Does OpenTable Equal Opening to Risk?

The risk of cyber-attacks and security breaches is becoming a critical concern for restaurant executives. Restaurants are experiencing a wave of technology innovation in everything from the customer experience to operational efficiency. With these technology enhancements comes an ever-increasing number of third-party vendors that interact with a restaurant’s customers and the business as a whole. New business relationships and processes can create security gaps, alter access to sensitive data, or cause increases in cyber risk liability exposures and threats.

The days of calling a restaurant for a reservation are all but over. Customers have come to expect real-time visibility into table availability online. Restaurants are becoming more and more dependent on apps to remain front and center with their customers, to increase traffic, and to better manage table turns. Loyalty programs are also being integrated to capture sensitive customer data, as well as to provide services like food delivery or tableside kiosks. These third-party technologies may or may not be integrated with the restaurant’s point-of-sale system but regardless, restaurant management will likely not have knowledge of how this data is stored, segregated, or transmitted. These third parties may also be sharing or sorting sensitive data with other parties unbeknownst to the restaurant, which creates vulnerabilities and entry points for cyber attacks and requires greater vigilance to protect customer data.

Payment processing is continuously evolving and increasingly shifting liability to the merchant if they cannot keep up with expensive and ever-changing technology standards. Therefore, strengthening resilience to cyber breaches is essential to business continuity.

The path forward for restaurant owners demands expanding cybersecurity programs as a whole. This includes a core of controls and processes around the most sensitive assets, including up-to-date data on areas of vulnerability such as vendor software patching. Failing to act on known areas of weakness in their environment is the most common factor among those that have been attacked. Awareness of how threats are evolving is critical to having the ability to analyze situations and to properly plan for business continuity.

What is also sometimes lost is that the biggest weakness with data security in the restaurant industry is the human component. It is an industry that is heavily reliant on lower cost labor, often experiences high turnover, engages with a variety of third parties, including outsourcers, and directly interacts with customers through various physical and digital venues. This complex extended enterprise makes cultural awareness of data security important not only at the corporate level but also at the store level.

As the threats evolve, however, so does the spectrum of risk mitigation solutions that can be put in place to combat possible attack. Innovative insurance products, like the Smart Cyber policies offered through Corvus Insurance, use data scans to help restaurateurs identify possible vulnerabilities on an ongoing basis and provide liability coverage to address some of these new risks. Digital exposures emanating from third-party service providers should be adequately addressed in a cyber liability insurance policy. This may include comprehensive coverage extensions for contingent business interruption, PCI-DSS fines and penalties, and breach response expenses tied to contractual indemnification provisions. Sunshine is the best prevention as Corvus identifies risks for restaurants to manage.


Innovation in Life Sciences brings Great Possibility, but also New Risks

The powerful current of new digital technology has caused disruptive and transformational changes in the Life Science industry. This is changing the future of cancer treatment, producing life-changing vaccines, and allowing for valuable research efforts that many of us couldn’t even imagine. Much of the innovation is being powered by data and in many cases more and more personalized data. Information has never been more valuable and life sciences are becoming one of the most vulnerable industries to data breaches.

What’s at risk?

The cyber risks that plague life sciences can be detrimental. Compromised biotech research goes beyond issues for shareholders— there could be information powerful enough to develop dangerous products and bioweapons. As criminals and other threat actors continue to uncover new ways of monetizing sensitive and confidential data, these data assets are in turn becoming more and more valuable. Cybersecurity threats in the life sciences industry can directly put people’s health, safety, and security at risk. Many pharma and biotech companies, especially high-profile consumer brands, are high-value targets for cyber attackers.

Among the major threats in pharma and biotech are these three top points of concern:

  • Clinical Trial Data: this includes sensitive patient data that is generated from clinical trials— this is at-risk information on both a patient level and a commercial level.
  • Confidential Information and Intellectual Property: regarding the manufacture of biologic drugs, etc.
  • Commercially Sensitive Information: drug pricing and promotion

Cyber Threats in Life Sciences

Information-related risks including fraud, cyber, and security risks are now the areas of greatest concern for pharma and biotech sectors, as well as the sophisticated nature of medical devices and their connectivity schemas. Commercially sensitive information in all of these areas is at an all-time high. Physical theft or loss of intellectual property (IP) is currently the most prevalent type of security incident in the life sciences sector. Incidents relating to theft and loss of IP are costly and wide-ranging, affecting employees, customers, the organization’s reputation and bottom line, and putting these important research and development projects at risk.

