Catastrophic Cyber Risks:
A Growing Concern

In this document, Chubb discusses the increasing threat of large-scale cyber incidents and their potential impact on businesses and the insurance industry.

Growing Cyber Risks

• The frequency, severity, and sophistication of cyber incidents are increasing as the world becomes more digitized.
• Due to greater interconnectivity, vulnerabilities and exposures are multiplying, creating systemic risks that are difficult to detect or control.
• Recent cyber incidents have caused billions of dollars in economic losses, demonstrating the potential for a catastrophic attack.

Cyber Insurance Evolution

• Cyber insurance has become more widely adopted, with nearly 50% of U.S. businesses now covered.
• While cyber insurance provides important risk transfer and management solutions, the ability of insurers to absorb the total loss potential in the long term is uncertain.

Escalating Threats

• Over 18,000 new software vulnerabilities were published in 2020, nearly tripling from 2015.
• Nearly 1.2 million new malware threats were identified in 2020, more than double the number from 2015.
• Recent high-profile incidents like Solorigate and Hafnium have affected hundreds of thousands of organizations worldwide.

Potential Catastrophic Cyber Risks

The document outlines several types of events that could lead to catastrophic cyber incidents:

1. Severe known vulnerability exploits
2. Severe zero-day exploits
3. Software supply chain exploits
4. Infrastructure outages
5. Other widespread events
6. Ransomware encounters

Strengthening Cyber Resilience

• Organizations need to improve preparations for potential cyber catastrophes by understanding their specific exposures and committing resources to improve cyber defenses.
• The government and private sector collaboration is necessary to address global cyber threats.

Insurance Industry Response

• The insurance industry may need to adapt by offering coverage for catastrophic events separately from core coverages, similar to how property insurance handles catastrophic risks.
• This approach aims to ensure the long-term sustainability of the cyber insurance market while continuing to provide innovative solutions for policyholders.

This document emphasizes the critical need for organizations to enhance their cyber resilience and for the insurance industry to evolve its approach to cyber risk management in the face of growing catastrophic cyber threats.

What All Cyber Criminals Know:
Small & Midsize Businesses With Little or No Cybersecurity Are Ideal Targets

This document discusses the cybersecurity risks faced by small and midsize enterprises (SMEs) and provides strategies for protection.

Cybersecurity Threats to SMEs

Cybercriminals increasingly target SMEs due to their often inadequate security measures. Over half of all cyberattacks are directed at SMEs, with 93% of affected businesses reporting severe impacts. These impacts include financial losses, reputational damage, and operational disruptions.

The Domino Effect

Cyberattacks can trigger a cascade of negative consequences for SMEs:

1. Website/system outages leading to lost business
2. Data breaches causing customer attrition and brand damage
3. Ransomware attacks resulting in costly recovery efforts
4. Potential lawsuits from affected parties

Common Attack Methods

Cybercriminals typically gain access through:

• Physical system vulnerabilities
• Weak authentication and privilege management
• Denial of service attacks
• Malicious content (e.g., ransomware, phishing)

 Protection Strategies

SMEs can enhance their cybersecurity by:

Implementing strong password policies

1. Educating employees on security best practices
2. Updating IT equipment and deploying security software
3. Creating a cyber incident response plan
4. Purchasing cyber insurance

Importance of Cybersecurity for SMEs

Despite the high risk, only 3% of SMEs have cyber insurance, compared to 40% of large businesses. Many SMEs lack adequate resources for cybersecurity, with 67% having no data security policies. Given the potential for severe business impacts, implementing basic cybersecurity measures is crucial for SME survival in today’s digital landscape.

By adopting these strategies, SMEs can significantly reduce their cyberattack vulnerability and protect their business continuity.

Cyber COPE® Transforming Cyber Underwriting

In this Document, Chubb introduces Cyber COPE®, a new model for cyber underwriting developed to improve the assessment of cyber and privacy risks. The model adapts the traditional COPE (Construction, Occupancy, Protection, Exposures) framework used in property insurance to the cyber domain.

Key Components of Cyber COPE®:

1. Components: Objective data elements about a company’s cyber “structure,” such as the number of computers, user accounts, and Internet connections.
2. Organization: Objective data providing a board-level view of the company’s cyber vulnerability, including industry, security standards, and budget allocation for cybersecurity.
3. Protection: Subjective data on security controls within a company, focusing on essential measures like awareness training, authentication, and encryption.
4. Exposures: Subjective data on potential cyber vulnerabilities generally beyond a company’s control, such as targeted attacks and common software vulnerabilities.

