
How to Stay Safe Online

The last couple of years have seen a surge in cyber events affecting businesses of all sizes. With the growing volume and sophistication of online threats like viruses, ransomware, and phishing scams, it’s important to know the proper practices to stay safe online.

From paying attention to browser warnings to being mindful of app permissions, a few small changes can make a big difference when it comes to cybersecurity. That’s why CFC’s in-house cyber claims and incident response team has assembled this handy infographic, which contains oodles of easy, actionable tips on things you can do – today – to become more secure.

Click here to download the full infographic below.

Source: www.cfcunderwriting.com


Climate Change Litigation and D&O Insurance


With climate change firmly at the top of the news agenda, companies with large carbon footprints are under pressure to dampen their impact on the planet.

Growing concern has led to an upsurge in the numbers of litigation cases centered on companies’ disclosures related to their potentially harmful practices, with lawsuits against companies alleging misleading statements regarding their environmental practices and commitments.

Litigation has, so far, focused primarily on energy companies and big-name polluters, but it’s not beyond the realm of imagination to expect manufacturers and other greenhouse gas emitting organisations to come under scrutiny, too.

Here’s what you need to know about climate change litigation and D&O insurance:

What could climate change litigation mean for businesses? 

Companies are under pressure to lessen their environmental impact, and any disclosures they make relating to their greenhouse gas (GHG) emissions and environmental exposures are being scrutinized more than ever before – boilerplate disclosures are not acceptable. Any challenges made to such disclosures can lead to expensive and high-profile lawsuits, as seen with ExxonMobil, 3M and Australia’s Commonwealth Bank.

Companies should also be mindful of the rise in remediation suits, similar to the ones brought by the State of Rhode Island and Cities of San Francisco and Oakland. These entities sought damages from energy companies to repair and rebuild coastlines as a result of rising tides brought about by climate change, for which these companies were deemed responsible. With the nationwide cost of building new or rectifying existing seawalls estimated at over $400 billion, companies may well find themselves caught in a storm of defending wave after wave of liability lawsuits.

But this litigation only concerns energy companies, doesn’t it?

Not exactly. While litigation has focused primarily on energy companies, this doesn’t mean that other industries are safe. Essentially any company that emits greenhouse gases could be in the firing line – like transportation companies, agricultural businesses or businesses that manufacture products that emit GHGs. Even financial institutions. In fact, Barclays recently came under shareholder pressure to reduce its investments in fossil fuel companies, and many of the big banks have notably declared their intentions to curtail investments and loans in the fossil fuel sector.

To settle or fight: What happens in climate change disclosure cases?

Now that the world’s leading GHG emitters are showing a desire to adapt and change, any company found guilty of not pulling its climate change “weight” would suffer considerable reputational harm. When cases like this are taken to court, it can prove expensive and time-consuming. Large corporations like ExxonMobil can clear their name, but this is not always true for smaller companies, which may be constrained by their financial means. Not every business can afford a protracted and expensive trial to prove its innocence.

Companies that settle out of court may find this to be a quicker, cheaper or less disruptive route, but with no admission of guilt, question marks tend to hang over what might have been the outcome had the case gone to trial.

Are current D&O insurance policies likely to respond to climate change litigation?

Aside from the bespoke terms and conditions set out in your standard D&O insurance policy, there are a few exclusions which (depending on how they are negotiated) could come into play when dealing with climate change litigation:

  1. The conduct exclusion: This excludes claims arising out of the gaining of financial advantage, personal profit or by committing a fraudulent act or omission. The latter is the most pertinent here as plaintiffs may allege that a company’s directors and officers knowingly disclosed false or misleading information about their climate change statistics. Policies, however, would likely still look to defend the accused against these allegations during the litigation process, but if a guilty verdict was issued, then the exclusion would be brought into play.
  2. The pollution exclusion: This exclusion typically excludes claims relating to the discharge or release of ‘pollutants’. The language of this exclusion will differ policy to policy and the decision as to whether any substance released, discharged or dispersed by an insured can be defined as a pollutant will be a matter for interpretation. Other factors to consider will be if the language in the exclusion is the ‘absolute’ version or the softer ‘for’ language version or if the exclusion provides securities or non-indemnifiable claims carve-backs. It is, however, worth noting that on a D&O policy, loss will not extend to clean up costs.
  3. The bodily injury / property damage exclusion: This looks to exclude claims involving damage to property and bodily injury, death and mental anguish. Depending on the policy, this exclusion might include ‘absolute’ language or the softer ‘for’ language and may include non-indemnifiable or securities carve-backs.

How can policyholders protect themselves?

It’s crucial that businesses maintain adequate levels of D&O insurance and environmental liability insurance. The size of the limit should be a consideration, as should the terms and conditions of policies. Additionally, companies need to take proactive steps to reduce emissions and/or become ‘greener’.

