20 | JANUARY 2018 | NATIONAL UNDERWRITER PROPERTYCASUALTY360.COM MARKET FEATURE ILLUSTRATION BY PATRICK FARICY

MARKET FEATURE · 2018-11-20 · Joshua Motta, CEO and co-founder of Coalition — a brand-new cybersecurity firm/insurer


When it comes to cyber threats and how they continue to evolve, Adam Cottini, managing director of Gallagher’s Cyber Liability practice, offers a chilling assessment: “You have the known, and the massive unknown.”

The potential damages are at once serious and extensive: Physical loss. Financial loss, in myriad forms. Reputational loss. All of these perils are woven into a threat from which no insured is truly safe, regardless of their size or the industry in which they operate. As the digital frontier expands, every single client, to a greater or lesser degree, is exposed.

Acknowledging the intersection of Cyber Liability, Business Interruption and Property policies is particularly important when determining how clients may — or may not — be covered for a cyber-related loss, and just which policy is triggered depending upon how the incident occurred. As Laura Rieben, director of privacy for Independence Blue Cross’ internal audit division, stated during a panel at ALM’s CyberSecure conference in New York City last month, “The devil’s in the sublimits.”

Steve Anderson, vice president and product executive in Privacy & Network Security at QBE North America, points out that 2017 saw seven of the top 20 all-time largest breaches in terms of the number of records exposed worldwide. He notes that many Cyber Liability forms now have property elements that weren’t there a year ago; insureds are now asking for carriers to specifically include protections for commercial property in their Cyber policies.

Similarly, he adds, Property policies in many cases used to contain exclusions for digital threats; that’s no longer the case. Coverage for Cyber-based physical damage can be added as an endorsement to a Property policy, but depending on the extent of the client’s needs, more comprehensive limits might be available through a well-crafted standalone Cyber policy.

Otherwise, the client — and the insurer — would be relying on what’s referred to as “silent” cyber coverage (in which such losses are not explicitly excluded as part of a Property policy, for example), as opposed to affirmative, distinctly stated protections.

As is often the case with Cyber coverage, one size does not fit all. It’s become incumbent on brokers to ensure clients that all cyber-related potential losses are either covered by a specially tailored Cyber policy, or not specifically excluded in their other suite of policies — and even in the case of the latter, that the sublimits are adequate.

“Concurrent causes of loss may exist, but the direct cause is what triggers the policy,” notes Shiraz Saeed, Starr Companies’ practice leader, Cyber Risk. “You need to look at the wording.”

THE CYBER LIABILITY MARKET OFFERS EQUAL PARTS PROMISE AND PERIL. AS CYBER THREATS MOUNT AND CAN IMPACT AN INSURED’S ENTIRE RISK PORTFOLIO, GAPS MUST BE ASSESSED AS COVERAGE CONTINUES TO EVOLVE.

BY SHAWN MOYINHAN


WHERE PROPERTY MEETS CYBERSPACE

While perhaps not immediately apparent to some, the cyber-based threat to physical assets cannot be underestimated. Consider pharmaceutical giant Merck, which was dealt a serious blow by the Petya/NotPetya malware cyber attack in June 2017. (NotPetya was a virus that spread across computer networks and encrypted hard drives so that machines could not run.)

With its computer networks frozen, the drug manufacturer was unable to produce vaccines and medications in normal volumes while its production facilities were affected, and its delivery and distribution, back-office, research and sales operations also took a hit. When reporting its third-quarter financial results, Merck said its sales were down by $240 million after it had to borrow that amount of stores of its star HPV vaccine, Gardasil, from the Center for Disease Control’s stockpile just to fulfill orders. Merck reported an additional $135 million in lost sales that it claims related to the attack.

The result? An estimated $275 million hit for its insurers — and that’s just for the insured portion of Merck’s larger loss. “Merck has not yet fully quantified its losses, much less given any of its insurers an estimate of the total amount of those losses,” Merck spokeswoman Claire Gillespie said in a statement in October.

