Insurance Rate Declines Moderate as Cyber Shines

Global insurance rates declined for the 15th consecutive quarter, remaining competitive for most of 2016, according to the Marsh Global Insurance Market Index, Q4, 2016, which tracks industry data.

Insurance rate decreases moderated in the fourth consecutive quarter as global property rates continue to drop at a greater rate than other lines, mainly due to overcapacity and a lack of insured losses, according to the report.

“The last quarter of 2016 marked the 15th consecutive quarter in which average rates declined, largely due to a market with an oversupply of capacity from traditional and alternative sources and a lack of significant catastrophe losses,” Dean Klisura, global industry specialties and placement leader at Marsh, said in a statement.

After peaking at a 5% global quarterly rate of decline during the fourth quarter of 2015, that rate moderated throughout 2016. “The fourth quarter of 2016 marked an entire year (four consecutive quarters) in which the average rate of decline for global insurance rates moderated—a first since Marsh initiated the index in 2012,” says the report.

Worldwide, rates declined by 3.1% while the U.K. and Continental Europe saw the greatest regional drops at 4.8% and 4.2% respectively. Latin America saw the smallest regional drop at just 0.5% as the U.S., Asia and Pacific regions hovered midway with declines of 3.0%, 2.7% and 2.2%, respectively.

By business line, global casualty lines had the slowest rate decline at 1.9%, followed by Marsh’s Global FinPro (financial and professional) at 3.0% and then global property with the largest decline of 4.2%. U.S. rate declines reflected global figures with U.S. casualty rates declining in the fourth quarter at a rate of 2.1%, U.S. FinPro at 2.5% and U.S. property at 4.8%.

By contrast, the Marsh report tracked rising U.S. cyber liability rates, up 1.4% for Q4 2016, which was actually the smallest increase since rates started rising in Q3 2014 at a rate of 4.8% before peaking at 20.0% in Q2 2015, then beginning a steady decline toward the latest quarter. Despite steadily rising cyber liability rates, the report notes that “the number of clients purchasing cyber insurance increased 25% from 2015 to 2016 across all industries, with the greatest overall take-up in healthcare, communications, media and technology.”

Insurance markets in the U.K. and Continental Europe remain competitive, the report said, as Latin American casualty and financial and professional liability rates increased. Casualty rate increases were largely due to rising auto insurance prices, particularly in Colombia and Mexico, where Marsh says it has a large market share.

Some rates in the Pacific region notched increases, with casualty rates up 0.4% and financial and professional liability rates up 1.7%. Asia’s commercial insurance market remains competitive, according to the report.

While the report appeared to paint an overall picture of industry-wide softness, there was some suggestion of a turn in the tide. “Early indications that capacity may be moderating and that combined ratios may be increasing could be harbingers of looming rate increases as carriers seek to boost profitability and keep combined ratios below 100%,” Marsh says in its report.

In addition to looking back with its rates report, Marsh also takes a look forward in its “U.S. Financial and Professional Market in 2017: Our Top 10 List.” The company states that decreases in the directors and officers insurance market, continue “nine straight quarters of rate decreases.”

The Top 10 list goes on to say that cyber insurance will evolve as “risk professionals will need to address evolving cyber risks across multiple platforms,” and adds that financial and technology industries are converging at an increasing pace. “Financial companies will increasingly see exposures that were historically the domain of the technology industry,” it says.

In its “Casualty Insurance Outlook: Good News for Buyers in 2017,” Marsh says 2017 is “generally a buyer’s market for casualty insurance buyers, who typically are seeing strong competition and ample capacity for most casualty lines.”

New York Cybersecurity Regs to Take Effect March 1

The state of New York is implementing sweeping new regulations designed to protect insurers, banks and others from the growing wave of electronic security breaches which are making headlines and causing headaches across the financial services industry.

The new rules, slated to take effect March 1, mandate that insurers, banks and other financial services institutions regulated by the Department of Financial Services (DFS) establish and maintain a cybersecurity program. In addition to setting program standards, the 12-page document also provides definitions for companies as well as laying out “Transitional Periods” of 180 days to two years for companies to comply with different parts of the conditions and parameters of the regulations.

