The cyber insurance market is at a critical juncture for both insurance carriers and policyholders. While the last few years have seen increased competition among cyber insurance carriers, higher capacity and expanded coverage terms, both 2020 and 2021 saw a rapidly hardening cyber insurance market, globally and here in Eastern Tennessee. Across industry lines, cyberattacks—namely, ransomware attacks and business email compromise scams—have surged in both cost and frequency. This increase in attacks has, in turn, resulted in a rise in cyber liability claims and subsequent underwriting losses.
At a time when businesses are looking to purchase cyber insurance for the first time or to expand upon their existing coverage, many carriers are taking a more cautious approach to this line of insurance. In particular, carriers are managing the deployment of capacity more stringently than in past years. For example, in instances where insurance carriers previously offered policies with limits of up to $10 million, the market is now seeing smaller layers closer to $5 million. What’s more, reinsurers have also begun restricting the capacity they offer to insurance carriers, while pressuring carriers to take a more proactive approach to underwriting cyber liability insurance.
In light of these market conditions, we are predicting that most policyholders will experience higher cyber liability insurance rates in 2022, with many insureds seeing double-digit rate increases. Apart from increased premium costs, insureds may also encounter coverage restrictions, further scrutiny from underwriters regarding cybersecurity practices, and exclusions or sub-limits for losses stemming from specific types of cyber incidents (e.g., ransomware attacks). Policyholders who operate in industries with more pronounced cyber exposures (e.g., education, technology, health care, finance, retail and hospitality) may experience greater rate increases. If policyholders fail to demonstrate proper cybersecurity protocols or have experienced cyber incidents in the past, coverage will be increasingly difficult to obtain.
Developments and Trends to Watch
- Tightened underwriting standards—With cyberattacks on the rise, cyber insurance carriers have adjusted their underwriting practices to help mitigate the risk of costly claims. These practices include the following:Asking for more documentation—Rather than providing a simple coverage application or asking questions about existing cybersecurity measures, carriers are now requiring more substantial documentation from their insureds. This may include detailed documentation related to workplace cyber policies, incident response planning, employee training, data storage and recovery processes, email safeguards, user authentication protocols, and security software capabilities. Furthermore, carriers may require insureds to fill out additional applications or provide extra documentation related to the specific prevention measures they have in place for growing cyber threats. Some carriers have even begun incorporating advanced scanning technology into their underwriting processes to better assess policyholders’ current cybersecurity practices and identify ongoing vulnerabilities.
Minimizing coverage capabilities—In addition to asking for further documentation, some cyber insurance carriers have also decreased their risk appetite and reduced their coverage offerings—especially as it pertains to protection for losses stemming from certain cyberattack methods. For instance, insureds are more likely to encounter policy exclusions or sub-limits regarding coverage for ransomware attacks, seeing as such attacks are rapidly increasing.
Reducing policy ambiguity—To prevent insureds from leveraging their cyber coverage for unintended purposes, some carriers have changed their policy wording to be less ambiguous. This adjusted wording can help carriers more clearly outline the types of cyber events they cover, as well as when and how coverage will be triggered amid these events. Through specific policy language, carriers can also provide more exact definitions for important policy terminology.
- Elevated ransomware concerns—Ransomware attacks—which entail cybercriminals compromising a device or server and demanding a large payment be made before restoring the technology (as well as any data stored on it)—have been steadily increasing in recent years. Cybersecurity experts confirmed that these incidents have surged by over 500% since 2018. Such a rise is likely tied to cybercriminals becoming increasingly sophisticated and developing more avenues for launching these attacks (e.g., ransomware-as-a-service and remote desk protocol). What’s worse, ransomware attacks often carry more significant costs than other types of cyber incidents due to their associated payment demands and data recovery efforts. According to NetDiligence’s annual cyber claims study, ransomware attacks were the largest driver of cyber insurance claims over the last five years—with the average ransom demand rising to $247,000 and the median incident cost reaching $352,000.
- Increased double extortion issues—Compounding current ransomware attack concerns, double extortion attacks are now a potential cybersecurity concern for organizations across industry lines. This technique follows a similar protocol to that of a typical ransomware attack but comes with an extra threat. The victim must pay a ransom to regain access to their technology and data and keep that data from being uploaded publicly online. Double extortion ransomware attacks can be significantly more damaging for affected organizations than typical ransomware incidents. This is because even if organizations have protocols in place (e.g., storing data in multiple secure locations) that allow them to recover their compromised information without paying a ransom, they may still be pressured to do so in order to keep their data from going public. Additionally, cybercriminals who conduct double extortion ransomware attacks are known to demand higher ransom payments, sell or trade stolen data to other attackers for future extortion attempts and still move forward with sharing data publicly even after the ransom is paid (whether on purpose or by accident)—making these attacks all the more harmful.
