Does Cyber Insurance Cost Too Much?

Posted on April 27, 2023 by Marijana Dabic

We often hear that cost can make cyber insurance a non-starter for businesses. We get it; broad coverage comes at a price given the value of services provided with a policy these days.

So, CFC has listed below the 5 key reasons a cyber insurance policy, is worth the financial investment.

Cyber is a business’ largest exposure
We’re in a digital age and businesses no longer rely on paper trails and filing cabinets. This digital reliance has shifted a business’ assets from tangible to intangible, making them wildly accessible and opening even the smallest of businesses to a whole new era of risk.

Subsequently, most companies today state that cyber risk is in their top three, if not their number one business risk given their reliance on technology. Since the frequency of loss is that much greater for a cyber event than traditional perils, such as a fire – it makes sense that the cost of cyber insurance today will mirror a business’ largest exposure.

CFC has created a cyber risk heat map, which explains the varying levels by industry. Hint, nearly no business is safe!

Premiums are a fraction of the cost compared to a cyber claim
The price of cyber insurance may seem higher than expected given many still consider it a discretionary purchase, but when you compare the thousands, hundreds of thousands, or even millions in costs that cyberattacks can incur for business, it’s an easy decision to make.

And the severity of those claims continues to rise. According to the latest Coveware report, it’s been noted that fewer victims are paying ransomware demands, so threat actors are demanding more money to compensate for the lower hit rate, making individual claims more expensive.

This lower hit rate on ransomware has also meant hackers are pivoting back to previous attack techniques, with the likes of business email compromise attacks showing an increase of 147% across the second half of 2022 (for SME businesses).

A good cyber policy should offer proactive protection from attacks
At CFC, from the minute the policy is bound, their cyber security team works around the clock to protect businesses against cyber-attacks.

This is a proactive, protective service that identifies potential threats using insights from a variety of sources, including public and private threat intelligence feeds that go well beyond the usual outside-in scanning tools available to insurers. If a cyber security issue is found, their team will reach out through their Response app to work with a potentially compromised business, to eliminate the threat before it can cause harm.

To pay for this level of monitoring externally, a business would need multiple providers, all individually costing upwards of thousands every year. Whereas, all of this work is done for free, as part of the standalone CFC cyber policy, as well as expert incident response and recovery.

Expert incident response and recovery
One of the other critical elements of a cyber policy is the availability of in-house cyber incident response. At CFC, their team of cyber threat analysts, digital forensic specialists and incident responders, CFC Response, is available 24/7 to triage incidents, contain threats, and repair networks if a cyber incident occurs.

Cyber policies cover a lot
A good, stand-alone cyber policy, such as a CFC cyber policy, includes comprehensive coverage.

Many small businesses do not have access to enterprise-grade security teams, threat intelligence feeds that can inform them of whether they are listed on a threat actor’s target list, or access to a multi-disciplinary team of experts who know how to respond to cyber-attacks and compliment existing IT personnel.

Equally, should the worst happen, cyber insurance policies cover cyber incident response costs, including IT forensics, legal, breach notification and crisis communications to cybercrime costs that include social engineering, theft of personal funds and cyber extortion.

All told, this can cost anywhere from thousands to hundreds of thousands, and there is no limit to the range of support required during a cyber incident. CFC’s security team estimates that the average downtime following a ransomware attack can be up to 2-3 weeks, and that’s only with the expert assistance of a cyber incident response team provided by an insurer. With a broad policy, the insured can focus on getting their business back up and running, rather than worrying about what will and won’t be covered by their insurer.

It is estimated that that cyber-attacks will cost the globe $8 trillion dollars in 2023. Yet, we estimate, only less than 20% of businesses have taken out a cyber insurance policy as of today. Cyber insurers are not just there to step in after an attack has taken place, ready to pay the many external teams a business needed to pull in to recover.  Instead, coverage from a cyber insurer like CFC protects and prevents attacks on businesses from the minute they bind a policy.

Cyber insurance is not expensive, cyberattacks are. And with the right cyber insurance product, it should be the easiest purchase a business has ever made to cover its largest exposure.

Source: www.cfcunderwriting.com

Uncovering Liabilities for Canadian Physicians

Posted on March 31, 2023 by Marijana Dabic

Technology advancements have allowed the number of Canadian physicians providing remote care to skyrocket. This is great news for patients, but when faults arise, this can blur the lines as to who is responsible.

The increased usability and adoption of digital tools such as AI, telehealth and remote patient monitoring has been a complete game changer for the healthcare industry. Physicians can treat patients remotely, wherever they are, meaning less time, money, and stress.

Cover for physicians & surgeons by the Canadian Medical Protective Association (CMPA)

Physicians providing in-person care to patients residing in Canada are eligible for assistance from the Canadian Medical Protective Association (CMPA); which provides medico-legal advice and assistance.

