Last week, over 100 PLUS members attended PLUS’s virtual Cyber University. While this event has been held in person in previous years, this year’s Cyber University was part of PLUS’s 2020 plan to provide virtual education to a broader audience. Attendance for Cyber U doubled this year, and the staff at PLUS is proud to provide quality education in a virtual space, especially in light of current circumstances.
This is the third year of PLUS Cyber University and registrants attended six live sessions over three days. “The program content is incredibly strong, so the focus was on how to take an in-person event and continue to make it meaningful as a virtual one,” said Megan Moore, Director of Education and Professional Development at PLUS. Topics included: legal foundations, evolution of cyber coverage, interplay among lines, underwriting, breach responses, 1st and 3rd party claims, risk management, and breach scenarios. Moore added, “As we transfer this program to virtual, we made sure to include opportunities for attendees to reflect on what they’ve learned and apply it to their own experience as well as connect with each other outside of the session.”
“Over the last few years, we have been ramping up our ability to provide online and virtual education,” said Robbie Thompson, CEO of PLUS. “While PLUS will always offer outstanding in-person networking and education events, we knew that focusing on other ways members can also get professional development was critical to PLUS continuing to serve the professional liability industry.” From webinars to the RPLU online eLearning modules to in-person events moved online like Cyber University, PLUS is working to make education accessible no matter the circumstances.
PLUS Membership for the Win
Membership is an important aspect of PLUS, and PLUS staff has been working tirelessly (and remotely!) to provide new ways to engage members virtually. If you are a PLUS member, you can register for any or all of the May webinars for free! If you aren’t a member yet, become one now to register for webinars, gain access to an archive of PLUS virtual education, and more. Check out previous posts on this blog to listen to PLUS’s PL Perspectives on Coronavirus podcast, and stay tuned for even more distance education offerings in the future.
In this post, Stephanie Lynch provides an excellent summary of the recent Guy Carpenter and CyberCube study “Looking Beyond the Clouds,” which looks at potential U.S. cyber insurance industry catastrophes and their financial fallout. You can download the study itself from the Guy Carpenter website.
It is crucial that we, as the cyber insurance market, put in the work to understand the characteristics of catastrophic cyber events and the financial impact they could have on our industry. Guy Carpenter and CyberCube Analytics have collaborated on a study to quantify cyber risk, specifically looking at potential U.S. cyber industry catastrophic and systemic loss events.
The study is done on a synthetic cyber portfolio representing the U.S. standalone cyber market, informed by Guy Carpenter’s view of the market. GC started with a base portfolio of just over 6k policies with a combined premium of $285m, estimated to represent about 10% of the U.S. cyber market. It was tested and extrapolated using the proportion of risk sizes seen in the underlying exposure dataset, to create a total market view of $2.6b and about 55k policies. It’s important to note that this study does not contemplate endorsements, package policies or non-affirmative cyber within other lines of business, but looks exclusively at standalone cyber policies.
CyberCube has developed 23 catastrophic loss scenarios on its platform, ranging from attacks on critical infrastructure, to large-scale cloud ransomware at a leading cloud service provider, to widespread theft from a major email service provider. What sets CyberCube apart is its access to data from both inside and outside the firewall, which builds a more complete view of the risk, thanks to its exclusive access to information from Symantec, the world’s largest cybersecurity firm.
All modeled results are based on 10k simulations of the synthetic portfolio run through these 23 loss scenarios in the CyberCube platform. The analysis and results can be found in much more detail within the study itself, but a few key takeaways:
The costliest cyber catastrophe scenario modeled was widespread data loss due to zero-day vulnerabilities within a leading operating system, which caused a $23.8b insured loss to the market. The likelihood of this event is also the lowest (beyond the 1:300 year return period), but it is similar to what occurred with the NotPetya attack that was mostly uninsured.
The most likely loss scenario was widespread data theft from a major email service provider.
The second most likely was large-scale ransomware at a leading cloud services provider.
Companies with revenues greater than $1b, regardless of industry, represent about 75% of the insured loss.
Financial firms were most impacted by these systemic events, accounting for ~20% of the insured loss. This isn’t too surprising, given the higher insurance take-up rate among these firms in the cyber market.
While the loss drivers of each of these scenarios are different, it is important to note that Business Interruption costs, often caused by supply chain delays, are a big part of these catastrophic loss costs. The BI component of cyber insurance has evolved rapidly over the last few years, and we have seen waiting periods and sublimits erode considerably over this time as well.
Rebecca Bole of CyberCube Analytics says, “Insurers and the organizations they insure need to be aware of these major scenarios, and understand the response plans necessary and the potential financial losses in each of these scenarios. The industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption and quantifying cyber risk to promote the purchase of adequate insurance limits.”
Hopefully this study has got the conversation started within the businesses with these exposures, the insurance carriers covering them, and the reinsurers backing them. Since there hasn’t quite been a U.S. insured catastrophic, systemic cyber loss yet, it is a challenge for (re)insurers to estimate the size and scope of what such a loss would look like on their balance sheets. Readers are encouraged to read through the study and the details of the top 5 catastrophic loss drivers. It is important for us all to analyze our portfolios with these catastrophic scenarios in mind, and this study is a great place to start.
Stephanie Lynch is a treaty reinsurance underwriter and account executive with 5+ years of full-time industry experience. She is responsible for developing, growing, and managing treaty reinsurance broker and client relationships and underwriting proportional and non-proportional professional liability programs.
