In 2019, ransomware and business email compromise emerged as some of the biggest cyber threats around. As ransomware attacks paralyzed public entities, such as the attack that crippled Baltimore's government computer systems, and business email compromise and social engineering efforts targeted businesses from Main Street to Wall Street, the insurance industry has reacted with a host of new products and coverages.
However, by the very nature of the risk, yesterday’s cyber threat will not be tomorrow’s biggest danger. Here are four other cyber risks in the cyber liability space that will threaten businesses in 2020:
1) Vendors. In 2017, retail giant Target was ordered to pay an $18.5 million multistate settlement to resolve state investigations of the 2013 cyberattack that affected more than 41 million of the company's customer payment card accounts.
An investigation determined that cybercriminals gained access to Target's system through credentials stolen from a third-party vendor. Using the credentials, the attackers gained access to a customer service database, installed malware on the system and captured a host of sensitive data.
“When you look at the Target situation, the hackers got in through the vendor associated with the HVAC system,” says Ken Heebner, senior account executive, TrustStar Insurance Services, Inc. in Universal City, Texas. “Agents and insured don’t take into account the vendors, the risk exposure they bring to the table.”
“If something like that happens, that could fall on you or your client and it becomes a huge battle,” Heebner adds. “That vendor can be your best friend or your worst enemy. Agents have to have those tough discussions with their clients so that they understand the seriousness.”
2) Regulation. The California Consumer Privacy Act (CCPA) took effect on Jan. 1 and was seen as a victory for consumers, giving them certain rights over the data that companies like Facebook, Google and data brokers collect from them.
Most of the CCPA is based on the European Union’s General Data Protection Regulation (GDPR), except for one important issue. While GDPR requires individuals to provide consent before their data can be collected, CCPA instead assumes consent and requires it to be revoked if an individual wishes to opt out. Either way, the regulations could be somewhat of a back-door risk to commercial insureds.
“Data breach obviously still mainly affects industries that process or store sensitive information, such as retail, healthcare, hospitality and technology, but even in this area there is change underway,” says Jacob Ingerslev, Head of Global Cyber Risk, The Hartford.
“New regulations, such as GDPR in Europe and the CCPA in California, expand privacy regulation from traditionally being mostly a data breach issue to becoming a data collection and processing issue, with the potential for enormous fines and elevated litigation costs relating to non-compliance with those practices,” he says.
3) Manufacturers. Manufacturers are increasingly being targeted not just by traditional malicious actors, such as hackers and cybercriminals, but also by competing companies and nations engaged in corporate espionage, with motivations ranging from money and revenge to competitive advantage and strategic disruption, according to Deloitte.
In today’s business environment of increased automation, connectivity and globalization, even the most powerful organizations in the world are vulnerable, which leaves the question: What happens to a manufacturing business when its production operations suddenly grind to a halt due to a cyberattack?
“Cyber insurance continues to be a dynamic area that requires all of us—carriers and agents alike—to work to keep up,” says Timothy Zeilman, HSB vice president, Global Cyber Products. “My suggestion would be to focus on the continuing shift towards increased awareness of the cyber exposure of businesses that don’t necessarily have high personal information exposure but do have a significant business interruption exposure.”
“Businesses like manufacturers that have a lower personal information exposure, but a significant business interruption exposure may just now, with the rise of risks like ransomware, be becoming aware of their need for cyber insurance,” he adds.
4) The digitally connected world. The average American household has six devices connected to the internet, such as a security camera, smart home assistant, smart TV or baby monitor, according to a recent study by Grange. Any device connected to the internet is at risk of being hacked, which puts every type of business at risk. An example that Heebner uses often is “elevators that are connected through the internet.”
“If something happened on that elevator that was caused due to somebody hacking into the system, you now have removed the general liability coverage because it's not a covered peril on that policy,” Heebner says.
“Agents need to have discussions with their clients about risk management and what their exposures are so that you can get down to helping them identify a pain point with their cyber risk and exposure they might have missed,” he adds. “Claims due to first-party and third-party bodily injury, property damage and pollution could all be caused by a hacker controlling systems through the internet.”
Will Jones is IA managing editor.