Cyber Perspectives on Coronavirus: Part 2

The second installment of Cyber Perspectives on Coronavirus focuses on the risks associated with the increase in the remote workforce and the role that HR can play in a company’s cyber risk culture. View the white paper written by one of the speakers, Tom Finan, here.

Listen here to the Cyber Perspectives on Coronavirus: Part 2 discussion:

Speakers:

Gail Arkin, SVP, General Counsel at Berkley Cyber Risk Solutions

Gail Arkin is the General Counsel of Berkley Cyber Risk Solutions, located in Morristown, NJ. Her responsibilities include the development of cyber insurance products and managing all regulatory, compliance, distribution and corporate legal matters. Gail has over 20 years of insurance experience, including over 15 years developing cyber products, and previously held the positions of senior vice president & general counsel for a financial lines division, general counsel for a wholesale and retail division, and a claims officer for professional and management liability lines of insurance.

Tom Finan, Cyber Growth Leader at Willis Towers Watson

Tom Finan is a Cyber Growth Leader within Willis Towers Watson’s FINEX Cyber/E&O Practice.  In this role, Tom advances the company’s integrated approach to cybersecurity across all aspects of people, capital, and technology risk.  Tom previously worked as the Chief Strategy Officer of Ark Network Security Solutions.  He also served as Senior Cybersecurity Strategist and Counsel with the Department of Homeland Security’s National Protection and Programs Directorate.  While at DHS, Tom established and led the agency’s cybersecurity insurance initiative in support of implementation of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”  To advance that effort, he created DHS’ Cyber Incident Data and Analysis Working Group (CIDAWG), a private-public engagement forum that examined how a cyber incident data repository could help meet the information and analysis requirements of the insurance industry and technical cybersecurity professionals.  Tom previously served as the Staff Director and Counsel for the Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment with the U.S. House Committee on Homeland Security.

James Giszczak, Member at McDonald Hopkins

James is a member at the law firm McDonald Hopkins. He is chair of the litigation department and co-chair of the data privacy and cybersecurity practice group. He advises clients regarding data security measures and responding to security breaches involving sensitive personal information and protected health information. He works with clients in a myriad of industries to assess and implement appropriate data security safeguards. Jim also litigates matters involving data security and data privacy, including defending single plaintiff and class action lawsuits.

Cyber University and More: PLUS’s Virtual Education

Successful Turnout at PLUS 2020 Cyber University

Last week, over 100 PLUS members attended PLUS’s virtual Cyber University. While this event has been held in-person in previous years, this year’s Cyber University was part of PLUS’s 2020 plan to provide virtual education to a broader audience. Attendance for Cyber U doubled this year, and the staff at PLUS is proud to provide quality education in virtual space, especially in light of current circumstances.

This is the third year of PLUS Cyber University and registrants attended six live sessions over three days.  “The program content is incredibly strong, so the focus was on how to take an in-person event and continue to make it meaningful as a virtual one,” said Megan Moore, Director of Education and Professional Development at PLUS. Topics included: legal foundations, evolution of cyber coverage, interplay among lines, underwriting, breach responses, 1st and 3rd party claims, risk management, and breach scenarios. Moore added, “As we transfer this program to virtual, we made sure to include opportunities for attendees to reflect on what they’ve learned and apply it to their own experience as well as connect with each other outside of the session.”

Continuing to Provide Remote Education

PLUS is continuing to expand its virtual education offerings for all members. In May alone there are three top-notch webinars on a variety of professional liability topics, from the Sciabacucchi court case decision, to resolving D&O disputes virtually, to social distancing and telehealth.  Additionally, on-demand presentations from the virtual Healthcare and Medical Professional Liability Symposium are available to view, as well as Online eLearning modules for the RPLU program available to purchase. You can work through module content at your own pace, and even complete the exam entirely online!

“Over the last few years, we have been ramping up our ability to provide online and virtual education,” said Robbie Thompson, CEO of PLUS. “While PLUS will always offer outstanding in-person networking and education events, we knew that focusing on other ways members can also get professional development was critical to PLUS continuing to serve the professional liability industry.” From webinars, to the RPLU online eLearning modules, to in-person events moved to virtual like Cyber University, PLUS is working to make education accessible no matter the circumstances.

PLUS Membership for the Win

Membership is an important aspect of PLUS, and PLUS staff has been working tirelessly (and remotely!) to provide new ways to engage members virtually.  If you are a PLUS member, you can register for any or all of the May webinars for free! If you aren’t a member yet, become one now to register for webinars, gain access to an archive of PLUS virtual education, and more. Check out previous posts on this blog to listen to PLUS’s PL Perspectives on Coronavirus podcast, and stay tuned for even more distance education offerings in the future.

