
Monthly Archives: January 2019

Signs of Progress on National Flood Program for Canada

Canada is making good progress on a national flood program, pending a final decision by federal, provincial and territorial (FPT) ministers responsible for emergency management.

“What they are looking at is one national insurance solution to improve outcomes for high-risk Canadians across the country,” Craig Stewart, vice president of federal affairs at Insurance Bureau of Canada (IBC) told Canadian Underwriter in an interview Tuesday. “There may be regional insurance pools adapted to local conditions, but it would be nationally coordinated.”

FPT ministers responsible for emergency management have mandated IBC to lead a national working group to take a look at options and what they would look like. IBC provided three options:

  • A pure market approach (like in Germany and Australia) where governments exit disaster assistance
  • A broadened version of the status quo, but with better-coordinated insurance and disaster assistance
  • Deployment of a high-risk pool analogous to Flood Re in the United Kingdom.

The next step is for the working group, which Stewart chairs, to cost out the pool. “The pool needs to be capitalized as it was in Flood Re,” Stewart said. “So, we need to figure out where that money is going to come from. Is it going to come from governments? Is it going to come from insurers? Where is it going to come from?”

A final decision will be made by ministers after the high-risk pool is costed, which Stewart expects to be completed by June. Decisions on eligibility, how to capitalize the pool, and on any cross-subsidization await the results of that costing analysis.

In addition, this spring, the ministers will hold a technical summit on flood data and science. “Our view of the risk may not align with the government’s view of the risk,” Stewart said. “We need to bridge the gap. This symposium is going to focus on essentially the data and science of flood modelling.”

In early 2020, there will be the launch of a consumer-facing flood risk portal. IBC has been working with the federal government to develop the authoritative flood portal, where consumers can discover their risks and what to do about them.

“Elevating consumer awareness of flood risk is key,” Stewart said. “Consumers aren’t going to be incented to protect themselves or to buy insurance unless they know their risk.”

In May 2018, FPT ministers responsible for emergency management tasked IBC to lead the development of options to improve financial outcomes of those Canadians at highest risk of flooding. IBC worked with a wide range of insurers, government experts, academics and non-governmental organizations to produce the three options, which were tabled with ministers last week.

The ministers released the first-ever Emergency Management Strategy for Canada: Toward a Resilient 2030 on Jan. 25. The document provides a road map to strengthen Canada’s ability to better prevent, prepare for, respond to, and recover from disasters.

“In less than two years, Canadian insurers have secured a mandate with every province and territory to finalize development of a national flood insurance solution, have successfully catalyzed a national approach to flood risk information, have secured over two billion dollars in funding for flood mitigation, and have succeeded in securing a funded commitment for a national flood risk portal,” Stewart said.

Source: Canadian Underwriter


“Reading the Policy” Means Reading Every Word

Every insurance professional has had experience with small policy language changes that have big effects (usually negative) on coverage. Sometimes it’s a single word—added, deleted, or altered—that fundamentally changes the way a policy will respond to a given loss exposure, and those language differences are obviously the hardest to deal with, or even to find.

Take a look, for example, at this phrase from a modified commercial general liability (CGL) policy “aircraft, auto or watercraft” exclusion: “… the ownership, nonownership, maintenance, use or entrustment to others of any auto.…”

The term nonownership, of course, has a long tradition in commercial automobile insurance. It provides liability coverage for automobiles the insured does not own, hire, lease, rent, or borrow but that are used in connection with the named insured’s business. It includes autos owned by employees, partners, or members of their households used in connection with the business. So, it’s not a strange coverage term … in an auto policy. But remember, the policy under discussion is a CGL policy.

A knowledgeable CGL insured doesn’t expect to have coverage for liability arising out of the ownership, maintenance, or use of autos. But that same insured will expect to have CGL coverage in connection with auto-related exposures when some unrelated third party—for whose activities the insured does not otherwise have any legal responsibility—is the owner, operator, or user of an auto. (The use of vehicles by an independent contractor doing work for the insured is a common example. In such situations, the insured’s liability arising out of the nonownership of an auto is an important feature of CGL coverage, although few people would be likely to describe the exposure using that term.)

In this instance, the CGL insurer that was excluding coverage for the “nonownership of any auto” was one that markets its policies to firms with large land holdings, industrial operations, or retail establishments with substantial vehicular traffic. Warehouses, industrial sites, timber operations, quarries, and entertainment venues are examples. These risks typically have heavy traffic on their premises and perhaps personnel directing traffic in and out. An exclusion applicable to the “nonownership” of autos wipes out general liability coverage for these common exposures.

The modified exclusion in question was imposed in the middle of 1 of 23 pages of endorsements to a standard CGL policy. While it resulted in a material, and important, reduction in coverage, it could easily have gone unnoticed by an insured—or that insured’s insurance professional—unless every word of the policy and its endorsements were read carefully.

Source: International Risk Management Institute, Inc. (IRMI)


Vulnerability Found in Multi-Factor Authentication

CFC sent us the advisory below to share regarding a new multi-factor authentication (MFA) vulnerability. Whether you have your cyber policy with CFC or elsewhere, please review and take steps to minimize your exposure.

CFC has become aware of a significant new security vulnerability that can be easily exploited to bypass multi-factor authentication (MFA). MFA is commonly used to protect against phishing attacks and compromised passwords, which are two of the most common root causes of cyber claims seen by our incident response team. Even worse, we’ve become aware of tools available on the dark web that exploit this vulnerability and expect substantial use of the tool to compromise previously protected environments.

How it works

A new penetration testing tool has been published by a security researcher that automates phishing attacks against multi-factor authentication protected websites. This tool, dubbed Modlishka, sits between a user and a target website such as Outlook 365 or Gmail.

The victim receives authentic content from the legitimate site but all traffic and all the victim’s interactions with the legitimate site pass through and are recorded on the Modlishka server. Any passwords a user may enter are automatically logged on this server, while the reverse proxy also prompts users for 2FA tokens when users have configured their accounts to request one.

If attackers are on hand to collect these tokens in real-time, they can use them to log into victims’ accounts and establish new and legitimate sessions. We have seen a similar method used to intercept other web services such as Citrix Web Access.

You can find more information here.

Steps to take

  1. Disable web access to email or remote desktop environments where possible
  2. Use hardware tokens as a means of multi-factor authentication (FIDO 2.0 and U2F)
  3. Implement phishing awareness and education:
    • Do not click on links in emails, and instead type the address in your browser
    • Avoid suspicious email attachments or links, and if necessary, verify the sender
    • Never hand over your credentials such as passwords or sensitive information such as bank account numbers
    • Check that the website address looks right and is spelled correctly
  4. Use DMARC in order to protect against spoofing of email domains
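
Why step 2 holds up against the relay described under "How it works", as an added example that is not part of CFC's advisory: a one-time code carries no record of where it was typed, while a FIDO2/WebAuthn login includes the origin the browser actually loaded, which the server can check and reject. The host names, secret and challenge are constructed, and verification of the assertion signature is assumed to happen separately.

```python
import base64, hashlib, hmac, json, struct

RP_ORIGIN = "https://mail.example.com"                # constructed legitimate site
PROXY_ORIGIN = "https://mail.example.com.login.test"  # constructed look-alike host

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # Nothing in the code says which site the user typed it into, so a code
    # relayed by a proxy inside the time step verifies like any other.
    return hmac.compare_digest(totp(secret, unix_time).encode(), submitted.encode())

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """Stand-in for the browser: it records the origin of the page that called
    WebAuthn, not the origin the user believes they are on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def check_client_data(client_data_json: bytes, challenge: bytes, expected_origin: str):
    """Relying-party checks on clientDataJSON for a login; returns (ok, reason).
    Assumes the assertion signature, which covers SHA-256(clientDataJSON), is
    verified separately against the registered public key."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "malformed clientDataJSON"
    if not isinstance(data, dict) or data.get("type") != "webauthn.get":
        return False, "wrong type"
    if data.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"
    return True, "ok"

if __name__ == "__main__":
    secret, challenge = b"12345678901234567890", b"constructed-challenge-0001"
    print("TOTP relayed via proxy:", verify_totp(secret, totp(secret, 59), 59))
    for origin in (RP_ORIGIN, PROXY_ORIGIN):
        print(origin, check_client_data(browser_client_data(origin, challenge),
                                        challenge, RP_ORIGIN))
```
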