Benefits and Implementation

Cyber COPE® aims to simplify and improve cyber risk assessment by:

1. Providing a balance of objective and subjective data for underwriters.
2. Fostering information sharing among organizations to mitigate future losses.
3. Offering a framework that both technical and non-technical individuals can understand.

Chubb implemented Cyber COPE® as the basis for their Global Cyber Facility insurance application. The model presents opportunities for innovation in cyber underwriting, particularly in the Components and Exposures categories.

Importance and Future Outlook

The document emphasizes the growing need for effective cyber risk assessment due to increasing cyber threats and high potential losses. By adopting a standardized approach like Cyber COPE®, the insurance industry can:

1. More accurately assess and price cyber risks.
2. Provide better coverage and solutions to protect organizations.
3. Promote collaboration and data sharing to improve overall cybersecurity.

As the model evolves, ongoing collaboration with industry leaders is crucial to refine measurements and identify impactful ways to reduce cyber attack risks.

Guarding Against Email Social Engineering Fraud:
Re-examining a Global Problem

In this document, Chubb discusses the growing threat of email social engineering fraud and outlines strategies for businesses to protect themselves against such attacks.

Email Fraud Statistics and Risks

• An estimated 300 billion email messages are exchanged daily by businesses and individuals.
• Cybercriminals stole over $28 billion through email fraud from 2016-2020, with an average loss per incident exceeding $150,000.
• Cyber security risks have increased due to remote work and increased e-commerce during the COVID-19 pandemic.

Common Social Engineering Schemes

• Impersonation of executives, vendors, and suppliers to request fraudulent wire transfers.
• Hacking into vendors’ email accounts to alter invoices and redirect payments.
• Exploiting weak security in vendor management portals to change payment information.

Preventive Measures: Technology Solutions

• Implement email authentication techniques like Sender Policy Framework (SPF), Domain-Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).
• Use Multi-Factor Authentication (MFA) to add an extra layer of security.

Preventative Measures: Procedural Changes

• Establish a strong wire transfer authority policy requiring multiple approvals for large transactions.
• Implement a “four eyes” principle for reviewing and authenticating payment requests.
• Develop a robust vendor management process to verify changes in supplier information.
• Work with solution providers that authenticate information provided by vendors.

Response to Fraud

If a business suspects it’s a victim of email fraud, it should:

1. Contact the originating bank to recall the wire transfer.
2. File a complaint with the FBI at www.ic3.gov.
3. Preserve all records of the incident.
4. Contact the insurance carrier.

This document emphasizes the need for businesses to continually adapt their processes and procedures to address the evolving nature of email fraud. It stresses the importance of implementing technological defenses and re-evaluating policies to verify information received electronically, authenticate identities, and authorize payments to business partners.

What Have We Paid Lately:
Chubb Cyber Claims Scenarios

This document provides an overview of Chubb’s cyber insurance claims scenarios and their approach to handling claims. Chubb emphasizes their commitment to managing claims with integrity, empathy, promptness, expertise, and fairness.

Key Claim Scenarios

Biometric Cases

Companies collecting employee biometric data face lawsuits under Illinois’ Biometric Information Privacy Act (BIPA). These class-action suits seek damages for BIPA violations, with penalties ranging from $1,000 to $5,000 per violation.

Physician Impersonation

A healthcare organization discovered an unlicensed individual impersonating a doctor and accessing patient files. This led to notifications of exposure to personal health information (PHI) and subsequent third-party claims against the insured.

BitPaymer Ransomware

A financial service firm fell victim to BitPaymer ransomware, which encrypted their data and demanded over $500,000 in ransom. The attack also involved a banking Trojan designed to steal financial information. After consultation with Chubb, the insured decided to pay the ransom, which was covered under their cyber policy.

Business Interruption

A retail goods seller experienced a ransomware attack that encrypted their data and demanded $25,000 in Bitcoin. After paying the ransom and regaining access to their data, Chubb assisted in calculating the business interruption loss, resulting in a payment of over $200,000.

Chubb’s Approach

Chubb demonstrates its value in handling these claims through:

1. Utilizing top-tier cyber defense counsel
2. Conducting expert claims investigations
3. Providing technical expertise
4. Offering superior coverage

This document emphasizes Chubb’s commitment to providing peace of mind through its insurance offerings and its guiding principle of handling claims with integrity and expertise. It showcases Chubb’s capabilities in addressing various cyber threats and their dedication to supporting their insured clients through complex claim scenarios in the ever-evolving landscape of cyber risks.

