Cyber Blackout Could Cost Insurers $71 Billion, Lloyd’s Reports

A cyberattack targeting the U.S. power grid would have widespread economic implications, resulting in insurance claims of between $21.4 billion and $71.1 billion in a worst-case scenario, according to a report by Lloyd’s.

Lloyd’s and the University of Cambridge’s Centre for Risk Studies recently released “Business Blackout,” which examines the insurance implications of a major cyberattack using the U.S. power grid as an example. In the scenario outlined, malware is used to infect control rooms for generating electricity in areas of the Northeastern U.S. The malware goes undetected and locates 50 generators that it can control, forcing them to overload and burn out. The scenario, described as “improbable but technologically possible,” leaves 15 states in darkness, meaning that 93 million people are without power.

Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue for businesses and disruption to the supply chain. The total impact to the U.S. economy is estimated at $243 billion, rising to more than $1 trillion in the most extreme version of the scenario.

Claimant types fell into six categories:

Power generation companies

• Property damage to their generators.

• Business interruption from being unable to sell electricity as a result of property damage.

• Incident response costs and fines from regulators for failing to provide power.

Defendant companies

• Companies sued by power generation businesses to recover a proportion of losses incurred under defendants’ liability insurance.

Companies that lose power – companies that suffer losses as a result of the blackout.

• Property losses (principally to perishable cold store contents).

• Business interruption from power loss (with suppliers extension).

• Failure to protect workforces or causing pollution as a result of the loss of power.

Companies indirectly affected – a separate category of companies that are outside the power outage but are impacted by supply chain disruption emanating from the blackout region.

• Contingent business interruption and critical vendor coverage.

• Share price devaluation as a result of having inadequate contingency plans may generate claims under their directors’ and officers’ liability insurance.

Homeowners

• Property damage, principally resulting from fridge and freezer contents defrosting, covered by contents insurance.

Specialty

• Claims possible under various specialty covers, most importantly event cancellation.

Other key findings of the report include:

• Responding to these challenges will require innovation by insurers. The pace of innovation will likely be linked to the rate at which some of the uncertainties revealed in this report can be reduced.

• Cyberattack represents a peril that could trigger losses across multiple sectors of the economy.

• A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.

• The sharing of cyberattack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.

What to Do About Reputation Risk

Of executives surveyed, 87% rate reputation risk as either more important or much more important than any other strategic risks their companies face, according to a new study from Forbes Insights and Deloitte Touche Tohmatsu Limited. Further, 88% say their companies are explicitly focusing on managing reputation risk.

Yet a bevy of factors contribute to reputation risk, making monitoring and mitigating the dangers seem particularly unwieldy. These include business decisions and performance in the following areas:

Financial performance: Shareholders, investors, lenders, and many other stakeholders consider financial performance when assessing a firm’s reputation.

Quality: An organization’s willingness to adhere to quality standards goes a long way to enhancing its reputation. Product defects and recalls have an adverse impact.

Innovation: Firms that differentiate themselves from their competitors through innovative processes and unique/niche products tend to have strong name recognition and high reputation value.

Ethics and integrity: Firms with strong ethical policies are more trustworthy in the eyes of stakeholders.

Crisis response: Stakeholders keep a close eye on how a company responds to difficult situations. Any action during a crisis can ultimately affect the company’s reputation.

Safety: Strong safety policies affirm that safety and risk management are top strategic priorities for the company, building trust and creating value.

Corporate social responsibility: Actively promoting sound environmental management and social responsibility programs helps create a reputation “safety net” that reduces risk.

Security: Strong infrastructure to defend against physical and cybersecurity threats helps avoid security breaches that could damage a company’s reputation.

But brand crises make headlines with increasing frequency, and companies are laying responsibility at the feet of the C-suite, particularly chief risk officers. Deloitte reports that respondents considered the primary responsibility to rest with: the chief executive officer (36%), chief risk officer (21%), board of directors (14%), or chief financial officer (11%).

What can they do? The study offered these key points to consider when crafting a crisis management plan:

  • Don’t wait until a crisis hits to get ready. Monitoring, preparation and rehearsal are the most effective ways to get ready for a crisis event. Organizations that can plan and rehearse potential crisis scenarios should be better positioned to respond effectively when a crisis actually hits.
  • Every decision during a major crisis can affect stakeholder value. Reputation risks destroy value more quickly than operational risks.
  • Response times should be in minutes, not hours or days. Teams on the ground need to take control, lead with flexibility, make decisions with less-than-perfect information, communicate well internally and externally, and inspire confidence. This often requires outside-the-box thinking and innovation.
  • You can emerge stronger. Almost every crisis creates opportunities for companies to rebound. However, those opportunities will surface only if you’re looking for them.
  • When a crisis seems like it’s over, it’s not. The work goes on long after you breathe a sigh of relief. The way you capture and manage data, log decisions, manage finances, handle insurance claims, and meet legal requirements on the road back to normality can determine how strongly you recover.

But the real objective should be preventing these potential crises to begin with. Deloitte recommends exploring the possibilities of “risk sensing” – using real-time data to monitor the issues that might impact a company’s reputation:

Crisis management for C-suite executives

Check out the infographic below for more insights from the Deloitte Reputation@Risk survey:

Deloitte Reputation@Risk Global Survey

Lessons Learned from Data Breaches

Recent data breaches have left some large organizations reeling as they deal with the aftermath. They include the Target data breach, compromises at Home Depot, JP Morgan, USPS (which exposed employee Social Security Numbers and other data) and, most recently, Sony Pictures. The Sony hack also proved to be embarrassing to some of the company’s executives, as private email correspondence was exposed.

