Bite-Sized Insights Into a World of Risk 

Volume 2, Issue 9

In this issue, we take a focused look at:

  1. Feature Focus
    • Cyber Crime in the Crosshairs: How Companies Can Respond
  2. Supply Chain and Business Risks
    • FMCSA Emergency Declaration
  3. Insurance Products and Coverage Information
    • Presumptive Compensability
    • News of Note
  4. Human Resources and Employee Benefits
    • AIHA Seeks Mask Guidance for Employers
    • Insights from Across the Firm

The coronavirus crisis created the need to provide commentary on areas of concern. With the evolution of the pandemic, going forward, each issue will include a focus feature on a timely topic impacting the insurance industry. Relevant updates about coronavirus, including insights from across the firm, will continue to be presented as necessary. As always, the information presented here is intended to provide a high-level overview of critical areas of concern for businesses. Consult your EPIC insurance broker for more in-depth guidance.


Feature Focus

Cyber Crime in the Crosshairs: How Companies Can Respond

In a game of cat and mouse, it can often be hard to tell who is winning. Depending on the mouse’s defenses and the cat’s attacks, momentum can shift, and outcomes along with it.

Such is the state of the cyber market in the wake of a disruptive and highly publicized ransomware attack on Colonial Pipeline that resulted in the payment of a multi-million dollar ransom to an eastern European ransomware affiliate program known as DarkSide. The privately held pipeline operator, which transports over 100 million gallons of fuel a day from Texas to New York, recovered its systems and ability to operate in less time than is typical after a cyber-attack. The incident, however, sparked fuel hoarding, the shakeup of some ransomware gangs, and renewed questions about where cyber-crime, as well as cyber coverage, may evolve from here.

Cyber at a Crossroads

We recently reported on the increased cyber risks faced by manufacturing companies, but here we consider the intersection between ransomware attacks, the cyber insurance that mitigates this risk, and potential governmental action to regulate both.

“Cyber insurance covers cyber extortion, or ransomware, which is exactly what this Colonial Pipeline situation was,” says Kelly Geary, EPIC National Practice Leader, Executive Risk and Cyber. “It covers the cost of paying the ransom, the costs associated with hiring a ransom negotiator, setting up a bitcoin wallet, data recovery and restoration, and the business interruption resulting from the event.”

Typical downtime caused by a malicious cyber-attack, like a ransomware attack, is between 10 to 20 days, depending on the size and nature of the business. Colonial Pipeline’s ability to get back up and running within a week was notable, and may have been influenced by several factors. These include the attention of the public, involvement or pressure from the U.S. government, and the apparent inexperience of the cyber criminals responsible for the attack.

“DarkSide seems to be new to the game and not an incredibly well-established group,” Geary says. “Firstly, the $5 million ransom they demanded seemed relatively low given the level of disruption they caused and the potential they had to create much more.”

On Friday, May 14, DarkSide announced it was going out of business after losing access to some of its servers. The gang claimed some of its funds were transferred to new electronic wallets, though it is possible it plans to reorganize and emerge with a new identity.

Given the surge of ransomware attacks over the last 12 to 18 months, ransomware attacks are unlikely to decline significantly any time soon. Ransomware attacks were the most common type of cyber claims in 2020. In its Internet Crime Report for 2020, the FBI reported a 69% increase in cyber incident complaints and a nearly $1 billion increase in reported losses, from $3.5 billion in 2019 to $4.2 billion in 2020.

As Criminals Up Their Game, So Do Companies

The surge in ransomware attacks, which use malware to hold victims’ networks captive unless they pay a ransom, has pushed companies to become better prepared for them. As companies have become better at recovering from network encryption, cybergangs have lost some of their leverage. Victim companies may not “need” to pay the ransom to get their networks back online. As a result, most ransomware schemes now involve network encryption plus the threat to release or sell the victim company’s confidential information, something often referred to as a ‘double extortion.’

“Over the past three or four years, because of the increased severity and frequency of ransomware attacks, the underwriting process has focused on ransomware controls,” Geary says. “This has pushed companies to consider and focus on controls they hadn’t previously. When asked questions by underwriters or being charged higher premiums, it creates behavior changes that ultimately help companies be in a better position to respond when they are attacked.”

As a result of greater underwriting scrutiny, Geary says, cyber criminals have adapted their tactics.

“Now, they’ll enter a network and encrypt it so no work can be performed, and then they will steal data they believe is highly confidential and will threaten to release it unless a ransom is paid. We’ve even seen them harass employees, clients, and patients of the entities they attack.”

