Innovation Insurance Group

Ty Sagalow Discussing Cyber Liability and Insurance on C-Span circa 2000

Ty R. Sagalow — Thu, 04 Oct 2018 23:44:04 +0000

In this 14 minute C-Span clip, Ty Sagalow discusses cyber liability and insurance. Circa 2000

httpss://www.c-span.org/video/?c4753578/ty-sagalow-span-cyber-liability-circa-2000 (THIS LINK WORKS BETTER)

LA Times: Spending on Cyberattack insurance soars, quoting IIG CEO Ty Sagalow

Ty R. Sagalow — Thu, 12 Feb 2015 20:59:53 +0000

February 9, 2015 (Los Angeles). This LA Times article discusses the increase in cyber insurance due to the hack of Health insurer’s Anthem Inc’s computer system – affecting up to 80 million customers, and similar attacks over the last few years. According to the article “Hackers are wreaking havoc on big organizations, but they’re also spurring a new market- cyberattack insurance.” The article quotes several leading experts on cyber insurance including IIG CEO & Founder, Ty Sagalow:

Ty Sagalow, an industry consultant and former chief operating officer for AIG’s EBusiness division, said the growing sense that cyberattacks are no longer unusual events is dialing up the fear factor.

“Think of a massive cyberattack as an intelligent hurricane,” Mr. Sagalow said. “If it hits a house that doesn’t fall down it learns why the house didn’t fall and it changes. “It is a scary thing…. Scary things sell insurance.”

Insurance Thought Leadership Speaks with Ty Sagalow on Cyber Risk

Ty R. Sagalow — Wed, 30 Apr 2014 16:10:33 +0000

In this third installment of the Ty Sagalow Insurance Thought Leadership series, Mr. Sagalow is asked about the current status of cyber risk and the cyber risk insurance industry as well predictions to the next versions of cyber risk insurance.

Cyber Crime in the News: Responses to Cyber Risk

Ty R. Sagalow — Sun, 04 Aug 2013 21:50:02 +0000

Cybercrime and Cyber Risk are making headlines. Recently, Federal Prosecutors charged a gang of hackers from Russia and the Ukraine with stealing 160 million credit card numbers from more than a dozen companies. Authorities said it’s “the largest hacking scheme in U.S. history.” Some of the same hackers were accused of computer attacks on Citibank, PNC Bank and the Nasdaq stock exchange as well. And earlier this year, an international ring of cyber thieves stole $40 million in 10 hours from ATMs in more than two dozen countries.

Ty Sagalow, president of Innovation Insurance Group, joined WRIN.tv to discuss the impact of cybercrime on companies and infrastructure, what governments and insurers are doing to mitigate cyber losses, and developments in cyber risk insurance coverages.

View Innovations in Insurance programs with industry leaders Vince Tizzio, President/CEO of Navigators Management Company, Inc. and Pamela Newman of The Newman Team at Aon.

A Look at Cyber Risk of Financial Institutions

Ty R. Sagalow — Tue, 02 Apr 2013 17:16:44 +0000

You cannot be a financial institution operating in the 21st Century and not have a cyber risk management plan which includes the purchase of cyber insurance.

Overview Of The Risk

There were more than 26 million new strains of malware released into circulation in 2011. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $214 in 2011, an increase of over 55% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability Forum” the results of their analysis of 153 data or privacy breach claims paid by insurance companies between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach, compared with an average of $2.4 million for claims made from 2005 through 2010.

And attacks simply don’t target large companies.

According to Symantec’s 2010 SMB Protection report, small businesses:
Sustained an average loss of $188,000 per breach
Comprised 73% of total cyber-crime targets/victims
Lost confidential data in 42% of all breaches
Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report’s opinion that 96% of such breaches could have been prevented with appropriate controls.

Bottom line: cyber attacks are here to stay — and in many ways, they are getting worse.

A Look At The Financial Institution Sector

Willy Sutton once infamously remarked that he robs bank because “that’s where the money is.” According to Professor Udo Helmbrecht, the Executive Director of the European Networking and Information Security Agency, if Willy Sutton was alive today, he would rob banks online.

Criminals today can operate miles, or even oceans, away from the target.

The number and sophistication of malicious incidents have increased dramatically over the past five years and is expected to continue to grow,” according to Gordon Snow, Assistant Director of the Cyber Division of the Federal Bureau of Investigation (testifying before the House Financial Services Committee, Subcommittee on Financials Institutions and Consumer Credit). “As businesses and financial institutions continue to adopt Internet-based commerce systems, the opportunity for cybercrime increases at the retail and consumer level.

Indeed, according to Snow, the FBI is investigating 400 reported account takeover cases from bank accounts of US businesses. These cases total $255 million in fraudulent transfers and has resulted in $85 million in actual losses.

According to the FBI, there are eight cyber threats that expose both the finances and reputation of financial institutions: account takeovers, third-party payment process breaches, securities and market trading company breaches, ATM skimming breaches, mobile banking breaches, insider access, supply chain infiltration, and telecommunications network disruption.

It was the telecommunications network disruption that dominated the news in 2012.

Otherwise known as a distributed denial of service attack, US banks were attacked repeatedly throughout the year by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against this country’s infrastructure.