If eligible for CMPA cover, there are no financial limits to the legal assistance given to members or to the damages paid to patients.

Where the lines blur

However, when conducting digital care, or via telehealth the lines begin to blur as to how the CMPA applies.

The CMPA cover does not generally extend to Canadian physicians residing abroad, and these members have previously found it difficult to find another suitable insurer to provide the professional liability cover they require.

Not having the necessary cover invalidates a member’s practice permit, creating an extremely serious issue.

The CMPA accepts that physicians or patients who are out of the country on a short-term basis need to engage with each other e.g., on holiday or during an emergency. But also states it is not set up to assist with medico-legal problems and legal actions that arise outside of Canada, or that result from care given outside of Canada.

In these situations, where a claim arises out of telehealth care given remotely, the CMPA will consider giving assistance, but on a case-by-case basis.

Non-Canadian residents who receive treatment also have to meet a multitude of criteria before the CMPA cover will respond.

This ambiguous cover leaves practitioners unclear as to the level of cover they have, and the help that is available to them.

Clarity in cover

As technological capabilities extend, exposures can increase, especially when care is given outside a practitioner’s jurisdiction. Healthcare providers will need to protect themselves in the event the CMPA coverage does not apply due to any of the above circumstances.

CFC can help to create peace of mind with the ‘wrap around’ intention of their digital healthcare form that encompasses anything which would traditionally fall outside the CMPA cover, with respect to telehealth. This provides comfort to physicians that wherever, and however, they deliver healthcare services they will be covered.

Understanding exactly when their liability cover will respond, and having confidence in the protection in place, will enable physicians to focus on treating their patients – wherever either party is located.

Source: www.cfcunderwriting.com

Top 3 Tech Exposures in Design and Construction

Posted on February 24, 2023 by Marijana Dabic

The construction industry is in the midst of a technological boom. It doesn’t matter whether you’re a large design build firm or a small artisan contractor, technology exposures – like software and cyber related errors, are becoming inescapable.

As the construction insurance industry continues to grasp this boom in tech, many insurers are neglecting the traditional construction errors and omissions (E&O) exposures in favour of technology E&O, and vice versa. CFC has looked into some top tech tools in the design and construction industry that may be more exposed than you think.

Software platforms

Construction software platforms, such as Procure or Autodesk are growing in popularity because they can solve a wide array of challenges like improving connectivity, project management, data collection and key processes all in one centralized place.

With this heavy reliance on technology, it’s important to also consider what happens if the platform fails. What happens if there’s an error in the platform software itself resulting in incorrect construction drawings being sent, or even a cyber breach resulting in loss of sensitive data?

Even a contractor using the software is not immune to these exposures. Disclaimers used by several major platforms deny liability for E&O as a result of their software. Providers are not often likely to leap to a construction manager’s defense if the platform fails, or if it is disrupted by a cyber-attack on your business.

Contractors can take some refuge by their insurance provider trying to rectify any damage caused to their project and reputation, or respond to an ongoing cyber breach in order to minimize further losses.

Generative design

Generative design utilizes artificial intelligence (AI) technologies to generate and explore multiple design options and to optimize project solutions. The AI learns what design elements work and what doesn’t using pre-set rules, parameters, and design preferences.

Generative design software is being used increasingly as part of the design build process. While human beings may still be involved in the sign-off processes for these AI-generated designs, the exposure to a business using a technology platform to create drawings in the first place will mean that anyone working with this software should have construction E&O in place. Broad coverage for technology errors should be included, otherwise they could risk technology claims falling through the gaps.

Modelling and virtual reality

While use of computer-aided design (CAD) and building information modelling (BIM) for construction dates back to the pre-2000s, digital visualization in construction is heading to new, complex heights. There are an increasing number of tools for contractors, construction engineers, planners, or safety personnel to plan and visualize construction activities. Some platforms enable project stakeholders to visually explore assets in full virtual reality (VR), even when still under construction.

The reality is though, whether it be CAD, BIM, or even VR, errors and costs can always occur, from an incorrect rendering of plans, to broken contractual clauses as a result of a data breach. A huge variety of construction personnel utilize 2D or 3D electronic renderings in some form or other and therefore, technology errors coverage is essential to take into consideration.

There are many more technological advances and investments being made in the construction industry today. 3D printing of building materials or even programmed robot constructors could be a common practice in the future. As well as the multitude of construction E&O exposures faced by the construction industry, they are also faced with growing technological and cyber event exposures too.

Source: www.cfcunderwriting.com

The Real Story around Risk Reports

Posted on January 27, 2023 by Marijana Dabic

Risk reports and vulnerability scans can only tell you so much about the level of security across a network. Often having insufficient reach, these overviews can be misleading and result in a far more positive picture than what’s really going on under the hood.

