Yes, Even Insurance Agencies Suffer Cyber Attacks!

Imagine this…. a couple of your leading Insurers advise they’re aware of a cyber break-in involving your Agency – WHAT??? – you never thought this would happen to you!

Recently a partner Agency faced just such a scenario. On Wednesday, Oct 19th, “name withheld” Insurance (a mid-size regional P&C carrier) called advising they knew the Agency Username, and Password for the company network had been stolen the previous week. The following day “not saying” Insurance (a super-regional P&C group) called advising Agency passwords to their network were out there on the Dark Web, for sale!

What would you do? – I think I’d panic, and then check everything!

Don’t panic! – Cyber attacks are more common than we think, and they’re not all catastrophic. In this case, at least for this Agency so far, it involves only two records. Yes, two insureds’ records may have been compromised. No big deal, right?

Here’s what has happened at the Agency to date:

– Their third party “IT guy” performed a special project on their entire network to update all software and anti-virus protections – cost TBA

– Disabled all applications that are not work-related (e.g., they’re not ordering Pizza online anymore!)

– Scanned all work-related devices for viruses and malware infections (including everyone’s smart phones, iPads, and tablets)!

– Identify the attack – they did! – someone had clicked on an email link that loaded malware and subsequently monitored keystrokes and logs.

– Disable and replace affected devices – apparently only one hard drive involved.

– Co-operate with the Insurers. Firstly, the Insurers cut off all Agency Management System interface; one was back up after two days, the other was off-line completely for two weeks (back to ‘old school’ processing, call it in!). Now it will only permit two workstations access while investigations remain on-going; each login must be pre-notified and is monitored.

– “Not saying” Insurance Company requires a cyber forensics evaluation, initial cost $6,500 (read Your Agency agreements!), duration estimated 3-5 days – results pending @ 9.11.15

– Agency is not going to make a cyber claim, but to comply with cyber policy conditions “notified” their carrier.

What happens next depends upon the results of the forensic investigation – stay tuned, meantime, this is what they know:
The Financial Services – Information Sharing & Analysis Center (FS-ISAC) notified the two insurance companies that 225,000 accounts belonging to them had been stolen and were available on the Dark Web, so clearly other Insurance Agencies are involved.

This is not a serious breach for the Agency, in fact, technically not a network breach at all but an application breach – as far as we know so far! The impact has been disruptive to normal operations with still an uncertain outcome.

There are more than 30 people already involved with the Agency in responding to this incident; the Agency Manager, CSR staff directly affected, agency owners, Office Administrator, in-house claim co-ordinator, agency financial staff, their cyber insurance agent, the cyber wholesale broker, the insurer’s claims department, agency IT, third party forensics team and there may be several more before the incident is closed. Should the investigation uncover more ‘damage’, the scope of the clean-up will increase, involving perhaps legal consultants, counsel and regulators.

FAQs:
– Was the compromised data encrypted? – yes, and so were the passwords, but they were being sold!
– Is the network wireless? – no, it’s old fashioned, hard-wired, and should be safer!
– Do employees receive cyber security training? – yes
– Are there notification requirements? – the number of records compromised at the Agency appears to be less than required to trigger formal notification under Privacy Statutes – however, the Insurers involved are not so fortunate.

Takeaways:
– Someone else usually discovers the breach
– Even minor technology breaches are disruptive
– Any breach involves direct and indirect costs
– There will be the publicity
– It could happen to you!

What Can Insurance Agents Do About Cyber Crime?

“Obviously crime pays, or there’d be no crime.” ~ G. Gordon Liddy – jailed for his role in Watergate

Online crime is where it’s at for criminals, says Special Agent Corey Collins with the FBI’s Cyber Crimes Task Force in Columbus, Ohio. “Crime has moved online. It’s easier, cheaper, safer, and if caught the penalties aren’t too bad! For example, walk into a bank with a gun and get away with the average heist (approx. $2,000) = minimum 7 years in jail. Steal $250,000 online from the same bank. First offense = 6 months in jail”!

Commercial crime exposures for businesses are growing faster than traditional crime policies can respond. Phishing, spoofing, extortion, malicious employee conduct or theft, lost or leaked credentials, telephone hacking, and reliance upon a service, all may present an economic loss not covered by crime or other traditional P&C insurances. There’s an important role for Agents here, identifying, mitigating and transferring these serious business exposures.

Many cyber insurance policies do address forms of crime, after all, it’s typically malware infecting systems that permit data breaches, and it is a Federal crime to use a malware virus with the intention of harming a computer without authorization. However, other direct losses such as funds stolen with compromised passwords, extortion to restore your network or services it relies upon are clearly crime exposures not covered by ISO based crime forms, even the new ones!

