The best story told about insurance is how it originated may centuries ago. Merchants traveling to a nearby market used to load their goods into boats and travel down-river to a nearby market. Unfortunately, dangerous water conditions often tipped the boats causing the merchants to lose all their possessions. Since this caused significant hardship for the merchants and their families, an alternative solution needed to be created.
The merchants decided if they spread their possessions among several boats traveling to the market, chances are most boats would make it and they wouldn't lose all their possessions. This model worked originally but unfortunately several conditions made it unfavorable over time, for example;
1. Some merchants didn't take good care of their boats and therefore were more likely to sink.
2. Newer merchants were inexperienced navigating the waters and tipped their boats more frequently.
3. Some merchants started stealing the goods of other merchants.
Eventually wealthy merchants decided a different alternative was needed. They then agreed to replace all the possessions of any given merchant for a small fee. With this model, every merchant would carry their own goods, in the event their boat tipped traveling through the dangerous waters, the wealthy merchants would pay to replace all their possessions. Of course, the merchants decided the following rules would apply;
1. Any merchant with a boat in poor condition would be charged extra for their journey
2. Newer merchants would be charged extra because they had less experience navigating the dangerous waters.
Of course, this story continues to evolve over many generations but you can get an idea of how insurance allows us to protect ourselves against the financial hardship of a loss.
Today insurance covers 100's possibilities. For example;
• Protecting you from financial loss when your home is damaged.
• Protecting your family against the financial loss of a critical illness or death.
• Protecting your business from the financial loss of damages, injury and interruption.
• Protecting yourself from the financial loss of lawsuits
• Protecting you from the financial loss of a car theft or accident.
Insurance works by "pooling" risk with others. This simply means a group of people want to protect against a loss or exposure that could cause financial hardship. Since the "pool" is so large, you can project what the actual losses will be for a loss or exposure "pool". It is obvious not all people in the pool will have a loss at the same time. This allows third parties (insurance companies) to profitably cover losses or new exposures as they may arise.
What do you think?
Why is the phone ringing?
This is one of the most important questions I ask anyone looking to purchase a business. There are several factors that will contribute to this answer but for now we are going to focus on risk management. To understand better we will look at a recent lawsuit Gestation F Lessard. v. Bourneville, where several defects had a negative impact on the purchase of a business.
What can we learn:
1. Avoid - In risk management, avoiding a risk can be the most effective strategy. Sometimes we need to take a step back and analyze things before making a commitment.
Solution: Ask a third party to analyze the business from an unbiased perspective. If you can’t gather all the information they need you are better off avoiding the risk than taking a chance.
2. Control - Terms and conditions can be a life saver when making any type of transaction. By controlling the risk, you are taking the necessary steps to reduce or prevent bad outcomes from happening
Solution: Consider a diligence review and subjectivities while doing a deal. This is something your legal council and business consultant can help with during the purchasing process
3.Retain - Part of owning a business is taking chances. Sometimes you will have exposures which you cannot avoid and you will need to accept that.
Solution: Understand what type of risks you are willing to and can afford to absorb. A good financial plan can help with planning for unexpected expenses.
What do you think?
Malwarebytes released a study suggesting too many businesses are oblivious to the realities of cyber crime. Almost 40% of business reported having experienced some form of ransomware in the last year and another 40% reported having paid a ransom amount to unlock their data. With an alarming 259% increase in the last year it is hard to imagine how big the impact has been on businesses.
When working with executives on risk management, cyber risk can one of the hardest areas understand. Often CIOs, CISOs and IT directors are stuck with limited budgets to handle such large threats to an organization. Not to mention the communication between highly technical IT personnel can be very difficult for other executives to understand.
From an insurance perspective cyber is one of those risks we can anticipate and handle accordingly. Organizations who take an active approach towards cyber strategy should engage their IT personnel with security and insurance professionals in order to tackle cyber risks holistically.
We wanted to take this opportunity to share a ransomware infographic posted by Malwarebytes.
The Privacy Commissioner Of Canada released a follow up to the investigation on the Ashley Madison (ALM) cyber breach and executives should be familiar with the results. The commissioner commented “It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework".
Here are 3 takeaways for executives on Cyber Security:
1. Harm extends beyond financial impacts:
Harm from data breaches is often focused on identity theft and credit card fraud. The commissioner notes “While impactful and highly visible, these do not represent the entire extent of possible harm. For instance, reputational harm to individuals is potentially high-impact as it could have a long-term effect on an individual’s ability to access and maintain employment, relationships, or safety depending on the nature of the information.” This is important given the recent court rulings coming out of the United States ruling otherwise.
Here is the story: Plaintiffs Cannot Bring Data Breach Lawsuits Without Evidence That Information Will Be Used To Harm.
It is possible an organization could be held liable for harm caused by a data breach. A standard Commercial General Liability policy will not cover these damages and a separate Cyber Liability policy needs to be purchased to cover this exposure.
2. Safeguard should be supported by a coherent and adequate governance framework
The privacy commission mentions a security framework should be “consistently understood and effectively implemented.” In Ashley Madison’s case, regulators found 75 percent of the company's staff had not received general privacy and security training. Not to mention they supported a “Trustmark” to consumers, implying information was being protected when in fact it was not.
Executives should have written security policies and procedures for the entire organization. Not only will this protect an organization and its consumers, but it will assist with documentation in the event of legal proceedings. .
3. Documentation of privacy and security practices can itself be part of security safeguards
The commissioner notes “Having documented security policies and procedures is a basic organizational security safeguard”. It is surprising how many organizations have nothing in place, especially when free resources are available such as this Cyber Liability Toolkit.
Every executive should place an organization’s attention to security as a priority. The commissioner notes this helps an organization to identify and avoid gaps in risk mitigations, provides a baseline against which practices can be measured, and allows the business to reassess practices in an evolving threat landscape.
From a Directors and Officers liability perspective we can’t stress how important it is for executives to take a proactive step towards cyber security. Something as simple as documentation of privacy and security practices can help executives if there is ever a lawsuit.
Don’t wait until your company shows up in the headline of a local newspaper, start engaging in a cyber strategy today.
See the full release by the Privacy Commissioner here: https://www.priv.gc.ca/cf-dc/2016/2016_005_0822_e.asp
Almost 15% of systems remain vulnerable two years after the identification of the "Heartbleed Bug". Researcher Robert David Graham reported his results after completing scans on the 1.5 million systems that supported the bug. What should you be thinking?
What is the problem with this scenario? Most IT personnel will tell you the bug compromises security for applications including web and email, basically allowing cyber criminals to watch what you are doing. If two years have passed and systems are so vulnerable, what are the chances you or your third-party vendors are being impacted by this bug?
Can't my IT team detect this?
If you read the article (http://heartbleed.com/) "exploitation of this bug does not leave any trace of anything abnormal". Quite concerning to think someone could be tracing your actions undetected. This vulnerability can only be fixed as patches become available.
From an insurance standpoint
Unlike most types of crimes insurance professionals deal with, cyber crime can be mysterious. Unfortunately, cyber criminals are not breaking into your building and can't be easily caught by the police. This means most cyber activity goes undetected for a very long time.
When we work with business on cyber insurance, most are unaware of the IT infrastructure they have in place. This can make purchasing coverage difficult when it is hard to comprehend what type of exposure the organization is open to. These problems only mount when you consider the increasing number of clients and vendors interacting with a business every day.
Talking with an insurance professional about your cyber exposure should be a top priority. This exposure can have a large financial impact on your business and can be very hard quantify. It's time to start thinking about how cyber exposure might impact your business.
What do you think?
The Base Team
Insurance made easy. How we can make insurance better for you?