Interconnectivity of corporate data networks is necessary for life sciences; however, this has made intellectual property that much more vulnerable to cyber thieves who can monetize this valuable data. Categories of IP within the life sciences and medical device sectors include pharmaceutical and biotechnology patents, copyrighted data sets and reports, and trade secrets. Life science organizations should also guard against the loss of personal information such as financial information, personal health information, and medical data.

6 steps for protecting your sensitive proprietary data and IP assets:

1. Identify and data map IP assets within digital and physical systems. This should be done both onsite and in the cloud and include those with access, such as remote vendors and clinical researchers.

2. Protect IP assets by implementing contractual, physical, and digital security systems.

3. Stay informed on the most recent cybersecurity risks. Implement basic security rules and create a security policy program that works to protect your IP assets.

4. Conduct risk assessments regularly to evaluate and simulate best practices around protecting the company and stakeholders in the event of a system and/or data breach.

5. Gain an understanding of the added risks that the Internet of Things and remote medical devices bring. Expect an exponential increase in cybersecurity risks and be prepared to mitigate.

6. Become educated on the legal framework surrounding protection of the confidentiality of IP assets. Additionally, understand the liability and regulatory frameworks impacting cybersecurity in life sciences and medical devices sectors.

Why now?

Cybersecurity should be one of the main focuses in almost any organization’s agenda, but especially for those in the life sciences sector. The massive growth rate and use of Big Data and the Internet of Things are just some of the examples of the need to be hyper-focused on privacy and data security. Systems have never been more complex and interconnected, as powerful and sophisticated discoveries continue in pharma, biotech, and medical devices. Life Science companies should use all tools available, including those offered by their insurers, in order to predict and prevent risk— not just once a year at the Cyber Insurance renewal, but throughout the year.

The Franchisee Factor

Cyber liability poses some unique questions for franchise organizations. Often after a data breach, any well-known retail brand name might lick their wounds, learn a lesson or two, release the specifics around the compromised data, and move on.

An interesting wrinkle arises when you factor the nature of the relationship between the franchisees and the central corporate entity. The franchisees, in most cases, are independent business owners who pay for the privilege of using the Corporate brand and supporting services. When a breach occurs, the affected owners could take a substantial hit to their wallets in the form of lost income, lost wages, spoiled food and other costs, and might look to the corporate “mothership” to make them whole again.

These sorts of liability questions might lead the franchisees to take legal action that could significantly impact the potential financial payouts. This situation highlights the fact that franchise organizations have a unique set of challenges when it comes to cyber threats.

The Downside of Franchisor/Franchisee Interdependence

Franchisors and franchisees have an interesting interdependent relationship because while they are different companies, they share entangled domains of trust and risk. Each relies on the other to do its part to protect information and information systems, but many times the incentives aren’t aligned to position both for success. Some of the factors contributing to this poor alignment include the following:
• The franchisee is often a small individual business that doesn’t have the resources to adequately defend itself when threats arise.
• The franchisor typically avoids getting involved in the specifics of how a franchisee operates because the franchisee is an independent and separate organization and the franchisor isn’t structured for this level of micro-management. After all, the entire model behind a franchise-based enterprise is to allow the business to grow organically by taking advantage of the capital and sweat equity of each franchisee.
• The franchisee operates a local network that depends on services provided by the franchisor. Sometimes the networks share technical access to each other, which can be exploited by attackers to move laterally across networks.
• In many situations, franchisees will share a third-party resource for IT management. Even though franchises are operated independently, shared administration creates a logical broad domain of trust that can be leveraged to launch attacks which hit all independent franchises simultaneously.

Naturally, attackers are aware of all this and it’s not uncommon for them to target individual franchise locations in order to pivot to others or gain access to the broader franchisor network. Alternatively, they may target third-party service providers in order to hit large numbers of franchises at scale. When this happens, complicated questions of liability arise.
• What obligations do individual stores have to protect themselves and each other from cyber threats?
• What role does the franchisor play?
• What’s the appropriate level of security when defending against sophisticated attackers and what penalties should be assessed when those defenses aren’t up to the task?
• When defenses fail, who is responsible for reporting the breach to consumers?