What Have We Paid Lately:
Chubb Cyber Claims Scenarios

This document provides an overview of Chubb’s cyber claims scenarios and their approach to managing cyber security incidents. The summary highlights four critical cyber risk scenarios across different industries, showcasing Chubb’s expertise in handling various cyber threats.

Cyber Claims Scenarios

The document presents a summary of four cyber risk scenarios:

1. Emotet Malware affecting a public entity
2. Payment Card Scam in the restaurant/hospitality industry
3. Ryuk Ransomware targeting a financial services company
4. Business Interruption impacting a retail chain

Each scenario is associated with a specific claim difference, such as technical expertise, expert claims investigation, top-tier response coaching, and superior coverage.

Detailed Claim Scenarios

Emotet Malware

The document briefly mentions that Emotet is one of the more costly and destructive types of malware impacting governments today. While it doesn’t provide specific details about a claim scenario for Emotet, it highlights the significance of this threat, particularly for public entities.

Payment Card Scam

A restaurant fell victim to a malicious email containing a link that installed malware on their computer system. This attack compromised over 400,000 credit card numbers, resulting in potential Payment Card Industry (PCI) assessments estimated to cost more than $1 million, covered under the restaurant’s cyber policy.

Ryuk Ransomware

A financial services company experienced a targeted Ryuk ransomware attack, with a ransom demand exceeding $100,000 in Bitcoin. The attack affected the entire network, rendering data inaccessible. Chubb’s Cyber panel provided an incident response coach and forensic firm to assess the situation and determine potential notification obligations under data privacy laws.

Business Interruption

A Canadian retail chain suffered a ransomware attack that infiltrated its servers, computer systems, cash registers, online store, and website. Chubb-preferred vendors were retained to mitigate the incident. The attack resulted in approximately $1 million in mitigation expenses and $100,000 in business interruption costs.

Chubb’s Approach

The document emphasizes Chubb’s attentiveness to detail in managing cyber claims and their insight into trends and exposures impacting cyber security. It highlights their ability to help prevent and address cyber exposures when incidents occur, showcasing their experience across various industries.

Chubb Cyber Enterprise Risk Management (ERM)

Chubb’s Cyber Enterprise Risk Management (Cyber ERM) is a comprehensive solution designed to address the evolving landscape of cyber risks businesses face today. With over 20 years of experience handling cyber incidents, Chubb offers a sustainable approach to insuring a broad array of cyber events, including widespread events that can result in catastrophic losses.

The Cyber ERM program is built on a three-pronged approach:

1. Loss Mitigation Services: Providing tools and resources to assess and address cybersecurity risks proactively.
2. Incident Response Services: Offering a diverse team of experts to help limit exposure when an event occurs.
3. Risk Transfer: Providing broad and sustainable insurance coverage backed by Chubb’s financial strength.

Competitive Advantages

Chubb’s Cyber ERM stands out with several competitive advantages:

• Leading provider of cyber risk solutions since 1998
• Highly customizable solutions for all sizes of businesses
• No minimum premiums
• Cybercrime coverage available
• Expansive consumer-based solutions for cyber incident response
• Online quoting for eligible small risks
• Innovative coverage addressing evolving standards
• Easy-to-read policy form
• Worldwide coverage territory

New Endorsements (2021)

Chubb introduced three new endorsements in 2021 to enhance their Cyber ERM offering:

1. Widespread Event Endorsement: Addresses events with widespread impact, allowing tailored coverage for specific perils.
2. Ransomware Encounter Endorsement: Provides a customized set of coverage options for ransomware risks.
3. Neglected Software Exploit Endorsement: Rewards good software patching practices while gradually adjusting risk-sharing for unpatched software.

Coverage Options

Cyber ERM offers a range of coverage options, including:

Third-Party Liability Coverage:

• Cyber, Privacy, and Network Security Liability
• Payment Card Loss
• Regulatory Proceedings
• Media Liability

First-Party Coverage:

• Cyber Incident Response Fund
• Business Interruption (including Contingent Business Interruption)
• Digital Data Recovery
• Telephone Toll Fraud
• Network Extortion

Cyber Crime (by endorsement):

• Computer Fraud
• Funds Transfer Fraud
• Social Engineering Fraud

Chubb’s Cyber ERM provides a flexible and comprehensive solution for businesses seeking to protect themselves against the ever-evolving landscape of cyber risks. By offering tailored coverage options and innovative endorsements, Chubb aims to provide long-term stability in the cyber insurance marketplace while addressing each client’s unique needs.

