Study 10: Emerging Trends in Liability Insurance - Summary Flashcards
Three general categories of cyber risk
- Deliberate and unauthorized breaches of security in order to access information systems (ex. ransomware, malware, phishing)
- Unintentional or accidental security breaches (ex. losing a laptop)
- Operational IT risks (ex. failing to install firewalls or keep security software up to date)
Cyber risk loss exposures (6)
Situations that create a cyber risk for an organization:
- A rapidly spreading virus is released on the Internet and infects an organization’s system when an employee clicks on the link to the site.
- An employee’s laptop is stolen from his or her vehicle.
- Ransomware is embedded in the organization’s network, which shuts down access until a ransom is paid.
- Hackers set up a program to check the organization’s security and crack employee passwords, which allows them full access to the company’s system.
- A fake email is sent to the employees asking them to send the CEO all their research on a new technology the organization is developing.
- An email is sent to a company asking to pay a fake invoice. An employee pays the invoice to an untraceable account and the monies are gone.
Direct and indirect financial losses from cyber risk
Direct losses:
- Costs to fix and restore systems
- Ransom payments
- Funds lost due to fraud
- Costs to defend and settle lawsuits
Indirect losses:
- Extra expenses to manage a crisis (i.e. public relations costs)
- Accounting and professional fees to determine extent of loss
- Loss of competitiveness, business, and opportunity
Two Key Areas for Managing Cyber Risk Exposures
- Behaviour Management: Training should encourage employees to ask themselves three questions before they act:
- Does it make sense?
- Does it follow an established process?
- Was I expecting it?
- Systems and Technology Management: Individuals and organizations should stay up to date with technology and security best practices. They can address vulnerabilities as they are discovered by software companies. As well, maintaining a consistent and clear approach to cyber security will help thwart unwanted attacks.
Cyber Risk Insurance
A number of insurers have developed cyber risk insurance package policies that include coverage for the following perils:
- Third-party liability
- Cyber crime
- Extra expense
- Business interruption losses (resulting from a cyberattack or data breach)
- Crisis-management consulting services (to guide the organization on how to manage communications after a loss)
Cyber Liability Coverage
Third parties may suffer damage as a result of a cyberattack or data breach. Cyber liability insurance typically covers legal defence costs and damages awarded for lawsuits arising from certain specified perils.
Exclusions to Cyber Risk Insurance
Cyber risk insurance typically excludes hard-to-quantify losses, such as reputation damage, lost intellectual property, some class action lawsuits, and future losses, such as the loss of competitiveness.
Cyber Risk Coverage in Property Insurance Forms
Property insurance policies often include some limited coverage for cyber risk. Coverage is typically limited to damage caused by computer viruses, harmful codes, or harmful instructions entered into a computer system or network.
Specialized Policies for Other Costs and Services
Specialized coverage is available to cover many other exposures that may result from a cyber attack, including the following:
- Loss/corruption of data
- Business interruption
- Cyber extortion
- Crisis management
- Data breach
- Identity theft (cost of setting up call center to address customer concerns)
- Social media/networking (online defamation, libel, slander)
9 Factors to Consider When Recommending Cyber Insurance
When it comes to cyber insurance, brokers will consider a number of factors about their clients:
- What security is already in place?
- What security needs to be in place?
- Where are their cloud accounts located?
- Which risks can be avoided, retained, or controlled?
- Which risks need to be insured (or transferred)?
- What kinds of personal information are being stored?
- How many records with sensitive information could be accessed?
- Do clients rely on third-party services or provide services to others?
- What are the possible outcomes if a data breach is not detected immediately?
The Sharing Economy Explained
The global sharing economy is expected to grow from $15 billion USD in 2015 to $335 billion USD by 2025. Entrepreneurs swiftly recognized the opportunity to commercialize the sharing concept. They began developing digital platforms and applications (apps) to make connecting and sharing convenient, simple, and secure.
Under the sharing economy, the following types of products and services are commonly shared:
- Automobile and transportation sharing
- Accommodation sharing
- Household items sharing
Automobile and Transportation Sharing
- Today, many drivers choose not to own cars. Reasons for this choice include wanting to avoid the costs associated with car ownership, living in congested urban areas with their associated lack of parking, living close to work to minimize commuting time and distance, or taking public transit instead of driving.
- Loaning vehicles or giving rides to other people is not without risk: an automobile owner’s policy generally excludes using vehicles for commercial purposes, including carrying passengers for a fee.
- Owners and drivers involved in a collision while using the car for ridesharing could be left with no coverage for damage to the vehicle, or for third-party liability or accident benefits.
Insurance for Ridesharing Drivers
- Ridesharing: Ridesharing apps (Uber, Lyft) link registered vehicle owners with riders.
- In Ontario, regulations refer to the use of private vehicles for hire that use an online-enabled application or system as “ridesharing services.”
- Alberta Treasury Board and Finance describes such services as transportation network companies (TNCs).
- Commercial vehicles (taxis and buses) are typically insured under a standard owner’s policy with the addition of a permission to carry paying passengers endorsement (OPCF 6A in Ontario or SEF 6 in Alberta). This endorsement removes the exclusion related to carrying paying passengers. Until 2016, this was the only way to insure a vehicle used for ridesharing. There are few markets writing taxi insurance, and rates can be two or more times higher than personal insurance rates.
Ridesharing Endorsement
Introduced by an Ontario insurer in 2016, these endorsements can be added to the standard owner’s policy to grant permission for the driver to carry paying passengers and to use the vehicle for commercial ridesharing activities.
- Coverage specifically extends to the periods when the driver has logged into the app, is waiting for a ride request, is going to pick up a passenger, and is carrying a passenger.
- Coverage does not apply to any other commercial activities and will not extend to provide coverage for any rides not arranged through the app.
Other Auto Sharing Activities
Other activities that can affect insureds’ personal automobile insurance are carsharing and deliveries.
- Carsharing apps, such as Turo and Evo, connect vehicle owners and renters.
- Numerous apps allow users to order services and deliveries from individuals, such as groceries or meals (UberEATS, Instacart, Roady, and Postmates).
- But providing a delivery service is considered commercial use in most cases, and owners will generally require a commercially rated policy.