By Jacquelyn Connelly, IA Magazine
Cyber risk is increasing rapidly for everyone—and not just your commercial lines clients.
Although the insurance industry has been slow to respond to cyber exposures in personal lines, companies are beginning to recognize the threat, particularly when it comes to high net-worth insureds who make appealing targets for hackers and other cybercriminals.
“Watch the space—I think you’re going to start seeing some responses in that area,” predicts Eric Cernak, vice president for reinsurer Munich Re America. “Traditional identity theft insurance is already pretty commonplace for high net-worth people, but what you’re going to start seeing is more carriers looking at a commercial lines cyber policy and saying, ‘What might be transportable to personal lines?’”
Cernak expects coverage for extortion, data and systems restoration and the like, with an initial emphasis on first-party coverage. “It’s easier for people to grasp that exposure to themselves than the third-party exposure,” he explains. “And there could be some confusion around the liability section of homeowners or umbrella cover. Might some of this be already picked up there? The industry still needs to work through that part of it.”
But until it does, individuals don’t have to sit around waiting to become victims—they can take matters into their own hands. Right now, they probably just don’t know they can. As smart home technology continues to open up new doorways for inviting cyberattacks, your personal lines clients may not even be aware of their risk.
“People aren’t thinking that their refrigerator is a computer,” Cernak points out. “That’s what it’ll come down to—people will have to start thinking about these things that they haven’t thought about in the same light as their traditional computing devices.”
“It actually takes a lot of doing,” says Jessica Groopman, independent industry analyst and IoT adviser. “The umbrella step is to care. A lot of people don’t, but it’s because they don’t know to care.”
That’s where you come in. Encourage your high net-worth clients to take these five steps right now to mitigate their personal lines cyber risk.
1) Freeze your credit. If you won’t be using your credit any time in the near future, there’s a process you can use to freeze it temporarily so that no one can open up a new account in your name.
“You have to actually write a letter to each credit bureau individually, but all of them have forms on their websites,” explains Julie Conroy, research director at Aite Group. “And it’s a pretty easy process to unfreeze it—it takes about 10 days, and then once you’re done buying a car or whatever you need to do, you can just freeze it back up again. Especially for high net-worth individuals, that’s a really good practice because they make such attractive targets.”
Considering how many different companies, devices and services we entrust with our personal financial data, “the credit freeze seals up one major exposure point,” Conroy adds.
2) Set the bar high. Cernak encourages consumers to be selective about the smart home devices they purchase. “You’re probably better off with recognized brands that have institutional power behind them,” he says. “Start with a company that’s serious in this game and has the wherewithal to stand by their product. If you’re buying from a retailer, make sure you’re not buying from the discount rack.”
And encourage your clients to demand more from product and service providers. “Put that security system provider through their hoops to explain how they are protecting data,” Conroy suggests. “Your layman person is probably not going to understand whether or not that’s adequate, but those providers better at least have an answer. If they don’t, that’s a red flag right there.”
“There’s a lot to be said for the demand coming from consumers to drive this,” Groopman agrees. “A lot of the manufacturers I talk to about this subject know it’s important, but frankly, consumers aren’t asking for this. From a business model standpoint, it’s not a fire under them. Think about this in your purchasing decisions, prioritize the vendors that are talking about this and delivering this—the ones that are proactive in how they communicate with you about it.”
3) Don’t make it easy. Once they’ve installed their smart home devices, encourage clients to maintain them properly. “Just like you would patch your operating system on your desktop, a lot of these things are going to get firmware patches sent to them,” Cernak points out. “You need to keep on top of that and make sure you’re deploying safe firmware.”
“Turning off unwanted features is a big thing, upgrading your devices—very often, these kinds of upgrades have embedded security augmentations into what will then be downloaded or uploaded onto your device,” Groopman agrees.
When using public Wi-Fi, Cernak recommends using a virtual private network (VPN), which “helps protect you from the bad guy who might be ‘surfing over your shoulder’ in the unsecured Wi-Fi area,” he says.
For example, “if you’re at Midway Airport and you connect to freemidway.com, is that really the Midway Wi-Fi? Or is that a bad guy putting out a signal, wanting you to connect so they can see your traffic? That’s unsecured and unencrypted,” Cernak explains. “But if you were to log on and activate your VPN before you do anything, you’re creating a secure tunnel.”
And as cyberattacks continue to increase in mobile environments, “make sure your smartphones and tablets at a baseline have antivirus and malware software,” Conroy says. “It’s not 100% perfect, but it’s better than nothing.”
4) Practice good password hygiene. “The first and easiest way to protect yourself is to change your passwords,” says Christie Alderman, vice president, client product and service manager at Chubb. “When you get a new device, if it allows you to change the password, change it to something complex using letters, numbers and special characters.”
Keeping passwords sophisticated and updated shouldn’t be a one-time practice, either—“changing passwords regularly is huge—changing passwords on multiple devices, and having different passwords on multiple devices,” Groopman adds.
And double up when possible: For all devices, “if you can turn on two-factor authentication—fingerprint and password or ID and pin number or something else—turn it on,” Cernak advises. “It’s a little bit more cumbersome, it probably takes a minute more to do something, but it’s a lot more secure.”
5) Don’t go overboard. As technology becomes more and more integrated in every corner of life, “it’s probably a good practice to step back and weigh the question: Does this device bring enough convenience to my life that I’m willing to give up my privacy? That’s a question all of us have to face,” Alderman says.
Consider devices that let you know your plants need watering. “Agents can be talking to their clients about whether that’s really relevant,” Alderman says. “It’s probably not something customers have thought a lot about, and that certainly brings value to that relationship from a risk management standpoint.”
Remember: None of these measures are foolproof. “If it’s built by a human, it can be hacked by a human,” Cernak says. “None of these things are going to keep you absolutely secure. But it’s all about raising the level effort that the bad guy has to take to get to you.”