Yet a client doesn’t have to be a major drug company to suffer a crippling physical loss; the remote manipulation of a sprinkler system, for example, could destroy a manufacturer’s inventory. Temperature controls could be compromised and set high enough to ruin the entire in-house stock of a food company. A rogue nation could hack into a utility company and shut down electricity or cause a power surge that fries a transmission line, or open up a dam and put a community under water.

Although there haven’t been a great number of such cases reported in the U.S. yet, Cottini says that engenders a sense of complacency: “We’re sitting on a precipice of the next concern. We need to align policies to make sure the client is covered.” The insured’s General Liability or Property coverage might not respond in such cases.

Some in the industry thought Property underwriters would add appropriate limits to meet cyber threats, but the aforementioned major ransomware events have made them seriously reconsider, says Cottini: “Now, the Property market is looking at whether they want to provide current limits with regard to cyber, tailor it back, or not offer it at all.”

“The Property market has a major problem in that it carries a silent cyber exposure,” says Michael Palotay, chief underwriting officer for NAS Insurance Services in Encino, Calif. Clients, he notes, are “very concerned about what their potential loss is in the event of a [cyber] attack that causes property damage.”

Currently, insurers can offer property damage in the event of an attack, and “the cyber market is better equipped to manage the aggregates of that exposure,” Palotay explains. He’s concerned, however, that there hasn’t been a major event to make the threat of property damage “real” to insureds.

“There hasn’t been a lot of cyber aggregation until recently,” Palotay notes, referencing Petya and the worldwide May 2017 WannaCry ransomware attack. “Those events added fuel to the fire about how we’re going to manage aggregated risks.”

[Chart: What Cyber coverages are NEW and RENEWAL buyers most interested in purchasing? Categories: Cyber-related BI; Funds transfer fraud/social engineering; Cyber-related dependent BI; System failure coverage; Regulatory fines/penalties; Data restoration; Internet media liability; Cyber-related bodily injury and/or property damage; Other; Cyber extortion; Data breach. Axis: 0% to 70%.]

PartnerRe and Advisen surveyed 270 brokers/agents and 125 underwriters who are directly involved in Cyber insurance business. Interestingly, respondents said requests for cyber-related bodily injury/property damage were relatively low.

SOURCE: Advisen 2017 Survey of Cyber Insurance Market Trends

IF CYBERSECURITY IS ‘BROKEN,’ IS COALITION THE FIX?

“We’re in the middle of an industrial paradigm shift,” says Joshua Motta, CEO and co-founder of Coalition — a brand-new cybersecurity firm/insurer that launched Dec. 5. “Given the competitive benefits, it’s unthinkable for a business not to digitize everything. However, this puts them in a precarious position. Now they’ve got troves of data to protect and myriad new risks they must defend against.”

Still, technological solutions are available to mitigate such risks, are they not? Motta says … not entirely.

“Cybersecurity is broken,” he says.

But what does that mean?

Digital threats, Motta explains, are so pervasive that technology can be an “illusory solution” in the sense that no amount of technology will save an organization from a perpetrator bent on compromising its security. That thinking, he notes, has to change, particularly from an insurance standpoint, for a perpetrator need only be right once. Cyber risk, he says, is “not a technology problem; it’s a risk management problem. There’s a human being at work, a criminal, who’s the perpetrator. We wanted to rethink how we solve that risk.” And Motta’s company is looking to put its risk selection where its mouth is.

Backed by Swiss Re Corporate Solutions and Argo Group, Coalition possesses a deep bench of expertise: Motta was instrumental in the founding and growth of Cloudflare, a privately held $2B security company where he was the CXO and Head of Special Projects; he’s worked for the CIA, Honeywell, Sprint and Microsoft, the latter of which he went to work for at age 14. Coalition co-founder John Hering is the founder and executive chairman of Lookout, a Silicon Valley-based global leader in cybersecurity technology that’s been recognized as a Technology Pioneer by the World Economic Forum and serves over 75 million users globally.

But here’s the key differentiator. Coalition possesses a power that could make other cyber writers green with envy: the ability for brokers to quote a Cyber policy and have it bound in minutes.

