Getting Schooled: Schools Face Host of Risk Management Challenges

Posted by on December 29, 2014 | Be the First to Comment


There are many risk exposures school administrators need to mindful of, including things such as traumatic brain injury, sexual harassment, discrimination, and security.

In a recent article in Property Casualty 360°, I reveal how only 25 percent to 30 percent of schools currently purchase cyber security coverage, resulting in schools being a treasure trove of information for hackers. Schools have a lot of personal information on students, faculty and employees, not to mention colleges that accept credit cards for payment.

Brokers who understand the need for Cyber have a real opportunity to educate schools on the risk as well as the extent of coverage in today’s Cyber forms, which provide third-party liability and first-party coverage including business interruption, reputational risk, forensic analysis, damage control, and more.

Overall, schools and colleges are considered desirable risks. For clients with average to favorable loss ratios, we’ve seen rates stable as a general rule.

The FCC Jumps into Cyber-Regulation with Millions in Fines

Posted by on November 18, 2014 | Be the First to Comment

Recently, the Federal Communications Commission entered into the cyber regulatory field in a big way: proposing to fine two companies $10 million for alleged data security breaches.

The FCC is taking action against two telecommunications companies who provided prepaid phone services to low-income residential customers. According to the agency, the companies “collected names, addresses, Social Security numbers, driver’s licenses, and other proprietary information (PI) belonging to low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.”

The FCC justified imposing such large fines in part because “the companies stored such consumer PI in two publicly accessible folders on the Internet without password protection or encryption. By not employing appropriate or even reasonable security measures, the companies exposed their customers to an unacceptable risk of identity theft and other serious consumer harms.” The FCC gave the companies 30 days to seek a reduction in the fine.

The FCC’s $10 million fine followed a $7.4 million settlement with Verizon in September over its use of customer information for marketing, and a $7.5 million settlement with Sprint back in May over “do not call” violations. These multimillion dollar fines are coming from a federal regulator not thought of as a data security and privacy watchdog. The Federal Trade Commission has mainly filled that role.


The FCC appears to be a new aggressive player on the cyber regulatory field that may have the power to move quicker in issuing fines than the FTC. When faced with a data security situation, the FTC typically issues a complaint setting forth its charges. If the respondent elects to settle the charges, it may sign a consent agreement (without admitting liability), agreeing to the entry of a final order and waiving all right to judicial review.

If contested, the matter is adjudicated, starting with an administrative trial working its way through the Federal courts and ending, potentially with the U.S. Supreme Court. Fines and penalties may be imposed on a respondent for violations of the FTC Act. The FCC, however, can move much more quickly in connection with companies it regulates and may impose a fine once it determines the company failed to protect the “confidentiality of proprietary information of its customers.”

From a risk standpoint, the recent FCC actions represent yet another exposure for telecommunications companies in connection with data security. A cyber insurance product is designed to protect against this risk and should offer coverage for regulatory claims such as those brought by the FTC, FCC or any other governmental agency, federal, state or local.

For those who already purchase a cyber policy to address this risk, it would be prudent to review the policy wordings to assure that regulatory claims are defined as broadly as possible to address new entrants in the privacy regulatory arena.

Additionally, cyber coverage purchasers should look to see whether their policy provides full policy limits for regulatory claims. In some cases, insurers hedge their bets by offering reduced sub-limits of liability for regulatory claims. Given the ramped up efforts by regulators such as the FCC, it is important to make sure adequate limits are in place.

State of the Cyber Insurance Market: 10 Lessons Learned From Major Retailer Breaches

Posted by on August 22, 2014 | Be the First to Comment


It is not an overstatement to say that there is a “pre-Target and “post-Target” state of the cyber market for major retailers from both the underwriting and the client side.

In November–December 2013, cyber thieves executed a well-planned intrusion into Target’s computer network and the point-of-sale terminals at its 1,800 stores around the holiday season and successfully obtained not only 40 million customers’ credit and debit card information, but also noncard customer personal data for as many as 70 million customers.

But Target was not alone, as in that same time period, retailers such a s Neiman Marcus and Michaels were also reportedly exposed with 1.1 million and 3 million cards at their respective establishments.

Read my newest white paper that features a comprehensive snapshot of the Target case study, the 10 lessons learned from the underwriters and pointe of view, as well as a peer group perspective on the current state of the cyber insurance market.

International Engagement on Cyber: Developing Global Norms for a Safe, Stable, and Predictable Cyber Environment

Posted by on March 18, 2014 | Be the First to Comment

Cyber security has become a major priority for governments on a global scale. In February 2014, the U.S. government launched a Cyber Security Framework under Executive Order 13636 to support critical infrastructure industries in improving defenses against a cyber attack.

 On March 4th, international leaders including Secretary Michael Chertoff, General Michael Hayden, Rear Admiral Michael Brown, and Senator Sheldon Whitehouse, gathered in Washington D.C. to debate how the global community can come together to implement a common security approach.

 The International Engagement on Cyber 2014 was hosted by Georgetown University Institute for Law, Science and Global Security, and took place as planned, despite the threat of winter weather interrupting the meeting.

 The day included four panel discussions on topics such as national cyber strategies, Internet governance, national cyber security in a post-Snowden era, and the development of international norms for cyberspace.

 Key to overcoming our global cyber security challenges is an increased willingness for both the private and public sectors to share information, such as threat intelligence. I was pleased to participate in a panel discussing private/public partnerships to protect critical infrastructure. Co-panelists included Adam Sedgwick from NIST (National Institute of Standards and Technology), the architect of the new cyber security framework, as well as representatives of the Department of Homeland Security.

 The federal government has engaged the insurance industry directly to support the roll out of the framework and I expressed support for the initiative, as it will cement cyber security as a boardroom risk.

 For more information about cyber security, read my white paper, The Ever-Evolving Cyber Laws, and visit Lockton’s Cyber & Technology website.

Lockton Expert Talks Cyber Insurance with Marketplace

Posted by on | Be the First to Comment

High profile data breaches have brought cyber insurance into the media spotlight. Estimates indicate more than 70 million people who shopped at Target between Thanksgiving and Christmas had their personal data compromised, costing the company $60 million. However, Target expects to see that number drop to $17 million, thanks to cyber insurance coverage.

 In a recent story by American Public Media’s Marketplace, Lockton cyber expert Emily Freeman talks about the growing demand for cyber coverage. She stresses that this coverage serves only as a safeguard.

 “We sit on the shoulders of their best efforts to prevent the event from happening in the first place,” said Freeman.

 Cyber policies can be contingent on a company having protection measures in place to stave off a cyber attack or lessen its impact.

 Learn about Lockton’s Cyber Risk capabilities.