Tag Archives: insurance

Security news for the Week Ending September 20, 2019

A New Trend?  Insurers Offering Consumers Ransomware Coverage

In what may be a new trend, Mercury Insurance is now offering individuals $50,000 of ransomware coverage in case their cat videos get encrypted. The good news is that the insurance may help you get your data back after an attack. The bad news is that it will likely encourage attackers to go back to targeting consumers, since an insured victim is more likely to pay. Source: The Register.

Security or Convenience Even Applies to Espionage

A story is now coming out that, as far back as 2010, the Russians were trying to compromise US law enforcement (AKA the FBI) by spying on the spies.

The FBI was tracking what Russian agents were doing, but because the FBI opted for small, light but not very secure communications gear, the Russians were able to crack the encryption and listen in to us listening in to them. We did finally expel some Russian spy/diplomats during Obama’s presidency, but not before they did damage. Source: Yahoo

And Continuing the Spy Game – China Vs. Australia

Continuing the story of the spy game, Australia is now blaming China for hacking its Parliament and its three largest political parties just before the elections earlier this year (sound familiar? Replace China with Russia and Australia with the United States).

Australia wants to keep the results of the investigation secret because it is more important to them not to offend a trade partner than to have honest elections (sound familiar?). Source: ITNews.

The US Government is Suing Edward Snowden

If you think it is because he released all those secret documents, you’d be wrong.

It is because he published a book, and part of the agreement that you sign when you go to work for the NSA or CIA is that you can’t publish a book without first letting them review it and redact whatever they might want to hide. He didn’t do that.

Note that they are not suing to stop the publication of the book – first because that has interesting First Amendment issues that the government might lose, and they certainly do not want to set that precedent, and secondly because he could self-publish on the net from a country – like, say, Russia – that would likely flip off the US if we told Putin to shut him down. No, they just want any money he would get. Source: The Hacker News.


HP Printers Phone Home – Oh My!

An IT guy who was setting up an HP printer for a family member actually read all those agreements that everyone clicks through, and here is what they said.

by agreeing to HP’s “automatic data collection” settings, you allow the company to acquire:

… product usage data such as pages printed, print mode, media used, ink or toner brand, file type printed (.pdf, .jpg, etc.), application used for printing (Word, Excel, Adobe Photoshop, etc.), file size, time stamp, and usage and status of other printer supplies…

… information about your computer, printer and/or device such as operating system, firmware, amount of memory, region, language, time zone, model number, first start date, age of device, device manufacture date, browser version, device manufacturer, connection port, warranty status, unique device identifiers, advertising identifiers and additional technical information that varies by product…

That seems like a lot of information that I don’t particularly want to share with a third party that is going to do who knows what with it.  Source: The Register.

Private Database of 9 Billion License Plate Events Available at a Click

Repo men – err, people – are always looking for cars that they need to repossess. So they created a tool. Once they had that, they figured they might as well make some money off it.

As they tool around town, they record every license plate they can and upload the plate, photo, date, time and location to a database that currently holds 9 billion records.

Then they sell that data to anyone whose check will clear. Want to know where your spouse is? That will cost $20. Want to get an alert any time they see the plate? That costs $70. Source: Vice.

Election Commission Says That It Won’t Decertify Voting Machines Running Windows 7

Come January 2020, voting machines running Windows 7 (which is a whole lot of them) will no longer get security patches unless the city or county pays extra ($50 per computer in the first year and then $100 per computer in the second year) for each old computer. Likely this means that a whole lot of voting machines won’t get any more patches next year.

The nice folks in Washington would not certify a new voting machine running an operating system that is not supported, but they won’t decertify one that is already certified. That, they say, would be inconvenient for manufacturers and cities. I guess it is not so inconvenient for foreign nations to corrupt our elections. Source: Cyberscoop

Do You Have Cyber-Risk Insurance? Enough?

A recent study estimates that a coordinated global cyber attack (think Wannacry, but not geographically bounded) could cause economic damages of between $85 billion and $193 billion.

The study was conducted by Lloyd’s of London and Aon as a “stress test” of the industry.

Claims would likely include everything from business interruption to incident response costs.

Total claims estimated to be paid by the insurance companies range from $10 billion to $27 billion.

That means that the uninsured portion of the loss, between $75 billion and $166 billion, falls on industry itself.

That is going to come out of victim companies’ checkbooks.

Are you ready to write a check for $166 billion?  How about $75 billion?