Her treaty reinsurance background began on the actuarial side of the business, working on the reserving team at Arch Reinsurance. After a few years, she made the transition to underwriting, working with the professional liability treaty reinsurance group. Stephanie joined the professional liability underwriting team at Safety National Re in September of 2017 working on both medical and non-medical professional liability.
Stephanie is a graduate of The College of New Jersey with a Bachelor’s degree in Mathematics and a minor in actuarial science. She has achieved the CPCU, RPLU, CYB, ARe, AINS designations and is a licensed NJ producer in property, casualty and surplus lines.
In the following guest post, Kurtis Suhs explains how general counsel is crucial in managing cyber risk before a cybersecurity breach occurs. This article was originally published in CyberInsecurity News in October 2019. Thank you to Kurt for his insight on this important topic.
The general counsel’s role in managing cyber risk should start well before a cyber incident. On projects ranging from compliance work, third-party contract reviews and vendor due diligence to employee training and tabletop exercises, in-house counsel can be prime contributors to cyber risk readiness.
As the threats of significant financial loss and reputational damage continue to grow, lawyers can help drive the process to elevate their organization’s cyber risk readiness. In the past three years, the role of in-house counsel has greatly expanded in response to increased civil litigation, regulatory scrutiny and a steady stream of new international, federal and state laws.
General counsel are often well positioned to help coordinate the efforts of their colleagues. That is because cybersecurity is not just an IT issue, but a business strategy that may create legal obligations for the organization. And no one group can build cybersecurity alone. This is definitely a team sport, and it requires a roster that is wide and deep. Let’s review some of the players.
Board of Directors
Boards of directors are ultimately liable for a company’s missteps and responsible for its survival, and in today’s interconnected world, cyber resilience is a big part of that responsibility. General counsel today are seen as trusted board advisers who wield influence over their companies’ legal and business strategy. Instead of reactively analyzing an issue from a purely legal perspective, GCs help remove obstacles and foster business objectives in a proactive manner. Meanwhile, they are expected to ensure that the organization maintains the highest standards of legal and ethical behavior, adroitly balancing the dual imperatives of company performance and corporate integrity.
The importance of the law department is reflected in the second of five principles listed below, which spell out what all corporate boards should consider as they seek to enhance their oversight of cyber risks. These appeared in the Director’s Handbook on Cyber-Risk Oversight, published by the National Association of Corporate Directors (NACD).
Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT
Directors should understand the legal and regulatory implications of cyber risks as they relate to their company’s specific
Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the Board meeting
Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and
Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
In-house counsel should have a relationship with a law firm that has expertise and experience with data breaches, privacy laws and regulations. One of the most difficult challenges in responding to an incident is deciding whether it triggers statutory or contractual notification obligations that involve employees, customers, vendors, insurers, regulators and law enforcement.
But just as important, outside counsel should be hired by the company that has suffered the potential attack to retain the third-party vendors it will need to work with. This helps ensure that discussions and work product are subject to attorney-client privilege. Without this attorney-client privilege, any third-party work product may be subject to discovery by the plaintiffs’ bar for use against the entity or the organization’s directors and officers.
In conjunction with their information security teams and other personnel, the general counsel can help develop key aspects of a cybersecurity program. These should include data inventories, risk assessments, compliance strategies and incident response plan testing through tabletop exercises and breach simulations. With guidance from the information security team, in-house counsel should ensure that the written information security plan is achievable and has buy-in from all stakeholders. Furthermore, general counsel should ensure that it complies with and meets the minimum standards required by the relevant states.
In-house counsel should work closely with their organization’s risk management team to protect the company in the event of an attack. Insurance brokers and outside counsel should also be consulted to best match the types of coverage and policy terms that the organization needs. They can also help risk management evaluate cyber risk within each property and casualty insurance policy, examining for affirmative coverage, excluded coverage, sub-limited coverage or silent coverage (where cyber risk is neither affirmed nor excluded).
Given that a number of cyber incidents emerge due to the actions of an organization’s own workforce, in-house counsel can play a crucial role in managing those risks. The lawyers can assist the human resources department to ensure that an organization’s policies are not only drafted but followed, and that disciplinary measures are taken in the event of a violation. The areas covered should include cybersecurity, physical security, data security, security training and employee conduct.
Physical security is a vital part of any written information security plan. Getting the right people involved will save valuable time and effort as plans and strategies are developed for new and existing resources. From the initial point of physical entry to the protection of an asset, general counsel can take an active role by offering oversight, marshaling resources and serving as an advocate for key stakeholders.
Organizations should also develop relationships with law enforcement before a cyber incident. General counsel can often serve as the initial point of contact and help agents access documents and witnesses. Time is of the essence, particularly with business email compromise through hacking and phishing attacks. If victims contact their local FBI field office within 48 hours of a loss, the FBI’s Recovery Asset Team has a 75 percent chance of recovering those funds.
The Bottom Line
Just as technology, advanced persistent threats, litigation, legislation and the regulatory landscape are rapidly changing, so is counsel’s role within the organization. By actively managing decision-making throughout the risk assessment and compliance process, counsel can help prepare their organizations to detect risk and effectively respond when threats arise.
Kurtis Suhs is the Managing Director of Cyber Special Ops, LLC, a Georgia-based company that he founded to advance cybersecurity by using specialized teams and risk management techniques to prepare for and respond to a cyber event. He has over 33 years of experience in the insurance and financial services sectors, and helped launch the first cyber insurance product in 1997.
Using the concierge medicine model, Cyber Special Ops provides guaranteed access to highly credentialed third-party providers for a modest annual membership fee.