Another tech enabled crime is fraud by credit card, read this blog article by Chris Christian, U.S. Risk. She poses an interesting question as to whether certain types of credit card fraud are insurable. After all, cyber policies are insuring other forms of fraud.

For insights about the information criminals are targeting from us, read this article.

Obviously we’re all destined to trade even more via the internet, whether it’s direct buying online or just using a credit card, and of course, it’s inevitable criminals will always be around so long as crime pays (G. Gordon Liddy still has a career!). Becoming cyber vigilant and educating commercial customers about their cyber risks is a new and vital role for Insurance Agents. As scores of cyber security experts and pundits have said, it’s not a question of whether you will be a victim of a cyber loss, it’s just a matter of when!

Cyber Insurance Sales and Marketing Tips

With daily news of cyber breaches and hacks, it’s remarkable Agents still report customers who say “we’re too small, and it just won’t happen to us.” If you’re marketing or selling cyber insurance to first-time buyers, always include relevant loss and claim examples. The following breach sources help you locate real incidents that have occurred in virtually every type of organization:

  • http://datalossdb.org/
  • http://www.databreaches.net/
  • https://www.privacyrights.org
  • http://www.melamedia.com/HIPAA.Stats.home.html
  • https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Another objection reported from prospects is “we’re too small, we couldn’t have a big loss.” Most prospects, even most insureds who already have cyber insurance, have little knowledge of all the ways they could sustain a loss, the amount of that loss, nor the cyber perils a good policy will cover. The following coverages are available for virtually every organization, and none of these losses was ever intended to be insured by property, CGL, E&O or umbrella forms. So a cyber policy is the best option for:

Your First Party Costs:
  • Business Interruption and Extra Expenses
  • Dependent Business Interruption
  • Extortion & Terrorism
  • Data Reconstruction and System Damage
  • Reputational Harm and Public Relations
  • Funds stolen from your online bank accounts

Your Third Party Liabilities
  • Tort Liability—Privacy Liability coverage
  • Contractual Obligations—vendors, suppliers, customers, PCI compliance
  • Regulatory Obligations—Regulatory Response coverage
  • Media Liabilities—Defamation, Intellectual Property Infringement, Invasion of Privacy, Content liability

Your Breach Response & Mitigation costs
  • Network Security coverage
  • Notification costs and Credit Monitoring
  • Forensic expenses
  • Call Centers
  • Consumer Redress Funds
  • Public Relations

Recently we learned a so-called “discreet dating website”, Ashley Madison, was hacked. This involves up to 37 million individuals. Granted, there’s no relevance to your average SME (small medium enterprise), but it’s simply titillating and maybe something certain prospects can identify with. 🙂

For more resources, tools, reports and advice about marketing cyber insurance, consider joining the cyRM – Cyber Risk Manager Group on LinkedIn. You’ll need to complete the cyRM Course first – if you’re an Agent in the ARM network, email us for complimentary access.

Everything is Digital but I Want My Analog World Back!

Let’s be honest, technology has already overwhelmed some of us. For example, do you understand all the Settings in your smartphone? I’ll admit it, I don’t, but I know I should because inevitably I’m losing functionality or performance and could suffer something worse. That same phone, we’re told, has 10 times more advanced technology than what put Neil Armstrong on the moon, so in theory, we could use our iPhone to visit another planet!

The point is; technology is complicated. Few of us understand code, or even what it is, but according to this Bloomberg article being able to create code will be elemental to living in a tech-dominated world. Have no doubt, we’re increasingly becoming a tech-dominated world.

The article is long but a really good attempt at explaining code for us laymen. Frankly, even after reading it three times, I’m even more overwhelmed! I can’t see how I’m ever going to start coding, but at least I now have a better idea of how it all works. I hope you gain insights too.

Cyber Insurance Has a Trust Problem and Only Agents Can Fix It

Trust – it’s a fundamental trait for insurance professionals, much like Utmost Good Faith (Uberrima Fides), Fidelity (Fidentia) and Honesty. So when a KPMG report concludes the main barrier to purchasing cyber insurance is ‘trust’, make no mistake this is a lack of trust in the insurance industry and its sales representatives. It’s time to rethink what we’re currently doing.

In an article commenting on the report, one of the main claims is insurers would not pay out on cyber claims. Perhaps they’ve been swayed by reports of insurers fighting cyber claims, which of course they are, but only because the claims are under insurance policies that were designed to cover other perils.

Perhaps they’ve been influenced by reports of firms who bought cyber insurance but discovered it did not pay for what, in retrospect, seemed obvious cyber loss costs (theft of funds, system interruption, prior acts, unencrypted mobile devices, etc). As Agents it’s our role to change this perception, fundamentally, our reputation relies upon it.