They estimate the biggest losses would be in retail, healthcare, manufacturing and banking.

Countries that are more service oriented – like the United States – would suffer more damage and have higher losses.

So there are a couple of questions –

  1. Do you have cyber insurance?
  2. Do you have enough cyber insurance?
  3. Can you make up the loss shortfall out of your checkbook?

One last thought.  Are you sure that the coverage that you do have matches the risk that you are exposed to?  Given that every policy is different, you might want to look into that too.  We can help.

Information for this post came from Reuters.

Food Giant Mondelez Sues Its Insurance Company Over “Act of War”

Mondelez is the parent company of Nabisco, Oreo, Ritz and many other brands that were formerly part of Kraft Foods.

Mondelez, like many other companies, was a victim of the NotPetya attack, which turned 1,700 servers and 24,000 workstations at Mondelez into very expensive bricks.

Mondelez’s insurance company, Zurich American, denied the claim; hence the lawsuit, which asks for $100 million.

White House estimates of worldwide damage from NotPetya at the time were around $10 billion, so Mondelez is claiming one percent of the total worldwide damage, which seems a bit high, but that is not the point.

The Zurich American policy in question offers this coverage:

“all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

It seems like this attack meets the requirements of this clause.

BUT, what insurance companies giveth, sometimes they taketh away.

Zurich reviewed the claim and did what all insurance companies do – tried to figure out a way to reduce what they would have to pay out.

One survey said that companies collectively worldwide could potentially claim $80 billion in damages.

Zurich initially offered Mondelez $10 million to settle but then changed their mind.  Why?

Because of another clause in the policy.

There is a clause in their policy (and in many others) that excludes “hostile or warlike action in time of peace or war” by a “government or sovereign power.” The key phrase here is BY a government or sovereign power. Not hackers friendly to one. Not hackers mad at the world. You get the idea.

Security experts and some governments blamed Russia for the attack.

Russia (of course) denied that claim.

So now, it would appear, it is up to Zurich to prove, by a preponderance of the evidence, that this (a) is a hostile or warlike action – a term that is likely not defined in the policy and for which a generally accepted definition has possibly never been adjudicated through the court system on appeal – and (b) that it was done by “a government or sovereign power”. I don’t think it is sufficient to say “well, the government says it is”.

Either way this turns out – and we likely won’t know the final result for years – it will have an impact on the insurance industry. Possibly the two sides will settle out of court, leaving the question unanswered for future claims.

Likely the industry will change the terms of policies long before this is settled, and large companies will negotiate terms with insurance carriers, which will affect premiums.

This apparently is NOT a common technique to limit damages, according to some sources, and was probably precipitated by the size of the check that Zurich might have to write.

Likely much of the data that could be used to prove Zurich’s stance in this case is classified by the U.S. or other governments. Are those governments going to be willing to declassify that data for the benefit of one side of a civil lawsuit? Not clear, but stay tuned. Source: The Register.

Your Tweets Could Affect Your Insurance Rates

While the big data vs. insurance rates battle is in its infancy, that does not mean that insurers don’t have plans.  They do.

Some are already using data from consumers to affect rates. Some insurers say that the data consumers give them could lower rates, and SOME insurers say that the data won’t be used to raise rates. Since this is still in its infancy, don’t count on those statements for much.

Swiss Re, one of the biggest reinsurers (the insurance companies’ insurance company), just bought digi.me. Digi.me currently allows consumers to aggregate data in its system. That data will be shared with businesses to give consumers targeted ads and discounts. At least for now.

Discovery’s Vitality program collects diet, exercise and other information. Make the “right” choices and you might get a premium discount or cash back. Make the wrong choices and…

Allstate’s Drivewise gives discounts to drivers who install a gizmo in their car that sends driving data to Allstate, provided they drive “appropriately”. That is only a short step from penalizing you if you drive like Mario Andretti.

They could also use people’s public social media posts to affect rates too.  Have a salad for dinner and get discount points.  Have a burger and beer and your rates go up.

Refuse to share data and maybe you can’t get insurance at any price.

There are very few laws in the United States that control what insurance companies can do with “public” data or even data that they buy from the likes of R.L. Polk (owned by IHS now), A.C. Nielsen and others, each of which have data on tens of millions of people.

Also remember that the Internet never forgets. Even if you improve your behavior, that data is still there in those databases. Articles that I wrote in the 1990s are still available.

And with things like smart TVs and smart refrigerators, what you eat and what you watch might affect your ability to get insurance.  Or your rates.