After the broker submits the application, Coalition checks the client’s cyber exposures and vulnerabilities, running the prospect through an application programming interface (API) against a variety of online databases to gather data “in the background” on the potential insured’s e-mail systems, prior breaches and other vital information, checking them against vulnerability databases to see just how severe their risk profile is: Have any documents been lost by this company? Is their information being traded?

Those algorithms determine what a hacker would see, what cybersecurity controls a company has in place, and ultimately the expected probable loss. “We believe you have to take a novel approach — underwrite it like an adversary would view that company,” says Motta.

Coalition provides a suite of cybersecurity products for small to midsize businesses (SMBs) and comprehensive cyber and technology E&O insurance of up to $10 million in coverage. One of the challenges in selling to this sector, Motta says, is that “small to medium-sized businesses don’t know what to ask for. There are not a lot of policies that are both comprehensive and modular, where you can pick what you want.”

Clients, Motta added, need to be able to select the coverage they want and need; he joked about how Cyber insurance needs to move away from what he called the “Henry Ford approach,” where you could have any color you want, as long as it’s black.

“You have to let people break away from that,” he said. “You have to let people select their own limits. You have to let people choose the coverage they need.”

BUSINESS INTERRUPTION AHEAD

Shiraz Saeed, Practice Leader, Cyber Risk for Starr Companies, says that when most people hear the phrase “cyber attack,” they think of thieves trying to steal information. But cyber events go far beyond that, and more often than not they mean a hard stop for an organization’s business.

“People think it’s about data,” he says, and the business-interruption aspect can get short shrift — yet the BI part is the most critical to small to midsize businesses, which can’t afford to have their operations shut down for a week.

Attention to the risks posed by ransomware becomes critical for these types of clients. Greg Vernaci, head of Cyber, U.S. & Canada, for AIG, says ransomware attacks (in which one’s systems are held for ransom by a perpetrator) have been trending steadily in the last year or two. This includes cyber extortion, which from a claims-handling standpoint often gets tangled up with business interruption, he says, because the insured can’t access their assets and can suffer a business-income loss. “No industry is immune to it.”

What many insureds — and brokers — may not immediately know is that unless your business is interrupted for at least 10-12 hours, you might not have a claim; that threshold of time is different for different insurers, but in some cases cyber losses covered under a Property policy can’t be triggered until 24 hours’ worth of interruption. (Again, analyzing one’s terms here becomes critical if you’re a policyholder.)

Matt Prevost, senior vice president of Financial Lines at Chubb, agrees that small business is and should be focused on business interruption, versus data breach exposure. Regardless of industry, he says, all have recognized the importance of security — and that creates positive momentum around clients wanting to make themselves better risks. “Those conversations are happening all over, which is a good sign,” he adds.

“Those small business owners understand that to spend $5K to $10K on a $1 million policy is a smart move for them,” says Anderson. “That’s the space that has the largest potential for growth, and carriers are starting to give them applications that aren’t 20 pages long.”

In terms of the risk-management services offered, he adds, “it’s a no-brainer.”

Vernaci adds, “Just because you’re small doesn’t mean that you’re not going to be targeted. You are.”

In PartnerRe/Advisen’s survey of 270 brokers/agents and 125 underwriters who are directly involved in Cyber insurance business, news of cyber-related losses by others was the largest factor in product sales.

[Chart: What are the biggest obstacles to writing/selling this coverage? Categories: Not understanding exposures; Not understanding coverage; Different policy forms/coverages in market; Application process; Scope of coverage; Lack of value added products/services; Capacity constraints in market; Cost. Axis: 0% to 90%.]

SOURCE: Advisen 2017 Survey of Cyber Insurance Market Trends

SOCIAL ENGINEERING COMES OF AGE

Meanwhile, social engineering or “phishing” attacks continue to grow not just in number but also in polish. Palotay notes how perpetrators will now not simply hack into a company’s e-mail system and try to convince a subordinate to wire money to their boss, for example, but rather, first monitor that boss’ e-mails to better copy their writing style in order to make the eventual request far more believable.

When in doubt, experts say, if it looks fishy, it’s probably phishing.

“Information is the new gold at all types of companies, and employees need to understand what that means,” says Christina Terplan, a partner at Clyde & Co. who practices in the areas of technology, intellectual property and privacy law, representing insurers in issues ranging from coverage evaluations and disputes to litigation management.