Entities must create and maintain written policies, requiring board-level or equal approval, setting out the company’s cybersecurity plan. Companies also must designate a chief information security officer (CISO), either in-house or third-party, who will be required to report annually to the company’s board. The rules call for stress testing of systems and periodic risk assessment and for the inclusion of third party service providers in a company’s cybersecurity plan.

The regulations will be published in the New York State register on March 1 and lay out the Department’s logic in establishing the new standards. According to the document:

“The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems… Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances… It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

New York’s regulatory framework is the first of its type in the nation, according to a release from the Governor’s office.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew M. Cuomo said in the statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Under development since 2014, proposed new regulations were first published in September 2016, followed by a 45-day comment period. Updated proposed regulations were then published in December 2016, followed by a 30-day period for comments. Then in December, N.Y. state delayed implementing the rules and subsequently adjusted some requirements to reflect input from the industry, which asserted the rules were burdensome and said they would need more time to comply.

In addition to these accommodations, DFS took measures not to burden smaller businesses by establishing limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end assets.

According to the statement from the Governor’s office, the new regulations mandate:

• Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization

• Risk-based minimum standards for technology systems including access controls, data protection that includes encryption, and penetration testing

• Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events

• Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS

While cybersecurity has become an outsized concern for many business as high-profile breaches have played out in the media, sometime drawing in millions of consumers and costing companies millions of dollars in addition to precious reputational damage, many businesses remain under—or unprepared—for the challenges posed by cyber threats.

Indeed, The Hiscox Cyber Readiness Report 2017 surveyed managers and IT specialists at 3,000 small to large companies in the U.S., U.K. and Germany and found that just over half, 53%, of businesses are ill-prepared to deal with cyber-attacks. The study ranked companies from novice to expert in four key areas: strategy, resourcing, technology and process. Only 30% qualified as “expert” in their overall cyber readiness, of which 49% were U.S.-based companies.

Bribery and Corruption: What’s the best approach?

On Feb. 17, Samsung empire’s heir Lee Jae-yong was arrested on corruption and bribery charges connected to a nationwide political scandal in South Korea. While this is unlikely to directly impact the global tech behemoth in day-to-day matters, it is important to investigate how firms and governments can work together more successfully to combat white collar crime and corruption.

An international affair
The fight against bribery and corruption has historically been led by the United States, the first country to implement tough legislation with the Foreign Corrupt Practices Act of 1977. The federal law was enacted to address accounting transparency requirements and to make bribery of foreign government officials illegal.

Europe is not far behind with a range of legislation designed to prosecute and punish corporate crime. Other emerging market governments are finally cracking down as well, holding both domestic and foreign businesses and their senior management, to account.

Tackling bribery and corruption requires prosecutors and regulators that are properly equipped to investigate and deal with complex factual and legal issues. It also requires a judiciary that is impartial and can operate without political interference.

The United Kingdom’s Bribery Act of 2010 is a good example of tough new legislation that regulators and prosecutors can rely upon when investigating such crimes. It has extra-territorial reach both for U.K. companies operating abroad and for overseas companies with a presence in the U.K. It also introduced a new strict liability offence for companies and partnerships of failing to prevent bribery.

The law is not enough
Unfortunately however, even the best legal framework in the world is insufficient on its own.

Companies need to understand exactly how to go about preventing unlawful behavior, particularly in new and distant markets that their headquarters may not clearly understand. Ultimately, the real responsibility and accountability remains with the business to ensure compliance.

Countries with robust criminal and anti-corruption laws might be able to prosecute those individuals or businesses that commit offences within or outside the jurisdiction but the problem will continue until international businesses rigorously apply universal global standards to tackle corruption across emerging markets.

It’s Still about the culture
In short, this issue is about corporate culture. The following are fundamental steps for fine-tuning your organization’s approach to corruption:

• Develop a culture through education, where turning a blind eye to unlawful activity is not an option. Staff should feel comfortable with speaking out if they see anything potentially suspicious. Anti-bribery and corruption training needs to be repeated and made relevant to the day-to-day scenarios employees at different levels might face.

