Letter from Elizabeth Geary, Global Head of Cyber
“Only when the tide goes out do you discover who has been swimming naked.” -Warren Buffet
Cyber has been a profitable line of business so far, with low loss ratios in the US ranging from the mid-30s to 50s from 2015 through 2017. This profitability has resulted in capacity flooding the market. In the US, there are almost 200 companies now writing Cyber business in classic insurance market-cycle style. Supply has outpaced the growth in demand from consumers and has resulted in increased competition, lower prices and broadening cover to appeal to more buyers.
The relatively new, immature Cyber market is now faced with a hardening overall market. How will that affect the flow of capacity? We have seen cyber insurance grow when other lines were soft. Will we now see it shrink as they harden and cyber continues to soften? Will underwriters move cyber capacity back into lines they know so well? For example, primary D&O / E&O rate increases are currently in the double-digits for public, private and excess deals (per AIG). This is for a known product, with an extensive loss history, buyers and sellers that understand the product, a product whose coverage has been stable, with arguably less systemic risk and with similar correlation to Cyber.
Evidence of primary rate improvement in other lines of business were highlighted in first quarter 2019 industry earnings calls:
- Property “achieving low to mid-teens rate improvement”…. Casualty “achieving low teens rate improvement” (AIG)
- “…P&C pricing trends have continued to improve, particularly in North America, and if anything, have accelerated over the course of the quarter. Rate is clearly in excess of claims cost”. (Zurich)
- “A favorable pricing momentum is building across most lines”. (Axa / XL)
We see the same trend. Our primary rate analysis shows positive movement in almost every line of business, which is especially welcome for underperforming areas who suffered from attritional and cat losses as well as higher loss trend and development.
There are only three lines currently negative in our analysis – Terrorism, Workers Compensation and Cyber. Of the three, Cyber, on a risk-adjusted basis, has by far, the largest negative primary rate indicated.
We do not want to stifle market growth, and it is true that cyber has not had the losses seen in other lines up to this point, but there are a number of warning signs that the run in record profitability for Cyber may be nearing an end. Claims may catch up with the development of the product / coverages and there are growing concerns about the impact of a systemic Cyber loss:
Expanded Coverage – Systemic risk has grown dramatically due to coverage enhancements. We have seen Business Interruption deductibles as low as 0-4 hours. Dependent Business Interruption, System Failure – 1st and 3rd party, are nearing or at full limits – albeit with longer waiting periods; and full prior acts is consistently offered. At least one market is offering an infrastructure write-back.
Low Pricing – As towers continue to expand without appropriate adjustment of the primary layer, high layers can go for as low as $2-$3k per million of coverage.
Low Retentions – Relative to risk and revenue size. A company with revenues in excess of $1B in revenues should not have a retention of $5M.
Cyber Insurers who write medium-to-large risks recognize many of these issues. We meet with them regularly to discuss market conditions, and we hear the same themes – there is a push to expand coverage, standardize terms (on broad broker forms) to help consistency, and pressure to reduce rates. Insurers try to push back, particularly on coverages exposed to systemic risk and decreasing rates, but the pressure to conform is strong, especially if outliers might lose business flow from their distribution channels.
To turn the tide and to ensure we develop a sustainable product (the only sustainable product is a profitable product), we see four separate developments that are currently in motion:
Cyber Losses – There is an increase in frequency and severity in losses, outpacing the increase in relative growth. Business interruption losses are emerging – Norsk Hydro (Norwegian aluminum and renewable energy firm) has been commendably open about the ransomware attack (LockerGoga) and its associated costs ($35-$40M in Q1 2019, and an additional $23-$29M in Q2 2019).
Regulatory Requirements – Regulators, particularly in the UK, are asking pointed questions about cyber risk, with a strong focus on systemic risk. (They will be peeking under the water.)
Rating Agency Pressure – Innovation and expansion are important, but rating agencies want to understand the exposure and overall risk to the company (particularly as respects systemic risk).
Increased Demand Relative to Capacity – Headline losses drive demand. More companies are buying cyber cover and companies are buying more cyber cover. At the same time, companies are becoming more concerned with systemic risk and may soon have to curtail their writings.
Cyber insurance is a necessary product and an excellent service for clients. To ensure Cyber market sustainability, we need profitable growth. That means we keep systemic coverages under control, and we charge a price that reflects the risk and service we provide.
All lines of business need to show a balance of premium to risk before the tide goes out. Cyber is no exception. We can pretty much guarantee that nobody wants to see naked cyber writers.
