View from the Nest: Welcoming the West Coast

Today, we’re pleased to announce Corvus’s third location— our West Coast office in the Los Angeles area.

A permanent presence on the West Coast allows the Corvus team to meet growing demand for our Smart Commercial Insurance™ products from brokers and their insureds across the western U.S. We’re so excited to be able to offer our services to more organizations than ever before.

Even more exciting are the two new members of the Corvus flock, who joined us this month to start the new office.

First is Brian Alva, Vice President of Cyber Underwriting at Corvus, who heads the West Coast office. Brian has nearly a decade of underwriting experience, having previously served as Vice President at NAS Insurance. A Southern California native, Brian has a passion for insurance and sees how the industry is changing in underwriting, buying, and selling. He’s excited to join Corvus to be at the forefront of innovation and to bring value to brokers using technology.

Joining Brian is West Coast Territory Manager Amanda Mirabile. Amanda started her career at ACE Westchester (now Chubb) in Orange County and most recently served as Client Relations Manager at RPS. She’s inspired by the Corvus founders’ vision of empowering brokers and looks forward to tackling the challenge of helping them to feel comfortable and secure as they incorporate technology into the products and services they provide their clients. A Pennsylvania native, Amanda has lived in and served clients in California for five years.

Welcome, Brian and Amanda. See you on the West Coast!

If you’re interested in learning more about Corvus’s Smart Cyber™ and Smart Cargo™ Insurance products, click here to get in touch with me directly.

Three Ways to Use Data to Win New Business in 2019

2019 is upon us and many brokers are already into their new production year. Organic growth from new accounts or new lines of property and casualty business are two major means of meeting and exceeding these goals— but organic growth is difficult, and so is grabbing the attention of insurance buyers. InsurTech advances are allowing for some exciting new developments in differentiated product development that can help open doors for new clients and help round out accounts with new kinds of coverages, such as cyber insurance. In particular, the use of previously ignored or inaccessible data can move the needle and get the attention of insurance buyers in 2019. But how can you do that with everything else on your desk? We’d like to pitch some ideas.

First, align yourself with partners that can put data to work for you. Corvus is one of many data suppliers to the industry. Others, using a SaaS (Software as a Service) model, sell “seats” or “licenses” to brokers. Prominent among them are AIR Worldwide and RMS, which use data to predict the likelihood of catastrophes such as earthquakes and windstorms. Their data is also used to help brokers and insureds determine the maximum probable losses in certain situations. In the same way, Corvus provides reports from externally sourced data that can help you and your clients predict and prevent claims.

Second, determine which coverage areas have the most potential for you and your clients to leverage novel data sets. These will generally be in areas that are causing anxiety for customers, such as property catastrophe risk, cyber insurance, and areas with large severity exposure. Predicting and preventing large and uncertain claims is far more urgent for insurance buyers than managing smaller events like slip and fall liability claims– or even more predictable events, such as auto claims.

Finally, demonstrate your expertise by using social media. LinkedIn and Twitter are business favorites, but in some communities, Facebook can be a strong tool in getting out the news about new risks and solutions. Effective social media is frequent, with headlines that grab attention (but aren’t sensational), and timely (linked to recent news developments). It can be enhanced with strong graphics and links to larger reports and external sources. Corvus and other marketing-oriented underwriting partners provide this information to their brokers. You should not need to find this information yourself.

While Corvus is not the only company to master unique data sets in order to support insurance brokers and their clients, we are digital natives. Everything at Corvus is built with digital integration in mind. From data science to data analytics to social media and other marketing tools, it all results in victory.

For more information about how Corvus can empower your 2019 New Business plans, contact Gerritt Graham, Chief Commercial Officer at ggraham@corvusinsurance.com. Here’s to a happy and successful 2019!

Does OpenTable Equal Opening to Risk?

The risk of cyber-attacks and security breaches is becoming a critical concern for restaurant executives. Restaurants are experiencing a wave of technology innovation in everything from the customer experience to operational efficiency. With these technology enhancements comes an ever-increasing number of third-party vendors that interact with a restaurant’s customers and the business as a whole. New business relationships and processes can create security gaps, alter access to sensitive data, or cause increases in cyber risk liability exposures and threats.