DigiTech® Enterprise Risk Management (ERM)

Chubb’s DigiTech® Enterprise Risk Management (ERM) policy is a comprehensive solution designed to address the complex cyber and technology risks modern businesses face. With over 30 years of experience handling technology-driven claims and cyber incidents, Chubb offers a distinctive level of protection that can be customized to meet specific organizational needs.

DigiTech® ERM employs a three-pronged approach:

1. Loss Mitigation Services: Provides access to tools and resources for proactively addressing and assessing key cybersecurity risks.
2. Risk Transfer: Offers broad and sustainable coverage backed by Chubb’s A++ rated financial strength.
3. Incident Response Services: Provides a team of experts to help limit exposure when an event occurs.

Competitive Advantages

• Market-leading customizable solutions for all sizes of risks and industries
• No minimum premiums
• Cybercrime coverage is available by endorsement or as a separate cover
• Expansive cyber incident response expense coverage
• Online quoting and real-time policy issuance for eligible small risks
• Industry-leading coverage designed to address evolving standards
• Easy-to-read policy form aligned with the typical cyber incident flow
• Universal coverage territory

New Endorsements (2021)

• Widespread Event Endorsement: Addresses cyber incidents with widespread impact, allowing tailored coverage for specific perils.
• Ransomware Encounter Endorsement: Provides customized coverage limits, retention amounts, and coinsurance for ransomware risks.
• Neglected Software Exploit Endorsement: Rewards good software-patching practices while gradually adjusting risk-sharing for unpatched software.

Coverage Synopsis

DigiTech® ERM offers a range of third-party liability and first-party coverages:

Third-Party Liability Coverage:

• Technology Errors and Omissions
• Cyber, Privacy, and Network Security Liability
• Payment Card Loss
• Regulatory Proceedings
• Media Liability

First-Party Coverage:

• Cyber Incident Response Fund
• Business Interruption (including Contingent Business Interruption)
• Digital Data Recovery
• Telecom Theft
• Network Extortion

Cyber Crime (by endorsement):

• Computer Fraud
• Funds Transfer Fraud
• Social Engineering Fraud

DigiTech® ERM represents Chubb’s commitment to providing cutting-edge, adaptable cyber insurance solutions that address the evolving digital risk landscape. By offering tailored coverage options, including coverage for widespread events, Chubb aims to provide greater coverage certainty and long-term stability in the cyber insurance marketplace.

Pro ERM For Small Business

Chubb’s Professional Enterprise Risk Management (Pro ERM) is an insurance solution designed for small businesses. It was introduced in 2019 and is now available on Chubb Marketplace. This product offers comprehensive professional liability coverage tailored to various service providers and small business owners.

Key Features

• Experience: Chubb boasts over 20 years of experience in the Errors & Omissions (E&O) market.
• Customization: The company offers custom solutions based on industry class.
• Claims Handling: Chubb employs dedicated E&O claims adjusters and was rated #1 in Professional Liability Claims Service in the 2020 Advisen Survey on Claims Satisfaction.
• Coverage: The specialized coverage form includes optional Cyber coverage.

Target Industries

Pro ERM caters to a wide range of service providers, including but not limited to:

• Appraisers
• Consultants (Management, HR, Marketing)
• Event planners
• Graphic design firms
• Staffing agencies
• Tax preparation services
• Travel agents

Premium Examples

The document provides examples of businesses that have purchased Pro ERM, with premiums ranging from $700 to $4,000 based on revenue and industry. For instance:

Policy Features

The Pro ERM policy includes several notable terms and conditions:

• Reporting Provision: Claims should be reported “as soon as practicable” after knowledge by a control group member.
• Technology Services: The definition of Professional Services includes Professional Technology Services.
• Defense Cost Allocation: 100% defense cost allocation for covered claims worldwide.
• Defense and Settlement: The policy includes an 80/20 clause in the Insured’s favor.

Chubb’s Pro ERM solution aims to provide comprehensive and flexible coverage for small businesses across various service industries, leveraging the company’s extensive experience in professional liability insurance.

Cyber Vulnerability Outreach

Stay Ahead: Be Informed, Act Swiftly Against Vulnerabilities

In today’s rapidly evolving digital landscape, businesses face constant cybersecurity threats. The Cybersecurity Infrastructure Security Agency (CISA) reports that 50% of known exploited vulnerabilities (KEVs) are exploited within two days of identification and 75% within a month. This emphasizes the critical need for robust vulnerability management programs to address potential threats swiftly.