Taking a lead from pioneering pollster George Gallup, who made his name almost 100 years ago by proving that quantity is a distant second to quality when it comes to the value of data.

Gallup surveyed 3,000 people ahead of the 1936 US election. He forecast a win for democrat candidate Franklin D Roosevelt, despite a Literary Digest survey that had canvassed 2.5 million people and predicted a republican landslide.

Gallup was correct and Literary Digest – its credibility shot – was out of business within 18 months.

Data quality

So, how does this relate to cyber insurance? Well, the point is that across the cyber market, vulnerability scans are being given too much weight, first as a measure of an organization’s cyber security, and second as an indicator of their likelihood to have a cyber claim.

Vulnerability scans or risk reports, aim to identify your internet-facing assets and any insecurities they have. Initially, they were used as a means to highlight potential problems and to suggest remedies. This was a good thing. But more recently they’re being used as de facto assessments of a businesses online security rating.

The problem is that these scans or reports produce data that is often limited. For example, they should locate internet-facing servers and identify the software running, but they’re unlikely to pick up all the services, especially those outsourced to third-party cloud providers.

Nor can these scans see inside your network therefore can’t assess the internal safeguards and protocols that may or may not be in place. In short, they’re seeking to provide a definitive assessment of your cyber security credentials on limited data. And that’s not a good basis on which to assess cyber security or to try and predict future attacks.

The good news is that huge strides are being made in the area of threat intelligence, with CFC leading they way, which does offer the ability to prevent attacks and make effective forecasts on likely cyber claim events.

Threat intelligence

While a vulnerability scan provides a survey of an organization’s internet-facing assets, threat intelligence builds up a dynamic picture of the attacks to which your organization is most susceptible.

CFC has established close working relationships with government bodies, law enforcement agencies, private sector organizations and our own proprietary sources. This network gives them access to the online platforms and markets used by criminals to trade data and exchange information.

Their network provides details of companies that have been compromised. It offers information on what’s been stolen and where backdoors have been left open on a system. Is this company on a threat actor’s list? Have their passwords been traded online?

Access to this type of information allows them to be very certain about the likelihood of an organization coming under attack and allows the threat analysis team to be definite about the actions they take to shore up defenses and to keep that system safe.

Cyber criminals are extremely dynamic and continually change both their point and method of attack. Understanding how attacks are evolving and uncovering where they’re likely to be targeted makes it possible to take swift and effective preventative action.

Just as George Gallup discovered in the 1930s, it’s the quality of your data that determines its value. The number of attacks prevented by CFC’s threat intelligence service is beginning to tell its own story on the scale of that value.

Source: www.cfcunderwriting.com

Product Recall Lessons from Big Brands

Posted on December 22, 2022 by Marijana Dabic

Nestlé, Clorox and Unilever all made headlines due to recall incidents. What are some key takeaways for small businesses?

Product recall events can span across a wide range of industries due to errors in processing, contaminated ingredients, faulty machinery or accidental human errors. In the last month alone, we’ve seen no less than three high profile food and beverage and consumer goods recall incidents from leading global brands.

Less than a week ago, Nestlé USA issued a recall on its chocolate chip cookie dough over potential presence of foreign material in the form of soft plastic film within the product. This comes less than a month after a recall of the fudge flavor cookie dough for another foreign body issue.

In the same month, British multinational consumer brand Unilever recalled 19 aerosol dry shampoos from brands including TRESemme, Suave and Dove. This was due to elevated levels of benzene – a chemical that can cause leukemia and blood cancers through skin contact.

Clorox similarly recalled 37 million units of scented surface cleaners and all-purpose cleaners containing bacteria which could pose a risk of infection for people with weakened immune systems. Customers were asked to apply for a reimbursement online.

All manufacturers have product recall exposures, and multinational corporations like Nestlé and Unilever are no strangers to recall incidents. In fact, product recall incidents are more common than not. In Q1 of 2022, the US hit a 10-year record high with over 900 million units of recalled goods across all industries. Studies show both frequency and severity of recalls are on the rise due to the ongoing supply chain issues and cost of living crisis.

It’s important to keep in mind that recall costs – such as the cost of getting the goods off shelves or back from customers – only make up a small percentage of the average loss. When an error or fault is discovered during production, investigations must take place to determine the reason.

Ultimately, recalls of any kind impact cash flow. Smaller businesses often have less financial leverage and are therefore more vulnerable to damage to brand reputation and loss of sales. In many cases, there will also be rectification costs to re-manufacture the products, clean down and repair of the production lines, and re-design the manufacturing process.

They can be one step closer to preventing a crisis by creating recall plans, crisis management plans and conducting mock recalls that are well laid out and frequently tested and ensuring business continuity and balance sheet protection with a product recall policy.

Source: www.cfcunderwriting.com