For boards of directors this might mean the nomination of a board member or establishment of a separate committee with clear responsibility for the company’s climate change objectives.

For energy companies, diversifying into cleaner energy or investing capital into negative emissions technology would strongly help in placating go-forward concerns.

Other steps might be to review fossil fuel operations and/or set emissions targets – Rio Tinto, for example, has put a stop to its coal mining operations altogether, while the world’s largest shipping company Maersk has committed to net zero emissions by 2050 (per Climate Action 100+’s progress report). Working with organizations such as the Institutional Investor Group for Climate Change, or Climate Action 100+ would show a further commitment to achieving their objectives.

What impact will climate change cases have on D&O insurance rates?

We may see an increase in the cost of D&O insurance on a case by case basis, but it’s more likely that insurers will be looking to mitigate exposures via exclusionary language, unless they are entirely confident in a company’s eco-friendly credentials.

Every move and declaration made by these companies will be under scrutiny, so any perceived inaction, false statement or dragging of heels will likely bring about a fierce reaction from investors, lobbyists, social movement organisations and government bodies alike. Should this ultimately turn into litigation, companies will likely incur sizable legal costs – whatever the outcome of the litigation.

Source: www.cfcunderwriting.com


Anatomy of a Cyber Policy

Cyber insurance policies tend to be modular in nature, meaning that they consist of a variety of different coverage areas and, for many, that has led to confusion around how exactly this cover fits together to create a uniform whole.

To help explain this further, CFC has dissected their cyber policy section by section to show how each part of this body of coverage functions.

Click here to download the full info-graphic below.

Source: www.cfc.com

 


Hard Market Survival Tips

Once upon a time, the insurance market cycled from hard to soft and back to hard again in a pattern that was reasonably predictable—about every 5 to 7 years. For the past 25 years or so, however, there has been no discernible pattern, and soft, or buyers’, markets typically last much longer than hard, or sellers’, markets. We recently entered a hard market for most commercial lines of insurance, characterized by significant increases in rates and reductions of coverage with much tighter scrutiny by underwriters. Hard markets are much more difficult to navigate for insurance buyers, agents/brokers, and even underwriters.

With lengthy soft markets the norm, many younger risk professionals have never experienced a hard market, and those who have may still find themselves brushing up on the fundamentals. With that in mind, Jack Gibson, President & CEO of IRMI, offers a few tips below:

  • Verify the accuracy of current loss reports, and make sure any discrepancies are corrected. Develop a written narrative explaining actions taken to address negative trends or large losses.
  • Review reserves on open claims, and meet with adjusters to make sure they are reasonable and accurate.
  • Prepare an in-depth description of safety and other risk control programs and evidence of top management’s commitment to them to provide to underwriters.
  • Review the organization’s capacity to retain loss, and think through areas where it will make sense to retain more risk in return for reductions in premiums.
  • Establish a game plan for insurance renewals, identifying which markets to approach, what risk financing options to consider, and what steps to take in the event proposed terms are unacceptable.
  • Begin the renewal process at least 4 months prior to a program’s expiration.
  • Prepare a well-organized, high-quality underwriting submission that will help distinguish your account from others.
  • If possible, arrange to meet underwriters in person to showcase the organization’s risk management program, financial position, and future business plans.

These are some of the basic steps that will help any organization better navigate the rocky waters of a hard market. What additional advice would you like to share? Please add your suggestions to the discussion in the IRMI LinkedIn Group and check out the tips provided by your fellow readers.

Source: www.irmi.com


Small Retailer Loses Business-Critical Data after Cyber Attack

Over the past two decades, technology has transformed the way businesses operate, and most depend on their computer systems in one way or another. Even traditional businesses, such as retail stores and wholesale distributors, utilize computer systems and the data held on those systems to ensure the day-to-day running of their operations. If those systems become unavailable or cease to function properly as a result of a cyber attack, it can have a detrimental impact on the business in question and result in substantial financial harm.

One of CFC’s policyholders affected in such a way was a home improvement store, which operated from a single store. The store sells a wide range of domestic goods, including outdoor furniture and sheds, garden equipment, kitchen utensils, bathroom fixtures and fittings and DIY tools and equipment. Customers can buy in-store or have larger items delivered to their houses upon request. The business has a large warehouse connected to the retail store which is used to store stock that can then be used to replenish stock on the shelves, or in the case of larger items, brought out for customers to collect or have delivered.

Employee falls hook, line, and sinker

The incident began when an employee fell for a phishing email. The email stated that there was a financial statement attached that needed to be verified. Even though the email was not directly addressed to the employee, had numerous grammatical errors and appeared to come from a suspicious email address, curiosity got the better of the employee and he clicked on the attachment. Upon clicking on the attachment, a ransomware variant was downloaded onto the business’s server and began encrypting files and programs across the network, including the insured’s back-ups, which had not been stored externally.