Collateral damage from a data breach is significant: one in nine customers affected by a data breach stopped shopping at a particular retailer. According to LifeLock, a recent survey of corporate executive decision-makers found that while concern for a breach is 4 or 5 on a 5-point scale, only 10% to 20% of their total cyber security budgets go to breach remediation. Establishing an incident response plan in advance can reduce the cost per compromised record by $17.

While strengthening cybersecurity is important, the impact on breached organizations shows that preparing a response must be part of the breach-management equation. These breaches present an opportunity for business leaders and risk professionals to learn important lessons about how to protect their companies, customers and employees if a breach should occur.

Below are steps companies can take to establish a response plan, as well as information on the data breach landscape.

The Impact of Collaboration in Cyber Risk Insurance

Former FBI Director Robert Mueller once said, “There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again.” This is the environment in which risk managers must protect their businesses, and it isn’t easy.

Cyber risk is not an IT issue; it’s a business problem. As such, risk management strategies must include cyber risk insurance protection. Until recently, cyber insurance was considered a nice-to-have supplement to existing insurance coverage. However, in the wake of numerous high-profile data breaches, cyber coverage is fast becoming a must-have. In fact, new data from The Ponemon Institute indicates that policy purchases have more than doubled in the past year, and insiders estimate U.S. premiums at around $1 billion today and rising.

But is a cyber policy really necessary? In short, yes. As P.F. Chang’s China Bistro recently discovered, commercial general liability (CGL) policies generally do not include liability coverage to protect against cyber-related losses. CGL policies are intended to provide broad coverage, not necessarily deep coverage. Considering the complexity of cyber risks, there is a real and legitimate need for specialized policies that indemnify the insured against cyber-related loss and liability.

The fact is, cyber risk is a problem all its own.

The cyber threat is pervasive, and attacks are increasing exponentially. Cyberattack trends are also shifting constantly. An attack can come from multiple directions and in multiple forms, targeting different information and outcomes: an attack launched by a hacker group intent on making a political statement, malware that enters the network through a third-party service provider to steal credit card information, or a data breach perpetrated by a trusted insider seeking competitive intellectual property (IP).

In this complex, dynamic threat landscape, the ability to accurately assess risk becomes a monumental undertaking. If we accept that every organization has been hacked or will be again, it’s clear that prior incidents are no longer relevant or legitimate indicators of a company’s risk. Similarly, stagnant security checklists required by many insurers are hardly representative of actual, ever-changing cyber risk. Traditional risk assessment methodologies that rely on these elements to determine pre-binding risk simply have no place in today’s world.

Risk Assessment for the Cyber Era

The industry needs assessment methods consistent with the changing threat landscape. That means real-time, active assessment of an entity’s entire business ecosystem including upstream and downstream threats, as well as the often overlooked insider threat. What this provides is a holistic understanding of an entity’s vulnerabilities, high priority risks and security maturity.

In the current cyber environment, it’s implicit that every organization will be the victim of a cyberattack and that there will be some cyber loss as a result. Thus, savvy underwriters are looking beyond mere ticks on a checklist to determine insurability; rather, they’re looking for security maturity and cyber resilience.

The more cyber resilient an organization, the faster it can identify a cyberattack, stop it and recover from the impact. Data loss is expected. It’s the severity of the data loss that will impact the company’s business, damage its brand and customer loyalty and erode investor confidence.

Those organizations that can quickly and effectively minimize the risk and get back to business are generally considered a safer bet.

This is where organizations can realize the benefits of holistic cyber insurance assessment. All too often, critical data is uncovered after a breach occurs. By implementing a proactive risk assessment before an attack occurs, the organization can gain in-depth intelligence about its highest priority risks before an incident, not years later when it’s too late to do anything about it. A pre-binding assessment provides the right data at the right time to inform risk management decisions and align resources with an organization’s highest priority risks.

Additionally, organizations that adopt continuous proactive assessment and ongoing risk mitigation demonstrate mature security practices, which indicate an organization’s ability to return to regular operations faster following a cyber incident.

Partners Against Cybercrime

Historically, there has been an antagonistic relationship between the insurer and client, but in the wake of catastrophic data breaches, these two sides are now finding common ground. For instance, several insurance brokers today are requiring a holistic, pre-binding risk assessment before a company can receive a policy. This benefits both the insurer and the pre-insured by providing invaluable insights about the company’s security, often revealing unexpected weaknesses and new priorities. Some policies also tie risk assessment to financial incentives to encourage ongoing risk mitigation. This becomes a virtuous circle for the insured, as it gets the benefit of reduced premiums after risk maturity has been measured, which allows the company greater insight and the ability to be proactive about reducing security risks.

For decades, the bargaining power has been with the insurer. With a revised approach, and in keeping with the demands of today’s cyber landscape, the relationship between insurer and insured has become collaborative as both sides work together to identify and mitigate risk. In this way, cyber insurance becomes an avenue for companies to improve cybersecurity, not to simply offset risk.