Carrier Q&A: AXA XL
bcp tech recently sat down with Greg Chambers, Senior Underwriter at AXA XL. Greg has been with AXA XL for four years, working as a cyber and technology risk underwriter. During Greg’s 18-year career, he has worked on both the carrier and broker side.
What do you see as the biggest cyber threats?
There are a few things. First off, ransomware attacks are going to continue to be a direct risk for companies of al sizes. You don’t need to be a particularly large organization to fall prey to a ransomware attack, you just need a vulnerability that can be exploited.
Second, the regulatory environment is presenting its own risks in the forms of litigation, responding to regulatory body inquiries and paying fines. In the European Union, General Data Protection Regulation – GDPR – is comprehensive and far-reaching. We have already seen significant fines levied for violations.
In the US, the risks will be much more challenging due to the fact that the US government has thus far shown no appetite for or ability to enact comprehensive federal data protection like GDPR. And this is despite polls that show a vast majority of Americans want exactly that.
So, we are already starting to see the beginnings of a patchwork approach taking shape, beginning with the California Consumer Protection Act, which came into law on January 1, 2020. The CCPA has a broader definition of personal information than the GDPR and includes: personal characteristics, browsing history, marital status, and location information.
Maine and Nevada have already passed privacy laws that include features of the CCPA, but are more limited in terms of defining how the data are collected. There are an additional 11 states considering privacy bills, while 5 more states have tabled pending legislation and have launched task forces to examine how to regulate data privacy. In this environment, it will become increasingly harder to cover the associated risks. In the meantime, organizations would be well advised to look closely at GDPR and CCPA and move toward compliance with one or both, depending on the jurisdictions in which you operate.
Next, is hacking attempts. No organization is immune from phishing or spear phishing attacks to steal network credentials. Theft of devices like laptops or smartphones can also lead to breaches. The danger for a breach like this is that an attack can happen from the inside for months before being detected, if at all. In cases like this, it is less about the strength of your firewall and more about the application of security best practices, including: strong password, password rotation, two-factor authentication, and phishing attack simulations.
We are also at greater risk today of government–sponsored attacks. Operatives in nations like Iran and Russia use highly sophisticated techniques and technologies. Worse still, these kinds of attacks may be aimed at disrupting the economy as a whole and, therefore, may encrypt an organization’s data without demanding a ransom. It may be more difficult to resolve, while resulting in: business interruption claims, loss of income, data recovery costs, and additional expenses, including legal fees, security consultants, and more.
What risk do you think companies tend to overlook?
Probably reputational harm. While a ransomware attack can disrupt your business in the near-term, the reputational harm that can be caused by a breach has the potential to be catastrophic.
Hackers targeted a third-party vendor, Fazio Mechanical Services, an HVAC and refrigeration service company. Exploiting Fazio system weaknesses gave hackers the ability to attack Target from the inside in 2013. It was the largest data breach ever, with over 41 million payment card accounts and 60 million Target customer accounts affected.
In 21017, Target settled suits in 27 states and the District of Columbia for USD 18.7M. According to Target, the breach cost them over USD 200M. Target’s sales fell 46% year-over-year.
The cost to brand value and reputation is hard, if not impossible to quantify. But the risk is there. A survey of consumers showed that more than 86% of respondents were either not at all likely or not very likely to shop at a merchant that had been breached. Such a finding is certainly an indicator of lost consumer trust and that trust is essential to a brand’s value.
Earlier you mentioned ransomware attacks. Most ransoms are paid in bitcoin and there have been reports of its instability. Is that a risk?
It’s hard to say. But that instability is really nothing new. Bitcoin and other so-called cryptocurrencies, have been historically volatile with values swinging wildly. Because the swings do tend to be dramatic, that attracts attention. The investment bank UBS has warned that cryptocurrencies are not yet ready to be called real money. But that misses the point of cryptocurrency, which is designed for systemic stability rather than price stability. And that systemic stability is of value to those who use Bitcoin for illicit purposes, like ransomware attacks.
The bigger risk in ransomware attacks is in the fact that hackers are continually upgrading the malware they use in their attacks.
What advice would you give companies regarding cyber risk?
Don’t wait until you’ve been breached. Then it’s too late. And don’t think it won’t or can’t happen to you. It can. In 2019, a business was successfully hacked approximately every 14 seconds.
If you’re investing money in a product or service, invest in the tools to protect it. You likely have burglar alarms and fire suppression systems in place to protect your investments, along with related insurance cover. You should take the same approach and discipline with cyber liability.
Also, scale your protection appropriately. Not every organization has the same risks. You could also be leaving yourself vulnerable to attack if you’re not looking at threats holistically. Remember that the Target data breach happened because a vendor was first breached, not Target.
Why should companies consider coverage from AXA XL’s cyber liability team?
When a breach occurs, everything happens fast. Literally every second counts. Our team is highly experienced; we’ve handled complex breaches and move quickly. We have an entirely in-house claims team that is accessible 24/7 via hotline.
In addition to our in-house experts who will walk you through the process, we also have additional services that come with your coverage. Services that will help you improve your cyber security and reduce your risk from the beginning.
AXA XL’s cyber insurance solutions help clients address cyber risks through proactive services, dedicated support, and flexible coverages designed to protect an organization’s business operations. To learn more, visit their website.