Notable Breaches
Latest Instagram Hack Exposes 49 Million Accounts
In the most recent attack, the Facebook subsidiary exposed telephone numbers and email addresses. Combined with recent research by cyber security firms to demonstrate potential weaknesses, there are reports that privacy concerns may be driving lower usage statistics and recruitment practices.
Spyware Targets WhatsApp Users
The messaging app WhatsApp discovered a vulnerability that could expose users to malware. A bad actor could transfer the malware to a users phone simply by calling it, without even requiring the user to answer. The spyware was allegedly developed by Israeli company NSO Group. WhatsApp alerted US law enforcement agencies, issued a CVE notice to the cyber community, and notified and its users. WhatsApp is used by approximately 1.5B people worldwide.
Source: The Guardian
Data Breach Targets Australian National University
The Australian National University (ANU) has been hit by data breach exposing personal data going back 19 years. Credit card details, medical records and research work were all unaffected.
Source: ABC
Attack on Graphic Design Platform Canva
Australian based graphic design platform Canva has confirmed that it detected and stopped a malicious attack on its systems in May. 139 million users’ personal information, including partial credit card data, was exposed on the company’s profile database.
Source: Canva
Cyberattack earlier this year contributes to Norsk Hydro’s fall in 1Q underlying profit.
Source: Yahoo Finance
Large-scale Retailer Uniqlo Hack Affects 460,000 Online Accounts
Japanese retail company Uniqlo was hacked from April 23rd to May 10th. Uniqlo believes 460,000 accounts were accessed, and hackers gained personal information such as credit card numbers and purchasing history of shoppers. This attack was limited to Japanese websites yet hackers could use potential overlap in user login information to gain access to other accounts.
Source: Bloomberg
A hacker has received a four year custodial sentence following his involvement the 2015 attack on Talk Talk Telecom.
Source: BBC
"Smart" Cities More Susceptible to Ransomware
With more city governments incorporating technology into their daily operations, opportunities for hackers to breach local databases are increasing. The most common method is ransomware, which encrypts stolen data and keeps it locked until a ransom is paid. San Francisco, Albany, New York, and a city in Maine (Ed. Note: add to this list three towns in Florida, as discussed elsewhere in this issue) have all been affected by data breaches of this nature. For instance, the city of San Francisco lost millions when the Municipal Transportation Agency was unable to accept money from passengers due to a cyber-attack. In 2018 Atlanta had to pay $50,000 in ransom along with millions of dollars to recover from a breach.
Source: AV Club
Ransomware Attacks Airplane Parts Maker ASCO
A ransomware attack occurred on June 7th against Belgium-based airplane parts maker ASCO Industries. AT&T Alien Labs believes the same ransomware used in the Norsk Hydro event - dubbed LockerGaga – may have been used here as well, however, the event is still under investigation. There has already been cases of manufacturing companies being attacked by ransomware, and it is believed that many more will come. Co-founder of Nozomi Networks, Andrea Carcano, said that paying the ransom is not ideal and organizations should have contingency plans in place to minimize damages.
Source: SC Media
An international crime gang with over 40,000 victims and criminal proceeds of over $100m has been dismantled. The gang operated by infecting computers with GozNym malware.
Source: BBC
Target Customers Unable to Make Purchases
Target customers around the country were at a halt on two days in a row. On June 15th and 16th, registers were unable to process any card payments. More than 1,800 stores were affected. On both occasions, Target was able to solve the problem within hours. Target sent a few tweets related to the issue, one of them stating NCR - a vendor that helps accept payments - had a problem at one of their data centers. The malfunction was apparently not related to any data breach or Target’s technology system.
Source: Tech Crunch
Third Florida City Targeted By Ransomware
Lake City, FL was recently forced to pay nearly $500k in Bitcoin to hackers less than a week after another Florida town, Riviera Beach, had to pay a $600k ransom to hackers. The IT department in Lake City was able to shut down computers within minutes of the hack; however, employees were not able to access their email and residents could not make municipal payments on the website until the ransom was paid. The attacks did not stop there, as Key Biscayne has become the latest to be hit. All of these ransomware attacks were caused by city employees clicking on an email that released malware.
Source: New York Times
Regulatory and Legislative
Washington and New Jersey Pass Breach Notification Legislation
Washington and New Jersey recently passed laws expanding and refining their rules for breach notification. Although both states had existing rules on the books on the issue, the new rules reflect the growing regulatory attention being paid nationwide, the increased governmental understanding of what the meaningful issues are, and a rising threshold of what an adequate response to a breach is.