This is complete conjecture at this point but I sure wouldn’t rule it out.

Information for this post came from Reuters.

Uber and Insurance – Things You Probably Did Not Know

Whether you are an Uber driver or Uber customer, there are some things that you should be aware of before you turn on that app to accept passengers or use that app to hail a ride.

First of all comes terminology. Regulators call Uber, Lyft and their competitors Transportation Network Companies, or TNCs. This distinguishes them from taxis and liveries because, they say, they don’t own or lease the vehicles and the drivers are not their employees. This is not settled in the courts yet, but, for now, we will use that definition.

The second definition is periods. There are three periods: Period 1, 2 and 3. Very creative. Period 1 is the time from when a TNC driver starts the app until he or she accepts a job to pick up a passenger. Basically, idle time, but while the driver is looking for fares.

Period 2 starts when the driver accepts a trip and ends when the rider enters the vehicle. Period 3 covers the time when the rider is in the vehicle.

Some insurance companies are not keen to insure drivers who work for TNCs. In fact, a Geico script leaked to the SF Chronicle told agents to refer TNC drivers to the fraud department, since their normal auto policy did not cover TNC driving. This is in spite of the fact that Uber and Lyft have, for quite a while, provided primary coverage for periods 2 and 3, but not for period 1.

In early 2015, Geico came out with a hybrid personal-commercial policy that would cover TNC drivers.  It is currently only available in certain states.  Likely, it costs more – that would be why the insurance companies like it.

Metromile uses an OBD-II dongle to track when a driver is “on the clock” and when he or she is not, in order to determine whether Metromile is liable if the driver has an accident. If there is an accident and you are a TNC driver, they will check with the TNC to see whether you were working, to figure out whether your coverage comes from the TNC instead.

California recently passed a law requiring TNCs to provide coverage during period 1, when the car is empty but the driver is looking for a rider. The catch is that the coverage is not the $1 million that Uber always talks about, but rather $50k per individual, $100k maximum per accident, plus $300k in property damage. While $50k or $100k is not insignificant, it is way less than $1 million.

More importantly, the California law says that a TNC driver’s personal policy coverage for things like comprehensive, collision and medical is not active during period 1 unless the driver has purchased a TNC-aware policy.

As a driver, it is important to understand who will and will not pay in case of an accident.

As a passenger, it is important to know who will be responsible for paying in case you are hurt while in an Uber vehicle.

Why is this a security or privacy issue?

Because the insurance carriers want to use the telematics in the driver’s car (basically, a built-in cell phone that connects to the car’s computers in order to extract data) to automatically track when the driver is on the clock and when he or she is not. They want to correlate this data with Uber, Lyft and their competitors so that they know when they are on the hook for an accident and when they are not, without having to figure out whether you are lying about whether you were working or driving personally when the accident occurred. If they can collect data about the car, the time and the conditions of the accident, and then pull data from the TNCs to establish whether you were working or not, they just might get out of paying that claim.

What they are not saying is what they are doing with that data that they collect when you don’t have an accident.  Maybe to figure out if they want you as a customer.  Just sayin’.


Information for this post came from TU-Auto and Uber’s web site.

Are you managing your third party connections?

Those of you who have been following the Target security breach are probably aware that the publicly stated source of the breach was a heating vendor’s employee who clicked on a malicious email, which set the wheels in motion for one of the largest security breaches ever.

Since the old adage says that your firm’s security is only as good as its weakest link, you might assume that companies would be reviewing the security of the third parties that are vendors and part of the company’s supply chain.

According to an article in CSO Online, only 44% of companies surveyed make the effort to vet the security of third-party vendors and others in their supply chain.

92% of the firms don’t have a supply chain risk management process.

We have heard of law firms being targeted. Apparently, the bad guys have figured out that it may be easier to attack a company’s law firm than the company itself.

Do your vendors have the ability to log in to your systems? You might say that if the answer to that question is no, then you are safe. Maybe not.

If those third parties can send you an email or a Word document, then they could be the vector for an attack on you. If they can log on to your systems, the risk is even higher.

My suggestion – use a risk management process to minimize the likelihood of your most important vendors being the source of a breach of your information.

Remember that even if they have cyber liability insurance (and since you are not vetting them, you don’t know), the one getting the black eye is you, not them. Nobody remembers the name of the heating contractor that started the Target breach. And, if all they have is general corporate liability insurance, then the odds of you collecting a dime are nil.

Food for thought.