The days of calling a restaurant for a reservation are all but over. Customers have come to expect real-time visibility into table availability online. Restaurants are becoming more and more dependent on apps to remain front and center with their customers, to increase traffic, and to better manage table turns. Loyalty programs are also being integrated to capture sensitive customer data, as well as to provide services like food delivery or tableside kiosks. These third-party technologies may or may not be integrated with the restaurant’s point-of-sale system but regardless, restaurant management will likely not have knowledge of how this data is stored, segregated, or transmitted. These third parties may also be sharing or sorting sensitive data with other parties unbeknownst to the restaurant, which creates vulnerabilities and entry points for cyber attacks and requires greater vigilance to protect customer data.

Payment processing is continuously evolving and increasingly shifting liability to the merchant if they cannot keep up with expensive and ever-changing technology standards. Therefore, strengthening resilience to cyber breaches is essential to business continuity.

The path forward for restaurant owners demands expanding cybersecurity programs as a whole. This includes a core of controls and processes around the most sensitive assets, including up-to-date data on areas of vulnerability such as vendor software patching. Not acting on known areas of weakness in their environment is the most common factor for those that have been attacked. Awareness of how threats are evolving is critical to having the ability to analyze situations and to properly plan for business continuity.

What is also sometimes lost is that the biggest weakness with data security in the restaurant industry is the human component. It is an industry that is heavily reliant on lower cost labor, often experiences high turnover, engages with a variety of third parties, including outsourcers, and directly interacts with customers through various physical and digital venues. This complex extended enterprise makes cultural awareness of data security important not only at the corporate level but also at the store level.

As the threats evolve, however, so does the spectrum of risk mitigation solutions that can be put in place to combat possible attacks. Innovative insurance products, like the Smart Cyber policies offered through Corvus Insurance, use data scans to help restaurateurs identify possible vulnerabilities on an ongoing basis and provide liability coverage to address some of these new risks. Digital exposures emanating from third-party service providers should be adequately addressed in a cyber liability insurance policy. This may include comprehensive coverage extensions for contingent business interruption, PCI-DSS fines and penalties, and breach response expenses tied to contractual indemnification provisions. Sunshine is the best prevention as Corvus identifies risks for restaurants to manage.

Are you up to speed on “silent cyber” risk? Check out our new whitepaper: Silent Cyber: Threat or Opportunity?

Innovation in Life Sciences brings Great Possibility, but also New Risks

The powerful current of new digital technology has caused disruptive and transformational changes in the Life Science industry. This is changing the future of cancer treatment, producing life-changing vaccines, and allowing for valuable research efforts that many of us couldn’t even imagine. Much of the innovation is being powered by data and in many cases more and more personalized data. Information has never been more valuable and life sciences are becoming one of the most vulnerable industries to data breaches.

What’s at risk?

The cyber risks that plague life sciences can be detrimental. Compromised biotech research goes beyond issues for shareholders— there could be information powerful enough to develop dangerous products and bioweapons. As criminals and other threat actors continue to uncover new ways of monetizing sensitive and confidential data, these data assets are in turn becoming more and more valuable. Cybersecurity threats in the life sciences industry can directly put people’s health, safety, and security at risk. Many pharma and biotech companies, especially high-profile consumer brands, are high-value targets for cyber attackers.

Among the major threats in pharma and biotech are these three top points of concern:

  • Clinical Trial Data: this includes sensitive patient data that is generated from clinical trials— this is at-risk information on both a patient level and a commercial level.
  • Confidential Information and Intellectual Property: regarding the manufacture of biologic drugs, etc.
  • Commercially Sensitive Information: drug pricing and promotion

Cyber Threats in Life Sciences

Information-related risks including fraud, cyber, and security risks are now the areas of greatest concern for pharma and biotech sectors, as well as the sophisticated nature of medical devices and their connectivity schemas. Commercially sensitive information in all of these areas is at an all-time high. Physical theft or loss of intellectual property (IP) is currently the most prevalent type of security incident in the life sciences sector. Incidents relating to theft and loss of IP are costly and wide-ranging, affecting employees, customers, the organization’s reputation and bottom line, and putting these important research and development projects at risk.