Regulators Test New Measures

The FBI discourages businesses from paying ransom to hackers because it furthers the behavior. In fact, as cyber incidents have increased and expanded, government regulators and insurers have begun taking new steps to curb them. In addition to advising insurers about how to manage risk and respond to cyber-attacks, some governments are going a step further and refusing to allow cyber insurance to be offered in their domains.

“In the days before the Colonial Pipeline event, AXA took a position that they were no longer going to offer ransomware-related cyber coverage in France,” says Geary. “This was in response to concerns raised at a Senate roundtable held in Paris with French justice and cybersecurity officials where they concluded that ransomware was reaching pandemic levels.”

Geary says this is a concerning turn of events, and a timely reminder that companies should bolster and test their defenses to be as prepared as possible.

Testing a First Line of Defense

Such was the thought in a Harvard Business Review article, which recommended fire drills and tabletop exercises as a way for businesses to test their defenses in advance of a cyber-attack.

“These exercises,” the authors say, “will almost certainly reveal gaps in security, response plans, and employees’ familiarity with their own roles…. Everyone – the board of directors, company executives, managers, and team members – has to know their roles and responsibilities and work out any potential problems with their response before a live cyberattack puts immense stress on the organization.”

Testing is a positive step that 47 percent of organizations surveyed by Ponemon have not yet taken. This could be a way to immediately mitigate the potential damage caused by a cyber-attack. Being prepared to respond helps lessen the costs associated with the attack – financial costs as well as reputational harm, noted Geary.

Parallels with Kidnap and Ransom

Geary says the current state of ransomware is reminiscent of the moral hazards of Kidnap and Ransom insurance, an area in which she has previous experience on the carrier side of the business.

“Kidnap/Ransom (K&R) insurance presents a similar dynamic to insurance for ransomware in that, arguably, the existence of the insurance encourages the criminal activity. With K&R insurance, it is more of a concern because people’s lives are more directly at risk. Many countries have banned K&R insurance at one time or another,” she says. “Venezuela, Colombia, Brazil, and Italy all, at one time, passed legislation prohibiting K&R insurance. If we start to see ransomware attacks directly impacting human life in a significant way, we could see governments try to legislate around it. This is something I am watching closely.”

Attacks Move Beyond Money

Indeed, the nature of cyber-attacks is beginning to shift toward incidents that do more than cost money. Attacks are starting to have real-world consequences for people’s physical health and lives, such as the case in Germany where a woman died after the hospital she was being transported to fell victim to a ransomware attack that shut down its controls. This incident attracted worldwide attention because it was reported to be the first time law enforcement considered a cyberattack to be directly responsible for a death. Other incidents since then that held the potential to cause more than monetary harm include an attack on a water filtration plant in Tampa, Florida, as well as the Colonial Pipeline attack.

The possibility that a cyberattack can or will cause physical harm puts companies in a very difficult position. On May 19, CNN reported that Colonial Pipeline paid DarkSide $4.4 million, with its CEO Joseph Blount saying the decision was a “highly controversial one” that he felt was ultimately “the right thing to do for the country.” In an interview with the Wall Street Journal, Blount commented, “I didn’t make it lightly. I will admit I wasn’t comfortable seeing money go out the door to people like this.”

Geary understands the difficulty of the decision and the added danger of these newer kinds of attacks. “The deeper we get into how these attacks impact people’s lives, like the attack on the water filtration plant, the more concerning it becomes. Thankfully no one was hurt, but if they wanted to, the attackers could have poisoned the water and people could have died,” Geary says. “When these events start disrupting lives to the scale of the Colonial Pipeline attack, politicians in Washington are going to feel pressured to take action.”

What actions could or may be taken is not known. A productive place to start, Geary feels, could be stricter regulation of cryptocurrency, which is used to facilitate ransom payments.

“Almost all ransoms are demanded in bitcoin or some form of cryptocurrency. If we regulate that currency more tightly, it could make it more difficult for these gangs to fly in and out anonymously,” Geary says. “And then, maybe we could get the upper hand and change the dynamic of the cat-and-mouse game we’re all trapped in.”

For more information on how to better prepare your firm for a cyber-attack, contact Kelly Geary or your EPIC broker.


