A Call for Action and Education on a Sound Cyber Liability Policy

This is a guest blog post by Jesse Lyon, Associate Broker with AmWINS Insurance Brokerage of California. Jesse Lyon, who grew up in northern California, was educated at Saint Mary’s College of California, Moraga, where he took a double major in history and English.  He presently lives in Reno, Nevada, where he has worked in financial fields including retail banking, residential property valuation, and professional insurance.

Let us be clear on this point: the Internet is never going away.  The Internet is only going to reach more broadly and deeply into all of our lives.  What needs to happen today is for insurance brokers and underwriters to realize that what clients need is a Cyber Liability policy that remembers the past fifteen years and looks thoughtfully towards the future, because we already know what damage can be done with the Internet.  A Cyber Liability policy that provides clients with protective coverage while remaining affordable for them and profitable for insurance carriers is urgently required by businesses in general.

Concerns for the creation of an effective Cyber Liability insurance policy, however, must face the currently accepted international definitions of war and terrorism.  Any cyber attack that is nation-state initiated or sanctioned must be excluded.  In the 20th century there were helpful definitions for war and an act of war in the Law of Armed Conflict (LOAC), but none of those definitions provide enough clarity in the 21st century when it comes to potential damage done in the cyber realm.  As an example of outdated language, the current wording in a Hiscox Cyber Liability policy for excluding war reads, in part: “based upon or arising out of any actual or alleged armed struggle, civil unrest or conflict.”  A cyber attack is not presently considered an armed struggle in LOAC; it is not civil unrest, nor is it considered a conflict, which means that every nation-state sanctioned attack must be covered.  A nation-state collecting e-mails, usernames, and passwords, and using a company server as a command and control server, can create financial havoc.  Such acts by a nation-state fall outside the current wording in Cyber Liability policies, which is focused on kinetic attacks only.  This must not be so.

The lack of clarity in current Cyber Liability policies also extends to a terrorist attack or terrorism.  The following is the current wording that Hiscox uses regarding terrorism: “based upon or arising out of any actual or alleged act or threatened act of terrorism, including but not limited to the use of force or violence.”  Stealing passwords, using a company server as a command and control server, and so forth fall outside of the Hiscox definition of terrorism, since violence and stealing passwords are in no way similar.  Moreover, the conditional phrase “not limited to” does not reasonably stretch to passwords or command and control servers.  But Hiscox is simply an example, as there are others, such as CFC, that either have outdated wording or are silent on war and terrorism.

Compensation for restoring an insured’s reputation after a cyber attack is a feature that more carriers are adopting today, but it is a feature that must be excluded from a Cyber Liability policy.  Cyber attacks will continue to occur with greater frequency and ever greater destructiveness.  Such organizations as Target, Anthem, JP Morgan, and numerous other companies will likely be attacked time and again.  To give an insured company millions of dollars each time to help restore its reputation is neither practical nor sustainable for insurers.  If Cyber Liability insurers pay out tens of millions of dollars every five years for repeated reputational claims alone, no insurer will financially survive the 21st century.  With cyber attacks becoming more and more common, the attacks will shortly disappear from most, if not all, news publications, especially attacks against the same company.  As they fade from the news headlines, so too will the consumer backlash against hacked companies diminish.  Therefore, reputational compensation provides no real value to the insurer or the insured company.

Insurers also need to become drivers of cyber security instead of being unwitting passengers when it comes to such security.  In the 20th century insurers were encouraged to be passengers because they depended on the legal system in developed countries for determining how a policy was written and how a claim was best handled.  However, that dependence is no longer enough to guide the actions insurers must take in the 21st century.  Going forward there are three areas wherein insurers must concentrate their attention in order to best serve their clients and, ultimately, society at large.

First, if a person views the contributors to a publication like the “2015 Data Breach Investigations Report” from Verizon, there is only one insurer listed as a contributor to that report.  Such a fact is not unique, however: all other cyber security publications from organizations like McAfee, Symantec, FireEye, and so forth reflect the same limited contribution from insurers, and insurers are not producing their own comprehensive reports to make up for that deficit.

Second, Cyber Liability insurers need to become more proactive on the computer hardware and software side.  To begin with, Cyber Liability insurers need to establish a baseline that insured corporations need to meet.  On-site inspections need to be conducted to ensure that an insured company has current and fully up-to-date anti-virus software, a POS system (if the insured is accepting credit or debit payments), and a fully patched current computer OS; such inspections would also be wise to insist that the insured has an efficient backup plan already in place in case of a cyber attack.  Presently there is no industry-wide baseline that insured companies need to meet, which ultimately harms both the insured and the insurer.

Lastly, as technology companies implement new versions of software, or create new protocols, insurers need to proactively work with software technology companies so as to provide better defensive capabilities to the insured.  There are many organizations right now, not least of all institutions like MIT, the NSA, Lockheed Martin, or even a small company like SRI International, that are working on next-generation computer encryption software.  RSA, and encryption systems based on RSA, such as OpenPGP, are on the cusp of being rendered largely useless by the coming quantum computing revolution, and this year there have been a number of serious discussions regarding quantum computing and the impact it will have on encryption.  But these discussions have taken place without the involvement of insurers.  Given the immense amount of Internet traffic that depends on encryption protocols, insurers cannot afford to be left out of the discussion of which techniques are used in the future to secure Internet communications.  If insurers continue to ignore the issue of encryption, it will only increase the difficulty of helping to protect companies as well as of offering financially sound Cyber Liability policies.