- Greater government involvement—In response to the rise in ransomware attacks throughout the country, the White House released a letter this past June, stating that President Joe Biden’s administration is taking this cyber threat seriously. Within the letter, the Biden administration also encouraged corporate executives and business leaders to play their part in minimizing ransomware attacks by assessing their exposures and adopting proper prevention measures. Such measures include utilizing the federal government’s cybersecurity best practices, conducting frequent data backups, maintaining updated security software, ensuring an effective incident response plan, reviewing current cyber protocols and keeping critical workplace networks segmented.
- Heightened business email compromise risks—Put simply, a business email compromise (BEC) scam entails a cybercriminal impersonating a seemingly legitimate source—such as a senior-level employee, supplier, vendor, business partner or other organization—via email. The cybercriminal uses these emails to gain the trust of their target, thus tricking the victim into believing they are communicating with a genuine sender. From there, the cybercriminal convinces their target to wire money, share sensitive information (e.g., customer and employee data, proprietary knowledge or trade secrets) or engage in other compromising activities. According to the latest loss data from Advisen, BEC scams are among the most expensive types of social engineering losses, and they are on the rise—increasing 58% from 2015 to 2019. The median cost of a BEC loss is $764,000—significantly more expensive than other social engineering losses, which average around $580,000.
- Additional fallout from notable attacks—Finally, there has been lasting fallout within the cyber insurance market due to several large-scale supply chain cyberattacks that took place throughout 2021. Together, the widespread fallout from these incidents has motivated organizations of all sizes and sectors to review their supply chain cybersecurity risks and take steps to minimize their exposures. Additionally, these attacks have made cyber insurance carriers more reluctant to allow insureds to supplement their policies with dependent business interruption coverage, which can be particularly useful amid supply chain cyber events. Here’s an outline of the large-scale attacks:Microsoft Exchange—In January, state-sponsored hackers took advantage of four zero-day exploits (a type of software vulnerability) within
Microsoft Exchange’s servers to launch a widespread malware attack. The malware is estimated to have impacted over 250,000 servers and more than 30 organizations serviced by Microsoft before it was mitigated in early March.
Colonial Pipeline—In May, Colonial Pipeline was forced to temporarily shut down a 5,500-mile-long pipeline responsible for transporting 45% of the East Coast’s fuel supplies after falling victim to a double extortion ransomware attack. With the help of the FBI, Colonial Pipeline ended up paying the $5 million ransom payment within hours. However, the pipeline wasn’t restarted for nearly a week.Kaseya—In July, foreign hackers infiltrated the software of an IT firm known as Kaseya and utilized it to launch a major ransomware attack, impacting many of the firm’s customers via their managed service providers (MSPs). As many as 1,500 organizations were compromised through their MSPs due to this incident, which involved a record-breaking $70 million ransom demand
Tips for Insurance Buyers
- Work with the insurance professionals at Builtwell Insurance to understand the different types of cyber coverage available and secure a policy that suits your unique needs. Carefully determine whether your organization should purchase standalone cyber liability coverage.
- Take advantage of loss control services offered by insurance carriers to help strengthen your cybersecurity measures.
- Provide remote employees with adequate resources, support and software to avoid cybersecurity concerns amid work-from-home or hybrid arrangements.
- Focus on employee training to prevent cybercrime from affecting your operations. Employees should be aware of the latest cyber threats and ways to prevent them from occurring.
- Keep organizational technology secure by utilizing a virtual private network, installing antivirus software, implementing a firewall, restricting employees’ administrative controls and encrypting all sensitive data.
Store backups of critical data in a secure, offline location to minimize losses in the event of a ransomware attack.
- Update workplace software regularly to ensure its effectiveness. Keep employees on a strict software update schedule and consider using a patch management system to assist with updates.
- Establish an effective, documented cyber incident response plan to remain operational and minimize damages in the event of a data breach or cyberattack. Test this plan regularly by running through various scenarios with staff. Make updates to the plan as needed.
- Develop workplace policies that prioritize cybersecurity—including an internet usage policy, a remote work policy, a bring your own device policy and a data breach response policy.
- Be sure to consider potential supply chain exposures when establishing your organization’s cybersecurity policies and protocols.
For more business guidance or help making sure your business is protected, contact Builtwell Insurance today at 423-668-4888