Interconnectivity of corporate data networks is necessary for life sciences; however, this has made intellectual property that much more vulnerable to cyber thieves who can monetize this valuable data. Categories of IP within the life sciences and medical device sectors include pharmaceutical and biotechnology patents, copyrighted data sets and reports, and trade secrets. Life science organizations should also guard against the loss of personal information such as financial information, personal health information, and medical data.

6 steps for protecting your sensitive proprietary data and IP assets:

1. Identify and data map IP assets within digital and physical systems. This should be done both onsite and in the cloud and include those with access, such as remote vendors and clinical researchers.

2. Protect IP assets by implementing contractual, physical, and digital security systems.

3. Stay informed on the most recent cybersecurity risks. Implement basic security rules and create a security policy program that works to protect your IP assets.

4. Conduct risk assessments regularly to evaluate and simulate best practices around protecting the company and stakeholders in the event of a system and/or data breach.

5. Gain an understanding of the added risks that the Internet of Things and remote medical devices bring. Expect an exponential increase in cybersecurity risks and be prepared to mitigate.

6. Become educated on the legal framework surrounding protection of the confidentiality of IP assets. Additionally, understand the liability and regulatory frameworks impacting cybersecurity in life sciences and medical devices sectors.

Why now?

Cybersecurity should be one of the main focuses in almost any organization’s agenda, but especially for those in the life sciences sector. The massive growth rate and use of Big Data and the Internet of Things are just some of the examples of the need to be hyper-focused on privacy and data security. Systems have never been more complex and interconnected, as powerful and sophisticated discoveries continue in pharma, biotech, and medical devices. Life Science companies should use all tools available, including those offered by their insurers, in order to predict and prevent risk— not just once a year at the Cyber Insurance renewal, but throughout the year.

The Franchisee Factor

Cyber liability poses some unique questions for franchise organizations. Often after a data breach, any well-known retail brand name might lick their wounds, learn a lesson or two, release the specifics around the compromised data, and move on.

An interesting wrinkle arises when you factor the nature of the relationship between the franchisees and the central corporate entity. The franchisees, in most cases, are independent business owners who pay for the privilege of using the Corporate brand and supporting services. When a breach occurs, the affected owners could take a substantial hit to their wallets in the form of lost income, lost wages, spoiled food and other costs, and might look to the corporate “mothership” to make them whole again.

These sorts of liability questions might lead the franchisees to take legal action that could significantly impact the potential financial payouts. This situation highlights the fact that franchise organizations have a unique set of challenges when it comes to cyber threats.

The Downside of Franchisor/Franchisee Interdependence

Franchisors and franchisees have an interesting interdependent relationship because while they are different companies, they share entangled domains of trust and risk. Each relies on the other to do its part to protect information and information systems, but many times the incentives aren’t aligned to position both for success. Some of the factors contributing to this poor alignment include the following:

  • The franchisee is often a small individual business that doesn’t have the resources to adequately defend itself when threats arise.
  • The franchisor typically avoids getting involved in the specifics of how a franchisee operates because the franchisee is an independent and separate organization and the franchisor isn’t structured for this level of micro-management. After all, the entire model behind a franchise-based enterprise is to allow the business to grow organically by taking advantage of the capital and sweat equity of each franchisee.
  • The franchisee operates a local network that depends on services provided by the franchisor. Sometimes the networks share technical access to each other, which can be exploited by attackers to move laterally across networks.
  • In many situations, franchisees will share a third-party resource for IT management. Even though franchises are operated independently, shared administration creates a logical broad domain of trust that can be leveraged to launch attacks which hit all independent franchises simultaneously.

Naturally, attackers are aware of all this and it’s not uncommon for them to target individual franchise locations in order to pivot to others or gain access to the broader franchisor network. Alternatively, they may target third-party service providers in order to hit large numbers of franchises at scale. When this happens, complicated questions of liability arise.