Source: Saul Ewing Arnstein & Lehr
California Data Privacy Law Update
California’s upcoming Consumer Protection Act (CCPA) will be one of the farthest-reaching in the country when it takes effect on January 1, 2020 – but its final form remains uncertain, as a number of bills seeking to alter the law in a wide variety of ways. Although the two most-talked-about amendments - which would expand the private right of action under the upcoming law - appear to have stalled, a number of other amendments are likely to move forward, including among others:
- The definition of “de-identified” information is clarified, “reidentification” is prohibited, and the definition of personal information is narrowed.
- Job applicants, employees, contractors, and agents are excluded from the definition of “consumer.”
- Business required to provide “clear and conspicuous” notice that they are using facial recognition technology.
Source: Lewis Brisbois
Nevada Adds State Privacy Law to Growing List
Nevada has already passed their own data privacy law, currently referred to as SB220, styled after the CCPA. The Nevada law was signed by the governor on May 29, 2019, and while it is not as broad as California’s proposed Consumer Protection Act, it goes into effect more quickly, in October 2019.
Source: Sidley
ICO Issues substantial GDPR fines
In breaking news the UK’s Information Commissioner’s Office (ICO) has announced its intention to issue substantial penalties to British Airways (£183.39m) and Marriott (£99m) for their respective post GDPR data breaches. In doing so the ICO stressed the legal duty organizations have for the security of the personal data they hold and that message is sure to hit with these proposed fines. More generally the commissioner concluded that the high number of personal data breach reports along with the low percentage of cases requiring action suggests that businesses are taking the GDPR seriously a year after its implementation by the European Union. The ICO received 41,000 data protection concerns from the public compared to 21,000 in the prior year. While only 12,000 of the post GDPR cases have been closed, only 0.5% of these resulted in either an improvement plan or a civil monetary penalty. The EU Data Protection Board (EDPB) indicated that there were 240,000 cases reported across the EU in the same period.
Regulator Criticism of Cathay Pacific Following Breach
Hong Kong data protection commissioner orders Cathay Pacific to appoint an independent data security expert to overhaul its personal data storage systems due to a ‘lax attitude towards data governance’ following unauthorized access to the data of 9.4 million passengers last year
Source: Reuters
Hong Kong & Singapore Cooperate on Data Protection
The data protection authorities of Hong Kong & Singapore have signed a Memorandum of Understanding (MoU) to strengthen cooperation.
Source: PDPC
EU Targets Attackers with New Sanctions
The Council of the European Union has established a framework to impose ‘sanctions targeted restrictive measures’ to deter and respond to cyberattacks which constitute an external threat to the EU or its member states including third states or international organizations. Sanctions will target those responsible for attacks or attempted attacks which have potentially significant effect. Restrictive measures include travel bans and asset freezes.
Source: Europa
ICO Levies Large Fine Under Old Data Protection Act
Pregnancy and parenting support group, Bounty (UK) Limited has been fined £400,000 by the ICO for sharing in excess of 34 million records comprising personal data of 14 million individuals to third party companies. Data subjects included potentially vulnerable new mothers but also young children.
Source: ICO
Touchstone Medical Imaging Agrees to $3M Fine
Touchstone suffered a breach affecting over 300,000 patient records in 2014 and has now agreed to pay a $3M fine. In what was likely a key factor in the size of their settlement, they initially claimed that no patient PHI was exposed. OCR investigated and found that Touchstone had not timely look into the breach, their investigation was inadequate, and their notifications were untimely. The HHS OCR “Wall of Shame” continues to keep a running tally of healthcare breaches in the U.S.
Global Cyber Security
United States - Russia Cyber Skirmishes Heat Up
The United States Cyber Command took an offensive tack against Russia by deploying a code inside Russia’s power grid. Once deployed, the code is invisible and so the extent of its penetration into the Russian system will remain an unknown unless it is activated. No special presidential approval is needed to deploy the code, and it is believed that Trump was not briefed about the implant ahead of time, in line with broad hesitation from the Pentagon and intelligence community to go into detail with President Trump over concern he may publicly divulge classified information. Russia has a history of cyber-attacks, including against both the U.S. power grid, and U.S. election equipment.
Source: New York Times
Cisco Router Found to Have Significant Vulnerabilities
Cisco 1001 – X router was discovered to be vulnerable to cyberattacks. Researchers from the firm Red Balloon found ways to gain full control over the Cisco’s IOS operating systems, bypassing the Cisco’s Trust Anchor security protection. This would allow a hacker to gain access to all devices connected to the router, including those with potentially sensitive information. Cisco is creating a patch to fix these issues, however, it will take a few months to develop fixes and will need to be installed onsite. Red Balloon also commented on the core of the Trust Anchor called “field programmable gate array” (FPGA). They stated that FPGA is unsafe and was able to modify it to override the stop and kill switches.