Among the institutions hit were PNC Bank, Wells Fargo, HSBC, and Citibank, among many others. Big or small, it made no difference. At the end of the day, as many as 30 US banking firms are expected to be targeted in this wave of cyber attacks, according to the security firm RSA. And it is likely that we are not at the end of the day. On January 9, 2013, the computer hacking group that has claimed responsibility for cyber attacks on PNC Bank vowed to continue trying to shut down American banking websites for at least the next six months.

That is not to say that financial situations only had to worry about distributed denial of service attacks launched by hostile nation states in 2012.

On December 13, 2012 the Financial Services Information Sharing and Analysis Center, which shares information throughout the financial sector about terrorist threats, warned the US financial services industry that a Russian cyber-gangster is preparing to rob American banks and their customers of millions of dollars. According to the computer security firm, McAfee, the cyber criminal, who calls himself the “Thief-in-Law,” already has infected hundreds of computers of unwitting American customers in preparation to steal that bank account data.

Of course not all threats look like they come from the latest 007 flick. On October 12, 2012, the Associated Press reported TD Bank had begun notifying approximately 260,000 customers from Maine to Florida that the company may been affected by a data breach. Company spokeswoman Rebecca Acevedo confirmed to the Associated Press that unencrypted data backup tapes were “misplaced in transport” in March 2012. She said the tapes contained personal information, including account information and security numbers. It is unclear why the bank waited until October to notify customers. Over 46 states now have mandatory notification laws that dictate prompt notification to bank customers of missing or stolen “Personally Identifiable Information.” Failure to make timely notification can, and often does, prompt customer lawsuits and regulatory investigations.

The bottom line: you cannot be a financial institution operating in the 21st Century and not have a cyber risk management plan which includes the purchase of cyber insurance.

The Cyber Insurance Market

With these facts, it is not surprising that the cyber insurance market has grown tremendously from its initial beginning in 2000. Starting with what was the brainchild of AIG and Lloyds of London, the market has grown to over 40 insurance providers. A widely accepted statistic is that the market now produces over $1 billion in premium to insurance carriers on a worldwide basis.
Despite the increasing claim activity, informal discussions with the market continue to indicate that cyber risk is a profitable business. Perhaps, it is for this reason, cyber premium rates are flat to down 5% according to industry reports in the market where rates in property-casualty are generally increasing.

Carriers also see this as an area where there are many non-buyers, and statistics seem to back them up. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about this cyber risk. A risk area with a high level of concern but little purchase of insurance is an insurance broker’s dream. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.

It is unclear why there aren’t more buyers, but most of the industry believes it’s a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber risk is covered under their general corporate liability policy.
It is then perhaps not surprising that the Betterley 2012 market report stated “we think this market has nowhere to go but up.” Although, they quickly qualified, “as long as carriers can still write at a profit.”

Originally published on April 2, 2013 in Insurance Thought Leadership.

The Financial Management of Cyber-Risk

Ty R. Sagalow — Tue, 12 Jun 2012 01:23:52 +0000

Mr. Sagalow is former chairman of the Internet Security Alliance, a Washington, D.C.,-based trade association which deals with issues of cyber-risk and national security. He has authored a number of works on the subject, including The Financial Management of Cyber-Risk, which consisted of two publications published in conjunction with the American National Standards Institute:

and,

@Risk – the definitive guide to cyber-risk insurance and reinsurance issues.

Boardroom Role Play of Personal Identity Theft

Ty R. Sagalow — Thu, 15 Sep 2011 22:47:40 +0000

Boardroom role play of theft of PII data from fictional company intended to show in-fighting among department heads (legal, HR, Finance etc) when a inter-departmental coordinated cyber strategy had not been taken. Role Play ends with lessons learned and a summary of strategy from the ISA/ANSI publications above. Innovation Insurance Group President, Ty Sagalow, plays the company CEO. (20 minutes)

Ty Sagalow Comments on the Cyber-Insurance Market

Ty R. Sagalow — Thu, 15 Sep 2011 22:44:55 +0000

Ty Sagalow responds to a general question about the status of the cyber-insurance market at the NIST conference (September 2011). (2.5 min)

Sony Sues Zurich for Insurance Over Cyber-attack

Ty R. Sagalow — Fri, 22 Jul 2011 18:48:19 +0000

The case at hand pits insurer Zurich American against its client Sony: Zurich has refused to cover the costs of class-action lawsuits stemming from Sony’s embarrassing breaches, and wants the courts to weigh in with a judgment to clarify the matter.

“There are probably still some risk managers out there that think that their comprehensive general liability policy cover breaches,” says Sagalow, who was one of the main experts in charge of first drafting cyberinsurance policies for Zurich when he worked for the company prior to starting his own consulting shop. “These types of cyberevents are not covered in the typical standard forms of insurance.”

Sagalow says that as cyber-risks increase in sophistication and pervasiveness, organizations need to think about adding additional coverage that can hold up to court scrutiny when everything hits the fan. But because cyberinsurance is such a new phenomenon, it’s a buyer-beware situation.

“Unlike many insurance policies that companies buy, there is no standard form — it’s not like comprehensive general liability or workman’s comp or fleet auto — cyber is not standard,” Sagalow says. “Plus, it is in an area which is called surplus insurance, meaning that they’re not subject to state filing regulations for state approval, which allows freedom of an insurance carrier to set terms and conditions.”

Read the full article here or download the PDF version.