two viewpoints:

Liquidity. This viewpoint seeks to ensure that the insurer always holds highly safe and liquid assets to cover claims and to meet its other obligations for issuing and servicing policies and for paying or otherwise resolving claims.

Profitability. This viewpoint encourages the insurance company to monitor its ability to achieve adequate returns for accepting risks.

Underwriting Considerations

Insurance companies carefully examine every high-limit application for cyber insurance, comparing the organization against checklists developed individually by each carrier. Questions include:

What is the organization's philosophy with respect to enterprise risk management?
Comment. This may be the most important question of them all.

What is the composition, volume, and sensitivity of the data stored on the organizational system or under the control of the organization on the Cloud?
Comment. Some organizations have data that would be devastating to release. Others have very little.

How often and how seriously are security tests and audits conducted, and who performs them?
Comment. The insurer wants to be sure that the system is monitored constantly and vigorously by highly skilled experts on viruses and hacking.

What is the level of technology, specifically with respect to updated network security and firewalls?
Comment. Insurers recognize that yesterday's technology is today's successful cyber attack.

Where is the data stored?
Comment. Insurers know in-house data is often more exposed than data outsourced to firms that spend hundreds of millions of dollars annually on network and system security.

What are the organization's data encryption practices?
Comment. Unencrypted data is much easier to use for criminal purposes after hacking.

Most Important Factors Affecting Underwriting of Cyber Loss

Cyber insurance underwriters identified the most important factors affecting premiums and coverage for cyber risks. They ranked them as follows:

Factor Affecting Underwriting: Level of Importance
Nature of records or data stored: Very high
Enterprise risk management philosophy: High
Updated network and firewall security: Medium-high
Frequency of tests and audits: Medium-high
Compliance with PCI* data security standards: Medium
Whether its services are in-house or outsourced: Medium
Volume of records or data stored: Medium
Level of encryption: Medium

*PCI means payment card industry.

Cyber Loss Underwriters

Insurance companies divide underwriters into categories reflecting the vast range of knowledge necessary to underwrite property and liability coverages. Cyber risk, as a relatively new business line, is often matched with underwriters by category. A survey of carriers revealed the business line unit that writes cyber coverage. The results:

Property Insurance. Cyber insurance coverages were fairly widespread in three quarters of the companies.

Professional Liability. Coverage was available from about one quarter.

Specialty Lines. About a quarter also offered coverage in this unit.

More than One Line. Less than 20 percent offered multiple coverages from different units.

Stand-alone Cyber Insurance Department. Less than 10 percent had such a unit.

Sources of Cyber Risk Information

Risk managers and insurance companies gain knowledge of new developments in cyber risk management from a variety of sources. A survey of the importance of different sources of information revealed:

Source of Information: Importance of Information
Trade media: Most important
National news: Very important
Local news: Somewhat important
Cybersecurity firms: Important
Cybersecurity blogs: Important
Other: Not important

U.S. UNDERWRITERS

It is estimated that more than 100,000 individuals work as underwriters in the United States. Two-thirds of underwriters work for insurance companies, mostly in the process of approving policies for lines of business or issuing policies to businesses or organizations. The balance of professional underwriters provides services to carriers and policyholders. They work independently or in agencies or departments owned and operated by banks, mortgage companies, and real estate firms.

Cyber Underwriter Role

The task of issuing cyber risk policies is fairly complex and ranks as one of the more sophisticated underwriting judgments in the insurance field. By consensus of many observers, the role of cyber risk underwriter has four components:

Sales Executive. The perspective of a skilled underwriter can improve the process of identifying customers who have Internet or other exposures and help them understand why they need specific cyber coverage. The underwriter can collaborate with agents, brokers, and risk managers to offer generic and customized policies.

Innovator. It is not enough to identify the customized coverage. The underwriter also must design policies and endorsements that meet changing and emerging needs and exposures.

Decision Scientist. Much of the information on the total cost of cyber attack or data loss can be accessed, manipulated, and understood from massive data bases using statistically-based algorithms. The underwriter must be comfortable with the data and processes provided by decision-science tools.

Customer Advocate. The underwriter role is not limited to the sale of a policy but extends to the activation of the right coverage. The process demands an understanding of the nature of the specific cyber risk for each customer and the tailoring of coverage to that situation.

Senior Underwriter Background

A senior underwriter may have a variety of backgrounds. Based on estimates from industry observation, it appears that the prior significant experience of senior underwriters might break out as follows:

Work Area: Percent
Insurance carrier: 60%
Insurance broker: 10%
Other insurance service: 10%
Consultant: 10%
Finance: 10%

Question

What is the area of prior work experience for an individual hired as a senior underwriter in the field of cyber insurance?

Answer

Industry executives believe senior underwriters come from a variety of backgrounds but are largely drawn from insurance, finance, and actuarial science areas. An understanding of information technology and prior experience assessing risks in that area are a major plus for cyber insurance underwriters.

Senior Underwriter Mobility

Senior underwriters have some mobility as they advance in their careers. Once again based on observation, we see the following picture:

Years at Current Firm: Percent
Up to 5 years: 15%
5 to 10 years: 30%
11 to 20 years: 20%
Over 20 years: 35%

Question

What is the significance of the estimates on the years at the current firm for a cyber insurance underwriter?

Answer

Underwriting is a long-term commitment and career field. Senior underwriters, particularly those with a variety of experience, are likely to have contacts in different departments to help them understand cyber risks.

Senior Underwriter Education

Senior underwriters have certain education credentials. One estimate is that the education of senior underwriters might look something like the following:

Credential: Percent
Undergraduate degree: 100%
Graduate degree: 70%
Professional designation: 90%
Continuing education seminars in past 3 years: 80%

Question

What is the significance of the estimates on the educational credentials of senior underwriters for a cyber insurance underwriter?

Answer

The estimates seem to justify these conclusions:

Educational Credentials. Successful underwriters have them. It is understandable that the complex world of assessing risks and creating insurance policies that transfer them require advanced knowledge of practices and theories.

Continuing Education. They try to keep up with new developments. In a changing world, underwriters must be cognizant of current trends and best practices. This is particularly critical in cyber risk areas with rapidly changing technology.

Graduate Degrees. Many have them. Credentials are an indication of the desire to understand risk at an advanced level.

Advanced Underwriting Skills

As an individual advances in an underwriting career, the process of continuing education combined with experience should create a skilled senior underwriter. Some of the more advanced skills:

Financial Qualifications. A full understanding of cash flow management, profit planning, and the investment of capital in a risk and return framework. It is essential to know how to calculate the financial impacts of retaining or transferring risks.

Technical Skills. An understanding of the role of probability and statistics to improve underwriting recommendations and decisions. This could reach the level of an actuarial certification.

Broad Business Skills. An understanding of management, marketing, and business operations. Obtaining an MBA, specialized MS degree, or law degree commonly enhances an underwriter’s broad business knowledge.

Underwriter Compensation

Underwriting is a career field that holds promise for advancement and relatively good salaries and benefits. A visit to www.payscale.com gives information on pay rates for underwriters.

Question

What do large insurance companies seek when they hire entry-level underwriters in the area of cyber risk insurance?

Answer

They do not hire entry-level underwriters. The area is too complex for inexperienced underwriting. For selecting experienced underwriters, they seek college graduates with a strong work ethic and a degree in business, finance, information systems, or actuarial science. The degree would usually be supplemented by an MBA.

STRUCTURE OF A CYBER INSURANCE POLICY

We have already seen that cyber insurance contracts are governed by general contract law and, further, that they are unique under separate insurance law.

Key Policy Terms

The field of insurance, like most professional disciplines, has its own language. Key terms include:

Insured Party. The individual or organization that the insurance company will indemnify, provide benefits, or render services after a loss covered by the policy. More than one individual can be an insured party.

Premium. The money paid by the insured and collected by the insurance company in order to obtain coverage against a loss.

Policy Limit. The maximum amount an insured may collect or for which an insured is protected, under the terms of an insurance policy.

Deductible. A specified amount of money that the insured must pay after a loss before an insurance company will pay on a claim. Assume a policy with a $5 million policy limit has a $3 million loss and a $500,000 deductible. The insured retains the first $500,000 of the loss and the insurer will pay the balance of $2.5 million.

Percentage Participation Clause. This is a variation of the deductible. It is a requirement for the insured to pay a specified percentage of any loss. As an example, a contract may provide that the insured will pay 25 percent of a covered loss up to a limit of $50,000.

Exclusion. This is any loss or cause of loss that is not covered under an insurance policy. As an example, a policy covering bodily injury to customers may exclude losses when customers are injured in areas with dangerous machines. This exclusion encourages the company to deny admission to areas where serious harm is possible.
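As an added illustration (not from the book), the deductible and percentage participation examples above, together with the policy limit, applied to a covered loss in Python. The example assumes the clauses apply in the order deductible, participation, limit, and that the $50,000 in the participation example caps the insured's share rather than the loss.

```python
"""Allocating a covered loss between insured and insurer under a deductible,
a percentage participation clause and a policy limit.

Added example, not from the book. Assumptions: the clauses apply in the
order deductible, participation, limit; and the $50,000 in the book's
participation example caps the insured's participation, not the loss.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Policy:
    limit: float                               # maximum the insurer pays
    deductible: float = 0.0                    # first dollars retained by insured
    participation_pct: float = 0.0             # insured's share above the deductible
    participation_cap: Optional[float] = None  # ceiling on that share, if any

    def split_loss(self, loss: float) -> Tuple[float, float]:
        """Return (insured_retains, insurer_pays) for a covered loss."""
        if loss < 0:
            raise ValueError("loss cannot be negative")
        # 1. Deductible: losses up to it are entirely the insured's.
        retained = min(loss, self.deductible)
        remaining = loss - retained
        # 2. Percentage participation above the deductible, optionally capped.
        share = remaining * self.participation_pct
        if self.participation_cap is not None:
            share = min(share, self.participation_cap)
        retained += share
        remaining -= share
        # 3. Policy limit: anything above it falls back on the insured.
        insurer_pays = min(remaining, self.limit)
        retained += remaining - insurer_pays
        return retained, insurer_pays


if __name__ == "__main__":
    # The book's deductible example: $5M limit, $500,000 deductible, $3M loss.
    print(Policy(limit=5_000_000, deductible=500_000).split_loss(3_000_000))
    # The book's participation example: insured pays 25 percent up to $50,000.
    coinsured = Policy(limit=1_000_000, participation_pct=0.25,
                       participation_cap=50_000)
    print(coinsured.split_loss(100_000))   # share is 25,000
    print(coinsured.split_loss(400_000))   # share capped at 50,000
    # Constructed case: a loss above the limit leaves the excess with the insured.
    print(Policy(limit=1_000_000, deductible=100_000).split_loss(2_000_000))
```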

Role of Deductibles

Deductibles and percentage participation clauses are included in insurance policies to achieve several goals, including:

Reduced Premiums. An insurance policy that contains a deductible provision will cost less than a similar policy with no retention by the insured. The larger the deductible, the greater will be the savings on the cost of the policy.

Reduced Administrative Costs. Small dollar losses involve processing costs similar to those of larger losses. As a result, the proportion of dollars available to pay claims is higher if smaller claims are excluded. As the deductible omits all losses below a certain dollar level, it also eliminates the processing.

Reduced Moral Hazard. The deductible tends to reduce the temptation to intentionally cause a loss and benefit from it. Suppose, for example, an individual has an insured car worth $6,000 that needs a major repair. The owner may consider setting it on fire to replace it with insurance money. With a $1,000 deductible, the insured would not get the full replacement cost of a loss. This could cause the individual to reconsider his options.

Reduced Behavioral Hazard. People may be more careless when losses are fully insured. If the insured must pay for part of the damage to an asset, the financial loss may encourage additional safety practices.

Contract Parties

Insurance contracts are a sub-set of contract law but specific provisions apply to them. An insurance contract is a legal device that permits the transfer of risk from one party to another through the use of a formal agreement. Three parties to the process are:

Insured. The party that has coverage for personal, property, liability, or other unexpected loss under the terms of the policy.

Insurer. The insurance company that provides coverage for the exposures specified in the policy.

Premium Payer. This party pays for the promise of compensation by the insurance company for future benefits if a loss occurs. Most commonly, this is the individual or organization that is insured. In many cases, the payer will be a government agency, employer, parent or other relative, or other party that agrees to provide insurance coverage.

Named Insured

Property insurance is an agreement between an insurer and one or more insureds that must be named in the policy. Two choices are:

First-named Insured. The party responsible for managing a property policy on behalf of the insured organization. This individual agrees to the terms of the policy and sends and receives correspondence to and from the insurer.

Other Insureds. Partners, associated companies, and other entities with an ownership or leasehold interest in the property. They are reimbursed if the property suffers a loss but are not active managers of the insurance arrangement.

Question

A group of investors purchased a hotel and owned it in a stand-alone corporation. Each investor owned stock in the company. One investor, the first-named insured, cancelled the policy without notifying the other insureds. A fire damaged the hotel. A minority owner demanded reimbursement for his share of the damage directly from the insurer. Does the insurer have to honor the request?

Answer

No. The insurer only has to deal with the first-named insured for:

Negotiation of the policy terms and changes in coverage.

Payment of premiums.

Cancellation of the policy.

Standard Structure

We gain a better understanding of insurance policies when we recognize that many of them follow a standard structure. A common structure consists of seven distinct parts:

Declarations. A declaration is defined as any statement that provides information about the person or asset covered by an insurance contract.

Definitions. This section defines key terms used in the policy.

Insuring Agreement. This is a summary of the major requirements that the policy imposes upon the insurance company.

Exclusions. This section itemizes any losses or causes of loss not covered by the insurance policy.

Conditions. In this section the policy identifies any provisions that change the scope of coverage.

Miscellaneous. Most policies contain other paragraphs or clauses that affect covered risks, required or expected behaviors of the insurance company or insured, or administrative issues.

Endorsements. These are written clauses that expand, reduce, or otherwise modify the coverage. In some policies, this section is identified as riders.

Declarations

Typical information found in the declarations section includes:

Identity of the Insurer. The name, address, and other information specifying the party that provides coverage and will receive and process claims for losses.

Identity of the Coverage. The name of the asset or system covered by the policy.

Named Insureds. The identity of parties covered by the policy.

Time Period. The specified period of coverage of the policy.

Amount of the Premium. The amount of money per specific time period that must be paid for insurance coverage.

Limit of Coverage. The policy limit.

Deductible. The money the insured must pay for a loss as a reduction of the amount the insurance company pays on a claim.

Definitions

Most insurance policies contain a separate section defining key terms used in the policy. This can include:

Additional Insureds. In addition to the primary insured named in the declarations section, other parties may be named as insureds.

Property or System Identifiers. A policy may contain additional identifying terms to clarify the insurance coverage.


Parts of Speech. The definitions section clarifies verbs or other parts of speech. A policy may define an “occurrence” as all damage from a single source or all damage within a 72-hour period.

Restrictions on Broad Terms. The policy may provide definitions of terms that otherwise are not clear.

Insuring Agreement

This is a summary of the major obligations imposed on the insurance company under the terms of a policy. Common components are:

Payment for Losses. An insurer agrees to pay for losses arising from covered causes. The source of the loss can take either of two formats:

    All Risk. With this approach, all losses are covered except for those that are specifically excluded.

    Named Perils. With this approach, a policy covers only those losses that are specifically listed.

Coverage Restrictions. The insuring agreement may contain a variety of limitations on the payments in the event of loss.

Services Provided. A policy may require an insurer to take actions in addition to paying for losses.

Exclusions

This section limits the scope of an insurance policy. Two major categories of exclusions are:

Excluded Losses. Insurers will carefully delineate the losses covered by an insurance policy.

Excluded Perils. Insurance companies routinely exclude perils for two reasons. First, they may be impossible to cover. Second, a peril may be more appropriately covered in a separate insurance policy. These exclusions are consistent with the nature of insurance. The first category excludes losses that would be catastrophic for insurers. The second category excludes perils that do not apply equally to all potential insureds under a policy.

Conditions

A condition is a provision of a policy that changes the scope of coverage. Typical conditions include:

Insurable Interest. This is a relationship where a person would be affected by a loss.

Duties After a Loss. These are requirements to protect hardware or a network from further loss after an incident.


Loss Settlement. These are conditions for settling a disagreement and resolving disputes after a covered loss.

Cooperation with the Insurance Company. The policy will require the insured to cooperate with the insurer to settle the claim.

Miscellaneous Provisions

Most insurance contracts contain other clauses, paragraphs, or sections that affect the scope and conditions of coverage. Examples are:

Relationship Between Insurer and Insured. This spells out how the insurer and insured will deal with each other under special circumstances.

Cancellation of Policy. Both parties to an insurance policy have the option to cancel it.

Transfer of Interest. This clause discusses any options to transfer rights under a policy. A clause can forbid this or spell out a method to do it.

Local Requirements. This covers any statutory conditions that must be included in an insurance policy.

Endorsements

An endorsement or rider is a written provision that modifies coverage in a policy. Some common endorsements are:

Expand Coverage. This endorsement can cover perils that are not included in the basic coverage.

Delete Coverage. Endorsements can be used to reduce or eliminate coverage.

Add Provisions. An endorsement can be used to add a clause of any kind that is not included in the basic policy form.

Modify Provisions. Similarly, an endorsement can take precedence over the basic terms of a contract. Riders can be devised to meet special circumstances that affect individual insureds. Insurers can agree to accept them for additional premium payments.

Question

In which section of an insurance agreement will this statement be found?

We will pay those sums that the insured becomes legally obligated to pay as damage to the computer network covered by this policy.

Answer

Insuring agreement.

Question

In which section of an insurance agreement will this statement be found?

Endorsements attached to this policy:


#4122 Nuclear and Radiation Exclusion.

#2650 Additional Reporting Requirements.

Answer

It could be found in either declarations or conditions.

Question

In which section of an insurance agreement will this statement be found?

“Computer Network Under Construction” means any computer network not connected to the main system and not operational for a period of 72 hours or 100 successful transmissions.

Answer

It will probably be in definitions, although sometimes terms are defined elsewhere.

Question

In which section of an insurance agreement will this statement be found?

We do not insure for loss caused directly or indirectly by an unauthorized user provided a temporary password. Such loss is excluded regardless of any other cause or event contributing concurrently or in any sequence to the loss.

Answer

It will probably appear in exclusions, although sometimes exclusions are identified elsewhere.

Question

An insurance policy states that the insured will pay the first $5,000 of any covered loss. What is this provision called? In which section of an insurance agreement will this statement be found?

Answer

It is a deductible. It is likely to be found in declarations under coverage amount or other information.

Question

An insurance policy states that the insured will pay 25 percent of any covered loss up to the limit of the policy. What is this provision called? In which section of an insurance agreement will this statement be found?

Answer

It is a percentage participation clause. It is likely to be found in declarations under coverage amount or other information.

Question

A computer hacker accessed the computer system of Designer Shoe Warehouse (DSW) and downloaded credit card and checking account information from 1.4 million DSW customers. Following the data breach, DSW incurred losses, legal fees, and expenses of $5 million. DSW sought coverage for the losses under a commercial crime policy. The company argued that coverage existed under a policy endorsement providing coverage for "loss from the theft of any Insured property by Computer Fraud." The insurer denied the claim. DSW filed suit in Ohio federal court seeking coverage for the damages. Is it likely to win the lawsuit?

Answer

DSW did win. The U.S. Court of Appeals ruled that losses resulting from the theft of customers' banking information from a retailer's computer system are covered under a commercial crime policy.

Exclusions

Cyber insurance policies vary widely when they are available at all. Many of the provisions are built upon general liability and other liability policies. Provisions from those policies are transferred and inserted as broad exclusions.

Question

A hospital collects and stores information from patients and doctors. It has a cyber risk liability policy that covers damages and defense costs for a security breach. The policy excludes coverage for a breach of contract. A security breach occurs that creates lawsuits from patients and doctors. Does the policy cover losses?

Answer

It may not cover lawsuits filed by doctors as it excludes coverage for a breach of contract. This would be the case if the doctors have confidentiality agreements included in their employment or services contracts. In that case, losses would be a contractual failure to maintain confidentiality of records.

Consent Provisions

Cyber policies frequently are issued in conditions where time is of the essence. A damaged data or communications system often needs to be repaired or restored to avoid large negative consequences and related indirect losses. A point of contention may occur during the processing of claims as insurers weigh the cost of emergency actions versus less-costly slower resumption of services. Care must be taken by all parties to understand and accept restrictions for actions after claims are filed. Emergency repairs paid by the insured may be denied if outside the pre-approved conditions.


Question

An insured had a data security policy with a pre-approved consent list. It had a data breach from an unknown party in South Africa. It received a ransom note to return the data. It hired a local lawyer who paid the ransom and took back the data. It filed for reimbursement of legal fees and damages. Is the reimbursement covered under the policy?

Answer

It depends upon a number of factors. Did the insured have contractual permission to hire someone off the list under certain circumstances? What is the wording of the consent provision? Desirable wording for all policies is consent “not unreasonably withheld.” This is especially important in cyber risk coverage.

Second Parties as Additional Insureds

Many cyber policies involve risks where other parties can effectively cause the insured to suffer a loss. They can suffer a loss themselves. The risk manager and insurer may want to include second parties under a policy. An example would be officers of a company or nonprofit organization. Vendors and suppliers with access to the data or communications system could become targets of lawsuits. Even customers may have exposure because they are integrated with purchasing or other activities.

Conclusion

Underwriting is and will continue to be a critical function of insurance operations. Operating at junior as well as senior levels, individuals who understand exposures, make judgments about their frequency and severity, and determine appropriate pricing for policies will be key players in the success of insurance companies and their ability to provide insurance coverage for commercial buyers.

In some ways all insurance contracts follow the same basic design and this will prove useful in developing new forms for cyber risk. The sections have been created over many years and have been tested in courts so that we understand the likely interpretations under common law. In other ways, they vary so that they can be adapted to new and changing conditions and unique situations. One of the advances occurred when insurers and organizations increased their emphasis on risk management to reduce the cost of insurance and likelihood and severity of losses. These efforts led us into hazard risk management and can be tailored to meet new cyber exposures.


Chapter 8. Brokers, Agents, and Claims

PARTIES INVOLVED IN CYBER INSURANCE

To manage the use of cyber insurance for commercial entities, four parties help insurance companies and insurance buyers to evaluate needs and arrange to transfer exposures to insurance companies. These are:

Retail Broker. This party performs services related to arranging for insurance and advising on risk management. When the party provides a wide range of property and liability services, it is known as a retail broker.

Wholesale Broker. This party, also called a specialty lines broker, performs only a limited range of services in a specialized area. Cyber insurance coverage begins with the retail broker and often involves a cyber specialty lines broker.

Agent. This party performs many of the same services as are provided by brokers.

Claims. This consists of adjusters, lawyers, engineers, and others who investigate insurance claims filed by policyholders who seek reimbursement for losses under their cyber insurance policies.

Characteristics of a Broker

To understand the brokerage function, we can identify major characteristics including:

Licensed. Insurance regulators in each U.S. state must approve brokers. That means the broker is authorized by a jurisdiction to place insurance.

Independent. When operating as a broker, a licensed intermediary can work with a variety of insurance buyers and insurers.

Representative of Buyer. The broker is accountable to the buyer and accepts responsibility, legal as well as ethical, to understand the risks facing organizations seeking insurance.

Characteristics of an Agent

Agents perform the same services as brokers but there are differences:

Representative of Insurance Company. An agent represents one or more insurance companies and is accountable to the insurer. Although an agent helps clients understand the risks they face, an agent is not legally accountable for identifying the best insurance coverages for specific risks.

Exclusive Agent. This category of agents works for a single insurer. It may be an employee of the company or it may be an independent agency that is paid to find customers and sell them insurance.

Independent Agent. This category of agents represents multiple insurers.


The agent can assess the needs of a client and direct the organization to one of the companies that it represents.

Agent Binding. An agent can make a policy effective. This is called binding the policy. When the negotiation between buyer and agent is finished, the agent can advise the client that it has coverage. A broker cannot bind a policy. The broker must submit the coverage request to the insurer and wait for approval of the policy.

Agent Powers

An agent can have two powers to bind a cyber policy:

Express Powers. This is the authority spelled out in a written agreement that allows the agent to represent an insurer.

Implied Powers. This is the authority to represent an insurance company based on appearances of the agent’s relationship to the insurer.

Question

Susan Powers sells cyber insurance but has no authority to act as an agent for the Blue Creek Insurance Company. Susan told Arnold Jenkins that she is an agent and his truck fleet is covered immediately by a policy. Arnold called the insurer and asked for a clarification of the status of Ms. Powers. A Blue Creek receptionist said, “Susan Powers sells cyber insurance for Blue Creek.” A loss occurred the next day. Is the loss covered by the Blue Creek policy?

Answer

The discussion revolves around express versus implied powers. Is the word of a receptionist sufficient to imply an agency relationship?

Question

The Gilbert Insurance Services Company arranges insurance coverage for loss of business resulting from hacking of data transfer equipment. Most of the coverage is placed with three insurers, one each in London, Birmingham, and Paris. How would you tell whether Gilbert is a broker or agent? Why would you care?

Answer

Ask Gilbert. “Are you an employee of the insurer?” “Are you acting as broker or an agent in this transaction?” You care because you want to know whether the party is working for you or an insurer. You might also care because an agent can make a policy effective immediately. Finally, you may simply want to know whether you are talking to an agent or the insurer itself.

Markets for Cyber Insurance

Most cyber insurance is available through retail brokers in admitted markets. Some coverages are largely available only through wholesale brokers in the specialty or surplus markets. Some coverages are available in both markets.

Cyber Risk Perception

Brokers and risk managers have widespread agreement on the most important cyber risks facing their organizations. One survey asked the question, “Which of the following is the greatest cyber risk facing organizations today?”

Greatest Cyber Risk            Percent Responding
Data Breach                    51%
Cyber Crime                    33%
Business Interruption          8%
Cyber Extortion                5%
Supply Chain Disruption        3%

Resistance to Purchasing Cyber Insurance

Many organizations realize the extent of cyber danger but are often reluctant to expend the level of funds needed to improve security. Many also resist purchasing cyber insurance. When asked why, they offer responses such as the following:

We don't think we need it.

We think we already have it with general liability coverage.

The premiums are too high.

Insurance companies do not offer sufficient coverage.

Insurance companies do not offer what we need.

Cyber Risk by Selected Industry Segments

One way to view cyber risk is to consider the difference among various business activities and organizations. One survey showed the following:

Industry or Organizations                    Exposure to Cyber Risk
Banking and Financial Services               High
Department Stores and Retail Chains          High
Credit Card and Transaction Processors       High
Hospitals and Health Care Systems            Medium-high
Health Insurers and Medical Records          Medium
Colleges and Universities                    Medium

BUYING CYBER INSURANCE

At some point, an insurer, broker or agent, and buyer begin the process of discussing a specific coverage. In this process the parties address a number of issues. These include:

Buyer Needs. The broker and insured examine a multitude of factors to develop a broad outline of the desired coverage.

Underwriting. The insurer works with the parties to understand the buyer needs as well as the operational, financial, and other conditions that shape the decision on whether to offer coverage.

Pricing. The insurer assesses risk factors including frequency and severity and determines the premium to be charged for coverage. This assumes, of course, that the insurer is willing to accept the risk.

Limits and Deductibles. The insurer presents to the buyer the maximum amount of coverage that will be available and also the amount of loss that the insured will retain.

Policy Terms and Conditions. The parties work together on the specific terms and conditions to be incorporated into the insurance policy. All parties pay considerable attention to the legal wording so it is appropriate for the insured’s exposures, places limits where the insurer demands them, and ensures that all parties understand the scope of coverage.

Question

Brokers find, request, and negotiate cyber insurance coverage. They work for the company and are an advocate for the company. At the same time, they maintain good relations with the insurer. In the process, the broker must earn sufficient income to achieve its own goals. Does the dual role create a conflict of interest?

Answer

A perceived conflict arises when a broker accepts contingency fees from insurers. Many industry observers believe an actual conflict of interest can be avoided under specific conditions.

Question

What are the conditions to avoid the conflict of interest between broking and contingency fees?

Answer

They are:

Expertise. This refers to a situation where a buyer has an independent ability to assess the nature and cost of coverage and the expected services of a broker. In general property and liability insurance, expertise is considered to exist when the insured employs a risk manager to participate in negotiations. This is not the assumption for most discussions of cyber risk coverage. Specialized expertise is generally sought on the kinds and coverages needed.


Relationship. The participants who negotiate insurance often have developed long-term relationships based on trust and loyalty. This situation reduces some buyers' concern about conflicts of interest. This, too, may not apply to cyber risk as it is a relatively new area of commercial insurance and relationships may not have formed as yet.

Disclosure. Almost all observers believe that the broker has an ethical and fiduciary obligation to disclose all information on the broker’s relationship with insurers. It is particularly important to disclose to the buyer any payments or other compensation that the insurer gives to the broker in return for bringing business to the insurer.

Specialty Lines

This term refers to insurance that cannot be placed with an insurer in a certain jurisdiction. Cyber risk often meets this definition. Common characteristics are:

High Risk. The cyber risk exposure may offer a higher level of risk than is acceptable to a general property and liability insurance company.

Unique Coverage. Cyber insurance is relatively new and many companies do not have experience with the desired coverage.

Rare Coverage. An insured may need insurance offered by a limited number of carriers. A company and its broker may have to shop broadly to find coverage for unusual exposures.

Capacity Limitations. An organization may have to go outside local property or insurance markets simply because it needs a higher level of coverage than is available in the market. An insured may request a policy limit that exceeds the capacity of conventional markets. Alternatively, a single insurer may not be large enough to handle the high policy limit. Finally, a local insurer may not have the expertise to reinsure large exposures.

Risk Expertise. Local insurers may not have the knowledge or data to underwrite a risk that is not familiar to their underwriters.

Specialty Lines Broker

A specialty lines broker is a licensed entity that provides specialized insurance products to the clients of retail insurance agents and brokers. It handles business that the retail agent cannot place with its standard markets. It also finds insurers who are willing to provide specialized coverage or can convince insurers to accept risk that is hard to place in local commercial insurance markets. Cyber risk can fit all these situations.

Question

We commonly identify specialty lines brokers using the term wholesale brokers. Why is this accurate?

Answer

The wholesale broker works only with retail brokers. The insured approaches a retail broker to request coverage. In many cases the coverage will not be in the local jurisdiction served by the retail broker. Under the guidelines of regulators in the licensed jurisdiction, the retail broker may approach a surplus lines broker.

Surplus Lines

This refers to situations where specialty lines transactions cannot be completed with an admitted insurance company in a jurisdiction. The term surplus lines refers to coverage placed with a non-admitted insurer. There is no difference in the insurance products that are included in the use of the term and no difference with respect to cyber insurance.

Question

Why are insureds required to use retail brokers in a surplus lines transaction?

Answer

As non-admitted insurers are not licensed by the state, regulators do not know them. The regulators want to be sure a licensed broker evaluates the need for coverage and the kind of insurance that will indemnify loss. As a broker works on behalf of the insured, the retail broker is responsible for evaluating the risk and assessing the suitability of the surplus lines coverage.

Question

Why do insureds seek specialty or surplus lines coverage?

Answer

The motivations to purchase specialty or surplus lines coverage include a desire to find coverage otherwise not available, tailor the coverage to meet specific needs, and obtain relatively quick approval for unique coverages.

Question

What are the drawbacks to surplus lines insurance?

Answer

Some observers see certain disadvantages to companies purchasing surplus lines insurance. For one thing, a local government has not regulated the insurer. An insurer domiciled in an area where regulation is lax and insolvency is common may offer the coverage. Also, state guaranty funds may not help or compensate the insured if the insurer becomes insolvent. These concerns tend to be fairly minor with respect to the extreme risks that can arise from cyber exposures.


Excess Insurance

Large commercial buyers can purchase excess insurance directly. Three important characteristics of excess insurance determine its usefulness and effectiveness:

Attachment Point. This is the lower limit of excess coverage. The excess insurer has no obligation to pay for a loss until it reaches the attachment point for the policy. Once that happens, the excess can begin to reimburse a loss.

Coverage Follows Form. This occurs when an excess policy contains exactly the same provisions as a lower layer of insurance. If an excess property insurance policy covers all exposures and has the same conditions as a primary policy, it is said that coverage follows form. If flood coverage is excluded from the excess policy, coverage does not follow form.

Coverage Gap. This occurs when the combination of a primary policy and excess policy fails to follow form. It can occur in two ways. First, the excess coverage can have an attachment point higher than the primary policy limit. Second, a coverage gap exists as the result of an exclusion, so that coverage does not follow form.

Question

A primary insurance policy covers hacking losses with a per occurrence limit of $2 million and a deductible of $100,000. An excess policy covers annual aggregate losses above $2.5 million up to a maximum of $12 million. Is this a good structure for an insurance arrangement?

Answer

No. The problems are:

Form. Coverage does not follow form. The primary insurance is per occurrence while the excess insurance is aggregate.

Gap. The structure has a coverage gap. The primary layer has a $2 million policy limit while the excess coverage does not begin until a loss reaches $2.5 million.

Specific and Aggregate Excess

The excess coverage above the limits on cyber policies can be structured in different ways to meet specific goals. Two categories are:

Specific Excess. Covers insured losses on a per loss, per occurrence, or per claim basis.

Aggregate Excess. Coverage above all insured losses that exceed a total dollar amount during a period of time.
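The layered structure from the question above, together with the specific versus aggregate distinction, as an added Python example that is not from the book: it allocates each occurrence in a policy year across the deductible, the primary layer, the uninsured gap, the excess layer and any amount above all coverage, so the coverage gap and the follows-form mismatch show up as dollar figures. It assumes that the deductible sits inside the primary limit, that the excess pays only the part of a loss above the primary limit, and that an aggregate excess measures its attachment point against cumulative gross loss for the year; the policy figures are the book's (with the $12 million read as the ceiling of the excess layer), and the loss amounts are constructed.

```python
"""Allocate cyber losses across a primary policy and an excess policy.

Added example, not from the book. Constructed assumptions:
  * the deductible sits inside the primary limit, so the primary layer is
    exhausted once an occurrence reaches that limit;
  * the excess responds only to the part of an occurrence above the primary
    limit, so no dollar is paid twice;
  * an aggregate excess measures its attachment against cumulative gross loss
    for the year; an occurrence excess measures it against each loss alone.
"""
from dataclasses import dataclass
from typing import List

INF = float("inf")


@dataclass(frozen=True)
class PrimaryPolicy:
    limit: int        # per-occurrence limit, in dollars
    deductible: int   # insured retains this much of each occurrence


@dataclass(frozen=True)
class ExcessPolicy:
    attachment: int   # excess responds to loss above this point
    limit: int        # size of the excess layer above the attachment point
    basis: str        # "occurrence" or "aggregate"


@dataclass(frozen=True)
class Allocation:
    deductible: int   # retained by the insured under the primary policy
    primary: int      # paid by the primary insurer
    gap: int          # above the primary limit but below the attachment point
    excess: int       # paid by the excess insurer
    above_all: int    # beyond the top of the excess layer


def _overlap(lo, hi, a, b) -> int:
    """Length of the intersection of [lo, hi] and [a, b]; 0 when disjoint."""
    return max(0, min(hi, b) - max(lo, a))


def follows_form(primary: PrimaryPolicy, excess: ExcessPolicy) -> bool:
    """True when the excess sits directly on the primary limit on the same basis."""
    return excess.basis == "occurrence" and excess.attachment == primary.limit


def allocate_year(losses: List[int], primary: PrimaryPolicy,
                  excess: ExcessPolicy) -> List[Allocation]:
    """Allocate each occurrence of a policy year, in order, across the layers."""
    result = []
    cumulative = 0  # gross loss to date; only an aggregate excess uses it
    for loss in losses:
        in_primary = min(loss, primary.limit)
        deductible = min(loss, primary.deductible)
        # The slice of this occurrence that the primary layer does not reach,
        # placed on the scale the excess policy measures its attachment on.
        offset = cumulative if excess.basis == "aggregate" else 0
        span_lo, span_hi = offset + primary.limit, offset + loss
        top = excess.attachment + excess.limit
        result.append(Allocation(
            deductible=deductible,
            primary=in_primary - deductible,
            gap=_overlap(span_lo, span_hi, -INF, excess.attachment),
            excess=_overlap(span_lo, span_hi, excess.attachment, top),
            above_all=_overlap(span_lo, span_hi, top, INF),
        ))
        cumulative += loss
    return result


if __name__ == "__main__":
    primary = PrimaryPolicy(limit=2_000_000, deductible=100_000)
    # The structure from the question: aggregate excess from $2.5M to $12M.
    book = ExcessPolicy(attachment=2_500_000, limit=9_500_000, basis="aggregate")
    # A repaired structure: occurrence excess attaching at the primary limit.
    fixed = ExcessPolicy(attachment=2_000_000, limit=10_000_000, basis="occurrence")
    for label, excess in (("book", book), ("fixed", fixed)):
        print(label, "follows form:", follows_form(primary, excess))
        # Constructed loss history: two $3M hacking occurrences in one year.
        for a in allocate_year([3_000_000, 3_000_000], primary, excess):
            print("  ", a)
```

With the book's structure, the first $3 million occurrence leaves $500,000 in the gap between the $2 million primary limit and the $2.5 million attachment point; once the occurrence excess is made to attach at the primary limit, the gap disappears.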


ADJUSTING CYBER CLAIMS

Claims adjusting refers to the process of resolving or settling a claim that a covered loss has occurred. The steps vary with the nature of the loss. An example of the process:

Notification. This refers to the fact that an insured must file a claim. Without a hacking, unauthorized access, or other claim of loss, the insurer does not engage in adjusting.

Review of the File. The adjuster examines the information related to the loss. If working for the insured, the task is to create the file. If working for the insurer, the adjuster assesses the information provided by the insured and answers the question, “Did a loss occur?”

Verification of Coverage. The adjuster compares the policy with the loss. A loss may have occurred but it may not be covered under the policy. The adjuster answers the questions, “Was the policy in effect?” and “Is the loss covered by the policy?”

Assess Covered Loss. If the loss is covered, the adjuster researches the circumstances and confirms the nature and extent of the loss.

Assistance. If the loss is covered, the adjuster seeks to help the insured that suffered the loss and begins steps to reimburse it.

Assess Indemnity. Once all the relevant information is gathered, the adjuster seeks to determine the cost of the loss and the monetary payment needed to indemnify the policyholder.

Claims Adjusters

Different parties are involved in claims adjusting. Some adjusters work on property claims involving damage to buildings, operational facilities, and other assets. Others work with liability claims covering personal injuries or third-party property damage arising from motor vehicle accidents or alleged negligent behavior. Categories of adjusters include:

Claims Adjuster. This is a generic term for individuals or organizations that handle a file. Usually they are working for the insurance company and are often employees of the insurer.

Third Party Administrator (TPA). This is an independent adjuster that can work for different insurance companies or for the insured. In many cases this party is highly knowledgeable in different fields.

Public Adjusters. These individuals work exclusively for the policyholder. They help the individual or organization prepare a claim and develop the information needed for the insurer to assess the indemnification needed to reimburse the loss.


Closing Claims

An insurance company closes the books on a claim in either of two situations:

Negotiated Settlement. The insurance company and insured may not agree on the amount of money needed to indemnify the loss, as contained in the terms of the policy. The insurer will make an offer and the insured will respond. At some point the parties may reach agreement. This produces a negotiated settlement.

Court Settlement. If the parties cannot agree, the claim may wind up in court to settle the disagreement. Sometimes an arbitration or mediation process takes place and the parties reach a settlement without appearing in front of a judge.

Whether settled or by court verdict, insurers should give a fair and prompt payment for legitimate claims.

Question
A meat packing firm filed a claim under policy #3335571 after a hacking that disabled the firm’s refrigeration. Damage is estimated to be $15,000. What questions must the claims adjuster answer as part of the process of settling the claim?

Answer
Questions would include:

Did the loss occur? Is the policy in effect? Does the policy cover this kind of loss? Does a property policy also cover the loss? Did the insured meet the policy conditions? Is the insured entitled to payment? If two policies cover the loss, how much should each insurer pay?

Consent-to-settle Provision and Hammer Clause

Because of the size and visibility of claims in a social media world, cyber insurance can produce serious disagreements between the insurance company and the insured when an opportunity arises to settle a lawsuit. Two clauses may come into play:

Consent-to-Settle Clause. Many cyber liability insurance policies require that the insurer obtain the consent of its insured before it settles a claim with a plaintiff. The insured pays a higher premium for a consent-to-settle clause in order to retain the “final say” on whether a claim is settled.

Cyber Hammer Clause. To counterbalance an insured’s right to object to a settlement, insurers often include a hammer clause that limits an insurer’s liability to the amount for which the claim could have been settled plus defense costs incurred up to the date of the insured’s refusal to settle.

A typical consent-to-settle provision with a hammer clause may read:

“Insurer will not settle or compromise any claim without the consent of the insured. If, however, the insured refuses to consent to a settlement or compromise recommended by insurer and elects to contest such claim or continue legal proceedings, the insurer’s liability for the claim shall not exceed the amount for which the claim could have been so settled plus claims expenses incurred up to the date of such refusal.”

Question
A cyber insurance policy has a $2 million policy limit. Defense costs are outside the limit. The policy has both a consent-to-settle and a hammer clause. A data storage firm has been sued for loss of confidential information. The plaintiff offered to settle for $800,000 at a time when legal defense costs were $120,000. The insured refused. The case went to trial and finished with a verdict for damages of $2.5 million and total defense costs of $250,000. How much did each party pay?

Answer
Total costs were $2,750,000 ($2,500,000 of damages and $250,000 of defense costs). The hammer clause caps the insurer at the refused settlement plus the defense costs incurred up to the refusal:

The insurer paid $920,000 ($800,000 and $120,000). The insured paid $1,830,000 ($1,700,000 of damages and $130,000 of defense costs).

Question
Suppose the verdict was $300,000 in damages. How much did each party pay?

Answer
The insurer paid $550,000 ($300,000 and $250,000), which is below the $920,000 cap. The insured paid nothing.
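The two questions above are instances of one calculation. The Python below is an added example, not material from the book, and it assumes what the questions state: defense costs sit outside the policy limit, and the hammer clause caps the insurer’s total at the refused offer plus the defense costs incurred at the date of refusal. It also works out what the insurer would have paid with no hammer clause, a comparison the book does not make.

```python
"""Split a verdict and defense costs between insurer and insured under a
consent-to-settle provision with a hammer clause.

Added example; not the book's text. Assumptions (labelled here and in the
docstring of split_costs): defense costs are paid outside the policy limit,
and the hammer clause caps the insurer's total liability at the refused
settlement offer plus defense costs incurred up to the refusal.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Split:
    insurer_damages: int
    insurer_defense: int
    insured_damages: int
    insured_defense: int

    @property
    def insurer_total(self) -> int:
        return self.insurer_damages + self.insurer_defense

    @property
    def insured_total(self) -> int:
        return self.insured_damages + self.insured_defense


def split_costs(policy_limit: int, verdict: int, defense_total: int,
                refused_offer: Optional[Tuple[int, int]] = None) -> Split:
    """Allocate damages and defense costs after trial.

    refused_offer is (settlement_offer, defense_costs_at_refusal) when the
    insured withheld consent to a settlement the insurer recommended; None
    means no hammer clause was triggered. Defense costs are assumed to be
    outside the limit, so the limit caps damages only.
    """
    if refused_offer is None:
        insurer_damages = min(verdict, policy_limit)
        insurer_defense = defense_total
    else:
        offer, defense_at_refusal = refused_offer
        cap = offer + defense_at_refusal
        # The clause caps the insurer's total. How that total is split between
        # damages and defense is a presentation choice; paying damages up to
        # the refused offer first reproduces the book's worked answer.
        insurer_damages = min(verdict, policy_limit, offer)
        insurer_defense = min(defense_total, cap - insurer_damages)
    return Split(
        insurer_damages=insurer_damages,
        insurer_defense=insurer_defense,
        insured_damages=verdict - insurer_damages,
        insured_defense=defense_total - insurer_defense,
    )


if __name__ == "__main__":
    hammer = (800_000, 120_000)
    for verdict in (2_500_000, 300_000):
        s = split_costs(2_000_000, verdict, 250_000, refused_offer=hammer)
        print(f"verdict {verdict:>9,}: insurer {s.insurer_total:>9,} "
              f"insured {s.insured_total:>9,}")
    # Same $2.5 million verdict with the hammer clause not triggered: the
    # insurer pays the $2 million limit plus all defense costs.
    print(split_costs(2_000_000, 2_500_000, 250_000).insurer_total)
```

Running it reproduces the book’s $920,000 / $1,830,000 and $550,000 / $0 answers, and shows that without the refusal the insurer would have paid $2,250,000; the $1,330,000 difference is what the hammer clause shifted onto the insured.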

Reasonableness Limitation

A consent-to-settle provision often contains language limiting the insured’s ability to withhold permission to settle. It may read:

Insurer shall not settle any claim without the consent of the insured, which consent shall not be unreasonably withheld.

Courts have taken different interpretations of the meaning of this clause:


Clause Restricts Insured from Withholding Consent. Some courts hold that the insured may not act unreasonably in refusing a settlement the insurer recommends, so the hammer clause applies.

Clause Restricts Insurer from Limiting Liability by Settling. Other courts have ruled that the clause invalidates the hammer clause if the court finds that the insured’s withholding of consent to settle was “reasonable.” In effect, the insurer then cannot limit its liability to the settlement offer plus the defense costs at the date of refusal.

Conclusion

Retail and wholesale brokers are the allies of risk managers when it comes to assessing and securing cyber insurance coverages. It is a partnership of underwriters, adjusters, brokers, agents, and others that is likely to build the future market of cyber insurance for computers, data system networks, and other exposures that form cyber risk.


Chapter 9. Cyber Property Insurance

CYBER PROPERTY RISK

Property risk refers to the possibility of economic loss that results from damage to physical assets. A cyber attack can cause the complete destruction of a computer, network, software, or other asset. The loss can arise through hacking, carelessness, theft, or an “Act of God.” We can identify two broad categories of cyber property risk:

Direct Loss. When the damaged assets themselves are the loss. A hack that overheats a computer and destroys its internal circuits is a direct loss. The computer is no longer useful for business and must be repaired or replaced.

Indirect Loss. When the loss results from the consequences of another loss. Assume the overheating and computer loss causes lost sales because the company cannot complete a job. The lost sales or extra costs of handling customers are indirect losses.

Disruption Risk

This refers to losses that arise from an interruption to normal business activity. Even though a physical loss is the visible damage, the inability to return to operation and deliver on business commitments can cause sizeable losses. Disruption risk takes two forms:

Lost Profits. The company cannot deliver products or services and suffers a drop in earnings. This can have many consequences including a shortage of cash that causes liquidity problems, a lack of confidence of investors or lenders, and a drop in the price of a company’s stock.

Extra Expenses. This refers to the additional costs that are incurred after a loss. If an oil refinery loses operation in part of the facility because a computerized system is damaged, adjustments must be made for safety, efficiency, and other reasons. These changes to operations can cause the entity to incur substantial additional charges as it makes temporary arrangements to conduct business prior to resuming normal operations.

Managing Property Risk

Most commercial operations understand the importance of managing property risk. The most common efforts involve:

Loss Control. The activity to make the property safe for employees, visitors, and the assets themselves. Workers are trained on safety procedures and the proper use of machinery. Computerized systems are designed with features that shut them down when extreme conditions develop. They are sited on the property so that an explosion or other event does not cause extensive damage to the system of computerized controls.

Retention. It is not possible to avoid all computer equipment risks, and organizations always retain a portion of property risk. Risk management for the retained portion concentrates on reducing the likelihood of physical damage.

Transfer. The company transfers exposures that are too large to retain. The most common vehicle is insurance. In some cases another party will accept responsibility for a loss; the most common example is a manufacturer that agrees to cover the failure of an asset during a specific period after purchase. Such a guarantee normally excludes damage caused by a hacking attack.

Real and Personal Property

Two categories of property qualify for property insurance:

Real Property. The rights, interests, and benefits inherent in the ownership of land or buildings that provide the location for a computerized facility. The term covers a bundle of rights including buildings, power sources, and other fixed supporting assets. It can include intangible assets such as air rights or easements.

Personal Property. Tangible and intangible assets that are not legally deemed to be real property. Examples are moveable items related to computers and their use in the organization.

Commercial Property

Risk management focuses on three broad categories of property:

Buildings. Structures and their permanently installed contents. This is usually a relatively stable risk to assess. The asset is physically located in one place and, once exposures are delineated, they rarely change.

Fixtures. Assets firmly attached to a building as a permanent structural part. High-cost fixtures may or may not be covered.

Business Personal Property. Individual items owned or in the control of the insured. Examples are all the assets related to the computers and systems used by an organization.

The term “building” can be separated into two categories:

Completed Building. A structure occupied or ready for occupancy.

Partial Building. A structure under construction.

Business Personal Property

If an asset is in the building but not part of it, it is business personal property. Commonly, this refers to:


Furniture. Only the furniture used in the business or under the control of the insured. It does not include property owned or used by others temporarily brought to an insured location.

Equipment. Machinery and other assets used in the conduct of business.

Removable Fixture. An asset located in the building but not permanently attached to it.

Controlled Property. Assets owned or used by others but temporarily in the control of the property owner.

Question
Identify each of the following as “building” or “business personal property:” built-in bookcase, owned computer, leased computer, central air conditioning unit, cubicle, sign in front of office.

Answer
Built-in bookcase. Building. A permanent feature attached to a wall.
Owned computer. Personal, if owned by the company. Not covered if owned by an individual.
Leased computer. Personal. Assumes the business pays for the lease.
Central air conditioning unit. Building. Part of the structure.
Cubicle. Personal or building. Is it attached to the floor?
Sign in front of office. Personal or building. Is it attached to the building?

Question
A company is located next door to a college that offers evening courses. The company allows students to leave their personal computers in lockers while they attend classes. The roof collapsed and damaged six computers. Are they likely to be covered by the company’s insurance?

Answer
Not likely. Since the computers are not business personal property under the control of the company, it is not likely that they qualify for coverage.

Question
A factory has a computerized crane that is attached to the ceiling and can move components among automated assembly lines. It can serve assembly lines that are movable in flexible configurations. Are the crane and assembly lines covered as part of the completed building?

Answer
The crane is covered as a permanent fixture. The assembly lines are movable equipment sitting on the factory floor and are not part of the building; they would have to be insured as business personal property.

Property Insurance Forms

Insurance that covers property will be written in one of the following forms:

All-risk. Covers losses to the identified property from any peril that is not excluded. If a peril is not intended for coverage, it must be excluded explicitly.

Named Perils. Covers losses from specified causes. If another peril causes damage or destruction, the loss will not be indemnified.

Question
An insurance contract protects the building of an Internet service provider. A separate flood policy covers water damage. Both policies exclude earth movement. During Hurricane Sandy, heavy flooding caused mud to slide down a hill and damage the facility. The insurer denied the claim for damage based on the earth movement exclusion. Would a court uphold the exclusion?

Answer
Apparently a lawyer thought so. Upon advice from counsel, the company accepted a settlement that did not cover the full damage.

Property Insurance Coverage

One way to classify property insurance is by the nature of coverage:

Specific Coverage. Applies to a single named property. As an example, a fire insurance policy may apply to 255 Oak Street, Freeport, California, a single switching center.

Blanket Coverage. Applies to multiple units not listed separately. One example is a policy that covers the personal computers used in a call center. Another is a policy that applies to projection systems used to support presentations at conferences and sales events. Damage to different items at changing locations would be covered under the single blanket policy limit.

Question
Insurance covered 1180 Chapel Avenue and its 12 separate climate-controlled servers with a policy limit of $600,000. In the policy, the servers were identified as being located in units 1A, 1B, 1C, 1D, 2A, 2B, 2C, 2D, 3A, 3B, 3C, and 3D. A cyber attack caused damage of $250,000 to unit 1C, $300,000 to unit 2B, $150,000 to unit 2D, and $400,000 to unit 3A. How much can the owner collect from the insurer?

Answer
The owner appears to be entitled to collect the full loss for each server, $1,100,000 in total.

Since the servers were identified individually, a court would be likely to rule that the $600,000 limit applied to each property. Listing the assets indicates that the insurer intended to provide separate coverage for each unit. An insurer that intends a single blanket limit for all twelve units should say so in the policy.

Question
An insurance policy covers the contents of a facility identified as Dell servers and components. The company changed the contents to HP process control servers. Three months later the building burned to the ground. The insurer denied the claim because the contents were not as described in the application for insurance. Will a court uphold the denial?

Answer
Probably not. The policy is blanket coverage for items in a specific location. As long as the contents were not the source of the destruction, the blanket policy is likely to apply.

Additional Coverages

Coverage under a property insurance policy can be modified in two ways.

Endorsement. Already defined as a written provision that modifies an insurance policy. It is also called a rider.

Supplemental Policy. A second policy that expands the coverage under an insurance policy.

PROPERTY INDEMNIFICATION

Insurance companies commonly use one of three approaches to indemnifying a financial loss to property:

Actual Cash Value. Replacement cost minus depreciation for age and ordinary wear and tear. Assume a newspaper purchased a computer five years ago at a cost of $3.5 million. It has a 15-year service life and has depreciated to a value of $2.3 million when it is destroyed in an explosion. Insurance on an actual cash value basis would indemnify the company for the $2.3 million less any deductible required under the policy.

Replacement Value. Cost of replacing a damaged asset with a comparable asset. In some cases, it may be possible to find a used asset that can adequately serve as a functional replacement. In other cases, the insured may pay an extra premium to cover the cost of a new item.


Agreed Upon Value. Amount of insurance coverage when the insured and insurer agree in advance. The insurance company will seek information to determine either a policy limit that indemnifies a loss or a value that seems reasonable for the coverage.

Weaknesses of Actual Cash Value

The actual cash value method is not a recommended approach.

Property insurance should always recognize the indemnity principle, which allows an insured to be restored as much as possible to a pre-loss condition.

The insured does not know the post-loss position with actual cash value coverage. A depreciated value may not produce sufficient money to replace a destroyed asset.

We should not set up a possible disagreement with an insurer after a loss. A discussion on depreciation would do exactly that.

Question
A computer system is destroyed by a power surge. It is insured for its actual cash value. It was purchased for $3 million 5 years ago when it had an estimated service life of 15 years. Its replacement cost today will be $6 million including upgrades. What is the actual cash value?

Answer
It depends on how the insurer calculates actual cash value. Straight-line depreciation of the purchase price gives $2 million ($3 million times 10/15, the ten years of service life remaining). An insurer that starts from today’s replacement cost and subtracts depreciation would arrive at a different figure, which is exactly the post-loss disagreement described above. In either case, the policy does not cover upgrades unless they are included in an endorsement.

Question
For the computer in the previous question, what is the replacement value?

Answer
The policy would pay $6 million minus the cost of the upgrades if it did not contain an endorsement covering upgrades.

Question
A painting by a 16th century Italian artist was purchased 12 years ago for $1.2 million plus a 10% auction commission. It hangs in the headquarters of an energy company. Three works by the same painter recently sold at auction for $2.6, $3.2, and $6.5 million. The company wants $7 million in insurance coverage. Is it likely that an insurer would provide it?

Answer
It is possible. The insurer would probably appraise the painting. If the market indicates that prices for the artist’s work are rising, $7 million could be an agreed upon value.

Policy Limits

The policy limit for a property insurance policy may be expressed in two ways:

Per Occurrence. The policy limit applies separately to each cause of loss.

Aggregate Policy Limit. The policy limit applies to the total of all losses within the policy period.

With either approach, the insurer would require a deductible so the insured pays the first portion of a loss.

Question
An insurance policy covers 15 facilities located in six cities in Brazil and Argentina. The policy states:

The insurer’s limit of liability in a single occurrence is $600,000. The aggregate limit of liability for the policy period is $1.2 million. The deductible from the amount of the loss is $200,000 per occurrence.

A windstorm in Brazil causes the following damage covered by the policy: Hotel #1: $400,000. Hotel #2: $500,000.

A tidal wave in Argentina causes the following damage covered by the policy: Hotel #3: $800,000. Hotel #4: $350,000.

What is the likely reimbursement from the policy?

Answer
The coverage for each loss, taken in order, is:

#1: $200,000 ($400,000 loss less the $200,000 deductible).
#2: $400,000 (up to the $600,000 occurrence limit; no second deductible for the same occurrence).
#3: $600,000 ($800,000 loss less the $200,000 deductible, which also reaches the occurrence limit).
#4: Zero (the $1,200,000 aggregate policy limit is exhausted).

Question
A full-year policy covers a facility with a limit of $200,000 and a deductible of $25,000. In May, a fire causes damage of $150,000. In October, a second fire causes additional damage of $250,000. How much will the policy reimburse?

Answer
The reimbursement depends on whether the limit is per occurrence or aggregate. The deductible comes off each loss first, and the limit then caps what remains.

Per occurrence, the reimbursement is $325,000:
May fire: $125,000 ($150,000 loss less the $25,000 deductible).
October fire: $200,000 ($250,000 loss less the $25,000 deductible is $225,000, capped at the $200,000 limit).

On an aggregate basis, the reimbursement is the $200,000 policy limit: $125,000 for the May fire and the remaining $75,000 for the October fire.
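The hotel and two-fire questions above apply the same three terms in sequence: a per-occurrence deductible, a per-occurrence limit, and an aggregate limit. The Python below is an added example, not from the book, that implements that sequence for any list of occurrences; it assumes the book’s reading that the deductible comes off the first dollars of each occurrence and that the two limits cap, respectively, each occurrence and the whole policy period.

```python
"""Apply a per-occurrence deductible, a per-occurrence limit and an aggregate
limit to covered losses, in the order a claims adjuster would.

Added example; not the book's text. Assumes the deductible is charged once
per occurrence against its first dollars of loss, the per-occurrence limit
caps the insurer's payment for that occurrence, and the aggregate limit caps
its payments over the whole policy period.
"""
from typing import List, Optional


def apply_limits(occurrences: List[List[int]],
                 per_occurrence_limit: Optional[int],
                 aggregate_limit: Optional[int],
                 deductible: int) -> List[List[int]]:
    """Return the insurer's payment for each loss, grouped like the input.

    occurrences: one inner list per occurrence, each holding the covered
    losses from that event in the order they are adjusted. Pass None for a
    limit the policy does not contain.
    """
    aggregate_left = aggregate_limit
    payments: List[List[int]] = []
    for losses in occurrences:
        occurrence_left = per_occurrence_limit
        deductible_left = deductible            # charged once per occurrence
        paid: List[int] = []
        for loss in losses:
            absorbed = min(loss, deductible_left)   # insured's share first
            deductible_left -= absorbed
            payable = loss - absorbed
            if occurrence_left is not None:
                payable = min(payable, occurrence_left)
            if aggregate_left is not None:
                payable = min(payable, aggregate_left)
            if occurrence_left is not None:
                occurrence_left -= payable
            if aggregate_left is not None:
                aggregate_left -= payable
            paid.append(payable)
        payments.append(paid)
    return payments


def total_paid(payments: List[List[int]]) -> int:
    return sum(sum(p) for p in payments)


if __name__ == "__main__":
    # The hotel question: $600,000 per occurrence, $1.2 million aggregate,
    # $200,000 deductible per occurrence, two occurrences of two losses each.
    hotels = apply_limits([[400_000, 500_000], [800_000, 350_000]],
                          600_000, 1_200_000, 200_000)
    print(hotels, total_paid(hotels))        # [[200000, 400000], [600000, 0]] 1200000
    # The two-fire question, read as a per-occurrence limit and as an
    # aggregate limit.
    fires = [[150_000], [250_000]]
    print(total_paid(apply_limits(fires, 200_000, None, 25_000)))   # 325000
    print(total_paid(apply_limits(fires, None, 200_000, 25_000)))   # 200000
```

The order of the two `min` calls matters only when both limits bind at once; the aggregate check runs last so that an occurrence cannot be paid beyond what is left for the policy period, which is what produces the zero for hotel #4.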

Property Identification

Insurers pay attention to property items such as:

Name. Reference to the property or assets covered by the policy. It may be identified as a specific address or as a list of properties in an attached schedule. It may include related assets, such as testing equipment adjacent to a facility. For portable electronic assets that can be moved to different locations, the assets are identified so they are covered in the event of loss.

Property Exclusions. A policy will identify what is excluded.

Limitations. The policy may cover assets related to the primary coverage. The related assets may be limited to a percent of the primary policy limit.

Real Property Exclusions

Personal property is frequently excluded or limited as to coverage in a real property insurance agreement. Common exclusions:

Liquid Assets. Currency, financial securities, or precious metals.

Second-party Property. Property of others in the care, custody, or control of the insured.

Separate Risks. Uncommon or unusual property situations such as assets located in mines or other unstable areas.

Transit Property. Examples are assets stored at off-site locations or temporary exhibitions set up in parking lots.

Debris and Demolition Insurance

Real property insurance policies can be endorsed with additional coverages including:

Debris Removal. Pays for transporting and disposing of damaged property from an insured location after a loss.

Contamination. Reimburses the cost of restoring property to a safe condition.

Demolition. Pays cost of destroying part or all property prior to rebuilding it.

Mandated Upgrades. Pays for improving the property to meet new laws or government regulations.


Business Interruption Insurance

A consequential loss refers to an indirect negative impact resulting from a separate loss. Business interruption is an example. Property insurance can cover two indirect losses:

Loss of Income. An endorsement to the property policy can reimburse a portion of lost income.

Extra Expense. Extra costs can be reimbursable when incurred prior to resuming normal operations after a loss.

Question
A company lost $3.5 million last year. While hoping for a profit of $7 to $10 million this year, it suffered a hacking attack that destroyed its computerized manufacturing system. The company calculates its lost income at $1.2 million and its extra expenses at $500,000. The company has a cyber business interruption policy with a limit of $3 million per occurrence. How much should the insurer pay?

Answer
The insurer will reimburse up to $500,000 of extra expenses if they are documented. The lost income will be negotiated: the coverage pays the income the insured would have earned during the interruption, and a $3.5 million loss in the prior year weakens the evidence that $1.2 million of profit would have been earned this year.

CONTINGENT INTERRUPTION

This is another consequential loss. It is damage to a business as a result of a loss that occurred to property that is not owned or controlled by an insured. Some categories of loss are:

Supplier Losses. A firm may sell goods manufactured by other parties. If cyber damage to the property of a supplier results in a failure to have goods to sell, insurance can reimburse a portion of the loss.

Customer Losses. A firm may be operating in an area that is suddenly cut off as a result of cyber damage to the property of others or as a result of governmental or other restrictions on movement into an area. These circumstances stop customers from buying goods or services from the firm. The loss is partly reimbursable.

Other Losses. A firm may be in an area where a cyber loss causes damage to a nearby business that attracts customers to the firm. While the other business is closed for repairs, the firm may suffer a dramatic decline in sales. The loss can be partly covered by insurance.

Question
A manufacturer of souvenirs has an inventory of $2 million of items for a current year sporting event. The likely sales volume for the goods should exceed $3 million. A cyber attack caused a delay of the event. Then, a second attack caused it to be cancelled. The manufacturer has a contingent interruption policy with a limit of $1 million per occurrence. Is the loss covered by the policy?

Answer
Yes. The open issue is whether the delay and the cancellation are one occurrence or two, which decides whether the $1 million limit applies once or twice. The insured must mitigate by liquidating the goods in the best possible way, and the loss is calculated after liquidation. Recovery could therefore be up to $1 million or up to $2 million.

Thailand Floods

In 2011, a series of floods hit different areas in Thailand. Hundreds of people died and millions of people were affected. The damage to 25,000 villages, mostly by destruction of property and infrastructure, caused the loss of jobs across 38 provinces. Roads were not passable and railroad service was seriously disrupted.

The weather situation caused a severe shortage of repair parts for computer systems and networks. This caused business disruption a long distance from the floods. Suppliers were not able to finish manufactured goods because of a shortage of computer components produced only in Thailand. Manufacturers incurred insured losses in circumstances that were previously quite rare.

Question
In October 2011, a New Jersey company experienced a crash of the hard drive of its primary business computer. The files were fully backed up at an off-site location. The company contacted Dell and ordered a rush shipment of a new drive. What was the promised delivery date for the computer component?

Answer
April 2, 2012. Floods in Thailand seriously damaged the factory that made the hard drives and Dell did not have adequate inventory from other locations to fill the order on an emergency basis.

Question
Beyond their effect on underwriting, the Thailand floods produced new lessons for underwriters and companies alike. Companies that depended on repair parts for computer systems faced delays of up to 90 days. Such a delay would shut down their operations and produce an insurable disruption loss. What could the insurer recommend to mitigate the loss?

Answer
The insurer could suggest that the companies search the Internet, worldwide, for new or used components available for temporary borrowing or permanent purchase. Such efforts actually reduced insurance claims for business interruption.


Prior Loss Impact on Future Underwriting

Every major cyber property loss affects future direct property and business disruption estimates and the level of premiums for exposures. Issues to evaluate current and future practices include:

Immediate Knowledge. After a loss, underwriters know the impact of the last major event in the line of business. As they move away from a distant past loss, estimates of loss become more uncertain. Prior to Sandy, underwriting estimates in the northeastern United States reflected the damage from the 1972 hurricane Agnes. Sandy will give newer data to help make premium and other decisions.

New Loss Information. An actual loss always shows gaps in the knowledge base of underwriters. What were the results of improved construction techniques and materials? What did we fail to see as sources of loss? What new indirect losses arose from disruptions to transportation, bridges, communications, electricity, pipelines, and other elements of infrastructure?

New Policy Structures. New loss information can have measured effects on the design of insurance policies. How should a policy be structured to cover physical losses, extra expenses, operations and utility disruption, other indirect losses, and new requirements from government agencies?

New Relationship Information. Losses are magnified or reduced as a result of the right relationships. Underwriters can assess whether policyholders have redundancy and backup systems. They can measure the degree to which a business is dependent upon suppliers, customers, transportation, or other factors that can have a disproportionate impact on the magnitude of a loss.

Conclusion

The field of property insurance has expanded rapidly over the past half century. Facilities have become more complex, and computerized business linkages have created new dependencies that require varied insurance coverages. Stronger and more secure systems and networks are needed to protect against large or even catastrophic losses to property and resulting business interruption. These conditions are likely to continue to affect property underwriting and claims settlements into the distant future.


Chapter 10. Cyber Liability Insurance.

LEGAL LIABILITY
The United States has a common law system. Developed from the British system, prior court cases are the primary source of interpreting legal obligations. The acts of Congress or state legislatures are viewed secondarily, supplementing or augmenting court decisions. In many cases, politics are the driving force as politicians pass laws that support, undermine, or otherwise change common law decisions.

Legal liability is an exposure to any legal obligation to compensate another party for a loss or damage. Lawsuits and other legal risks have been growing in the United States for many years. In more recent times, they have been spreading to other countries, affecting local and global operations of business.

General Liability
General liability exposures arise from civil lawsuits that generally fall into one of two categories:

Contractual Liability. Covers oral and written agreements that can be enforced in the courts. A party that fails to perform its obligations is exposed to the payment of damages or the requirement to perform as agreed.

Tort Liability. Covers an alleged wrongful act or omission that violates another party’s rights or causes that party damage. The aggrieved party can sue for compensation for the harm that was created.

Contractual Liability
Liability for the failure to adhere to the terms of a contract arises from specific circumstances and conditions. A claim of contractual liability involves the following components, some parts of which have already been discussed under the topic of contracts:

Agreement. An aggrieved party must present evidence that two parties mutually agreed to engage together in some behavior or activity. Generally, this occurs when one party makes an offer and another accepts it. Agreement may also be inferred from a process of negotiation when an offer and acceptance are implied.

Consideration. The two parties must agree to exchange assets or other elements that have value. When the service is performed, a court will consider the mutual consideration as an element in whether to enforce a contract. Absent consideration, an offer is simply a promise. “I will take care of this for you” holds no enforceable component in the absence of consideration.

Performance. If one of the parties believes the other party failed to perform, a disagreement may arise. If it cannot be worked out, it may be brought to a civil court for a determination of the right to receive damages or performance.

Enforcement. After the aggrieved party sues for performance, the parties will either settle the agreement or a court will enforce or refuse to enforce the contract.

Breach of Contract
A breach of contract occurs when one party does not fulfill obligations under a contract. Contractual breaches include:

Minor Breach. This level of failure to perform can be remedied in various ways while the bulk of the contractual commitments remain in place.

Material Breach. This is more significant. If upheld by a court, it allows one party to compel performance or collect damages.

Question
A computer software company agreed to provide a system to track data in a hospital. The software failed and caused the hospital to lose a considerable amount of money. The hospital sued for breach of contract and demanded that the software firm fix the system and refund part of the payment. Will the court agree?

Answer
If the contract is deemed to be breached, a court may assess either of two remedies.

Monetary Damages. The court can assess a financial penalty to be paid to the aggrieved party. Generally, the courts prefer this judicial remedy to resolve the dispute.

Specific Performance. If a monetary payment is not sufficient, a court may order the breaching party to perform according to the terms of the agreement.

Question
In the previous question, assume the court awarded damages for breach of contract. Could the court also award additional money because the contractual violation caused emotional distress to patients and staff?

Answer
No. A court will not award additional money for emotional distress in a contract violation. That is a tort charge.


Question
Lightning struck a semiconductor fabrication plant and started a small fire that was quickly extinguished. Nobody was hurt and damage was minor. The plant was the only source of certain microscopic circuits for cell phones. The facility was out of operation for more than a month. The closure seriously hurt companies depending upon the microchips for their production and sales. Two customers sued for damages. Will they win the lawsuits?

Answer
No. The breach of contract will be viewed as an act of God, a legal term for events outside human control, for which no one can be held responsible.

Legal Fees
Enforcement refers to the ability to compel observance of contract terms or be compensated for a failure to perform. Businesses, nonprofits, insurers, and employers are concerned about contract enforcement when another party receives services and then refuses to pay for them. The aggrieved party can sue the individual for the funds due. Insurance policies may or may not cover the breach of contract.

The legal fees involved with settling insurance claims can be prohibitive. As a result, many lawsuits are settled before they proceed to court even when the claim is not likely to produce a positive result for the plaintiff.

Question
A plaintiff was harmed by the failure of a proprietary delivery-tracking computer program. He filed a lawsuit alleging bad faith because the defendant’s insurer spent nearly $1 million on attorney’s fees defending a claim for less than $100,000. The plaintiff argued that the insurer pursued a “bad faith litigation strategy” seeking to discourage the filing of small value claims. Will the court agree?

Answer
It did not agree. The insurer is allowed to verify the extent of loss and the remedy to indemnify the insured and to insist upon proper documentation to support all claims.

TORT LIABILITY
A tort is a wrong that causes personal injury to another person. An accusation of a tort can bring the parties into court. The steps to resolve it are:

Damage. A party alleges that it suffered harm as a result of behavior of another party. The harm can be to people, assets, or other items or ideas of value.

Evidence. The aggrieved party presents information to show the court that damage or loss was incurred.

Linkage. The aggrieved party shows how the other party was the direct cause of the harm.

Enforcement. A court determines whether financial or other remedy is granted.

Goals of Tort Liability
The law of tort liability evolved over the ages in the common law system. Its goals are:

Accountability. The legal system accepts the duty to hold parties responsible for their behaviors. When people harm others or their possessions, tort law seeks to rectify the situation.

Reimburse Losses. Tort law provides funding for the economic consequences of wrongful losses. The money comes from the party or parties that caused the harm.

Increase Safety. Tort law encourages efforts to reduce accidents and injuries. People minimize harm because they will be forced to remedy any damage they do.

Tort Liability Exposures
Tort exposures arise most commonly in three categories:

Third Party. This refers to individuals or organizations without contractual or prearranged legal relationships with a plaintiff. The party is harmed without any prior expectation that such an event could occur.

Second Party. Here the plaintiff and defendant do have a relationship. Individuals allege injuries, illnesses, or wrongful actions by a party they know or with whom they have a contractual or non-contractual relationship.

Employee. This is also a second party relationship. It occurs when an employee alleges injuries, illnesses, or wrongful actions by an employer.

Question
A data services company offered to provide off-site data storage and transaction processing for a contractor on its equipment located in a data processing support center. The system was hacked, compromising employee names and causing losses to the employer and employees. The contractor sued for its damages. Three employees filed lawsuits separately against the services company. The defendant argued that the employees had no contract with it and therefore the lawsuits were not valid. Is that true?

Answer
No. The employer can sue the services company for breach of contract or can allege a tort liability loss. The employees have no contract with the company but can also sue for a tort loss.

General Torts
A general tort commonly occurs in four categories:

Negligence. A party accidentally or unintentionally causes harm by careless or unthinking behavior.

Intentional Tort. A party consciously and deliberately violates the rights of another party. This kind of tort often produces criminal as well as civil charges.

Strict Liability. This is the result of a violation of a legal obligation to provide a certain level of care in a specific situation. It is usually the result of statutory requirements rather than common law precedent.

Invasion of Privacy or Defamation. This is a violation of the privacy rights or reputation of another party.

Question
A woman was arguing with a customer services representative in a department store. In a moment of anger, she smashed the computer screen on the desk. The store demanded payment for the damage and sued her for negligence. Will it win?

Answer
Yes, but not for a loss caused by negligence. The damage was caused by an intentional tort.

CYBER RISK LIABILITY
Cyber risk insurance can cover losses arising out of data or privacy breaches including:

Expenses to manage an incident. This includes the investigation, remediation, notification, and credit checking.

Business interruption. Losses to operations.

Extortion. Losses from criminal actions.

Network damage. To software and communications capabilities.

Regulatory investigation costs. Penalties and other costs involved with government actions.

Question
A hospital suffered a data breach involving 32,500 confidential medical records. It occurred with records stored on a system fully accessible to the Internet but lacking encryption or other security measures to protect patient information. A class action lawsuit produced a $4 million settlement. The insurer paid it under a cyber insurance policy less a $100,000 deductible.

Subsequently, the insurer filed a lawsuit seeking reimbursement from the hospital based on an exclusion in the policy precluding coverage for “failure to follow minimum required practices.” It alleged failure to:

Continuously implement risk controls identified in the insurance application.

Regularly check and maintain security patches on its system.

Regularly reassess information security exposure.

Regularly enhance risk controls.

Have a system in place to detect unauthorized access.

Make all changes to its network to ensure it remains secure, among other things.

Does the insurer have to reimburse the hospital for damages?

Answer
We do not know. A court dismissed the lawsuit, but not because it lacked merit. Rather, the parties had agreed to use mediation to settle any disputes, and that had not been done. Columbia Casualty Co. v. Cottage Health System.

Business Torts
These arise from the conduct of activities that create and distribute products or provide services. Common business torts include:

General Torts. Occur when an organization undertakes its activities and something happens that damages another party.

Employer Torts. Covers accidents, disease, and injuries incurred by workers in the course of performing their duties.

Product or Service Torts. Involve a product or service created by a business that subsequently fails to perform as advertised.

Professional Torts. Occur when highly trained and skilled individuals provide faulty services or otherwise deviate from expectations for their professions.

Question
A company was struck by malicious software that deleted thousands of records. It hired a security services firm to rebuild the operating system. A licensed technician did the job. When the system started up after the repair, it overheated and deleted many more records. The company wants to sue for damages. Is this a product tort or a service tort?

Answer
It could be either or may be both. This is one difficulty of determining the nature of cyber risk.

Quirks in U.S. Tort Liability
Legal liability in the United States has been accompanied by a tendency to use the courts to pursue goals not strictly related to reimbursing tort losses. We have many examples of odd behavior.

Sovereign Immunity
Governments have immunity from lawsuits, a concept embedded in common law. It does not matter whether a government’s discretion was abused. The immunity recognizes that governments must make complex decisions weighing competing political, social, economic, or safety factors. The goal of sovereign immunity is to protect governments from second-guessing by courts.

Having said that, many statutes waive this immunity and clear the way for lawsuits against municipalities, local governments, and government agencies. State governments often make a determination that grievances need a forum to address them when government agencies and public entities misbehave. Governments in the U.S. can often be sued under statutory legislation that makes them vulnerable to negligence or other allegations.

Question
Springfield State Hospital and St. Joseph’s Hospital jointly administered a well-baby clinic. At the clinic, a computer malfunction mixed up pharmaceutical labels. The clinic administered the wrong medication to an expectant mother, causing severe disability to a newborn child. The mother sued both hospitals. Is it likely that the hospitals will be ordered to pay damages awarded by a court?

Answer
The court will decide what to do.

• St. Joseph’s is a private institution and has no exemption from being sued.

• Springfield is a public hospital. It can avoid a trial if statutory law has not waived sovereign immunity for state institutions.

NEGLIGENCE
Negligence can arise from a variety of sources. These include:

Imprudent Behavior. A party fails to behave as a reasonably prudent individual.

Commission. It can result from the allegation that a party committed a careless or thoughtless act.

Omission. It can arise from the failure to perform an act that would be performed by a reasonable person to help another party avoid harm.


Legal Decision. A court or arbitrator can assess a behavior and the accompanying situation and fact pattern and reach a conclusion that negligence occurred.

Acts of Negligence
We can identify three specific acts of negligence:

Positive Voluntary Act. Occurs when a party commits an imprudent act.

Failure to Act. Attributed to a party that does not make a reasonable attempt to avoid harm to another party.

Vicarious Act. Occurs when negligence is attributed to one party as a result of the act of a different party.

Cyber Risk Negligence
Cyber risk liability lawsuits are most likely to allege negligence. As in any negligence lawsuit, the plaintiff proves negligence by showing:

Unreasonable Behavior. Parties that electronically store, transmit, or otherwise control confidential information belonging to other parties should take all reasonable steps to protect the data.

Duty and Failure to Act. The defendant had an obligation to install better security systems, implement effective safeguards, or take other steps to avoid a data compromise. These actions did not take place.

Occurrence of Loss. Plaintiffs were financially harmed by release of data, breakdown of a computer system, loss of communications or other capabilities, or other cause of distress.

Proximate Cause. The defendant failed to take reasonable measures to protect the data and secure the system against attack. This failure caused the loss.

Question
A teenager sought excitement and went to an obstacle course with automated barriers. She signed a waiver of all rights, acknowledging that overcoming obstacles is a dangerous sport and that she knowingly accepted all risks. At a computer-operated barrier in the middle of the course, a malfunction dropped her from a five-meter wall. The girl was seriously injured. She filed a lawsuit alleging negligence against the company operating the facility. Is the lawsuit valid?

Answer
The answer should be judged in terms of:

Legal Liability. Was the course operator negligent?

Consent. If yes, did the girl agree to accept the risk even if negligence is involved?

Waiver. Did the age of the girl waive the right of the operator to enforce the consent?

Enforcement. Can an individual, particularly a teenager, waive the right to sue for negligence?

Question
In the previous question, assume an insurance company refused to pay the damages awarded to the girl in her lawsuit against the operator. Can the insurer avoid payment by claiming that the computer malfunction is the cause of the negligence, not the behavior of the operator?

Answer
Yes. If the operator loses the lawsuit, the insurer must pay the girl. If the insurer wants to hold the manufacturer responsible, it must file a separate lawsuit for subrogation of the loss.

Elements to Prove Negligence
A party alleging negligence assumes the burden of proving it. The proof involves the following:

Unreasonable Behavior. Evidence is presented in an effort to demonstrate that a party engaged in unreasonable behavior.

Duty and Failure to Act. The circumstances and situation are such that a party had a legal duty to act or not act and failed to fulfill the duty.

Occurrence of Loss. In that situation, the plaintiff suffered damage such as bodily injury, property damage, or financial loss.

Proximate Cause. The loss was the direct result of the negligent behavior. That is, the plaintiff must show a cause and effect relationship between the act and the loss.

Question
A repairman from a computer repair company was working on a university’s computer server. He disconnected it, causing a shutdown of the firewall. Two days later, malware caused considerable damage to student and employee records. The university hired a cybersecurity firm to restore the records and remove the malware. Three months later, confidential information was released to the public, embarrassing several employees. No student information was leaked. Some employees filed a class-action lawsuit against the university. Parents of the students did the same. Both groups alleged negligence on the part of the university and the computer repair company. The university filed a negligence lawsuit against the repair company. Was anybody negligent?

Answer
The discussion should be tested against:

Negligent Behavior. Was it negligent to shut down the computer, thus disabling the firewall?

Existence of Loss. The university had extra expenses. The employees were embarrassed.

Proximate Cause. Did the disconnect allow the malware to enter the system?

Linkage. Was the disconnect the direct source of the cyber attack?

Defenses to Negligence Claims
After evidence of negligence is introduced, a defendant may argue a variety of defenses:

Assumption of Risk. Show that a party accepted a risk, understood the possible consequences and exposures, and is responsible for accepting the consequent loss.

Contributory Negligence. Argue that the plaintiff was partly responsible for the loss.

Last Clear Chance. Show that a party had one final opportunity to avoid an accident caused by negligence. As the plaintiff did not take advantage of the opportunity, the failure frees the defendant from liability.

Statutory Immunity. In some cases, a jurisdiction has a law that prohibits a negligence lawsuit under specific circumstances. The statute generally trumps the common law.

Question
A manufacturer of fireworks hired a company to design and install an automated assembly line for a specific class of dangerous fireworks. The computer services company assigned an experienced project manager to the task. The project manager warned the manufacturer that it should not automate the assembly of such a dangerous product. The manufacturer asked that it be done anyway. Three months after the project finished, the automated process failed. An explosion did considerable damage. Was anybody negligent?

Answer
Maybe. The answer should cover assumption of risk and contributory negligence.

Question
A politician told supporters that he had a serious financial obligation and was trying to avoid bankruptcy. He and the bank went to arbitration to work out the problem. During the period of negotiations, a hacker broke into the bank’s records, found the negative data on the politician, and published it. The politician subsequently sued the bank, alleging negligence by the bank in handling his personal financial data. The bank argued that the politician’s release of a general description of the situation at a political rally waived the right to privacy for the public portion of the financial records. Who will win the lawsuit?

Answer
Probably the bank. The issues involve consent and waiver.

• Waiver. The public statement seems to waive the right to confidentiality of the general information that the record existed.

• Consent. Revealing the information to supporters could be consent to disclosure.

• These do not apply if the bank hacking produced specific damaging details or non-public information.

CYBER LIABILITY INSURANCE
Many forms of cyber liability are emerging, prompting organizations to develop new risk management tools to protect themselves. New insurance forms are also being developed. The penalties for failing to secure personal data are becoming quite serious as governments get more involved. U.S. examples:

Fair Credit Reporting Act. Information generated in consumers’ credit reports must be kept secure.

Gramm-Leach-Bliley Act. Applies to financial institutions, requiring them to have reasonable procedures in place to ensure the security and confidentiality of customer information.

Health Insurance Portability and Accountability Act (HIPAA). Requires medical and insurance organizations to maintain systems to protect the security of health data.

State Laws. Many states have passed laws or regulations to protect the personal information of consumers.

Cyber Liability Coverage
A cyber liability policy covers two financial impacts from a liability lawsuit:

Damages. It provides insurance to reimburse liability lawsuit judgments, subject to a deductible and limits of the policy.

Duty to Defend. It also pays the legal and other costs of defending against liability claims.

Question
An insurance policy can be written as a reimbursement policy, a pay-on-behalf policy, or an indemnification policy. Pay on behalf is the modern common form for liability policies. Why is this true?

Answer
Pay-on-behalf language enables the insurance company to manage and control the claim, including the tricky task of settling or fighting large allegations of losses arising from negligence.

Cyber Liability Insureds
A cyber policy may cover a variety of insureds including:

Individual. For a small business, the coverage may be restricted to lawsuits against the owner or operator.

Partners. For a partnership or joint venture, the policy can cover any or all of the named partners.

Corporation. For the corporation, the policy can cover the entity itself plus officers, directors, and employees.

Question
A cyber policy covers Joseph Chou as an individual tax accountant. Joseph’s wife Koreen does not work in the accounting office. Anna is a receptionist in the office. A cyber attack compromises the data of its clients. Four lawsuits are filed against the firm and individuals. Are these individuals insured persons for purposes of the policy?

Answer
All are insureds: Joe as the individual insured, Koreen as the spouse, and Anna as an employee.

Cyber Liability Coverage Forms
Cyber liability policies can be issued for a specific period of time and with specific conditions for liabilities covered in the time period. They can be issued using two coverage forms:

Occurrence. An occurrence is a single event that causes a loss. The policy covers a cyber loss that occurs during the policy period even if a claim is not made during the period.

Claims-made. A claims-made policy covers claims made during the policy period regardless of when the cyber incident occurred.

Occurrence Definition
Dealing with occurrence and claims-made forms can be tricky. The definition varies widely.

Time Period. The term can refer to all cyber attacks in a fixed period, such as 72 hours.

Single Source. An occurrence of loss can be defined as coming from a single event.

Silence. Sometimes policies are silent on the definition.


Claims-made Policy
A problem can arise with the renewal of a claims-made policy. Suppose an insured has a cyber loss during a period when it has a claims-made policy. If the claim is not filed, the insurer is not obligated to cover it. The insurer may not be willing to cover it when the policy is renewed. Further, if the insured seeks coverage elsewhere, other insurers may exclude it. In that case, the insured would have no coverage.

Question
A taxi company purchased 25 vehicles from a car dealer in September 2015. The company completed payment while in the office of the dealer using a computer of the dealership. Packet-sniffer malware intercepted the transmission and diverted the money. The dealer refused to deliver the vehicles. In April 2016, the taxi company filed a lawsuit demanding delivery of the vehicles. The dealer had a claims-made policy from United Insurance in 2015, and an occurrence policy from Northern Insurance in 2016. Neither policy had an extended or supplemental period. Which policy covers the loss?

Answer
Neither. The claim was not filed during the period of claims-made coverage. The occurrence did not occur during the time period of the occurrence policy.

Claims-made Time Periods
To offset the problem of a failure to issue a renewal policy after a loss, an insured can purchase endorsements to the claims-made CGL policy. The coverage identifies three time periods:

Basic Period. The start and end time when a policy provides coverage for claims made.

Extended Period. A period up to five years after the basic period when claims may be filed for losses during the basic period. When the insurance is renewed, the renewing insurer will not be responsible for losses that occurred in the prior period if a claim is made in the extended period.

Supplemental Period. An unlimited period after the extended period. Effectively, this converts the claims-made policy into an occurrence coverage.

Retroactive Date. A CGL policy commonly identifies a retroactive date defined as the start of covered claims from the bodily injury or property damage alleged in the claim. The claim may be filed in the covered policy period but losses that occurred prior to the retroactive date are excluded from coverage.


Both the extended period and supplemental period endorsements require an additional premium.

Cyber Liability Policy Trigger
An insurance policy trigger is an event that activates liability insurance coverage. Courts accept different definitions of occurrence:

Injury in Fact. The date or time period when an individual or organization is exposed to the source of a loss or injury. It can be the time when a hacker inserts spyware in a computer system.

Injury in Residence. A time period after the exposure when the injury or disease is not recognized but is developing in the body of an exposed person. This can be when the spyware is stealing data or causing harm that is not detected.

Manifestation. A period when symptoms appear or the injury is diagnosed. This is when a loss is recognized by computer operators or cybersecurity parties.

Some courts have applied all three theories for triggering coverage under liability occurrence policies. Called a triple trigger, such interpretation allows recovery for damages from all policies in effect from the exposure to the damage.
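The coverage-window rules described in this chapter (occurrence versus claims-made forms, the retroactive date, extended and supplemental reporting periods, and the triple-trigger reading of occurrence policies) can be written down as a small decision procedure. The Python below is added here as an illustration and is not part of the book or of any insurer's policy form; the policy names, dates, and field names are constructed for the example, with the main scenario modelled on the taxi-company question so that the result can be checked against the book's answer of "neither."

```python
"""Coverage-window logic for occurrence and claims-made liability policies.

Added illustration: the Policy fields, insurer names and dates below are
constructed for this example, not taken from any real policy form.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping Feb 29 to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Policy:
    insurer: str
    form: str                                # "occurrence" or "claims-made"
    start: date                              # first day of the basic period
    end: date                                # last day of the basic period (inclusive)
    retroactive_date: Optional[date] = None  # claims-made only: earlier losses excluded
    extended_years: int = 0                  # extended reporting period (up to five years)
    supplemental: bool = False               # unlimited reporting period after the extended one


def covers(policy: Policy, incident: date, claim: date) -> bool:
    """Decide whether one policy responds to a loss on `incident` claimed on `claim`."""
    if policy.form == "occurrence":
        # Occurrence form: the loss must happen inside the policy period;
        # when the claim is eventually filed does not matter.
        return policy.start <= incident <= policy.end
    if policy.form != "claims-made":
        raise ValueError(f"unknown policy form: {policy.form!r}")

    # Retroactive date: losses before it are excluded whenever the claim is made.
    if policy.retroactive_date is not None and incident < policy.retroactive_date:
        return False

    # Claim filed inside the basic period: covered regardless of the incident date.
    if policy.start <= claim <= policy.end:
        return True

    # Claim filed after the basic period: only a reporting-period endorsement helps,
    # and it reaches back only to losses that occurred during the basic period.
    if claim > policy.end and policy.start <= incident <= policy.end:
        if policy.supplemental:
            return True
        if policy.extended_years > 0:
            return claim <= add_years(policy.end, policy.extended_years)
    return False


def covering_insurers(policies: List[Policy], incident: date, claim: date) -> List[str]:
    """Names of every policy in the list that responds to the loss."""
    return [p.insurer for p in policies if covers(p, incident, claim)]


def triple_trigger_insurers(policies: List[Policy], exposure: date, manifestation: date) -> List[str]:
    """Occurrence policies in force at any time from exposure through manifestation."""
    return [p.insurer for p in policies
            if p.form == "occurrence" and p.start <= manifestation and p.end >= exposure]


# Constructed scenario modelled on the taxi-company question: loss in September 2015,
# lawsuit filed in April 2016, one claims-made policy for 2015, one occurrence policy for 2016.
INCIDENT = date(2015, 9, 15)
CLAIM = date(2016, 4, 10)
UNITED_2015 = Policy("United Insurance", "claims-made", date(2015, 1, 1), date(2015, 12, 31))
NORTHERN_2016 = Policy("Northern Insurance", "occurrence", date(2016, 1, 1), date(2016, 12, 31))
DEALER_POLICIES = [UNITED_2015, NORTHERN_2016]

# Hypothetical variants of the 2015 claims-made policy with reporting-period endorsements.
UNITED_2015_EXTENDED = Policy("United (1-year extended)", "claims-made",
                              date(2015, 1, 1), date(2015, 12, 31), extended_years=1)
UNITED_2015_SUPPLEMENTAL = Policy("United (supplemental)", "claims-made",
                                  date(2015, 1, 1), date(2015, 12, 31), extended_years=5, supplemental=True)
FAR_FUTURE_CLAIM = date(2030, 1, 1)

# Hypothetical 2016 claims-made policies, with and without a retroactive date.
RETRO_2016 = Policy("Retro 2016", "claims-made", date(2016, 1, 1), date(2016, 12, 31),
                    retroactive_date=date(2016, 1, 1))
NO_RETRO_2016 = Policy("No-retro 2016", "claims-made", date(2016, 1, 1), date(2016, 12, 31))

# Three consecutive annual occurrence policies for the triple-trigger illustration.
ANNUAL_OCCURRENCE = [Policy(f"Occurrence {y}", "occurrence", date(y, 1, 1), date(y, 12, 31))
                     for y in (2014, 2015, 2016)]

LEAP_DAY_PLUS_ONE_YEAR = add_years(date(2016, 2, 29), 1).isoformat()

if __name__ == "__main__":
    print("Dealer's policies responding:", covering_insurers(DEALER_POLICIES, INCIDENT, CLAIM) or "neither")
    print("With extended period:", covering_insurers([UNITED_2015_EXTENDED], INCIDENT, CLAIM))
    print("Triple trigger, exposure to manifestation:", triple_trigger_insurers(ANNUAL_OCCURRENCE, INCIDENT, CLAIM))
```

Running the scenario yields no responding policy, which is the book's answer; adding a one-year extended reporting period to the 2015 claims-made policy is what would close the gap. The retroactive-date variants show why a later claims-made policy cannot be relied on to pick up an earlier loss when the retroactive date equals its inception.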

Security Breach Liability Insurance
This insurance reimburses an organization for losses resulting from hacking or other loss of data. It covers:

Liabilities and defense costs that arise after a cyber attack that steals data.

Costs to notify customers and employees affected by a data breach.

Most forms of data breach, including stealing of credit card numbers and social security numbers.

Advertising and communication costs associated with repairing your reputation.

Cyber Errors and Omissions
Cyber E&O liability insurance covers claims arising from errors related to the existence or performance of technology. The insureds seek protection when hardware, software, and technology or consulting activities or services fail to perform and thus produce loss to other parties. The most common allegation is that a loss occurs as the result of negligence. Cyber E&O covers claims from customers, vendors, or unrelated parties. Three common policy forms are:

Media Liability. This covers advertising injury such as infringement of intellectual property, copyrights, or trademarks, and libel and slander. Prior to relatively recent technology developments, media liability was covered in a commercial general liability policy. The dominant presence of the Internet has caused this coverage to migrate into a separate media liability policy.

Network Security. This covers failures of network security, which can lead to a variety of losses. Examples include harm from a consumer data breach, destruction of data, or virus transmission. Also covered is cyber extortion. A hacker can demand a payment so the insured can avoid a destruction or shutdown of a computer network or the release of intellectual property.

Privacy. This covers threats to make private information public. A hacker that obtains credit card or other protected information can demand a ransom. Privacy doesn’t have to involve a network security failure. It can be a breach of physical records, such as files tossed in a dumpster, or human errors such as a lost laptop, or sending a file full of customer account information to the wrong email address. Companies have also faced liability from returning a photocopier with a hard drive that contained customer tax records. A privacy breach can also include an action like wrongful collection of information.

Question

A fashion model stored a secret formula for a facial moisturizer with a data storage company. The system was hacked and the formula was released to the public. Her profit from sales of the product dropped from $2.4 million to $1.1 million in the next year. She sued the computer services company. The defendant offered to settle the lawsuit for $400,000. Is this a reasonable offer?

Answer

Some people think yes. Some think no. That is one problem with settling cyber lawsuits.

Cyber Package Policy

An insurance company may offer a network security and privacy liability combined coverage. It can take many forms but might include:

First-party Loss. This applies to the insured and reimburses the direct costs of responding to a hack attack, security failure, or damage to equipment or software.

Third-party Loss. This applies to lawsuits from customers or others that make claims that losses arose from technology. It also covers regulators that demand information or cause the insured to incur extra costs after a security failure.


CYBER LIABILITY LAWSUITS

Cyber lawsuits span a wide range, as already discussed, but cyber liability can be particularly costly in the United States.

Class Action Lawsuits

A starting point to understand the extent of cyber liability exposure is to recognize the class action lawsuit. Two parties to a lawsuit are:

Plaintiffs. In a class action lawsuit, a group of individuals alleging a wrongdoing by another party that causes a financial loss to all the members of the group.

Defendants. These are one or more organizations accused of negligence that caused a loss. Generally, at least one of the defendants is characterized by “deep pockets.”

A class action lawsuit may be brought in two places:

Federal Court. The lawsuit is eligible for this forum when plaintiffs are alleging damages of more than $5 million or when plaintiffs live in many states and one state court is not an obvious choice.

State Court. This is the expected venue when most plaintiffs live in a single state or for cases that do not involve a high level of alleged financial damage.

A class action lawsuit has a preferred jurisdiction for each party. Defendants prefer federal courts where legal procedures are largely standardized and the legal environment is less charged with emotion, unexpected rulings by judges are less likely, and the court judgments are somewhat consistent as to the application of facts and the law. Plaintiff lawyers prefer state courts. They recognize the fact that some states and jurisdictions have state laws, judges, and juries that favor plaintiffs.

Filing the Lawsuit

Plaintiff lawyers attempt to identify as many harmed individuals as possible. Then, the lawyers bring a class action lawsuit with one or several named plaintiffs on behalf of all harmed parties. The goal is to have a court certify the validity of the lawsuit. The lawyers then file a motion to have the class certified. The court evaluates whether the parties have suffered a common injury. If the court determines a common injury, it certifies the class action and it becomes a lawsuit.

Cyber Lawsuits


One way to understand the scope of cyber liability is simply to examine specific lawsuits.

P.F. Chang Lawsuit

In 2014, Travelers issued P.F. Chang a commercial general liability insurance policy. The restaurant chain was a victim of a data breach compromising customer credit card and debit card information. When lawyers filed a class-action lawsuit as a result of the breach, P.F. Chang filed a claim with Travelers. The insurer denied the claim, arguing a CGL policy does not cover losses from data breaches. P.F. Chang has a separate cyber liability policy. Which policy covers the losses?

The answer is a court will decide or may have already made a decision. The lesson is that good risk management now demands that companies review cyber risk liability and coordinate insurance coverages.

Posting Medical Records

Incident

A health care provider accidentally posted the medical records of thousands of patients on the Internet. A class action suit was filed for alleged emotional distress of the affected patients.

Potential Loss

A class action lawsuit could seek damages and the federal government can cause the insured to pay for an investigation under a violation of the Health Insurance Portability and Accountability Act (HIPAA).

Disclosure of Personal Records

Incident

A man purchased a used computer from a pharmacy. The computer contained the prescription records, including names, addresses, social security numbers, and medications of the pharmacy customers. The computer was subsequently hacked and the personal medical records were posted on the Internet.

Loss

Costs were incurred from the following sources:

Notification. State law required the pharmacy to pay the cost of notifying affected parties.

Lawsuit #1. An individual lost her job as a result of the disclosure.

Lawsuit #2. An individual’s identity was compromised, resulting in costs to correct misinformation and a request for compensation for emotional distress.

HIPAA Investigation. Legal costs were incurred.


Data Security

Incident

A part-time hospital employee gained unauthorized access to confidential electronic patient records and discussed with co-workers an individual’s HIV status.

Loss

The individual sued the hospital for lack of adequate security measures to protect digital patient records. A court awarded damages and the hospital incurred legal defense costs.

Software Malfunction

Incident

A software programming flaw led to diagnostic software incorrectly creating a false image and causing a doctor to make a wrong diagnosis on a patient’s condition.

Loss

Two separate situations:

The Doctor. Faced a lawsuit for negligence as a result of not verifying the diagnosis.

The Software Company. Faced a cyber E&O lawsuit alleging a faulty design of the software.

Judicial Hellholes

A great danger from a cyber attack is made worse by the existence of jurisdictions where massive judgments can be brought against organizations managing data and personal information of individuals. The courts are located in what are called judicial hellholes.

The American Tort Reform Association (ATRA) identifies judicial hellholes as places where judges systematically apply laws and court procedures in an unfair and unbalanced manner. In most cases, this behavior occurs against the defendants in civil lawsuits. It is a particular problem for insurance companies.

Over the period from 2000 to 2015, ATRA reports that abuses have decreased across-the-board. State legislators and judges have become involved in tort reform in an effort to stem the worst abuses of the legal system. As an example, Madison County, Illinois, centered across the Mississippi River from St. Louis, was historically the preeminent Hellhole. It significantly improved in fairness since 2009, largely as a result of the efforts of members of the Illinois judiciary.

ATRA listed jurisdictions that have recently made the Judicial Hellhole List:


Philadelphia. The city hosts a disproportionate share of Pennsylvania’s lawsuits as lawyers bring cases to what is perceived as plaintiff-friendly courts. Its Complex Litigation Center (CLC) has judges that actively sought to attract personal injury lawyers from across the state and the country. The court system has expedited procedures, a high win rate for plaintiffs, and generous awards for injuries. In 2012, tort reform reduced the flow of medical liability cases to Philadelphia and limited a defendant’s liability to its share of fault.

California. The state itself has replaced Los Angeles on the list. Courts are filled with lawsuits that destroy small businesses. Professional plaintiffs throughout California file the cases. Individuals file extortionate claims against popular family-owned restaurants, bookstores and salons. Their lawyers demand thousands of dollars to settle allegations of technical violations of laws, particularly disabled access standards. The courts enable the misbehavior in spite of efforts by voters to reduce abuses. The California Supreme Court has mixed results in recent years in dealing with the situation.

West Virginia. The state has core problems in its civil justice system. It does not use a full appellate review of judgments. It has unusual liability rules and excessive awards. West Virginia allows for weak lawsuits by plaintiffs from other states. The state attorney general office directs settlements to private organizations instead of giving the money to the state and its taxpayers. An improvement in 2011 occurred when the Supreme Court upheld a limit on subjective pain and suffering damages in lawsuits against healthcare providers.

South Florida. This is a center of excessive and fraudulent automobile insurance litigation and tobacco lawsuits. The state allows expert testimony from “professional experts” who work for the plaintiffs’ lawyers, a factor that contributes to its reputation as a Judicial Hellhole. The Florida legislature has approved tort reform legislation, but the Florida Supreme Court has ruled much of it to be unconstitutional.

Madison and St. Clair Counties, Illinois. This area accepts asbestos and other claims from out-of-state and has steadily been hostile to manufacturers. It also provides a haven for mesothelioma claims as its courts accept lawsuits against out-of-state pharmaceutical companies. An example of the problem is a $10 billion verdict in a tobacco lawsuit.

New York City and Albany, New York. These are jurisdictions of silly lawsuits that have the potential to create large liability judgments, in many cases against municipalities and small and large businesses. The state legislature is not known for its willingness to institute tort reform.

Clark County, Nevada. In Las Vegas we have judges that are both sympathetic to plaintiffs and unfair to defendants. The media regularly carries stories of abuse and excess. Juries are presented with unusual legal arguments and respond with verdicts that are outsized to say the least. Part of the problem is the instructions from judges after they block relevant evidence that favors defendants.

McLean County, Illinois. Courts in this jurisdiction are credited with developing new legal theories in order to award damages to plaintiffs. One example involves verdicts where an asbestos manufacturer had to pay damages to plaintiffs who were not harmed by the company. Payment was justified because the company had concealed the danger of asbestos and thus was accused of participating in a “civil conspiracy.”

Watch List

In addition to the list, ATRA publishes a Watch List of jurisdictions that have the potential to join the Hellhole List or avoid it by instituting tort reforms. The watch list included:

Federal Eastern District of Texas. This court is known for costly patent litigation. It is rare for this report, which traditionally focuses on state courts, to include a federal district court.

Cook County, Illinois. The home of Chicago, it dropped from the Judicial Hellholes list after a year without unsound rulings and outsized verdicts that cemented its Hellholes reputation in the past.

Southern New Jersey. This locale favors employees in lawsuits against employers.

Atlantic County, New Jersey. ATRA describes it as a magnet for massive lawsuits against drug makers, but dropped the county from the 2010 Judicial Hellhole list.

Franklin County, Alabama. This is a rural jurisdiction that accepts lawsuits against out-of-state manufacturers and favors in-state plaintiffs.

Smith County, Mississippi. A court awarded $322 million, the largest single-plaintiff asbestos verdict in U.S. history. Subsequently, the media reported that the presiding judge did not disclose that his parents had previously filed lawsuits against the same manufacturer.

Louisiana. This is a jurisdiction for unsubstantiated claims of environmental contamination by energy companies. Companies faced more than 250 trials and many settled instead of risking unpredictable and financially devastating jury verdicts.


Dishonorable Mentions

In its 2011-2012 report, ATRA awarded a dishonorable mention to the Mississippi Supreme Court for an unsound ruling that abandons a core principle of product liability law. A similar judgment was rendered against the Arkansas Supreme Court for striking down a reasonable statutory limit on punitive damages. A final dishonorable mention was given to an appellate court and the Missouri Supreme Court for refusing to reverse a shameless class-action coupon settlement.

Points of Light

The ATRA report emphasizes good news from Judicial Hellholes and other jurisdictions. Points of Light are examples of positive legislative reforms and fair and balanced judicial decisions that adhere to the rule of law.

Reforms. State legislatures enacted many civil justice reforms since 2011.

Rulings. Courts, including those with bad reputations, were cited for sound rulings.

Conclusion

Cyber risk liability and insurance to cover it in its myriad forms are in the early stages of development. New incidents and the response to them will likely produce considerable changes in the nature and availability of insurance coverage.


Chapter 11. Cyber Reinsurance

OVERVIEW OF REINSURANCE

Reinsurance is insurance that is purchased by an insurance company from one or more other insurance companies with a goal of spreading its own risk. The parties to a reinsurance agreement are:

Primary Insurer. This is the company that issues an insurance policy and is responsible for paying claims that arise from it.

Ceding Insurer. This is the term for the primary insurer when it transfers (cedes) a portion of the risk to a reinsurer.

Reinsurer. This is the insurance company that accepts a portion or all of the risk under a policy written by a ceding insurer.

Objectives of Reinsurance

The availability of reinsurance achieves several objectives for insurance companies offering policies to cover cyber risk:

Increase Capacity. The insurer can write more coverage than would otherwise be allowed based on its financial strength and ability to repay claims.

Stabilize Profits. By sharing risk, the primary insurer reduces the chance of a single large loss that must be covered 100 percent by the insurer. Without reinsurance, even infrequent poor underwriting results would make earnings fluctuate and undermine the confidence of investors and regulators.

Higher Limits. A single insurance company is only so large. It may want to accept risks that exceed its capacity to pay the claim. The insurer may lack the financial strength to accept the full amount of exposure desired by the client. Spreading risk into the reinsurance market avoids to some degree an unacceptable loss from a single exposure. In this context, reinsurance is a risk management tool for the primary insurer.

Specialized Coverage. In many cases an insurer does not have expertise to assess a risk. Reinsurer underwriters see a wide range of risks and can provide a broad perspective on the characteristics of an exposure. The insurer can bring in expertise from a reinsurer, underwrite the exposure, and then share the risk with the reinsurer.

Question

One goal of reinsurance is to increase underwriting capacity. How does reinsurance do this?

Answer

A company can offer policy limits that exceed its retention limits without exposing itself to an inappropriate level of risk. A company with a $1 million capacity per policy can offer a $3 million limit and reinsure $2 million of the exposure.

Question

Another goal of reinsurance is to stabilize profits. How does reinsurance do this?

Answer

The primary insurer can use reinsurance to avoid large fluctuations in earnings when one year has few losses and another has many losses. One example would be a policy that reimburses all losses above the point where losses exceed 70 percent of collected premiums.

Question

Another goal of reinsurance is to allow higher limits on individual policies. How does reinsurance do this?

Answer

The primary insurer can use reinsurance to limit the loss from a single catastrophic occurrence. One example would be a policy that reimburses all losses above a certain point as a result of a class action lawsuit.

Reinsurance Mechanism

To transfer an exposure, the ceding company and reinsurer enter into a reinsurance agreement that contains the conditions that must arise before the reinsurer would pay a share of the claims incurred by the ceding company. The ceding company pays the reinsurer a "reinsurance premium" that is less than the premiums collected by the primary insurer. When this is done, the two companies share the economic consequences of an unexpected loss under an insurance contract.

Reinsurance Language

The language of reinsurance is quite technical. Companies engaged in the market use all sorts of terms to describe their activities and business practices. Examples of simple terms are:

Cession. This is the amount of insurance that is transferred, or in the language of reinsurance, it is the amount that is ceded.

Ceding Company. This is the primary insurer that issues the policy and accepts the risk of claims against it.

Reinsurer. This is the party that accepts the cession from the primary carrier.


Retrocession. This is the amount of insurance that the reinsurer cedes to another reinsurer.

Question

Union Insurance, Western Insurance, Northern Insurance, and Asian Insurance are engaged together with a $45 million limit cyber insurance policy. Union writes the policy and cedes $25 million to Western Insurance and $10 million to Northern Insurance. Western Insurance cedes $15 million to Asian Insurance. Name the primary, ceding, and reinsuring parties to this agreement.

Answer

Union. Primary. Ceding.
Western. Reinsuring. Ceding.
Northern. Reinsuring.
Asian. Reinsuring.

Reinsurance Fronting

Fronting is an arrangement whereby an insurer issues a policy knowing it will be substantially reinsured. The arrangement is desired to achieve several goals such as:

Restrictive Local Laws. Many countries require the purchase of insurance from locally licensed carriers. An organization may work with a primary carrier locally knowing that the risk will be reinsured outside the jurisdiction with a carrier that is better able to offer the coverage.

Low Rates. An insured may use a licensed carrier to place the coverage with an insurer outside a local market in order to obtain lower premiums. A foreign unlicensed insurer may be less costly than the local available coverage.

Better Terms or Service. A reinsurer may be a specialist or be more flexible with respect to a line of insurance business. A reinsurance transaction may allow an organization to achieve goals that could not be pursued through the primary insurer.

Hard-to-place Risks. For some exposures, only highly skilled underwriters will write the risk. The reinsurance market can provide a carrier with the knowledge needed to structure the insurance coverage.

Question

A company operates a factory with an operations control system that integrates full electrification and utilities functions with advanced productivity tools. The system uses automatic scheduling with rules-based conflict resolution and a comprehensive suite of maintenance and support applications. The system is connected to the cloud. An insurer has agreed to provide $30 million in coverage against an external intrusion that damages or destroys the network with reinsurance covering 80 percent of any loss. The CFO proposed buying only $5 million of local insurance and secretly buying another $25 million from an unlicensed insurer outside the country. Is this a good strategy?

Answer

Not necessarily. This is a tricky situation. The recommendation of the CFO does not comply with local laws and is risky itself. At the same time, if the local insurer gets in trouble, the insured has no direct access to the reinsurance money. The company needs expert advice on how to proceed in this situation.

Question

With reinsurance, what should be the most important consideration when a primary insurer is selecting a reinsurer?

Answer

In most cases, the two most important factors when choosing a reinsurer are:

Financial Strength. The reinsurer needs resources to pay when losses occur. Will the reinsurer be financially available if the large loss occurs?

Expertise. For an unusual risk, the reinsurer should have the capability to assist in the underwriting, particularly the pricing.

Categories of Reinsurance

Reinsurance is really two very distinct markets and lines of business. A reinsurer will operate in both markets but will follow different approaches to assessing risk and underwriting policies. We can divide the reinsurance world into two categories:

Facultative. In this market, the primary insurer seeks reinsurance on a case-by-case basis when an application requests a high limit of coverage.

Treaty. The primary insurer writes a policy and then cedes a portion of all policies to a reinsurer under a contract written in advance.

FACULTATIVE REINSURANCE

The characteristics of facultative reinsurance are:

Large Single Risk. This coverage is available for large risks that can be identified separately within a category of exposures.

Unusual Exposure. The reinsurance often is issued in situations where primary insurers want another look at the factors affecting underwriting of the exposure. That is, the primary insurer recognizes the expertise of a reinsurer and seeks consultation on the proposed underwriting.

Individual Underwriting. One key feature of facultative insurance is that the reinsurance underwriter really knows the exposure. It is worth the time and energy to go into details on the specific perils that are being evaluated.

Individual Ratemaking. With a facultative risk, the premium is calculated directly to fit the unique aspects of the exposure. First the primary insurer assesses the risk and then consults with the reinsurer to ensure that both carriers agree on the terms and pricing of the policy.

Question

A reinsurer has to take care so it does not accept more risk than it can handle in a facultative reinsurance agreement. How can a reinsurer protect against catastrophic exposure?

Answer

Two ways can protect the reinsurer:

Underwrite the Risk. If the exposure is a refinery, large office building, or general liability exposure, the reinsurer can conduct its own underwriting review to ensure it is accepting a sound risk.

Reinsure the Risk. Just like the primary insurer, a reinsurer can shift a portion of a reinsurance agreement to another reinsurer.

TREATY REINSURANCE

With treaty reinsurance, a primary insurer and reinsurer sign an agreement that covers policies and shared exposures over a period of time. The characteristics of treaty reinsurance are:

Broad Coverage. The agreement states a category of risks rather than a single asset.

Exclusions. As with all insuring agreements, the treaty states assets, perils, time periods, locations, and other exclusions outside the scope of the document.

Shared Premiums and Losses. The treaty spells out the rights and responsibilities of the two parties.

No Advance Approval by Reinsurer. Once the treaty is in effect, it applies to all policies written by the primary insurer that fit the description of the agreement.

Maximum Liability per Treaty. The agreement may call for a limit on the maximum exposure for the reinsurer for all losses under the agreement.

Minimum Retention by Primary Insurer. The treaty will provide for a substantial retention of risk by the primary insurer. This provision is designed to ensure that the primary insurer does not relax underwriting standards for property or exposures within the scope of the agreement.

Question

A reinsurer has to take care so it does not accept more risk than it can handle in a treaty reinsurance agreement. How can a reinsurer protect against its own catastrophic exposure?

Answer

Two ways can protect the reinsurer:

Advance Approval. One way would be to require that the reinsurer approve all policies in advance of accepting them. This is impractical for thousands of policies. This approach works for facultative agreements where single large exposures are involved. It cannot work for a treaty. The policies are written covering too many properties, other assets, or risks for an individual evaluation to be made of each exposure.

Limitations and Boundaries. Instead of advanced approval, a treaty agreement applies to all policies that fit a specific description. As an example, a treaty can cover all the hurricane coverage an insurer provides in Florida up to $1 million per occurrence. It also can specify a maximum reinsurer liability on total exposures in a single time period.

Question

A primary insurer asked a reinsurer to accept a treaty where the primary insurer accepted five percent of a loss and the reinsurer would cover 95 percent. The reinsurer could then reinsure its portion with another reinsurer. Should the reinsurer agree to the treaty? Why or why not?

Answer

The reinsurer should not accept the agreement. It should require a larger retention by the primary insurer. Otherwise, the primary insurer could be tempted to relax underwriting standards and accept risks that are excessive or underpriced.

Question

Is cyber risk suitable for facultative or treaty reinsurance?

$20 million coverage for an authorized user destroying a firm’s entire computer network.

$10,000 per occurrence liability coverage for loss of data on 15,000 customer accounts.

Losses to computer equipment and electronic records in the Philippines resulting from insurgency.

Liability coverage against faulty design of software to prevent the meltdown of a nuclear power plant.

Theft of 200,000 credit card numbers and passwords stored on the Cloud.

Answer

$20 million user misbehavior. Facultative.

$10,000 liability for data loss. Treaty.

Losses from Philippines insurgency. War risk. Too uncertain.

Liability coverage nuclear meltdown. Facultative, with limit.

Faulty design. Facultative, with limit.

Pro Rata Treaty

This refers to an agreement where the primary insurer and reinsurer share premiums and losses according to a formula. Also known as proportional or participating reinsurance, the formula covers premiums and losses. Two forms of proportional treaties are common:

Quota Share. The sharing of premiums and losses by each party uses a formula. As an example, the primary insurer retains 60 percent and the reinsurer accepts 40 percent.

Surplus Share. With this structure of a treaty, each party’s portion is expressed as a multiple of “lines.” This is explained below.

Quota Share Treaty

The characteristics of the quota share approach are:

Fixed Percentages. This is the formula for sharing premiums and losses. In the example above, the percentages were 60 percent for the primary insurer and 40 percent for the reinsurer.

Variable Dollar Commitment. The amount of premiums and payments for losses vary with the size of each policy. The dollar commitment changes with volume. In a year of large losses, both parties pay more. In a year of rising premiums, both parties receive more.

Reinsurer Stated Limit. Most treaties specify a maximum that will be paid by the reinsurer. As an example, the parties may share 60 percent and 40 percent up to an aggregate limit of $50 million in a year. Above that number, the primary insurer either retains additional losses above $50 million or enters into another agreement to share or transfer losses above $50 million.

Ceding Commission. It would not be fair to simply share losses at the same percent as the share of premiums. The primary insurer has expenses from marketing the insurance program, underwriting policies, and settling claims. To cover these costs, the reinsurer pays a fee called a ceding commission to the primary insurer.

Question

A quota share treaty specifies that a primary insurer will retain 30 percent of premiums and losses. The reinsurer will pay a 15 percent ceding commission. During the policy period, premiums were $14 million and total claims cost $9 million. How much does each party receive for providing coverage and pay on the losses?

Answer

Insurer      Share of Premiums   Share of Losses   Commission
Primary      $4.2 million        $2.7 million      $2.1 million
Reinsurer    $9.8 million        $6.3 million      -$2.1 million

The primary insurer receives premiums and commissions of $6.3 million (4.2 plus 2.1) and the reinsurer receives $7.7 million (9.8 – 2.1).

Question
A quota share agreement has a reinsurer percentage as shown. The treaty covers two policies with limits of coverage as shown. What is the maximum reinsurer exposure under each policy?

                    Policy #1   Policy #2
Policy Limit        $60,000     $250,000
Reinsurer %         60%         60%
Limit of Coverage   $600,000    $600,000

Answer
Because the treaty limit per policy is higher than the loss in each case, the reinsurer share of the exposure is 60 percent of each loss or:

                            Policy #1   Policy #2
Reinsurer Share of Losses   $36,000     $150,000

Question
For the treaty in the previous question, what is the maximum exposure for the reinsurer under a policy with a limit of $1.2 million?

Answer

Policy Limit         $1,200,000
Reinsurer Limit      $600,000
Reinsurer Share      60%
Reinsurer Exposure   $360,000

Surplus Share Treaty
This treaty takes a different approach to how an insurer and reinsurer share risk under an insurance agreement. The primary insurer pays the full loss up to a specified limit. Reinsurance takes over above that limit. Characteristics of a surplus share treaty are:


Primary Line. A “line” is a dollar amount of exposure to the primary insurer. The treaty identifies the “line” as the full retention and thus exposure for the primary insurer under a policy.

Upper Limit in “Lines.” The reinsurer has an exposure expressed in terms of the number of “lines.” A four-line reinsurance agreement has a primary insurer retention of one line and has three lines ceded to the reinsurer. Assume the four-line policy has specified a “line” of $200,000. The primary insurer has an exposure for the first $200,000 (one line) and the reinsurer covers the next $600,000 (three lines) up to the policy limits of $800,000 (four lines).

Ceding Commission. Like the quota share treaty, this is a fee paid by the reinsurer to cover primary insurer marketing and administrative costs.

Question
A 5-line surplus share treaty covers policies with losses as shown. What are the insurer and reinsurer shares of each exposure?

                       Policy #1   Policy #2   Policy #3
Policy Limit           $60,000     $250,000    $700,000
Line                   100,000     100,000     100,000
Treaty Limit (Lines)   5           5           5
Limit of Coverage      500,000     500,000     500,000

Answer

                       Policy #1   Policy #2   Policy #3
Insurer Share          60,000      100,000     100,000
Reinsurer Share        0           150,000     400,000

CYBER INSURANCE HIGH LIMITS
In addition to reinsurance, other forms of coverage can handle the high limits that might be demanded in a cyber liability situation for a large organization.

Excess of Loss Insurance
For the insured, excess insurance has already been defined as coverage for the portion of a loss or damage that exceeds a specified amount in a primary insurance policy. It is triggered only when the underlying insurance policy limit has been exceeded. As with the earlier discussion, an attachment point is the lower limit of excess insurance coverage. It may be expressed as a dollar amount or as a financial ratio. In the insurance market, this is often called excess of loss reinsurance.

Characteristics of Excess
Excess insurance can be defined several ways including:


Excess per Risk. In this case, the attachment point occurs in an individual policy. It is applied to the loss for an individual, organization, or property.

Excess per Occurrence. This is insurance attached for each separate event as defined in the policy. If the limit is $30 million per occurrence and three separate losses occur in the policy period, the limit applies to each occurrence.

Aggregate Excess. This form of excess insurance applies to the total of all losses covered by an agreement. It is also called stop loss insurance.

Stop Loss Insurance
This coverage protects against losses that are truly remote for an insurance company. In most cases the underwriters do not expect claims. To provide relative certainty of payment in the most unlikely situation of loss, the insurance provides broad and simple coverage. Characteristics are:

No Cession to Reinsurer. None of the underlying risks are transferred to the reinsurer. The excess loss carrier simply agrees to indemnify another carrier if losses meet the attachment point.

No Pro Rata Retention. No sharing takes place. The underlying insurer simply retains all risk until the attachment point. Then, the excess coverage begins.

No Pro Rata Sharing of Premium. The excess carrier agrees to an attachment point and policy limit. The underlying carrier is charged a negotiated premium.

No Ceding Commission. A commission is not needed because the premium is negotiated.

Question
An excess of loss treaty covers cyber liability losses. The attachment point is $5 million and the treaty limit is $15 million. Three lawsuits produced losses as shown. What kind of treaty is it? What is the insurer and reinsurer share of each loss?

Loss #1   $4 million
Loss #2   $6 million
Loss #3   $8 million

Answer
It is an excess per risk treaty. The share of loss for the insurer and reinsurer is calculated:

Total Loss at Event   $18 million
Attachment Point      $5 million
Treaty Limit          $15 million
Insurer Share         $8 million *
Reinsurer Share       $10 million

* $5 million retention plus $3 million above limit.

Question
An excess of loss treaty covers cyber liability. An insurer has three policies with losses of $1 million, $7 million, and $15 million. The attachment point is $2 million and the treaty limit is $10 million. What kind of policy was issued? What is the insurer and reinsurer share of each loss?

Answer
It is an excess per occurrence policy. The share of loss is:

                   Occurrence #1   Occurrence #2   Occurrence #3
Loss               $1 million      $7 million      $15 million
Attachment Point   $2 million      $2 million      $2 million
Treaty Limit       $10 million     $10 million     $10 million
Insurer Share      $1 million      $2 million      $7 million *
Reinsurer Share    $0              $5 million      $8 million

* $2 million retention plus $5 million above limit.

Question
An excess of loss treaty covers insurer losses above $100 million to a limit of $150 million. An insurer had losses as shown. What kind of policy is it? What is the insurer and reinsurer share of the losses?

Total breach liability losses   $60 million
Total network losses            $80 million
Total data losses               $40 million

Answer
It is a stop loss or aggregate excess policy. The insurer and reinsurer shares of the losses are:

Total Losses       $180 million
Attachment Point   $100 million
Insurer Share      $130 million *
Reinsurer Share    $50 million

* $100 million retention plus $30 million above limit.
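The three treaty forms above (quota share with a ceding commission and a per-policy reinsurer limit, surplus share in lines, and excess of loss applied per risk, per occurrence, or in the aggregate) reduce to a few allocation rules. The following Python calculator is an added example, not the book's own material; it follows the page's worked answers, in particular reading the excess of loss treaty limit as the top of the reinsured layer, and reproduces their figures.

```python
from dataclasses import dataclass


@dataclass
class Split:
    """Primary insurer share, reinsurer share, and any part of a loss that
    falls outside the treaty altogether (used by surplus share)."""
    primary: float
    reinsurer: float
    uncovered: float = 0.0


def quota_share(amount, primary_pct):
    """Quota share: a fixed-percentage split of any premium or loss."""
    if not 0.0 <= primary_pct <= 1.0:
        raise ValueError("primary_pct must be a fraction between 0 and 1")
    primary = amount * primary_pct
    return Split(primary, amount - primary)


def quota_share_premiums(premiums, primary_pct, ceding_commission_pct):
    """Net premium income after the ceding commission, which the reinsurer
    pays to the primary insurer as a percentage of total premiums (as in the
    $14 million example above). Returns (primary_net, reinsurer_net)."""
    share = quota_share(premiums, primary_pct)
    commission = premiums * ceding_commission_pct
    return share.primary + commission, share.reinsurer - commission


def quota_share_exposure(policy_limit, reinsurer_pct, reinsurer_limit):
    """Maximum reinsurer exposure on one policy when the treaty caps the
    policy limit to which the reinsurer's percentage applies."""
    return min(policy_limit, reinsurer_limit) * reinsurer_pct


def surplus_share(loss, line, lines):
    """Surplus share: the primary retains one line, the reinsurer takes the
    next (lines - 1) lines, and anything above lines * line is outside the
    treaty (shown separately, as the page's table omits it)."""
    if line <= 0 or lines < 1:
        raise ValueError("line must be positive and lines at least 1")
    primary = min(loss, line)
    reinsurer = min(loss, line * lines) - primary
    return Split(primary, reinsurer, max(0, loss - line * lines))


def excess_of_loss(loss, attachment, treaty_limit):
    """Excess of loss: the reinsurer pays the part of the loss above the
    attachment point up to the treaty limit (read as the top of the layer,
    as the page's answers do); the primary keeps the rest, including any
    amount above the treaty limit."""
    if treaty_limit < attachment:
        raise ValueError("treaty_limit must not be below the attachment point")
    reinsurer = max(0, min(loss, treaty_limit) - attachment)
    return Split(loss - reinsurer, reinsurer)


def excess_per_occurrence(losses, attachment, treaty_limit):
    """Excess per occurrence: the layer applies separately to each event."""
    return [excess_of_loss(loss, attachment, treaty_limit) for loss in losses]


def aggregate_excess(losses, attachment, treaty_limit):
    """Aggregate excess (stop loss): the layer applies once to the total."""
    return excess_of_loss(sum(losses), attachment, treaty_limit)


if __name__ == "__main__":
    M = 1_000_000
    # Quota share: 30 percent retained, 15 percent ceding commission.
    p_net, r_net = quota_share_premiums(14 * M, 0.30, 0.15)
    print(f"quota share net premiums: primary {p_net / M:.1f}M, reinsurer {r_net / M:.1f}M")
    # Surplus share: five lines of $100,000 each.
    for limit in (60_000, 250_000, 700_000):
        s = surplus_share(limit, 100_000, 5)
        print(f"surplus share on {limit:,}: primary {s.primary:,}, "
              f"reinsurer {s.reinsurer:,}, outside treaty {s.uncovered:,}")
    # Excess per occurrence: attaches at $2 million, treaty limit $10 million.
    for s in excess_per_occurrence([1 * M, 7 * M, 15 * M], 2 * M, 10 * M):
        print(f"per occurrence: primary {s.primary / M:.0f}M, reinsurer {s.reinsurer / M:.0f}M")
    # Aggregate excess: attaches at $100 million, treaty limit $150 million.
    a = aggregate_excess([60 * M, 80 * M, 40 * M], 100 * M, 150 * M)
    print(f"aggregate: primary {a.primary / M:.0f}M, reinsurer {a.reinsurer / M:.0f}M")
```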

Umbrella Insurance
We have already described umbrella insurance as the highest layer of coverage. We noted that commercial umbrella insurance usually does not have an upper limit. It does not contain exclusions that are found in lower layers. It can drop down to fill gaps in coverage in lower layers.

Aggregate Layering
Reinsurance plays a key role in the layering of insurance. The diagram repeats an earlier layering discussion showing the primary insurer is responsible for aggregate losses above the insured’s retention.

Role of the Capital Markets
A question arises as to whether the insurance industry alone has enough capital for the largest conceivable losses. Industry leaders and analysts increasingly are looking to capital markets for additional financing of catastrophic risk including cyber liability.

To deal with the threat of excessive losses, insurance companies can be expected to increasingly turn to the capital markets. As an example of the size of such markets, consider the following:

Financial Market             Amount of Capital
Global insurance companies   $600 billion
U.S. property values         $30 trillion
Global capital markets       $50 trillion
Derivative markets           $550 trillion

Derivatives Markets
A derivative is a security whose value derives from another security or asset. Derivatives can be used to cover insurable exposures. In periods when few losses occur, investors earn a high return on their capital. When a covered loss must be paid, the capital is at risk and may even be lost entirely. The decision to invest involves the trade-off between risk and return.


Reinsurance in the Layering of Cyber Insurance Coverage.

[Diagram: three columns, Data Breach, System Restoration, and Network Liability, each showing the same stack of layers from the bottom up: Retained ($0 to $25M), Primary ($25M to $50M), Reinsurance ($50M to $75M), Excess ($75M to $100M), and Umbrella above $100M. The diagram marks gaps at the $50M and $75M boundaries.]

Insurance Securitization
This refers to the use of derivatives for purposes of risk management and reimbursement of losses. It occurs when an insurance company transfers underwriting risks to the capital markets. The steps are:

Create a Derivative. An insurance company creates a security offering much as a corporation creates common stock for shareholders. It can be a tradable security that can be divided and sold initially to investment banks.

Sell Derivatives. The banks can further divide the security into smaller tranches that can be sold to investors in capital markets. Organizations, pension funds, banks, wealthy individuals, and others can purchase the securities and share in the profits and risks of the underlying insurable exposure.

Contingency. Investors agree to waive principal repayment and interest payments if a contingent loss occurs during the period of the investment. The loss and time period are spelled out quite specifically in the prospectus for the security.

Interest Rate. The security pays above market rates of interest to holders of the portions of the security. If no contingency occurs, investors receive interest on their money. Interest can be paid either periodically or at maturity of the security.

Principal Repayment. At maturity, the original principal is returned to the investors.

Insurance Securitization Terms
This approach to using insurance securitization from capital markets is described by multiple terms including:

Alternative Risk Transfer. This term refers to traditional insurance and insurance securitization components in new or creative forms of risk transfer.

Catastrophe Bond (“Cat” Bond). This is a security issued to transfer massive loss from smaller insurance markets to larger capital markets. It is commonly identified with losses from large weather events such as hurricanes and earthquakes. It is a viable tool to cover cyber liability risks.

Reinsurance Sidecar. This is a catastrophe bond that is linked to a reinsurance structure for covering large risks.

Catastrophe Bonds
To illustrate a catastrophe bond, let us consider an insurance company that fears a $300 million loss if a coordinated hacking attack targets multiple insureds. The insurer can choose reinsurance or a catastrophe bond to transfer the risk to the capital markets. It chooses a $300 million cat bond as follows:

Cat Bond. The insurer creates a 2-year catastrophe bond with 15 percent annual interest. The insurer sells the bond to an investment banker and invests the cash received in secure and liquid assets approved by the government regulator.

Investors. The investment bank slices the bond into tranches and sells them to investors. The investment bank collects interest from the insurance company and distributes it, minus the bank’s fees, to holders of the cat bond.


No Contingency. Let us assume that no hacking attack causes losses in the two-year period. In that case, the bank collects interest during the two years and returns the principal at maturity when it receives the money from the insurance company.

Contingency Occurs
A different scenario arises when covered losses occur. If the holders of the $300 million catastrophe bond are responsible for a $175 million loss, the losses are covered from the principal of the bond. The investors who were hoping for a return of $300 million at maturity will get back only $125 million of the principal.

For a catastrophe bond, the absence of loss can offer a higher return than other, less risky investment options. Occasionally they are needed to pay losses. In 2005, the holders of the Olympus Reinsurance catastrophe bond lost their entire $650 million in capital as a result of a covered loss.

Future of Insurance Securitization
As potential losses seem to be growing larger, some conclusions seem to be justified with respect to catastrophe bonds and other insurance securitization:

Derivatives. They will continue to be used. Investors will seek profits based upon payments that protect insurers against their own catastrophic loss.

Insurance. A derivative can actually be a form of insurance. It can provide money to pay insurable losses if they occur.

Trouble. An insurer is not likely to get into trouble with catastrophe bonds and other insurance securities if they are designed properly and issued in a cost-effective manner.

Conclusion
Insurance markets would not work effectively without reinsurance. Primary insurers must accept insurable risks. Then, they must be able to distribute losses among other participants in the market. Considering the degree of risk inherent in cyber attacks and modern computer networks and systems, it is difficult to imagine how business could be conducted in a vibrant market without insurance companies underwriting large exposures and sharing the risks and returns generated in insurance and reinsurance agreements.


Chapter 12. Captives and Cyber Insurance

OVERVIEW OF CAPTIVES
A captive is an insurance company that provides insurance coverage and services to one or more organizations that own it. Captives play an important role in the insurance market. First, they are a form of retention. In effect, all risks of the captive are retained risks of the insureds. The financial success or failure of a captive affects the financial position of its owners. Second, they give options that may not be available elsewhere to their owners who need insurance. This is particularly true with respect to cyber risk.

Purpose of Captives
An organization can use a captive insurance company to meet specific needs of risk management. These needs include tailored coverage that meets the exact needs of owners, a lower cost of insurance, and filling in gaps in coverage from policies that are available in the commercial insurance market.

Tailored Coverage
A captive can solve risk management problems and answer questions as to how to handle special purpose situations. Examples are:

Unique Conditions. The insured may have situations where conventional insurance markets are not willing to offer the insurance it needs. As an example, an insured may purchase properties with potential residual lawsuits or claims against them. The property may not be insurable in general property markets.

Expertise. A captive is a partner in the assessment of risk. It can be staffed with industry professionals who understand a company’s risk transfer and retention tradeoffs. Thus, a captive might offer a better understanding of the firm’s specialized risks.

Claims. A company may seek claims servicing that cannot be provided by a commercial insurer. The captive may be able to offer streamlined investigation and claims management services. It may be able to work more closely with human resources and other departments to resolve disputes when lawsuits are filed.

Lower Cost
A captive can save money for the owning companies that use it to provide insurance coverage. Some sources of savings are:


Lower Taxes. Insurance is taxed in different ways in countries around the world. An organization can take advantage of differences in tax policies to lower the income and taxes it pays related to its insurance activities.

Administrative Costs. A captive can establish procedures to reduce the costs of underwriting, processing, and resolving claims. The captive can offer labor or regulatory advantages that reduce costs.

Claims. A captive can be coordinated with a home office to produce a smoother operation when settling claims or participating in lawsuits.

Coverage Gaps
We have been introduced to coverage gaps as exposures not covered by insurance. Captives can deal with them as follows:

No Coverage. This is a situation where a company cannot insure against an exposure. Such situations arise when coverage is not available from primary insurers. A captive can offer the chance to fill such a gap, perhaps by reinsuring part of it.

Inadequate Coverage. This is a gap between the maximum potential loss and the insurance in place. Sometimes primary insurers will decline to offer sufficiently high limits. A captive may be able to issue policies and reinsure them.

Fill in an Exclusion. A policy may have an exclusion that is not acceptable to the insured. A captive may offer coverage to close this kind of gap.

Retention Gap. This is a conscious decision to accept a gap. A captive may provide surrounding coverage to mitigate the extent of damage caused by such a gap.

Arms-length Setup
A captive is set up as a separate corporate entity with the stock owned by the party or parties that receive insurance coverage. Captives must be established on an arm's-length basis. That is, the owners and captive are independent and on an equal footing. Such a transaction is known as an "arm's-length transaction". This arrangement is legal even though the parties have shared interests and are closely related.

Favorable Conditions for Captives
The decision to form or not form a captive considers a variety of factors. As a general statement, captives work best when the following conditions exist:

Predictable Losses. Captive managers should be able to gather reliable data with respect to historical trends and patterns. This data should help captives to underwrite risks that produce stability in the financial reporting of their owners.

Diversity of Risks. The risks accepted by captives should involve multiple locations of assets or a variety of people or situations. A captive that provides property insurance for a single large facility might face a catastrophic loss if the facility is suddenly destroyed.

Financial Strength. The captive needs resources to cover losses. This is a combination of premiums, investment income, and capital contributed by its owners.

Strong Loss Control Program. The captive should be dealing with owners that have sophisticated approaches to mitigating risks. Effective loss control programs tend to reduce sudden and unexpected losses.

Secondary Captive Considerations
In addition to a relatively stable operating environment, companies should assess other factors prior to setting up a captive. These include:

Underwriting Expertise. Do the owners know and can they attract managers who understand the risks in their enterprises?

Claims Management Costs. Will a captive raise or lower such costs considering the particular operating conditions of the owners?

Administrative Costs. Will a captive be cost-effective compared to going to the market to insure against loss?

Captive Categories
We can identify different categories of captives based upon the structure and business purpose. These are:

Pure Captive. This is an insurance company that provides coverage only to a parent company and its affiliates or subsidiaries. This is also called a single parent captive.

Broad Captive. This captive has a parent company but also offers insurance to other companies. These entities may be operating in the same business environment as the parent and need the same lines of business coverage.

Association Captive. This captive is formed by a group of companies, frequently in the same line of business, to meet specific needs of their industry. No single parent owns or manages it. This kind of captive is often called a risk retention group (RRG).

Rent-a-Captive. This is a captive owned by an outside organization and open to participants for a fee. Members “rent” licenses and capital from the rent-a-captive owner. The rental captive is commonly used by entities that do not need their own captive or in situations where needed coverage does not justify the energy and expense of managing a captive.

Fronting Captive. This captive writes policies in a jurisdiction where its owners have operations but immediately reinsures the exposure with another insurer outside that area. It is commonly used as a result of the risk transfer restraints from legal regulations or economic conditions in the local country.

Questions
The following insurers can be identified as being in a category of captives.

Amico Insurance. This company operates in Brussels. All of the cyber risks it accepts are located in Belgium. The company does not retain any of the risks that it insures. What kind of captive is it?

Caravan Insurance. The business of this captive is to provide cyber coverage only to Sterling Corporation and its worldwide subsidiaries. What kind of captive is it?

Sterling Insurance. This insurer provides authorized user insurance for colleges and universities throughout the United States. All of its insureds are members of the American Council on Education. What kind of captive is it?

Volta Insurance. This company provides cyber coverage for 17 organizations. Approximately 85 percent of its premium volume comes from a single company in Detroit. The other 15 percent is derived from the 16 other companies. All insureds are in the automotive business. What kind of captive is it?

Answers

Amico Insurance. Fronting captive.
Caravan Insurance. Pure captive.
Sterling Insurance. Association captive.
Volta Insurance. Broad captive.

Categories of Loss
Companies can consider creating captives only to cover a single category of loss. In this context, we can identify two categories of risk:

Expected Business Risk (EBR). This refers to hazards with low severity and high frequency. They arise from losses that occur as a result of operational problems. They essentially are expenses of a business. They are suitable for retention in a captive. Examples are minor losses of credit card data and employee errors operating computer systems.

Catastrophic Occurrence Risk (COR). This category contains the unexpected low frequency, high severity losses. They cannot be retained in a captive. It is too risky. If they are insured through a captive, they must be reinsured to protect the parent from suffering a loss that exceeds its financial strength. An example is a major hacking that causes the loss of sensitive data for many customers.

Qualifying as a Captive
Companies form captives to receive tax and other benefits that are not otherwise available with respect to insurable losses they might incur. Regulators have created standards to measure whether a captive is an independent insurance company operating at arms-length from its owners. To qualify as a captive under U.S. laws, the structure must meet the following tests for risk shifting and risk distribution:

Acceptance of Losses. The captive must be set up so it is accepting risk. Using actuarial and other measures, regulators must believe it can make a profit or suffer a loss.

Third-party Business. One way to demonstrate the acceptance of loss occurs when a captive offers insurance services to multiple parties. If the level of such business is significant, the captive may be deemed to be accepting adequate risk.

Adequate Capital Base. Another test is whether the captive has been established with sufficient capital to survive as a separate insurance entity. Without such capital, a single year of high losses can force the captive into bankruptcy or require the owners to rescue it. If survival depends upon the owners, regulators will judge the captive to fail the test of independence.

Premiums Negotiated at Arms-length. Regulators will assess whether the premiums are adequate to cover likely losses and administrative expenses of underwriting and resolving claims. If premiums are either too low or too high, regulators may decide that the captive is set up for tax or other purposes as opposed to being a qualified insurance company.

Financial Services Company
The term financial services encompasses a broad range of organizations that manage money. They include commercial banks, investment banks, credit card companies, consumer finance companies, investment funds, and insurance companies. Of this category of business, only insurance companies qualify for tax and other benefits of managing risk. If a captive fails the tests to qualify as an insurance company, regulators will deem it to be a financial services company only and deny it the benefits of being an insurance company.

Question
Does this captive meet the standards for qualifying as an insurance company?

Assets. The money it has to pay claims is $2.2 million.

Reserves. These liability accounts show the company has set aside $1.8 million as its obligation to pay losses it has recognized but has not paid.

Premiums. In the current year, the company collected $2 million in premiums from its owner.

Loss Limit. The owner has contractually agreed that it will be reimbursed for any annual losses that exceed $2.3 million.

Premiums. The captive accepts business from unrelated third parties. In the current year, this amounted to $200,000.

Answer
This captive may have trouble meeting the standards of regulators. It could be judged to be solely a financial services company. Issues are:

Risk Shifting. Is it enough? The problem is that the limit of losses at $2.3 million is close to annual premiums of $2 million.

Risk Distribution. The company has only minor business aside from its primary owner. Is it really taking enough risk to meet the test of independence?

Adequate Capital Base. This is a problem. Capital may be adequate but the captive has a high level of reserves compared to the assets to liquidate them when claims are eventually paid.

INVESTING IN A CAPTIVE
The decision to start a captive involves a multiple-step process for its owner. From the finance perspective, two issues are important:

Regulatory Accounting. What impact will conservative regulatory accounting for the captive have on the company’s financial reporting? This is an area where the owner would receive serious legal and accounting advice.

After-tax Return on Invested Capital. Will the company receive an adequate return for its invested capital? Most companies have a variety of projects competing for capital. Can the captive be a viable source of profit as a result of lowering the total cost of risk?

Financial Analysis of Captive Decision
Many factors go into the decision of whether to use a captive in a cyber risk program that covers hardware, software, computer systems, networks, and liability lawsuits. From a purely financial perspective, we can consider four questions:

What is the cost of retention/insurance?
What would be the cost of a captive?
What is the captive net present value?
What is the total cost of risk?

An approach to answering these questions follows:

Cost of Commercial Insurance
Let us select a four-year period to evaluate the cost of using commercial insurance. We obtain estimates of losses and adjusting expenses. We buy excess insurance to protect us above policy limits. We identify the time value of money at eight percent. We use monthly discounting of future cash flows. We calculate a present value of the option. The numbers are:

                            Year 0   Year 1   Year 2   Year 3   Year 4
Losses/Adjusting Expenses            -3500    -3500    -3500    -3500
Retention Administrative             -800     -800     -800     -800
Excess Insurance Premiums            -500     -500     -500     -500
Cash Flows                           -4800    -4800    -4800    -4800
Present Values* 8%                   -4594    -4237    -3905    -3599
Present Value               -16336

* Monthly discounting factors 0.57 1.62 2.68 3.74

Cost of a Captive
With this alternative, we must invest capital at the start of the period. We assume we can take it back at the end. We estimate premiums at arm's length. We have our own administrative costs. We forecast a tax savings and lower claims costs. We pay a deductible for losses. We calculate the present value of the captive option. The numbers are:

                      Year 0   Year 1   Year 2   Year 3   Year 4
Invested Capital      -1200                               1200
Captive Premiums               -4850    -4850    -4850    -4850
Admin with Captive             -400     -400     -400     -400
Tax Savings 6%                 291      291      291      291
Reduced Claims 5%              243      243      243      243
Parent Deductible              -300     -300     -300     -300
Cash Flows            -1200    -5017    -5017    -5017    -3817
Present Values 8%     -1200    -4801    -4428    -4082    -2862
Present Value         -17373

Captive Net Present Value
The captive will cost us money as just calculated to pay for losses. It may also make a profit. We analyze its business model. It will earn a return on the invested capital. It collects premiums but must pay for losses. It has administrative expenses and pays reinsurance premiums. It collects a deductible from its owner. We calculate both a net present value of return and also its internal rate of return.

                          Year 0   Year 1   Year 2   Year 3   Year 4
Invested Capital          -1200                               1200
Captive Premiums                   4850     4850     4850     4850
Losses/Adjusting                   -3500    -3500    -3500    -3500
Parent Deductible                  300      300      300      300
Captive Admin                      -600     -600     -600     -600
Reinsurance Premiums               -500     -500     -500     -500
Cash Flows                -1200    550      550      550      1750
Present Values 8%         -1200    526      486      447      1312
Net Present Value         1572
Internal Rate of Return   56%

Total Cost of Risk
As a summary, we compare the cost of retention with the cost and profit of a captive. The numbers show a net benefit is gained from the captive decision.

Cost of Retention           -16336
Cost of Captive             -17373
NPV of Captive                1572
Net Cost of Captive         -15801
Difference                     535

Sensitivity of Total Cost of Risk
We begin discussions on the validity of the financial model. As an example, suppose someone disagrees with the 5 percent used for the reduced claims costs. If the person asks what would happen at 15 percent, a quick adjustment of the electronic spreadsheet file allows the following comparison:

                          Claims 5%   Claims 15%
Cost of Retention            -16336       -16336
Cost of Captive              -17373       -15723
NPV of Captive                 1572         1572
Net Cost of Captive          -15801       -14151
Difference                      535         2185
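The retention, captive, captive NPV/IRR and sensitivity calculations above, as an added worked example in Python (not the author's spreadsheet). It uses the chapter's figures in thousands of dollars and assumes that the "monthly discounting factors" 0.57, 1.62, 2.68 and 3.74 are fractional years discounted at 8 percent, which reproduces the printed present values.

```python
"""Captive-versus-retention cost-of-risk model built from the chapter's figures.

Added worked example, not the author's spreadsheet. Amounts are in thousands
of dollars as printed. The chapter's "monthly discounting factors" 0.57, 1.62,
2.68 and 3.74 are treated here as fractional years at the 8 percent rate
(an assumption; it reproduces the printed present values to the dollar).
"""
from typing import Dict, List, Tuple

RATE = 0.08
PERIODS = [0.57, 1.62, 2.68, 3.74]   # discount exponents for Years 1 to 4
YEARS = len(PERIODS)


def pv(amount: float, years: float, rate: float = RATE) -> float:
    """Present value of one amount received `years` from now."""
    return amount / (1.0 + rate) ** years


def npv(year0: float, flows: List[float], rate: float = RATE) -> float:
    """Year 0 is undiscounted; Years 1 to 4 are discounted at PERIODS."""
    return year0 + sum(pv(cf, t, rate) for cf, t in zip(flows, PERIODS))


def cost_of_retention(losses: float = -3500, admin: float = -800,
                      excess_premium: float = -500) -> float:
    """Parent pays losses, retention administration and excess premiums itself."""
    annual = losses + admin + excess_premium          # -4800 per year
    return npv(0.0, [annual] * YEARS)                 # about -16336


def cost_of_captive(premium: float = 4850, capital: float = 1200,
                    admin: float = -400, tax_saving: float = 0.06,
                    claims_reduction: float = 0.05,
                    deductible: float = -300) -> float:
    """Parent's side: capital out in Year 0 and back in Year 4. Tax savings and
    reduced claims are percentages of the captive premium (291 and 243)."""
    annual = (-premium + admin + tax_saving * premium
              + claims_reduction * premium + deductible)   # about -5017
    flows = [annual] * YEARS
    flows[-1] += capital                              # capital returned in Year 4
    return npv(-capital, flows)                       # about -17373


def captive_flows(premium: float = 4850, capital: float = 1200,
                  losses: float = -3500, deductible: float = 300,
                  admin: float = -600, reinsurance: float = -500
                  ) -> Tuple[float, List[float]]:
    """Captive's own business model: premium in, losses and reinsurance out."""
    annual = premium + losses + deductible + admin + reinsurance   # 550
    flows = [annual] * YEARS
    flows[-1] += capital                              # capital returned in Year 4
    return -capital, flows


def captive_npv() -> float:
    """Net present value of the captive as a business (about 1572)."""
    year0, flows = captive_flows()
    return npv(year0, flows)


def irr(year0: float, flows: List[float], lo: float = 0.0, hi: float = 5.0) -> float:
    """Rate at which NPV is zero, found by bisection. NPV falls as the rate
    rises because every flow after the initial outlay is positive here."""
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if npv(year0, flows, mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def total_cost_of_risk(claims_reduction: float = 0.05) -> Dict[str, float]:
    """The chapter's summary table; change claims_reduction for the sensitivity run."""
    retention = cost_of_retention()
    captive = cost_of_captive(claims_reduction=claims_reduction)
    profit = captive_npv()
    net = captive + profit
    return {"cost_of_retention": retention, "cost_of_captive": captive,
            "npv_of_captive": profit, "net_cost_of_captive": net,
            "difference": net - retention}


if __name__ == "__main__":
    for share in (0.05, 0.15):
        print(f"Reduced claims {share:.0%}:")
        for name, value in total_cost_of_risk(share).items():
            print(f"  {name:<22}{value:>10.0f}")
    y0, cf = captive_flows()
    print(f"Captive IRR: {irr(y0, cf):.0%}")
```

Changing any default argument (premium, claims reduction, reinsurance cost) re-runs the whole comparison, which is the sensitivity exercise the text describes.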


Non-financial Analysis
Once we have the financial picture, we can discuss other issues. We might ask questions such as the following:

What happens in a hard market?
What happens in a soft market?
Who covers catastrophic hacker attacks?
What specific coverages make sense?
What happens if the tax position changes?
How do we work with financial markets?

Question
Which of the following most accurately describes the decision to establish and run a captive insurance company?

An insurance decision.
A risk management decision.
A tax decision.
None of the above.

Answer
The decision to establish a captive is primarily a financial decision with nonfinancial factors. As a result of providing needed coverage and taking advantage of tax and other savings, the decision is a combination of lower costs and taxes and a return on the invested capital.

Captive Example
To understand the process of assessing a captive, consider a company that is evaluating establishing a captive to insure losses arising from the Internet and the Cloud. It does not want to accept more than $5 million a year in total losses. It expects claims from computer and related systems to approximate 200 per year with an average loss of $11,000. Let us answer some questions:

What are our expected losses? The answer is $2.2 million ($11,000 times 200 claims).

What should be the policy limits? How about paying $3 million per year in premiums to the captive knowing that it will reinsure losses up to $10 million?

What should we use for attachment points on the reinsurance? How about attaching at $100,000 per occurrence and $3 million aggregate?

How should the captive share losses above the attachment points? One possibility is 20 percent for the captive and 80 percent for the reinsurer.

Are these the right answers? Perhaps there are no right answers. We do the analysis according to the company’s financial strength and appetite for risk.


Conclusion
Captive insurance companies have become a big player in meeting needs that the commercial insurance market does not serve. A captive decision starts with a recognized need and a financial analysis to understand the cost of risk associated with the insurable risk. Once the numbers are presented, the discussion expands into bringing together the financial picture, market conditions and trends, and the viability of establishing a captive operation. Cyber insurance is a prime area where a captive can prove to be particularly useful.


Chapter 13. Cyber Risk Insurance Policy

CYBER RISK POLICY FEATURES

A cyber risk policy has specific features that are covered in a framework of first-party and third-party discussions.

Policy Period
The period of coverage is defined by the following dates.

Inception Date. The first date of coverage for a claim filed in writing with the insurance company.

Expiration Date. The last date the insured may file a claim to be covered under the policy.

Retroactive Date. This provision bars coverage for claims resulting from wrongful acts that took place prior to the retroactive date. This is the case for claims filed during the coverage period on a claims-made policy.

Extended Reporting Period. This can be identified as a period beyond the expiration date when the policy will cover losses. The insured will pay an additional premium for this endorsement.

Premium
The policy premium is expressed in annual, semi-annual, or quarterly periods.

Losses
The policy identifies:

Policy Limit. The maximum amount the insurer will pay for a covered loss.

Deductible. A specified amount of money that the insured must pay before the insurance company will pay a claim. This can be based on the aggregate limit of the policy or can be applied to each occurrence.

Defense Expenses
The insurer is obligated to cover the cost of defending against a lawsuit. The policy identifies:

Reimbursement of Loss. An insurer's obligation to pay losses and defense costs as a result of claims made under a liability insurance policy.

Duty to Defend. An insurer's obligation to provide an insured with a defense against claims under the policy.

Defense Within Limit. All defense costs including attorney's fees, court costs, investigation, and filing legal papers are deducted first from the policy limit. This reduces the amount of reimbursement available to pay for monetary damages awarded by a ruling.

Defense Outside Limit. Separate limits available for legal defense costs and court-awarded damages. The cost of defending the case does not erode the policy limit available to pay settlements or judgments.

Duty to Indemnify. An insurer’s obligation to reimburse an insured for the cost of settlements or judgments made under a liability insurance policy that covers the loss.

Duty to Defend. An insurer's obligation to provide an insured with defense to claims made under a liability insurance policy.

Cyber Risk Policy Definitions
These are some definitions used in cyber risk policies.

First, Second, and Third Parties. The policy distinguishes the insured as the first party, insurer as the second party, and someone else as the third party.

First-Party Coverage. The insurer reimburses the insured for a loss whether caused by itself or someone else.

Third-Party Coverage. The insurer reimburses the insured for a loss suffered by someone else. The insured is responsible for its own damages or losses whether caused by itself or a third party.

Incident Coverages. This is a guarantee by an insurance policy that losses will be paid by the insurance company. The losses are paid after any deductible included in the policy up to the stated limit of coverage for the policy.

Limit per Occurrence. Coverage may be limited for each occurrence of a loss.

Aggregate Limit. Coverage may be limited for the total losses during the policy period.

Examples of First-party Coverages
The first party is the insured. First-party coverages reimburse the insured for financial cyber losses. Examples:

Data Breach Expenses. This covers expenses incurred by the insured from a data breach.

Data Restoration or Replacement. This covers the cost of restoring data or replacing software damaged in a cyber incident.

Business Interruption Losses. This covers lost profits and added expenses resulting from a cyber incident.


Public Relations Expenses. This covers costs associated with informing customers, regulators, or the media to fulfill obligations to inform other parties or to meet legal requirements.

Cyber Extortion. This covers losses and costs to stop destruction or shutdown of a computer network when a third party demands a payment to avoid the action.

Cyber Reward. This covers ransoms paid to avoid or reduce future or increased loss.

Examples of Third Party Coverages
The third party brings allegations of cyber harm caused by the insured. The insurance company reimburses the damage when the insured agrees to settle or when a court awards damages. The insured is covered only for defense costs associated with the claim. Examples:

Data Breach Liability. This covers losses and costs from a network security or other electronic failure that releases to the public private information, including personal, credit card, medical, intellectual property, or other protected data. It also includes the wrongful collection of information on the system.

Network Security Liability. This covers failures of network security, including data breach, destruction of data, plagiarism, or virus removal on a network or system owned or controlled by the insured.

Technology Errors and Omissions Liability. This provides coverage for losses suffered by a third party from a failure of technology services. It is a form of errors and omissions insurance. Examples of covered parties are data storage companies that lose data and website designers that create faulty websites. It does not cover technology products such as computer software and hardware.

Funds Transfer Fraud
Specialized and restricted cyber insurance coverage is being developed as needs arise. An example is funds transfer fraud insurance, which reimburses the direct loss of money and securities from the insured's account at a financial institution. The fraud must be committed by a third party directly by one of three actions:

Electronic or telephone instruction falsely transmitted by someone pretending to be the insured.

Electronic or telephone instruction sent to the insured and paid because it appears to be a valid transaction.


Written instruction issued by the insured and then altered by someone else without the insured’s knowledge or consent.

Computer Fraud
This is another specialty insurance that reimburses a direct loss of money, securities, and other property resulting from the use of any computer to fraudulently transfer insured property from the insured premises or bank premises to a third party.

Privacy Liability
This specialty coverage reflects federal and state legal obligations to keep employees' and customers' personal information private.

Cyber Professional Liability
This covers claims because of failures by companies that offer electronic media services such as Internet advertising. Examples:

Negligent Act. An example is to post damaging information about a client on a public distribution list. The damage can cause measurable financial or reputation loss.

Negligent Failure to Act. An example is failing to post information the client paid you to post. The damage can be loss of sales or extra expenses that must then be incurred by a client.

Electronic Media Liability
This covers accusations of misbehavior or failure by companies that electronically publish, disseminate, collect, produce, or otherwise distribute content on the Internet on behalf of themselves or others.

Information Security Liability
This covers lawsuits where a firm has a legal obligation to keep third-party information secure. It is triggered by losses that occur when firewalls, antivirus software, and other security system safeguards are breached and data is lost.

CYBER RISK POLICY STRUCTURE

Declarations
The Third Party Liability Insuring agreements cover only claims first made against insureds during the policy period.

Policy Period
Inception date: January 1

Expiration date: December 31
Retroactive date: January 1

Policy Premium: $165,000
Retention per occurrence: 20% of limit

Defense Provisions
Defense expense coverage outside limit.
Defense expenses will be applied against the retention.
Insurer has duty to defend.
The company may waive its duty to defend in writing.

Coverages                                   Limit of Coverage
Aggregate Limit                             $10 million

First-party Coverages
Data Breach Expenses                        $1 million
Data Restoration or Replacement             $4 million
Business Interruption Losses                $4 million
Public Relations Expenses                   $1 million
Cyber Extortion                             $2 million
Cyber Reward                                $1 million
Computer Fraud                              $2 million

Third Party Coverages
Data Breach Liability                       $4 million
Network Security Liability                  $4 million
Technology Errors and Omissions Liability   $3 million
Media Publishing Liability                  $1 million
Social Media Liability                      $1 million

Extended Reporting Period: Up to 5 years
Additional Premium Percentage: 1% per month

QUESTIONS AND ANSWERS

Question
An employee of a manufacturing company fraudulently gained access to the insured's computer system and invoiced a customer using the bank routing number on the employee's personal account. The customer sent a large sum of money to the employee instead of the company. What kind of cyber insurance covers this loss?

Answer
Funds transfer insurance.

Question
Trading on the New York Stock Exchange was halted for three hours in July 2015. An official statement explained, "The issue we are experiencing is an internal technical issue and is not the result of a cyber breach." On the same day United Airlines and the Wall Street Journal also suffered strange technical glitches, with all United Airlines flights temporarily grounded nationwide. What kind of cyber insurance would cover the cost of the shutdowns?

Answer
Depending upon the exact nature of the damage, losses could be covered with data breach expenses or business interruption loss insurance.

Question
A former employee used his supervisor's password to enter the insured's building and gain access to the supervisor's computer. Using his bank routing number, he activated transactions to receive fake reimbursements allegedly made to the company's customers. What kind of cyber insurance covers this loss?

Answer
Computer fraud.

Question
A 2015 cyber attack stole 80 million personal and medical customer records of the Anthem Health Care Group. The attack was among the largest in corporate history. The information taken includes names, birthdays, medical IDs, social security numbers, street addresses, and employment information, including income. What kind of cyber insurance would cover the loss of the data?

Answer
Data breach expense and data restoration or replacement insurance could cover first-party losses. Data breach liability insurance would cover lawsuits.

Question
Chipotle Mexican Grill's Twitter account was hacked in 2015 and was used to post racist, homophobic, and anti-government tweets. If racial and gender groups were offended and threatened class-action lawsuits, what kind of cyber insurance would cover the legal judgments and defense expenses?

Answer


Two possibilities are media publishing liability and social media liability.

Question
In 2015 a hacker gained access to the email account of one employee of the Sacred Heart Health System. Using the information, an unauthorized user stole billing information for 14,000 patients. If Sacred Heart incurred costs to restore the system, notify patients, and explain the hacking response in advertisements, what kind of cyber insurance would cover the breach?

Answer
The hospital may have claims under data breach expenses, data restoration or replacement, and public relations expenses cyber insurance.

Question
A group of hackers took control of 20,000 computers and exploited a vulnerability in Windows to cause eBay and several other sites to crash. What kind of cyber insurance would cover losses from denial of service while eBay restored the site?

Answer
Data breach expenses and business interruption are the most likely coverages.

Question
A former employee used his supervisor's password to enter the insured's building and gain access to the supervisor's computer. He created transactions to pay vendors but sent the money to his own bank account. What kind of cyber insurance covers this loss?

Answer
Funds transfer insurance.

Question
An employee of a vendor fraudulently gained access to the insured's computer system and changed the bank routing number from the vendor to the employee's bank routing number, causing a large sum of money to be transferred directly to the employee instead of the vendor. What kind of cyber insurance covers this loss?

Answer
Computer fraud.


Cyber Insurance Products

Insurers are developing cutting edge products to respond to the need for a tool to manage a portion of cyber risk. We will examine some of the recent developments for cyber risk transfer.

Excess Differences in Conditions Cyber Coverage
CyberEdge focuses on potential losses from a cyber risk.

Excess Coverage. Adds cyber loss coverage above the attachment point of underlying insurance programs.

Differences in Conditions. Fills in gaps in property and liability insurance when the policies exclude losses from the failure of computers and networks.

Nature of Loss. Provides reimbursement when cyber risk causes bodily injury, property damage, and financial loss.

Insurer Services
An insurance company can provide specific support in the areas of underwriting and claims for the CyberEdge insurance policy, including:

Risk Management Expertise. The cyber underwriting team can provide knowledge on how to prevent and detect a cyber risk event.

Customization Expertise. The insurer can help tailor coverage options to any unique conditions that confront a particular insured.

Crisis Response Expertise. The cyber claims team can provide knowledge of how to respond to a cyber risk incident.

Liability Expertise. The insurer can activate legal, forensics, and public relations specialists who can assist in handling cyber-related claims.

Innovation. The insurer can share new cyber risk management developments, tools, technology, and behaviors to help the insured monitor the cyber environment and remain at the forefront of risk management as cyber risks evolve.

Cyber Coverage
A Cyber policy can include the following coverages:

Third-Party Liability Loss. Resulting from a data breach.

Direct First-Party Costs. Resulting from a data breach.

Lost Income & Operating Expense. Resulting from a data breach.

Extortion. Resulting from threats to disclose data or attempts to extort money after a data breach.


Defamation. Claims alleging slander or libel via social media, email, or other electronic transmission using the Internet.

Intellectual Property Liability. Claims alleging misuse of copyrights, images, or intellectual property of third parties.

Conclusion
Insurance companies are developing new cyber insurance policies as they gain more knowledge on the nature of risk with modern technology. This is likely to become an expanding area of business for the near future.

Appendix 13. Sample Cyber Insurance Excess Policy

The following is an example of the major provisions in a cyber policy with three coverages. The policy is edited to improve the meaning of the clauses. It does not meet the legal language requirements commonly found in cyber policies.

DECLARATIONS

COVERAGE TYPE               MINIMUM ATTACHMENT   EVENT LIMIT   AGGREGATE LIMIT
Cyber Event Response        $4 million           $12 million
Cyber Follow Form Excess    $4 million           $10 million
Cyber DIC                   $4 million           $8 million
All Policies                                                   $15 million

UNDERLYING POLICY SUMMARY

Underlying Policy   Limit of Insurance   Policy Start   Policy End
Freedom Insurer     $4.2 million         January 1      December 31
Asylum Insurer      $5.5 million         July 1         June 30
Refuge Insurer      $2.5 million         January 1      December 31
Shelter Insurer     $7.5 million         April 1        September 30

1. INSURING AGREEMENT
In consideration of the payment of the premium, the Insurer and the Insureds agree as follows: For any Triggering Event that takes place during the Policy Period, this policy will provide the following coverage:

Cyber Event Response. This policy will pay Event Response Costs incurred in response to a Security Failure that an Insured knows caused, or Suspects is likely to have caused, a Triggering Event.


Cyber Follow Form Excess. For each Coverage Type, this policy will provide coverage excess of the Underlying Limits for Loss caused by a Security Failure.

Cyber Difference in Conditions (DIC). For each coverage type other than Cyber Event Response, this policy will drop down and pay Loss caused by a Security Failure that would have been covered within an Underlying Policy,

2. DEFINITIONS
Computer System means any computer hardware, software, or any components thereof, that are linked together through a network of two or more devices under ownership, operation or control of the Insured.

Electronic Data means any software or electronic data stored electronically on, or that forms part of, a Computer System, but excluding Personal Information.

Event Response Costs means the reasonable and necessary expenses and costs incurred by an Insured in A. investigating (including forensically) the cause of the Security Failure; B. a targeted public relations response to the Triggering Event, including, without limitation, the costs of crisis management services; and C. restoring, recollecting or recreating Electronic Data.

Event Response Costs shall not mean (i) compensation, fees, benefits, overhead or internal charges of any Insured; or (ii) any costs or expenses relating to advertising, promotion or publicity, other than those necessitated as a direct result of a Security Failure.

Followed Policy means the policy identified in the Underlying Policy Summary.

Loss for Cyber Event Response means Event Response Costs. For each other Coverage Type it means bodily injury, property damage or other loss, costs or expenses including those covered within an Underlying Policy. "Loss" does not mean costs or expenses arising out of upgrading any computer system, unfavorable business conditions, the removal of software program errors or vulnerabilities, or any insured cost to prove loss.

Security Failure means a failure or violation of the security of a Computer System, such as unauthorized access or use, denial of service attack, receipt or transmission of a malicious code, theft of a password or access code by electronic or non-electronic means. Security Failure does not include earth movement, flood, explosion, seismic event, lightning, fire, smoke, wind, water, other acts of God, satellite, or infrastructure failure.

Successive Policy means a policy successively issued by the Insurer that provides the same or comparable coverage.

Triggering Event means the action that first triggers coverage. It does not mean the Security Failure itself.

3. EXCLUSIONS
This policy shall not cover the defense or any loss or costs from:

Acts of War.
Advertising/Personal Injury.
Dishonest, Fraudulent, Criminal or Malicious Conduct.
Government Action.
Intellectual Property.
Invasion of Privacy.

4. ATTACHMENTS
Cyber Event Response Coverage. A single Minimum Attachment shall apply to all covered Event Response Costs.

Cyber Follow Form Excess Coverage. The risk of failing to collect any part of the Underlying Limits is not insured under this policy.

6. OBLIGATIONS OF THE INSUREDS
Notice and Reporting. The Insurer must be notified of any Triggering Event as soon as a Security Failure is likely to cause a loss.

Cooperation. The Insureds have the same obligation to cooperate with the Insurer under this policy as they have to the insurer of the Followed Policy. Such rights include the right to enforce any legal rights necessary to secure such rights.

Proof of Loss. The insured must be provided with a written, detailed proof of loss no later than 90 days after it is likely that this policy may make an Event Response payment.

No Duty to Defend. The Insurer does not assume any duty to defend under this policy.


Right to Tender Defense. The insured has the right to tender in writing to the Insurer the defense of any suit or formal legal proceeding, including any administrative proceeding, mediation or arbitration, but not any investigation or inquiry, arising out of such Triggering Event.

Insurer Withdrawal. Once any Limit or the Policy becomes exhausted by payment of covered amounts, the Insurer shall have no further obligation to provide such defense or pay any attorneys’ fees, costs or expenses.

Underlying Insurance Coverage. The Insured agrees that during the Policy Period A. each Underlying Policy will be kept in full force and effect, the limits and conditions of the Underlying Policy will not materially change, and any renewals or replacements of an Underlying Policy will provide equivalent coverage to the policy being renewed or replaced.

http://www.aig.com/chartisint/internet/US/en/files/CyberEdge PC Policy Final 2014_tcm1247-595896.pdf