From Stephanie Lynch: Summary of New Cyber Insurance Study

In this post, Stephanie Lynch provides an excellent summary of the recent Guy Carpenter and CyberCube study “Looking Beyond the Clouds,” which looks at potential U.S. cyber insurance industry catastrophes and their financial fallout. You can download the study itself here at the Guy Carpenter website.

It is crucial that we, as the cyber insurance market, put in the work to understand the characteristics of catastrophic cyber events and the financial impact they could have on our industry. Guy Carpenter and CyberCube Analytics have collaborated on a study to quantify cyber risk, specifically looking at potential U.S. cyber industry catastrophic and systemic loss events.

The study is done on a synthetic cyber portfolio representing the U.S. standalone cyber market, informed by Guy Carpenter’s view of the market. GC started with a base portfolio of just over 6k policies with a combined premium of $285m, estimated to represent about 10% of the U.S. cyber market. It was tested and extrapolated out using a proportion of risk sizes seen in the underlying exposure dataset, to create a total market view of $2.6b and about 55k policies. It’s important to note that this study does not contemplate endorsements, package policies or non-affirmative cyber within other lines of business, but exclusively looks at standalone cyber policies.

CyberCube had developed 23 catastrophic loss scenarios on their platform, ranging from attacks on critical infrastructure, to large scale cloud ransomware at a leading cloud service provider, to widespread theft from a major email service provider.  The unique characteristic about CyberCube is that they have access to data from both inside and outside the firewall, which builds a more unique and complete view of the risk, due to their exclusive access to information from Symantec, the world’s largest cybersecurity firm.

All modeled results are based on 10k simulations run on the synthetic portfolio through these 23 loss scenarios in the CyberCube platform. The analysis and results can be found in much more detail within the study itself, but a few key takeaways:

  • The costliest cyber catastrophe scenario modeled was widespread data loss due to zero-day vulnerabilities within a leading operating system, which caused a $23.8b insured loss to the market. The likelihood of this event is also the lowest (beyond the 1:300 year return period), but it is similar to what occurred with the NotPetya attack that was mostly uninsured.
  • The most likely loss scenario was widespread data theft from a major email service provider.
  • The second most likely was large-scale ransomware at a leading cloud services provider.
  • Companies with revenues greater than $1b, regardless of industry, represent about 75% of the insured loss.
  • Financial firms were most impacted by these systemic events, accounting for ~20% of the insured loss. This isn’t all too surprising due to the larger insurance takeup rate in the cyber market by these firms.
  • While the loss drivers of each of these scenarios are different, it is important to note that Business Interruption costs, often caused by supply chain delays, are a big part of these catastrophic loss costs. The BI component of cyber insurance has evolved rapidly over the last few years, and we have seen waiting periods and sublimits erode considerably over this time as well.

Rebecca Bole of CyberCube Analytics says, “Insurers and the organizations they insure need to be aware of these major scenarios, and understand the response plans necessary and the potential financial losses in each of these scenarios. The industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption and quantifying cyber risk to promote the purchase of adequate insurance limits.”

Hopefully this study has got the conversation started within the businesses with these exposures, insurance carriers covering them, and reinsurers backing them. Since there hasn’t quite been a U.S. insured catastrophic, systemic cyber loss yet, it is a challenge for (re)insurers to estimate the size and scope of what such a loss would look like on their balance sheets. Readers are encouraged to read through the article and the details of the top 5 catastrophic loss drivers. It is important for us all to analyze our portfolios with these catastrophic scenarios in mind, and this study is a great place to start.

Stephanie Lynch is a treaty reinsurance underwriter and account executive with 5+ years of full-time industry experience. She is responsible for developing, growing, and managing treaty reinsurance broker and client relationships and underwriting proportional and non-proportional professional liability programs.

Her treaty reinsurance background began on the actuarial side of the business, working on the reserving team at Arch Reinsurance. After a few years, she made the transition to underwriting, working with the professional liability treaty reinsurance group. Stephanie joined the professional liability underwriting team at Safety National Re in September of 2017 working on both medical and non-medical professional liability.

Stephanie is a graduate of The College of New Jersey with a Bachelor’s degree in Mathematics and a minor in actuarial science. She has achieved the CPCU, RPLU, CYB, ARe, AINS designations and is a licensed NJ producer in property, casualty and surplus lines.