There’s no secret cyber sauce to fix our customers’ mindset on this issue; we’re going to have to earn respect through imparting valuable knowledge. And in one regard it’s not so hard because there is no lack of information, resources and evidence that cyber perils are the riskiest of insurable perils.

The challenge is making sense of it all, and here’s the rub, it’s really not that easy even if you receive so-called leading edge training from an insurer or broker. After all, they’re only supporting their own products and services! The answer is each Agent must adopt their own targets for demonstrating proficiency with cyber risks.

The very nature of cyber, let’s use ‘digital’ perils, is they’re interconnected in ways we never imagined in the analog world. Traditional insurance training and education hasn’t prepared Agents to cope with the array of new digital exposures. The cyber market, in its teenage years at this point, is all over the place with carriers using the same words differently, carving out a handful of exposures to insure, or exclude or ignore. There simply isn’t a standard to aim for, or is there?

A fundamental standard we all hold ourselves to is doing our best. When you see someone doing their best, it shines through, on a certain level you know you can trust them, their commitment and attitude earns our trust.

Agents in the ARM network appear much like the rest of the agency community, behind the 8 ball on the cyber issue. The KPMG conclusion should be a wake-up call to us all.

For assistance with cyber insurance education, consider starting with www.cyberinsurancetraining.com – designed for ARM agents it’s the only online academy certifying proficiency with cyber insurance risk perils.

Cyber Insurance Needs Agents to Start Thinking Digital Not Analog

In the last 20 years, we’ve connected everything of value in the world via the internet. It’s really astonishing if we think about it. It’s fundamentally changed EVERYTHING! Except, that is, insurance. We’re still selling fire and liability coverages and asking the same questions we have for decades. While we’re adopting digital technology we’re still mired in an analog mindset, because that’s how insurance was developed. Yes, there’s a burgeoning cyber insurance market, but in the overall scheme of things it’s minuscule compared to the total of commercial premiums.

This simply can’t last for long folks! The worst perils are now ‘cyber risks’, in fact, cyber insurance is the future of insurance.

They tell us everything we make in the future will have connectivity built into it, but think about it, we’ve already connected everything of value. 100 years ago we connected water to our buildings, then power, then the telephone, and pretty much that’s how it was until cable arrived and now look at the buildings we’re in and what we do inside. Technology has changed transactional activity for every organization and individual, and everything is connected in some way to the internet. Remember that the Target data breach was from a wireless controlled HVAC switch.

Here’s some really good news; the future is already here! It’s right under our noses, fingertips actually, just like everything else!

There’s a robust and growing cyber insurance market; it’s surprisingly exciting (to an insurance junkie) to realize all the options and new forms of coverage that are already available. Every agent has access to cyber products, although most will tell you they sell very little. And that’s perhaps the most worrisome risk for us in the industry. We’re not doing a good job of identifying our customers’ exposures and matching them to insurance products and risk management services. Nor are we convincing them about the value of cyber insurance.

Before it’s too late and we discover we didn’t buy enough E&O to leave our customers uninsured for digital perils, Agents need to jump start their cyber awareness. We must acquire cyber risk management knowledge and skills, start navigating the complicated world of cyber insurance policy forms and language, and adopt a continuous learning posture about the perils of digital technology.

If you’ve read any of the other articles on this blog you can’t help but notice they all say essentially the same as this one – so my apologies if you were looking for something new. We do have new cyber Resources, connect with the ARM Ohio office for information.

If you’ve not yet considered taking the Cyber Insurance Training course (cyRM – Cyber Risk Manager), do it soon! Agent graduates report it’s been essential to their cyber insurance education, and for most the post-graduation Resources now form core elements of their cyber insurance practice.

Why Insurance Agents Need to KISS with Cyber Liability Insurance

Someone quipped, “The fastest way to learn about cyber is to be the victim of a cyber-attack!” Perhaps a better alternative is an informed Insurance Agent.

Information about breaches and cyber is pervasive, but what are the most effective facts for discussing cyber perils with prospective insurance customers? Here are just a few statistics:

  • 40% of breaches happen to businesses with less than 1000 employees
  • The average data breach loss cost is $3,500,000
  • Breaches usually cost around $200 per person

This Verizon Data Breach Investigation Report and this PCI Compliance Report are full of facts, stats, data, and advice, but for the first time cyber insurance customer, you may have more success following the KISS principle.