Insurers also need to work along with technology companies to ensure that the best and most useful hardware is created for use on the Internet.  For instance, on the mobile side Apple, Qualcomm, and Samsung have their own fingerprint scanner hardware.  Yet, of the three, Apple’s is presently considered the best.  But with no consensus among technology companies and no involvement from Cyber Liability insurers, there is no reason for Qualcomm or Samsung to work with Apple and thereby increase the likelihood of adoption of Apple’s fingerprint scanner hardware, or to work on a more robust fingerprint scanner, like the one from Next Biometrics.

Presently insurers are unwisely leaving security standards up to others who are unable to appreciate the nuances involved with insurance and who do not have the same responsibility to clients and society that insurers do.  Too many professional insurance brokers and Cyber Liability underwriters are unfamiliar with terms like APT, public key, or RAT.  Going forward, insurers need to be passionately involved in the creation of hardware and software security standards, since it will be those standards that help insurers educate and better equip insured organizations against cyber attacks.

The passive mindset of cyber insurers is not only hurting clients in the aforementioned areas, but it is also hurting them in much more mundane ways.  PCI fines are an area where insurers and credit organizations need to come together.  It is helpful for a Cyber Liability policy to cover PCI fines, but presently those fines can vary widely from one credit organization to the next.  How PCI fines are applied can vary significantly as well.  And, perhaps worst of all, it is far too easy for a business to fall out of PCI compliance.  Unless Cyber Liability insurers work proactively and thoughtfully with credit organizations, Cyber Liability insurers will only be able to offer a feature that, at best, helps a firm to avoid bankruptcy and, at worst, only enriches credit organizations.

This present-day attitude of the passive and unwitting insurance passenger must stop!  Cyber Liability insurers must be the drivers of computer hardware and software security standards and of comprehensive cyber security reports, and must ultimately become deeply involved in the monitoring of the cyber realm.  In the 20th century insurers appeared after a mess was created, and they helped to make the insured company whole again.  In the 21st century insurers should focus on preventing damage done to insured clients through the Internet.  The 21st century needs insurers to be powerful advocates both for the insured and for a safe cyber realm as a whole.

In the near future Cyber Liability policies must be sharply designed to help an insured company mitigate the aftermath of a cyber attack by criminals, rogue or disgruntled employees (including former employees), and unintentional mistakes by any form of employee.  And the word “mitigate” is the correct word, since Cyber Liability insurance, for the most part, does not follow the principle of indemnity.  (After all, how can anyone ever truly know the cost of a data breach, and therefore how can an insurance company make an insured whole again when the cost of the damage is unknown?)  For such a policy to cover the damages of war or terrorism, to repair damaged business reputations, or to hedge against poorly applied standards or fines, like the current PCI fine, will result in unsustainable losses for insurers, losses that will negatively affect all Cyber Liability insurance companies for years to come.

Jeb Bush on Education

Former Florida Governor and 2013 International Conference Speaker Jeb Bush recently sat down with ABC News “This Week”.

Here is the link to the full interview.  In it he states: 

“If you measure it by outcomes, 25 percent of kids pass all of the four segments of the ACT Test, which means that they’re college or career ready. About a third, or be generous and say 20 percent, don’t graduate at all; that’s failure.

I think higher standards is really the element of this that’s most important. If you dumb down the standards everybody feels good. Little Johnny can get a piece of paper that says he graduated from high school, but this massive remediation that’s necessary to access higher education is evidence that we’re not benchmarking ourselves to college readiness or to the best in the world. So higher standards matter. The commonality of them, in this case 45 states voluntarily creating them.

The common core standards in language arts and math are important because it creates greater transparency. Curriculum is developed, my guess is, in this kind of system where there is common expectations.

You’ll have 1,000 different flowers blooming as it relates to curriculum. It will be diverse and alive which is what we need. There will be a lot more innovations.”

Register today for the 2013 PLUS International Conference: “Uncharted Waters of Emerging Risk: Knowledge is Power” to see Governor Jeb Bush and leading-edge panel discussions with thought leaders and industry experts that will debate and discuss the emerging risks of the professional liability industry.

See you in Orlando.

Chris Duca
2013 PLUS Conference Chair

William Cohen on Syria

The news headlines of late have been dominated by the conflict in Syria.  Former Secretary of Defense William Cohen sat down with Bloomberg Television’s “Political Capital with Al Hunt” to share his views and outlook for U.S. military action against Syria.  Here is the video clip of the interview.

Register today for the 2013 PLUS International Conference: “Uncharted Waters of Emerging Risk: Knowledge is Power” to see William Cohen and leading-edge panel discussions with thought leaders and industry experts that will debate and discuss the emerging risks of the professional liability industry.

Sponsorship opportunities remain open for the 2013 PLUS International Conference.  Put your organization in front of the almost 2,000 industry professionals.  Sponsorship information is available here.

I look forward to seeing you in Orlando.

Christopher Duca
2013 PLUS International Conference Chair