• The tone must be set at the top. For instance it can be useful to educate your firm’s directors with formal governance training, such as from the Institute of Directors (IoD) in London. This level of top-level attention to corporate compliance programs, including training, should be the norm.

• Proper dialogue needs to be established with regulators—not just a one-way stream of new laws and compliance requirements. A regulator should seek the views of those it is regulating. This two-way approach really does work.

10 Lessons Learned from Breach Response Experts

SAN FRANCISCO—As hacking collectives target both the public and private sectors with a wide range of motivations, one thing is clear: Destructive attacks where hackers destroy critical business systems, leak confidential data and hold companies for ransom are on the rise. In a presentation here at the RSA Conference, the nation’s largest cybersecurity summit, Charles Carmakal and Robert Wallace, vice president and director, respectively, of cybersecurity firm Mandiant, shared an overview of some of the biggest findings about disruptive attacks from the company’s breach response, threat research and forensic investigations work.

In their Thursday morning session, the duo profiled specific hacking groups and the varied motivations and tactics that characterize their attacks. Putting isolated incidents into this broader context, they said, helps companies not only understand the true nature of the risk hackers can pose even in breaches that do not immediately appear to target private industry.

One group, for example, has waged “unsophisticated but disruptive and destructive” against a number of mining and casino enterprises in Canada. The hackers broke into enterprise systems, stole several gigabytes of sensitive data and published it online, created scheduled tasks to delete system data, issued ransom requests, and even emailed executives and board members directly to taunt them about the data exposed and increase the pressure to pay. Further increasing that pressure, the group is known to contact journalists in an attempt to publicize the exposed data. Victims have endured outages for days while trying to recover data from backups, and some have paid the ransoms, typically requested in the range of $50,000 to $500,000 in bitcoin.

Mandiant refers to this group as Fake Tesla Team because the hackers have tried to seem a more powerful and compelling threat by claiming they are members of Tesla Team, an already existing group that launches DDoS attacks. As that group is thought to be Serbian, they have little reason to target Canadian entities, and indeed, the bits of Russian used by Fake Tesla Team appears to be simply translated via Google.

In all of the group’s attacks that Mandiant has investigated, the hackers had indeed gained system access and published data, but they exaggerated their skills and some of the details of access. Identifying such a group as your attacker greatly informs the breach response process based on the M.O. and case history, Mandiant said. For example, they know the threat is real, but have seen some companies find success in using partial payments to delay data release, and they have found no evidence that, after getting paid, the collective does anything else with the access they’ve gained.

Beyond considerations of specific hacking groups or their motivations, Carmakal and Wallace shared the top 10 lessons for addressing a breach Mandiant has distilled from countless investigations:

  1. Confirm there is actually a breach: make sure there has been a real intrusion, not just an empty threat from someone hoping to turn fear into a quick payday.
  2. Remember you face a human adversary—the attacker attempting to extort money or make other demands is a real person with emotional responses, which is critical to keep in mind when determining how quickly to respond, what tone to take, and other nuances in communication. Working with law enforcement can help inform these decisions.
  3. Timing is critical: The biggest extortion events occur at night and on weekends, so ensure you have procedures in place to respond quickly and effectively at any time.
  4. Stay focused: In the flurry of questions and decisions to make, focus first and foremost on immediate containment of the attack.
  5. Carefully evaluate whether to engage the attacker.
  6. Engage experts before a breach, including forensic, legal and public relations resources.
  7. Consider all options when asked to pay a ransom or extortion demand: Can you contain the problem, and can you do so sooner than the attack can escalate?
  8. Ensure strong segmentation and control over system backups: It is critical, well before a breach, to understand where your backup infrastructure is and how it is segmented from the corporate network. In the team’s breach investigations, they have found very few networks have truly been segmented, meriting serious consideration from any company right away.
  9. After the incident has been handled, immediately focus on broader security improvements to fortify against future attacks from these attackers or others.
  10. They may come back: If you kick them out of your system—or even pay them—they may move on, perhaps take a vacation with that ransom money, but they gained access to your system, so remember they also may come back.