BreachExchange mailing list archives

Major Cyber Attacks Crippling Private Insurance Firms


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Feb 2015 18:37:20 -0700

http://www.pymnts.com/news/2015/we-cant-cover-cyberattacks-says-lloyds-of-london-insurer/#.VNlBGPnF-So

Just hours after Anthem, the second-largest U.S. health insurer, announced
it had suffered a massive security breach, the largest Lloyd’s of London
insurer said cyber attacks are now too big for private insurance companies
to handle, according to the Financial Times.

Catlin Group CEO Stephen Catlin told an insurance conference in London on
Thursday (Feb. 5) that governments should take over risk coverage for
hacking and malware. “Our balance sheets are not large enough to pay for
that,” Catlin said, adding that cybersecurity was the “biggest, most
systemic risk” he had ever seen.

Some governments have established risk pools to handle coverage for
terrorist attacks, including the Terrorism Risk Insurance Program in the
U.S. and Pool Reinsurance in the U.K. But Catlin said cybersecurity was an
even bigger problem.

Insurance companies have previously pointed out that traditional risks,
such as natural catastrophes, are more contained than cyberthreats.
Earthquakes in Japan do not cause hurricanes in Florida, the FT noted, but
a vulnerability in widely-used software or Internet architecture — both of
which are turning up more and more frequently in cyberattacks — can bring
down systems globally. That could leave insurers faced with simultaneous
multibillion-dollar claims.

“It’s possible that you can have the same loss happening around the globe,”
Catlin said.

While that’s not a completely unfamiliar scenario for both insurance
companies and insured businesses — it’s exactly what the Y2K “millennium
bug” threatened — the Y2K risk was specific, technically well understood,
and had a firm deadline of Dec. 31, 1999. Security vulnerabilities in
widely used software are typically unknown until a breach occurs, and
attackers frequently hit a few targets at a time, leaving many companies
unaware that they too are at risk. In the case of Anthem, for example, the
breach came after a series of attacks on smaller health insurance companies.

Some insurers offer cyberattack policies to help companies meet the costs
of forensic investigations and lawsuits if they are attacked. But those
policies come with high premiums and serious coverage restrictions, the FT
said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