Source: Wired
Beazley has reported a 105% rise in the number of ransomware attacks in 1st quarter with a shift in focus to larger organisations and higher ransom payments.
Source: Slipcase
Hiscox Reports Jump in UK Cyber Attacks
Insurer Hiscox surveyed 5,400 business across seven European countries, finding 55% had been targeted by a cyber attack in the last year – a significant increase over the 40% who had the year before. In addition to the increase in number of attacks, the cost of those attacks also jumped roughly 61% year-over-year. (Ed. Note: for additional detail see the full report linked below.)
Source: BBC
No Honor Among Cyber-Thieves: Dark Web Targeted
Three of the largest crime-focused marketplaces on the dark web were targeted by significant DDoS attacks earlier this year. Dream Market, Empire Market, and Nightmare Market – all known for selling drugs, guns, malware, and hacked data – were targeted, with Dream Market actually planning on shutting down after being cripple by 7 weeks of sustained attacks. The alleged source of those attacks demanded a $400k ransom to stop them.
Source: ZDNET
Bug Bounty Program Reveals Unique Insight Into Hacking
HackerOne is a program that pays rewards (bounties) to hackers who find exploits in corporate systems and report them so they can be fixed. Programs like this – referred to as “bug bounties” – have proven to be great successes over the years, but the newly released data is a rare look into what types of bugs are most commonly found, in what industry, etc. Many large corporations like Apple and Google run their own independent bug bounty programs.
Source: Gizmodo
Litigation News
Kronos Pays $1.6M for Violating Privacy Law
Smith’s Senior Home, Kronos located in Chicago violated the Biometric Information Privacy Law (BIPA) on May 10th. Kronos uses a biometric timekeeping device which scanning employees fingerprints. The employees never gave informed consent, therefore, violating BIPA regulation. Smith’s employee Cynthia Dixon claimed that the employee's fingerprints were also shared with Massachusetts bases Kronos. Kronos is now paying $1.55 million to settle this claim. Employees who were employed on September 28, 2015 to when U.S District Judge Matthew Kennelly approved will be receiving $1,000.
Source: Law360
This is but one example of a large and increasing number of lawsuits filed under BIPA, particularly since the Rosenbach v. Six Flags Illinois Supreme Court decision discussed in the last newsletter.
Source: TransRe
CJEU to Hear Facebook Case
Facebook has failed in an appeal to the Irish Supreme Court to prevent the High Court from referring a number of key questions pertaining to transfer of personal data directly to the Court of Justice for the European Union (CJEU). Concerns relate to the adequacy protections afforded to data transferred outside the EU and an adverse ruling by the CJEU could have significant implications for businesses doing so.
Source: Reuters
Morrisons Given Permission to Appeal
UK Supermarket chain Morrisons has been granted leave to appeal to a ruling that it was vicariously liable for the acts of a disgruntled employee who released the personal data of 100,000 employees online.
Source: Financial Times
Marriott Data Breach Litigation Update
Litigation resulting from the late-2018 Marriott breach affecting approximately 383 million customers is currently under way. U.S District Judge, Paul Grimm, ordered the case to be processed quickly and closed by the end of the year. There are over 100 class action law suits being overseen by Judge Grimm, including those filed by consumers, financial institutions, and municipalities like the City of Chicago. Investigations into the exact nature and extent of the breach and its consequences remain ongoing.
Source: Cohen Milstein
FedEx Not Petya lawsuit
A securities class action has been filed against global logistics company FedEx for allegedly not fully disclosing the extent of the disruption to the company following the 2017 Not Petya cyberattack.
Source: GlobeNewsWire
CryptoCorner
India Proposes Jail Time for Cryptocurrency Users
India has proposed a law that would prohibit holding, selling, or dealing in cryptocurrency with penalties of up to 10 years in prison. The rationale for the law refers to the “high chances” that cryptocurrency will be used for money laundering, etc. The chances of the bill becoming law are unknown, as are the realistic effects as tracking and attributing bitcoin transactions is notoriously difficult.
Source: India Today
Crypto Pricing Remains Volatile
Bitcoin and several other leading cryptocurrencies have rebounded in value since their 12/2018 lows (1 BTC = $7,792; 1 ETH = $239). Pricing remains incredibly volatile compared to both traditional currencies and mainstream investments. Warren Buffett recently commented on Bitcoin, referring to it as a “gambling device” and “not an investment.”