  • What obligations do individual stores have to protect themselves and each other from cyber threats?
  • What role does the franchisor play?
  • What’s the appropriate level of security when defending against sophisticated attackers and what penalties should be assessed when those defenses aren’t up to the task?
  • When defenses fail, who is responsible for reporting the breach to consumers?

Regulators are Taking a New Approach

Regulators are shifting the way they view the franchisor/franchisee organizational relationship, even though these are independent operations. When the consumer walks in the front door and swipes his credit card, he’s placing his trust in the logo on the outside of the building, not in the unseen entity whose name is on the local lease.

In 2015, Wyndham Hotels and Resorts settled a lawsuit launched by the U.S. Federal Trade Commission after a data breach at a single franchise hotel in Phoenix raised questions concerning Wyndham’s responsibility to protect consumer data across its 8,000 independent hotels around the globe. As part of its settlement, Wyndham agreed to launch a comprehensive information security program for franchisees, including conducting annual audits.

In 2018, an attack on Canada’s Tim Hortons added a new twist. Most often, when security breaches associated with a retail brand hit the news, it’s because of the impact on consumers. However, the Tim Hortons incident involves direct B2B liability with quantifiable financial damages. This case could set an important precedent and should put all franchisors on notice that keeping their franchisees at an arm’s length can lead them to ignore key risks they should be addressing — for instance, the fact that the franchise business model exposes a complex and extensive attack surface. It’s time for franchisors and franchisees to sit down together and ensure that all franchise defenses are up to the challenge of today’s most sophisticated, targeted threats. It’s also time the insurance industry step up with new products that address these new complicated risks for all parties.

Smart Cyber Insurance and The Evolution of Cyber Risk

Massive retail data breaches, state-sponsored malware attacks, and the mishandling of sensitive information by the world’s largest companies have kept cyber risk in the headlines for the greater part of the last decade. Digitization has forced even smaller organizations to consider a wide variety of both internal and external threats to data security. The self-contained enterprise is a thing of the past, as more companies rely on third-party vendors for services related to data storage, web hosting, IT security management, logistics and more. While these providers have allowed companies to operate more efficiently, cyber exposures have increased as a result. It’s no wonder cyber liability coverage has received much of the recent attention in the commercial insurance world.

Nearly 15 years ago, the earliest versions of stand-alone cyber policies would only cover third-party liability arising from the wrongful release of confidential information. Expenses related to first-party breach notification costs, digital forensics, data destruction, and contingent business interruption were not typically addressed. Not only was the coverage limited, but the underwriting process was arduous as insureds were forced to complete lengthy applications, supplemental questionnaires, and teleconferences to discuss the details of their IT security. Carriers offered few proactive risk management services, forcing insureds to incur additional expenses if they needed guidance on IT security best practices.

While insurers have made progress broadening the scope of cyber coverage, unfortunately many of the outdated methods of underwriting remain commonplace and carrier loss prevention advice is often inadequate.

At Corvus, we take a vastly different approach to underwriting and risk management. We believe in leveraging the best technology to help our policyholders proactively address cyber risk. Rather than relying on prolonged applications with limited value, we use non-invasive web scans as part of the underwriting process and we provide our customers with meaningful insight into their IT security performance. At the time of quoting and throughout the policy period, we deliver a detailed analysis of the insured’s security operations with concise, risk-prioritized recommendations to resolve critical vulnerabilities. We red-flag IT supply chain issues and we offer meaningful business intelligence reports to insureds that are serious about confronting cyber risk head-on. Policyholders have access to a number of resources to help strengthen their IT security posture, including sample IT security policies, online privacy training, and a directory of pre- and post-breach experts. We call this process Dynamic Loss Prevention™.

More precise underwriting means improved coverage and competitive premiums as well. Insureds with the strongest IT security controls are eligible for broad-form first- and third-party coverage, including extensions for blanket contingent business interruption triggered by cyber perils, system failure, reputational loss, social engineering, ransomware, and much more.

Our mission at Corvus is to arm commercial insurance brokers and our policyholders with the best available tools to tackle cyber risk from all angles. A modern and dynamic solution is required to address a constantly evolving risk landscape. This tech-enabled, holistic approach to risk management is what we call Smart Cyber Insurance™.