Terplan says she’s seeing a huge uptick in social engineering fraud and an increase in the level of sophistication in those attacks: “It’s scary now, how much they know about their targets.” Law firms can be penetrated, their settlement funds wired to a different entity. In real estate transactions, one of the parties involved in the deal’s closing can be compromised and the money disappears.

“The best way to avoid litigation is to make sure you don’t have an incident, which boils down to practices and procedures,” says Terplan. In many cases, she adds, someone who ends up being negligent in unwittingly aiding a phishing scam could have saved a lot of heartache by simply calling the person requesting a funds transfer to verify the request.

“In those cases,” she says, “old-fashioned modes of verification work the best.”

Palotay says that many hackers have moved from trying to steal private information to cyber extortion for two reasons: The payoffs are bigger, and the price of personal payment information has gone down on the black market with the advent of chip technology and more sophisticated encryption. Credit card information now has a shorter shelf life than in recent years.

Previously, social engineering losses were in some cases considered a crime loss; now it could be a financial loss, depending on the insurer’s terms & conditions. Again, carriers are looking to make sure these gaps are being covered, or at least explicitly excluded.

In any case, Vernaci says in the event of a loss, policyholders should not wait to notify their carriers: “These types of incidents don’t age well, and it’s better to address them right away.”

“The fact that social engineering losses are common doesn’t change the level of damage that can be done,” Palotay adds. “If you’re looking down the barrel of a million-dollar loss when you’ve got only $5 million in total revenues, you’re really going to have a problem.”

ADVICE FOR BROKERS

“The broker with a team to actually dissect forms and not just beat someone else on price is the type that insurers want to work with,” says Saeed at Starr. Delving into the details of forms that can become highly complicated is a must for brokers wanting to do business in this sector.

“One of the difficulties we have in our space is that the policies can be very confusing,” says Anderson. “With Cyber, we can have anywhere from two to 21 insuring agreements, broken down to first- and third-party liability risks.”

It helps, he says, that insurers now do a much better job of offering risk management services on the front end — assessments, tools and other assistance to make sure guideposts are in place prior to a breach. The entire approach has become less reactionary and more proactive.

Midsize businesses in particular can be sold on the value of pre-incident services and education, such as employee-awareness training for no additional cost. Those services help to drive the sales conversation and articulate the insurer’s value proposition.

“Something as straightforward as a password manager is still foreign to [small businesses],” says Prevost. “Culturally, we do need to take this very seriously, but there are people out there still using ‘PASSWORD’ for their password. What are the best-in-class controls, and what mistakes have been made that we can learn from?”

He adds that brokers need to focus more on the impact of cyber risk across the client’s entire portfolio — how it crosses other coverage areas — “instead of focusing on one policy in their relationship.”

AIG’s Vernaci says that for new clients, “it needs to be an open-ended question. What does the client consider their greatest risk? Ask them what they believe their key exposure is. How do the client’s existing P&C policies respond to it? Are they silent, or affirmative?” From there, he adds, a standalone Cyber policy can be thoughtfully crafted.

In terms of who’s driving the buy for Cyber coverage, Anderson says that pattern has shifted. Three to five years ago, he explains, “it was a trickle-up from the broker to the risk manager to the CFO to the CEO, then to the board. Now, that’s reversed. Now, the board is asking companies how well they’re protected.”

Vernaci also sees an increasing trend for the C Suite to be involved. When making the case for cyber protections to an organization’s top management, brokers can stress the availability of pre-incident services, which offer the client “far more value than just a risk-transfer solution.”

Cottini says that ultimately, it’s a question of how much revenue the client is willing to risk losing in a cyber incident versus what they think they could or should pay.

At the end of the day, “recognize your client’s risk and understand their exposures,” adds Saeed. “Think about hacking and where it can go — let your imagination run wild. Because it’s all possible.”

Cyberattacks by industry, 2010-2016

Data as of August 1, 2017

Professional, scientific and technical services 12%

Finance and insurance 17%

Healthcare and social assistance 16%

Other 54%

SOURCE: Insurance Information Institute