Norcross, GA (October 24, 2017) – INSUREtrust, a national insurance wholesaler focused on cyber liability insurance, announced today that Christiaan Durdaller, executive vice president at INSUREtrust, will be an Advisory Board member for Advisen’s Cyber Risk Insights Conference. Advisen is the leading provider of data, media, and technology solutions for the commercial property and casualty insurance market. The conference will be held Tuesday, Feb. 13, 2018 – Wednesday, Feb. 14, 2018 in San Francisco, California.
On October 16, researchers at a Belgian university announced their discovery of a new vulnerability called KRACK that can affect any Wi-Fi enabled device. KRACK, an acronym for Key Reinstallation Attack, exploits a flaw in the WPA2 Wi-Fi encryption system, and can be used to steal sensitive information such as credit card numbers, passwords, chat messages, emails, and photos.
Security researcher Mathy Vanhoef of Belgian university KU Leuven uncovered the vulnerability. He describes the danger of KRACK on his website: “This can be abused to steal sensitive information… The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
The effects of KRACK will likely be seen for decades, given that KRACK could affect all aspects of the Internet of Things (IoT). IoT includes fitness trackers, smart speakers like Amazon Echo and Google Home, Bluetooth trackers, Internet-connected vehicles, and other smart devices.
Millions of routers and other IoT devices, such as internet-connected garage doors or security cameras, will probably never be fixed, since they don’t get the necessary software updates like other devices. Oftentimes, the best option is to buy new equipment once patched ones become available on the market.
It’s important to note that many businesses are now employing IoT devices, and that number is increasing all the time.
To protect yourself from the KRACK vulnerability, update your Wi-Fi devices and your router’s firmware when updates become available. Major platforms like iOS, macOS, and Windows have already been patched or haven’t been affected.
KRACK shows the impact of vulnerabilities and the importance of improving basic cybersecurity hygiene.
So, how does this affect insurance agents?
- IoT coverage is available, but isn’t necessarily always covered in cyber policies – so you have to know the needs of the insured and make sure you have coverage that actually includes IoT devices. It’s important to note how a given policy defines terms such as “computer system” or “computer program.”
- Robust, state-of-the-art cyber policies offer broad coverage at very reasonable prices, so there is no reason why your insureds should be without coverage for potential IoT-related losses.
- Potential costs from an IoT hack can include extortion, business interruption, and third-party lawsuits.
For more information about the KRACK attack and cyber insurance, contact INSUREtrust today at 888-932-7475 or info@INSUREtrust.com.
Norcross, GA (September 28, 2017) – INSUREtrust is pleased to announce that Will Tschetter has been recently promoted to Professional Lines Broker. In his new role, Tschetter will specifically focus on new broker production, and will be brokering cyber insurance, technology errors and omissions insurance (Tech E&O), and Miscellaneous Professional Liability (MPL) insurance.
In response to a security breach in 2000 at the State Department, then Secretary of State Madeleine Albright told her staff, “I don’t care how skilled you are as a diplomat, how brilliant you may be at meetings, or how creative you are as an administrator – if you are not professional about security, you are a failure.”
Albright’s remarks might as well have been directed at every company’s directors and officers. Among a host of other requirements, directors and officers are tasked with acting in good faith and using all available information to make the best decisions for the company. Gone are the days of invoking the business judgment rule as a defense and assuming that courts will not second-guess management decisions – including those related to cyber security and preparedness.
Private company executives face many of the same potential cyber claim scenarios as their public company counterparts, often without the resources to defend the claim or maintain operations after judgment. These suits can come from a variety of sources: regulatory agencies, shareholders claiming mismanagement (i.e., security breaches affect the company’s financials), clients/PE firms with a financial interest, etc.
Preparation is key in mitigating the exposures from a cyber-related D&O suit. Purchasing security products merely to satisfy a checklist will not be defensible in court. Directors, officers, board members, and others in key leadership positions should:
- Have a detailed understanding of the technology and system architecture of the company’s security
- Play a role in the development of customer-facing terms, conditions, and privacy policies
- Engage in vendor negotiations and breach planning
- Be involved in the training, testing, and rehearsal of system defenses
- Provide an adequate workforce dedicated to cyber security
- Invest not only company resources, but also company time.
A properly underwritten directors’ & officers’ policy can be just as valuable as a cyber policy in the event of a security breach. Historically (and by design), D&O policies were intended to cover the executives for claims alleging mismanagement of their company, with very few restrictions as to the type of mismanagement involved.
However, with the uptick in security breaches over the past ten years, many carriers have discreetly added a new exclusion to their policies removing coverage “based upon, arising out of, relating to, directly or indirectly resulting from, or in any way involving” cyber/security claims. This clause essentially removes coverage for management decisions related to the implementation and supervision of security protocols even when measures have been taken to protect the company (duty of care).
Sounds crazy, right? The exact exposure meant to be addressed by a D&O policy is no longer covered. While underwriters might occasionally have genuine concern about pulling perceived cyber exposure into the D&O policy, most of these decisions are due to a lack of experience with cyber breaches.
There is good news though. A few markets will immediately remove this exclusion upon confirmation that the insured purchases a cyber liability policy. Others are agreeable to modifying the exclusion. This can be accomplished through alternate intro wording, by providing a carveback for individual directors/officers (Side A), or by removing the exclusion altogether. The standard exclusion noted in the paragraph above should only be accepted as a last resort.
Just as a company’s directors, officers and employees work together to prevent a security breach, the Cyber and D&O policies must work together in response to a breach. Understanding the exposures and having the proper policy language in place certainly helps.
Norcross, GA (October 2, 2017) – INSUREtrust is pleased to announce that Christiaan Durdaller has been recently promoted to Executive Vice President. In his new role, Durdaller will develop and grow INSUREtrust’s strategic partnerships in select cities across the country. “We are truly the cyber team for our strategic partners, with which we basically work as a member of their internal team. In 2018, we would like to add a few more strategic partnerships in select cities across the country and continue to serve our current partners with market expertise, resources and continued top of the line service,” Durdaller said.