Regulators are Taking a New Approach

Regulators are shifting the way they view the franchisor/franchisee organizational relationship, even though these are independent operations. When the consumer walks in the front door and swipes his credit card, he’s placing his trust in the logo on the outside of the building, not in the unseen entity whose name is on the local lease.

In 2015, Wyndham Hotels and Resorts settled a lawsuit launched by the U.S. Federal Trade Commission after a data breach at a single franchise hotel in Phoenix raised questions concerning Wyndham’s responsibility to protect consumer data across its 8,000 independent hotels around the globe. As part of its settlement, Wyndham agreed to launch a comprehensive information security program for franchisees, including conducting annual audits.

In 2018, an attack on Canada’s Tim Hortons added a new twist. Most often, when security breaches associated with a retail brand hit the news, it’s because of the impact on consumers. However, the Tim Hortons incident involves direct B2B liability with quantifiable financial damages. This case could set an important precedent and should put all franchisors on notice that keeping their franchisees at an arm’s length can lead them to ignore key risks they should be addressing — for instance, the fact that the franchise business model exposes a complex and extensive attack surface. It’s time for franchisors and franchisees to sit down together and ensure that all franchise defenses are up to the challenge of today’s most sophisticated, targeted threats. It’s also time the insurance industry step up with new products that address these new complicated risks for all parties.

“Hard” Market Conditions in Ocean Cargo Find a Solution in InsurTech

Over the past year, an increasing number of Lloyd’s syndicates have withdrawn from, or been closed out of, the London marine cargo market. The decline of these cargo syndicates reduces the overall supporting capacity from market leaders but also leaves over $6.4 billion of market share up for grabs.

The reasons for this, according to Lloyd’s, include cargo reportedly running at a 135% loss ratio. This has put a large number of Lloyd’s syndicates either under review or closed completely, and brokers are being forced to find alternative options for their clients. There was also consolidation in 2018, with a number of larger insurance companies purchasing more vulnerable companies. This has resulted in a reduction in the number of market leaders available, which restricts the options for insureds.

Lloyd’s has instructed its managing agents to provide a quarterly reports plan to improve the underwriting performance of the seven under-performing classes— Life Sciences/Pharmaceuticals being one of them. The bottoming out of cyclical market conditions, frequently caused by over-capacity, often results in violent price and coverage adjustments that punish not only those insureds with poor operations but the good as well.

The use of technology and data can help insurance buyers to differentiate their risk profiles. Corvus specializes in providing broad Ocean Cargo and Stock Throughput coverage for spoilage and other perils for Temperature sensitive products within the Food and Life Science industries. We are using data from leading IoT sensor providers to provide something NEW that is helping Brokers on our platform differentiate themselves and win new business with Life Science and traditional food customers.

Corvus compares the temperature shipment data of an insured to our mammoth database of shipment data. Our algorithms produce a Corvus Score through which we communicate our underwriting outcomes and coverage grants. We also use our CrowBar data platform to bring new information to our clients throughout the policy year in order to help our insureds identify anomalies that might lead to a claim. Working together, we manage risk and reduce claims. The win-win solution of Corvus, for those insureds that want to engage with the use of their data, is a better outcome from a “hard” insurance market than acceptance of price increases.


InsurTech: Easier Than a Flu Shot

InsurTech is a new concept that is revitalizing an old industry. But what exactly is it, and how does it work? And how is Corvus shaking up something that’s already so cutting edge? InsurTech can be broken down into three primary aspects, each one important, all working together to run a system with maximum efficiency. Imagine visiting a doctor’s office— you check in at the front desk, you get your physical, and you get your bill. For most people, the bill is the greatest concern— and that’s why this third aspect is where Corvus is focusing its energy. What if you could prove to the doctor that you have been taking great care of your body all year? That you’ve been exercising, eating right, and cutting down on beers? And what if the doctor, having received this information, would, in turn, charge you less because of your healthy habits? That’s what Corvus is trying to do for commercial insurance buyers.