Supply Chain & Business Risks

FMCSA Issues Emergency Declaration in Wake of Colonial Pipeline Disaster

On May 11, the Federal Motor Carrier Safety Administration (FMCSA) Eastern, Southern, and Western Service Centers issued a Regional Emergency Declaration and exemption from Parts 390 through 399 of the Federal Motor Carrier Safety Regulations (FMCSRs). The declaration, which was issued in accordance with the provisions of 49 CFR § 390.23, responds to the unanticipated shutdown of the Colonial Pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout Affected States. “Affected States” are: Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, and West Virginia.

This Declaration addresses the emergency conditions that create a need for immediate transportation of gasoline, diesel, jet fuel, and other refined petroleum products and provides necessary relief.

In accordance with 49 CFR § 390.23, this amended declaration is effective immediately and shall remain in effect until the end of the emergency (as defined in 49 CFR § 390.5) or until 11:59 P.M. (ET), June 8, 2021, whichever is earlier. FMCSA intends to continually review the status of this Emergency Declaration and may take action to modify or terminate the Emergency Declaration sooner if conditions warrant.

The full text of the declaration can be viewed online at www.fmcsa.dot.gov

For more information, contact an EPIC Transportation and Logistics team member.


Insurance Products & Coverage

Presumptive Compensability Legislation

Washington became the latest state to enact presumptive compensability legislation. The governor signed S.B. 5190 and 5155 into law, making coronavirus a compensable occupational illness for front-line workers in that state. Both bills state that employers can rebut presumptions with clear evidence that exposure to the virus happened outside of the workplace.

As this remains an evolving issue, the National Law Review has compiled a helpful list of the state, territorial and local government policies (proposed or passed) in response to the ongoing coronavirus pandemic. It is organized by state and is available online at www.natlawreview.com

For more information, contact an EPIC broker.

News of Note

The passage of another two weeks has brought forth more developments across the insurance world. Here is a rundown of recent news stories of interest.


HR & Employee Benefits Insights

AIHA Asks CDC and OSHA to Clarify Mask Guidance for Employers

The American Industrial Hygiene Association (AIHA) urged the Centers for Disease Control (CDC) and the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) to clarify what the CDC’s latest guidance on masking requirements for fully vaccinated people means for employers and workers.

In a statement released on May 14, AIHA said the CDC’s current guidance is insufficient and offered to work with the CDC and OSHA to clarify it. Guidance from the federal level would be helpful, as state-level OSHA organizations, such as Nevada OSHA, announced they would no longer require vaccinated workers to wear masks.

A day earlier, the CDC issued guidance stating that fully vaccinated people no longer need to wear a mask or practice physical distancing in any setting except where required by federal, state, local, tribal, or territorial laws, rules and regulations, including local business and workplace guidance.

Indeed, as states and cities prepare to draw back masking and distancing requirements, the move has left some businesses confused about what workplace restrictions or controls they should continue to enforce. Large retailers including CVS, Target, Walmart and Starbucks have stopped requiring employees and customers to wear masks as long as they are fully vaccinated. Costco, which was one of the first retailers to require masks, says they will now only be required in localities where masking requirements remain in place.

The retailers have all strongly encouraged non-vaccinated individuals to continue wearing masks, but have said vaccination status will be enforced on the honor system, meaning no proof of vaccination will be required.

The CDC’s guidance for fully vaccinated people still requires mask wearing while traveling on planes, buses, trains and other forms of public transportation into, within, or out of the United States, as well as at airports and train stations. The CDC’s guidance can be viewed in full online at www.cdc.gov/coronavirus

For more information about how this may affect your business, contact an EPIC team member.

Insights From Across the Firm

EPIC thought leaders have written numerous articles on matters relating to coronavirus, all of which are available on EPIC’s website. The most recent articles include:


Conclusion

Our understanding of coronavirus and its impact around the world continues to evolve at a rapid pace. This newsletter briefly touches on issues that businesses may want to consider as they approach their response to novel coronavirus. More topics will be considered in future issues as our understanding of the virus and its impact continues to evolve. Please reach out to your EPIC broker for more information.

For all of EPIC’s coronavirus coverage, visit epicbrokers.com/coronavirus 

Disclaimer: This has been provided as an informational resource for EPIC clients and business partners. It is intended to provide general guidance on potential exposures and is not intended to provide medical advice or address medical concerns or specific risk circumstances. Due to the dynamic nature of infectious diseases, EPIC cannot be held liable for the guidance provided. We strongly encourage readers to seek additional safety, medical and epidemiological information from credible sources such as the Centers for Disease Control and Prevention and the World Health Organization. Regarding insurance coverage questions, whether coverage applies or a policy will respond to any risk or circumstance is subject to the specific terms and conditions of the policies and contracts at issue and underwriter determinations. 