Sources: Coinbase, Yahoo Finance
Aon & Guy Carpenter have announced a collaboration to bring greater efficiency to reinsurance placement through distributed ledger technology.
Source: AON
Cyber Reports
The Anatomy of a Computer Virus
By Neil Inskip VP, IT Manager
Hopefully our readers enjoy my little anecdotes- please be sure to post negative feedback if you don’t, and I’ll attempt to trim things down for future. Alternatively, (and a more desirable outcome,) feel free to provide the business equivalent of a “thumbs up.”
Showing my age, I purchased my first computer back in 1992/93 so that I could use it for typing up university assignments and for computer programming. I should admit that much of the time, it was also used for gaming. One day, I borrowed a game from a friend on a floppy disk. The objective of the game, as an eight-bit caveman, was to club as many eight-bit dinosaurs as you could. I played it for a while, but being a conscientious student, I thought I’d better type up my assignment as it was getting close to 3am. I took the disk out and restarted my PC to get back into windows, but at that point two blocky marijuana leaves popped up on either side of my screen. In the middle were the words, “Your PC is now stoned” in magenta. It was a very annoying boot sector virus that later morphed into the even more infamous Michelangelo virus. The virus was transferred from the disk to my PC hard disk by altering the boot sector, which is the piece of software designed to load your operating system. Back then, no expensive antivirus products meant the average Joe was stuck with no alternative but to format their PC and rebuild it.
All viruses operate by inserting or attaching themselves to a legitimate program or macro and are designed to spread from one computer to another. Viruses will lay dormant until a computer or device creates the circumstances for them to execute their code. Another classic example was the Friday the 13th virus. The trigger was the date, and I still remember one of my lecturers announcing back then that he’d found the solution – he just wouldn't switch his PC on until Saturday the 14th.
Since the 90’s, anti-virus or anti-malware packages have been largely signature-based, which means they are “trained” to recognise the code attempting to be inserted and block it. In 2012 Symantec antivirus was blocking over 17 million virus and virus variants. At this point I should say “other anti-malware products are available”. Clearly if you need to know what a virus looks like if a new one is released, your antivirus provider must be quick off the mark to write the new defence; during that lag, you are totally exposed. Another headache for IT is that the packages have a large “foot print” in terms of disk, memory and CPU cycles as it checks inbound file activity against that massive list.
That all sounds a bit dated, and it is, so enter Next Generation Anti-Virus (NGAV). Its been said that, like jokes, there are not that many types of virus, and the rest are just variations on a theme. What NGAV attempts to do is use behavioural analysis/AI to spot the behaviour by monitoring the activities, events (or streams of events) and processes running on a computer. NGAV uses very advanced algorithms to analyse the event streams, and despite the complexity of those algorithms, they still provide coverage while having less resource requirements. Anything untoward will be blocked. The major difference is they can provide visibility into all types of malicious behaviour, not just malware. For many companies, NGAV is working well for them, but most companies are still running signature-based software alongside it, which is a sensible idea for a layered defence.
In case you were wondering, I did complete the assignment after taking a couple of hours to get my PC back on its feet, and even back then I backed my data up to diskette, so I was adequately covered. By backing up I was covered for a ransomware attack many years ahead of them being invented.
Contacts
Disclaimer
The material and any conclusions contained in this document are for information purposes only the authors offer no guarantee for the completeness of its contents. The statements in this document may provide current expectations of future events based on certain assumptions. These statements involve known and unknown risks, uncertainties and other factors which are not exhaustive. The authors of this document undertake no obligations to the publicity revise or update any statements, where as a result of new information, future events or otherwise and in no event shall TransRe or any of its affiliates or employees be liable for any damage and financial loss arising in connection with the use of the information relating to this document. Although TransRe makes reasonable efforts to obtain reliable content from third parties, TransRe does not guarantee the accuracy of or endorse the views or opinions given by any third party. This document may point to websites or other documents; however TransRe does not endorse or take responsibility for the content on such websites or other documents.
To unsubscribe please email cybernewsletter@transre.com
Click here for more Information on our privacy policies
Credits:
Created with images by Tumisu - "cyber security hacker security" • geralt - "mobile phone smartphone keyboard" • Michael Geiger - "untitled image" • witwiccan - "law books legal" • succo - "hammer court dollar" • axonite - "cyber security network" • Giammarco Boscaro - "untitled image" • MichaelWuensch - "bitcoin cryptocurrency digital" • Daniel Korpai - "untitled image"