But we’re getting a little ahead of ourselves. So let’s begin at the “front desk” of insurance, the first aspect— that is, the contracts, the insurance platforms themselves, etc. This is the gateway to your policy, and there’s a lot of cool stuff happening in this arena. For instance, there is some great technology being applied to things like the mobile-enablement of auto claims, blockchain for reinsurance contract fulfillment, and online sales platforms for brokers and agents. This can cut the costs of managing an auto claim from 3% of premium to 2% which, given the size of the auto market, is an incredible achievement.

Next, we go to the actual doctor’s appointment— the second aspect, the product that you’re purchasing. Online channels, direct or broker-focused (Insureon or Wellthie are examples), as well as products that are sold for less than a year for the gig economy or on a P2P basis, fit into this category. Distribution costs can run from 3 to 30% or more, so reducing distribution costs is a big deal if they respond better to customer needs than conventional products and distribution methods.

The third aspect, where Corvus is most concerned, is that final doctor’s bill in the form of claims paid. This is where Corvus is particularly innovative— by using your data, we are able to help you reduce your risk in order to reduce your claims. Companies like Neos in the UK do this by giving out theft or water detection devices in order to prevent or respond more quickly to events that frequently lead to homeowners claims. Corvus accomplishes this not by creating new monitors of data, but by leveraging and licensing existing data sources to price, predict, and prevent commercial insurance claims. We use temperature sensors for cargo subject to spoilage in order to monitor and score risk with full customer (and broker) transparency. We are also perfecting the same for cyber (web-scanning technology). One big difference in this arena is the richness of the targets. In commercial insurance, between 60 and 80% of premiums go to pay claims. Reducing the cost of claims by 15% will make a bigger impact on overall economics than cutting distribution or back-end costs in half.

Corvus is excited to be breaking into InsurTech and excited for you to join us on this journey. From cargo to cars, we’ll reward you for your hard work, and you’ll reap the benefits of safer habits. By creating InsurTech for you, we are going to make the world a better place.

 

The Story of Corvus

Corvus Founder & CEO Phil Edmundson did not expect to be starting another insurance business. After successfully launching and exiting several insurance businesses focused on technology companies, Edmundson thought he would become an angel investor in what is now called InsurTech.
 
Instead, after a year reviewing 100+ InsurTech startups and investing in a half-dozen of them, Edmundson came to the conclusion that the opportunities for digital tools and data platforms were not reaching medium to large-sized commercial insurance brokers and customers. “My former colleagues and clients weren’t seeing the benefits that had started to reach personal and small commercial lines insurance markets”, he noted. “After many conversations with brokers and venture investors, I became convinced that there was a huge opportunity to help the brokers and buyers of commercial insurance”.
 
The barriers to commercial InsurTech innovation are significant. First, the underlying insurance products are more complicated than many tech entrepreneurs had the time or inclination to analyze. Easier missions are available for insurance products that tech entrepreneurs recognized from their own buying experience. Second, distribution was a barrier. Commercial insurance buyers of any but the smallest size want the help of their insurance broker. Yet most InsurTech entrepreneurs dislike brokers. Early efforts such as those of Zenefits were seen as a threat to brokers and the initial success of Zenefits kept the focus away from possible partnerships with brokers. (Zenefits has smartly changed its tune on its go-to-market strategy and now works with brokers). Edmundson saw the opportunity to leverage his experience working for start-up and global commercial insurance brokers focused on the tech sectors as an opportunity to provide broker partners with the confidence that Corvus would be their partner rather than a threat.
 
Next came the identification of novel sorts of data that could predict and prevent insurance claims. “Connecting to predictive data is just like having a safety inspector inside every shipment, auto trip, or online activity,” he noted in regard to the Corvus strategy to empower brokers and policyholders with risk scores that inform and direct risk management in order to lower the overall cost of risk.
 
Finally, brokers and their clients deserve an effective and helpful online experience. So, Corvus built a great one. It allows brokers and policyholders on-demand access to policy information, claims reporting, loss prevention recommendations and business intelligence.
 
Together with a team of top-flight tech leaders in Mike Lloyd and James McElhiney, the company is building tech-enabled commercial insurance products with novel data sources and its digital platform for commercial insurance brokers and their clients. That is why Corvus is InsurTech. For You.