Vulnerability Management Outreach

Chubb’s Cyber Intelligence Team offers a comprehensive Vulnerability Management Outreach program to protect policyholders. This service includes:

Outreach Program: Proactive notifications to policyholders and brokers about critical vulnerabilities detected, including:

• Initial email communication detailing exposures and remediation steps
• Personalized support through email and phone calls

Breaking Alerts: Timely notifications (usually within 24 hours) to all policyholders and brokers about newly discovered high-risk vulnerabilities

Additional Cyber Vulnerability Management Solutions

Chubb Cyber policyholders have access to several complimentary services:

• Vulnerability Alert System: Biweekly emails about newly identified software vulnerabilities, provided in partnership with SecAlerts
• External Vulnerability Monitoring: Daily cybersecurity performance measurements via BitSight and Security Scorecard platforms

 Policyholders can also access the following solutions at preferred pricing:

Network Vulnerability Scan and Consulting: Comprehensive vulnerability testing with expert guidance (by NetDiligence)

Penetration Testing and Attack Surface Management: Evaluation of internal and external systems by offensive security experts (by NetSPI)

Vulnerability Management Platform: Software for discovering, prioritizing, and remediating vulnerabilities across IT environments (by Tanium)

Chubb’s Vulnerability Management Outreach program offers a proactive approach to cybersecurity, helping businesses stay ahead of potential threats. By combining timely alerts, personalized support, and access to advanced tools and services, Chubb empowers its policyholders to maintain a strong security posture in an increasingly complex digital landscape. 

Email: Is the Digital Door Propped Open For Identity Hijackers? 

This document discusses the growing threat of Business Email Compromise (BEC) attacks and the importance of Multi-Factor Authentication (MFA) in preventing them.

The Threat of Business Email Compromise

BEC attacks involve cybercriminals hijacking or impersonating corporate email accounts to defraud companies. In 2019, the FBI received over 467,000 complaints, resulting in more than $3.5 billion in losses. These attacks often target businesses of all sizes and can involve:

• Impersonating executives to request urgent fund transfers
• Redirecting legitimate invoice payments to criminal-controlled accounts
• Exploiting personal transactions like real estate purchases

Why BEC Attacks Succeed

• Reliance on email as the primary communication method
• Trust in familiar senders and urgency of requests
• Social engineering techniques exploiting human behavior
• Inadequate security measures, particularly weak passwords

Multi-Factor Authentication as a Solution

MFA is presented as an effective defense against BEC attacks. It requires two or more proofs of identity, typically involving:

1. Something you know (e.g., password)
2. Something you have (e.g., smartphone)
3. Something you are (e.g., biometrics)

Implementing MFA

The document emphasizes that MFA is:

• Available for most popular web services
• Often easy to set up and use
• Highly effective in preventing unauthorized access

Additional Security Measures

• Microsoft Secure Score: A tool to measure and improve overall security posture
• Encouraging partners and vendors also to implement MFA
• Ongoing vigilance and security awareness

Chubb stress that implementing MFA is one of the most critical and cost-effective cybersecurity controls businesses and individuals should adopt. By adding this extra layer of security, organizations can significantly reduce their risk of falling victim to BEC attacks and other forms of cybercrime.

Preparing Companies for the New SEC Cyber Regulations

Chubb outlines its approach to helping public companies navigate the new SEC Cyber Regulations, which took effect on December 18, 2023. The regulations require publicly traded companies to report material cyber breach events within four business days of discovery.

Chubb’s Offerings:

• Comprehensive cyber insurance and Directors and Officers (D&O) liability coverage
• Access to expert guidance, including Cyber Incident Response Coaches
• Risk reduction services, such as cyber security tools and incident response preparation
• Global reach, with the ability to issue local D&O liability policies in over 40 countries

SEC Rule Components:

1. Disclosure of Material Cybersecurity Incidents
2. Disclosure of Cyber Risk Management and Strategy
3. Disclosure of Cybersecurity Governance

Mullen Coughlin LLC Partnership:

• Provides legal expertise on the SEC ruling
• Offers assistance in assessing compliance and developing appropriate policies and procedures
• Specializes in data privacy and security law

Recommendations for Public Companies

• Consult with legal advisors to understand the SEC Rule’s impact
• Develop playbooks for assessing the materiality of cybersecurity threats
• Conduct privileged assessments of current compliance posture
• Revise existing policies and procedures to align with SEC Rule requirements
• Document diligence and compliance from a governance standpoint

This document emphasizes Chubb’s commitment to offering comprehensive risk management solutions tailored to the evolving regulatory landscape. It highlights the importance of a holistic approach to risk, combining insurance coverage with expert guidance and preventive measures.