If fire insurance is vital for anyone with a building, then Cyber insurance is vital for any business or organization with data and if they have:

  • Employees
  • A bank account
  • Connection to the internet
  • Accepts credit cards (PCI)
  • Involved in healthcare (HIPAA)

Buying cyber should be like buying fire insurance, in fact it should be an even simpler decision because for many insureds cyber insurance premiums are significantly less, while there’s an even greater chance of a cyber loss than a fire loss. (this emphasis added to the original article to make clear that cyber losses are more likely than fire losses while cyber insurance costs less!)

Anecdotal evidence makes this clear, to demonstrate go to all of your favorite News sources, search for news about fires. Ok, now search for news about data breaches and cyber perils. Did you catch it? Cyber stories dwarf fire stories (if you even found any fire stories!).

Now look at fire insurance rates based on fire limits, and cyber premiums versus cyber limits, cyber insurance is …well, way cheaper! This cannot last for long, Agents, when your uninsured customers finally purchase cyber insurances it will be Insurers paying the losses!

Many organizations are unaware of all the cyber coverage parts available under a comprehensive cyber policy. “It appears many insurance companies are not either,” quipped another Agent, “because, what else explains many have limited and restrictive coverage parts or ignore obvious cyber risks such as theft from bank accounts, system interruption costs, and business income loss?” Of course, the real answer is they’re not sure how to price for the risks, but these and other cyber loss expenses are available under comprehensive low-cost policies from leading cyber insurance markets.

We continue to press Agencies to study cyber insurance and work with cyber insurance specialists. As Agents become proficient with cyber perils and cyber coverages, they’re effective at putting it in simple terms for customers and prospects. Consider www.cyberinsurancetraining.com for elemental cyber education, and remember – KISS
KISS = Keep it Short & Simple 🙂

Why You Should Be Talking About Cyber Insurance

“If you’re not talking about cyber insurance to all of your commercial customers when a loss happens, your E&O may be the only coverage that responds.”

We stole that idea from Chris Bunbury at eRMI, he was talking about environmental insurance, but it’s relevant for both classes of coverage.

Cyber risks are everywhere. Take 5 minutes to Google or Duck Duck Go the topic and you’ll find thousands of cyber risk articles and horror stories to supplement the articles linked on this website. Virtually every business uses the internet, has employees and a bank account and thus is at risk. Operating without robust cyber insurance or the equivalent in spare cash is an unbelievably risky decision.

No informed business owner would fail to incorporate, consider and purchase property and liability coverages, and work to reduce business risks. However, with cyber perils many owners are still in the dark, and it’s your responsibility as an Agent to inform them. If you fail to do so, your E&O may be the only coverage they have!

Contact ARM for more information, and encourage every Agent you know to take www.cyberinsurancetraining.com as a first step to getting up to speed with cyber insurance. It may save your Agency, or at the least an embarrassing, or deadly, E&O claim.

6 Things To Do When Clients Don’t Want Cyber Insurance

Agents offering cyber insurance are having a tough time – one recently said “The customers just don’t get it!”.

Well, I don’t sell insurance for a living, so take my advice for what it is. However, here’s my advice for an insurance guy who’s working with the guy who “just doesn’t get it”. Here goes!

  1. If the client won’t buy cyber insurance, refuse to be their agent for anything else. I’m serious, this is the 21st Century, get with it.
  2. At least require them to sign off on something that looks like this Declination Statement.
  3. Be a bit sarcastic. Mention that they’re right! Organizations don’t need cyber insurance and it really is an unnecessary expense; unless they have a website, use the internet, collect credit cards, have employees and a bank account.
  4. Was that too sarcastic? Well, maybe tell them that not buying cyber insurance when you’re part of the connected world is like not buying fire insurance on the house you live in. It’s just too risky!
  5. Measure their security score. Another tactic is measuring their security score, which you can do for free with an account here at Cyberfense.
  6. Use a data breach calculator. These are useful too, with half a dozen calculators linked here.

Oh, and how would I do it? I’d challenge them to find stories about fires on the internet. See how many fires completely devastated businesses. Then I’d wade them through all the data breach stories out there on Google. Then we explain that we’re canceling their fire coverages because we think cyber is a better alternative.

However, if they still won’t even sign the Declination Letter, at least get them to admit to one of the following:

  • Practicing willful blindness
  • Taking the ostrich approach
  • Ignoring the obvious
  • Turning a blind eye to the issue
  • Missing the elephant in the room

I was challenged earlier this week by the President of ARM International, Priscilla Hottle, to become a Sales Agent. She suggested I find out if I’m good enough to compete in your world. Well, based on some of these suggestions I look like a pretty poor prospect, but hopefully there’s some stuff here that stimulates you to find ways to sell cyber insurance to every customer and prospect.

For more about ARM’s cyber resources, please reach out and contact me!