With the server encrypted, the business wasn’t able to access any of the systems that it used every day, including the point-of-sales system and information relating to sales, deliveries and stock management.

Urgently needing to regain access to these systems and databases, the policyholder reported the matter to CFC’s cyber claims and incident response team. With the insured’s back-ups having been encrypted by the ransomware, our claims and incident response team considered the other options available. The first step was to establish which ransomware strain had been used in the attack by looking at the ransom note and a sample of encrypted files. In this case, the ransomware used was a well-known and well-established strain and the team was able to find a freely available decryption key online. Using the decryption key, the team began the process of decrypting the business’s programs and files.

In most cases involving ransomware, once a business’s data and programs have been decrypted and the ransomware has been removed, the business can continue to use its computer systems as normal.

However, things aren’t always as straightforward as this. Unfortunately, cybercriminals don’t have the same approach to product due diligence that law-abiding businesses do, and those who create ransomware won’t have gone to the effort of testing how compatible their ransomware strains are with every conceivable type of file or program. As a result, ransomware can lead to unintentional and sometimes irreparable damage to electronic files and computer programs.

In this case, although the majority of the business’s data was accessible following the decryption process, a database containing six months’ worth of information relating to stock levels and delivery statuses was corrupted. In spite of numerous attempts to reconfigure and restore the database, the files were deemed to be beyond repair, rendering them inaccessible to the business.

Corrupted database causes long delays

Without access to the database, the business faced numerous difficulties. Staff on the shop floor were unable to check the most up-to-date database to see if a particular item was in stock. So in the event that a customer asked if an item was available, the only option was for a member of staff to contact a member of the warehouse team and ask them to trawl through the warehouse to see if the item was there, leading to significant delays to the service. The lack of information on stock levels also meant that the business didn’t have an accurate overview of which items were low in stock and needed to be re-ordered from suppliers, resulting in a shortage of popular items. In addition, without access to delivery information, the business lost track of the delivery status of certain items, which resulted in items either not being delivered to the customer on time or in some cases being delivered twice.

The only way to tackle this issue was to manually re-create the current stock inventory. In order to do this, employees had to go through each item in stock, both in the warehouse and on the shop floor, create an identification number for each item and then scan it back onto the database. The business also needed to gain a better understanding of the delivery status of all items. To avoid delays and duplication, staff were required to go through all open sales and see how these corresponded with hard copies of delivery receipts to establish which items had been delivered and which items were still awaiting delivery.

Given the size of the store and the amount of stock and sales data this involved, this was a significant undertaking and staff were required to work overtime, but this alone wasn’t sufficient. The business also had to bring in contractors to assist with the task. In total, it took two weeks for the business to fully rebuild this database. This came at a cost of $20,858 made up of employee overtime and contract staff costs.

Although the store remained open during the entirety of the recovery period, disruptions to the service did result in a reduction in sales. For the month in question, the business had forecasted sales of $460,031, but the actual sales for the month only came to $353,611, a shortfall of $106,420. Applying a rate of gross profit of 20% to the shortfall, the insured’s business interruption loss was calculated at $21,284.

The role of human error and other lessons

This claim highlights a few key points. Firstly, it illustrates how human error plays a key role in many cyber incidents. Lots of businesses refuse to buy cyber policies on the basis that they have good IT security in place. But this reasoning doesn’t take into account the fact that the majority of cyber incidents are the result of human error. In this case, the incident was triggered by an employee clicking on a malicious attachment. Businesses should look to ensure that employees are educated about the risks posed by phishing emails and are made aware of how to spot them.

Secondly, it highlights how dealing with a ransomware incident is not always a straightforward matter of carrying out the decryption process and the business in question automatically regaining access to their systems and data. In reality, there can be all sorts of unforeseen complications. In this instance, even though the data and applications were decrypted using a freely available decryption key, the ransomware itself had corrupted one of the business’s key databases, which had a detrimental impact on the insured’s operations.

Thirdly, it demonstrates the importance of having data re-creation cover on a cyber policy. Many cyber policies only provide cover for the costs to recover or restore from back-ups, but not the costs to re-create or re-enter lost data from scratch. A sizable portion of the insured’s claim came about from the labour costs associated with staff and contract workers having to manually scan and re-enter data to ensure that the stock inventory was correct and up-to-date, and brokers should be sure to check that their clients have this important cover in place on their policies.

Finally, it reveals how almost all modern businesses have some form of cyber exposure. Even though the business in question was a household goods store that did not solely rely on its systems for the business to operate, the business still relied on its computer systems and data to manage the store effectively and to provide efficient customer service. When some of the business’s data was corrupted, it had a negative impact on overall operations and having a cyber policy in place provided a valuable safety net for the company.

Source: www.cfcunderwriting.com

