The Big I Virginia Summer 2020

THE NEW NORMAL: 4 PERENNIAL CYBER THREATS
By Will Jones
In 2019, ransomware and business email compromise emerged
as some of the biggest cyber threats around. As ransomware
attacks paralyzed public entities, such as the attack that
crippled the Baltimore’s government computer systems, and
business email compromise and social engineering efforts
targeted businesses from Main Street to Wall Street, the
insurance industry has reacted with a host of new products and
coverages.
However, by the very nature of the risk, yesterday’s cyber
threat will not be tomorrow’s biggest danger. Here are four
other cyber risks in the cyber liability space that will threaten
businesses in 2020:
1) Vendors. In 2017, retail giant Target was ordered to
pay an $18.5 million multistate settlement to resolve state
investigations of the 2013 cyberattack that affected more than
41 million of the company’s customer payment card accounts.
An investigation determined that cybercriminals gained access
to Target’s system through credentials stolen from a third-party
vendor. Using the credentials, the attackers gained access to
a customer service database, installed malware on the system
and captured a host of sensitive data.
“When you look at the Target situation, the hackers got in
through the vendor associated with the HVAC system,” says
Ken Heebner, senior account executive, TrustStar Insurance
Services, Inc. in Universal City, Texas. “Agents and insured
don’t take into account the vendors, the risk exposure they
bring to the table.”
“If something like that happens, that could fall on you or your
client and it becomes a huge battle,” Heebner adds. “That
vendor can be your best friend or your worst enemy. Agents
have to have those tough discussions with their clients so that
they understand the seriousness.”
2) Regulation. The California Consumer Privacy Act (CCPA)
took effect on Jan. 1 and was seen as a victory for consumers to
provide them certain rights over the data that companies like
Facebook, Google and data brokers collect from them.
Most of the CCPA is based on the European Union’s General
Data Protection Regulation (GDPR), except for one important
issue. While GDPR requires individuals to provide consent
before their data can be collected, CCPA instead assumes
consent and requires it to be revoked if an individual wishes to
opt-out. Either way, the regulations are something that could
be somewhat of a back-door risk to commercial insureds.
“Data breach obviously still mainly affects industries that
process or store sensitive information, such as retail, healthcare,
hospitality and technology, but even in this area there is change
underway,” says Jacob Ingerslev, Head of Global Cyber Risk,
The Hartford.
“New regulations, such as GDPR in Europe and the CCPA in
California, expand privacy regulation from traditionally being
mostly a data breach issue to becoming a data collection and
processing issue, with the potential for enormous fines and
elevated litigation costs relating to non-compliance with those
practices,” he says.
3) Manufacturers. Manufacturers are increasingly being
targeted not just by traditional malicious actors, such as hackers
and cybercriminals, but by competing companies and nations
engaged in corporate espionage, according to Deloitte, where
motivations range from money and revenge to competitive
advantage and strategic disruption.
In today’s business environment of increased automation,
connectivity and globalization, even the most powerful
organizations in the world are vulnerable, which leaves the
question: What happens to a manufacturing business when
its production operations suddenly grind to a halt due to a
cyberattack?
“Cyber insurance continues to be a dynamic area that requires
all of us—carriers and agents alike—to work to keep up,” says
Timothy Zeilman, HSB vice president, Global Cyber Products.
“My suggestion would be to focus the continuing shift towards
increased awareness of the cyber exposure of businesses that
don’t necessarily have high personal information exposure but
do have a significant business interruption exposure.”
“Businesses like manufacturers that have a lower personal
information exposure, but a significant business interruption
exposure may just now, with the rise of risks like ransomware be
becoming aware of their need for cyber insurance,” he adds.
4) The digitally connected world. The average
American household has six devices connected to the internet
such as a security camera, smart home assistant, smart TV or
baby monitor, according to a recent study by Grange. Any device
connected to the internet is at risk of being hacked, which puts
every type of business at risk. The example that Heebner utilizes
a lot is “elevators that are connected through the internet.”
“If something happened on that elevator that was caused due
to somebody hacking into the system, you now have removed
the general liability coverage because it’s not a covered peril on
that policy,” Heebner says.
“Agents need to have discussions with their clients about risk
management and what their exposures are so that you can get
down to helping them identify a pain point with their cyber risk
and exposure they might have missed,” he adds. “Claims due
to first-party and third-party bodily injury, property damage and
pollution could all be caused by a hacker controlling systems
through the internet.”
Will Jones is IA managing editor.
SUMMER 2020 THE BIG VIRGINIA 29