Attacks are growing in frequency and severity, forcing insurers to make tough adjustments.
For the first time, cyber insurance is facing a hard market. Since the product line's inception about 20 years ago, carriers, brokers, and policyholders have enjoyed soft market conditions: policies were cheap, coverage was generous, and retentions (the policyholder's share of each loss) were low. Losses were minimal, so cyber insurance books were very profitable.
Today, the cyber risk landscape has shifted. Both the frequency and the severity of losses have grown dramatically, forcing carriers to tighten their offerings, which can leave policyholders and prospective policyholders in a difficult position.
When carriers began selling cyber insurance, the risks facing large companies were one-off incidents: a lost unencrypted laptop, a misdirected email containing a list of employee information, the occasional malicious insider. Smaller companies had even fewer issues. Then companies of all sizes began experiencing serious business email compromise events, which very often combined two expensive outcomes: a large-scale data breach investigation and notification effort, and the loss of funds through misdirected wire transfers or ACH payments. Phishing and social engineering campaigns exposed a lack of employee training, technical safeguards, and data-retention policies at many companies.
Each of these incidents may cost tens of thousands of dollars on average to resolve, and their frequency drove loss ratios for cyber carriers sharply upward. Small companies were not immune, and the cost of investigation and response relative to the premiums paid on their policies exposed the small-business segment in particular.
The next escalation came with ransomware. At first, ransomware typically encrypted data in place, but as attackers saw companies recovering from that with reasonable success, they changed their approach. Instead of locking users out of a network the moment access was acquired, attackers recognized that some additional effort could yield a much larger payday. They remained quietly inside the network, performing reconnaissance to understand the company's backup strategy, stealing important company data, and escalating privileges, often through internal phishing from already-compromised accounts, to reach critical systems.
Once sufficient administrator-level access was obtained, the ransomware was finally deployed and the network encrypted, days or even months after the initial intrusion. Companies hit by these attacks were dealing not only with a crippling blow to critical systems and data, with backups encrypted as well, but also with the added concern that data had been accessed or stolen and might be exposed. This so-called double extortion allowed attackers to demand far higher ransom payments, in the millions of dollars per event.
Between business interruption, the extortion demand, data restoration, and incident response, policies with $5 million or $10 million in coverage that had never been touched were being exhausted on a weekly basis. Further, unlike a typical data breach, a ransomware incident is a public event almost immediately, drawing the attention of regulators and class-action attorneys, especially when downstream services to customers are interrupted as a result.
What does that mean for the market? Carriers have responded to the new landscape by raising premiums, lowering policy limits, and underwriting more conservatively. Where it was once hard to convince certain markets, those with minimal data collection and little personally identifiable information, that cyber insurance is essential to their business, demand for policies in those markets now outstrips supply. Carriers now require additional technical safeguards, such as multi-factor authentication (MFA) and endpoint detection and response (EDR) tools, as a condition of coverage, where previously organizations that had implemented these tools were considered leagues ahead of their peers.
The sudden shift to requiring these protections as a prerequisite for coverage has left many organizations scrambling to find the time and money in their IT budgets to implement them ahead of a policy renewal. On top of higher premiums, reduced coverage, and higher security expectations, many carriers are outright declining risks in sectors that have proven susceptible to expensive attacks. Manufacturing, technology supply-chain providers, and health-care institutions have faced an especially uphill battle in finding carriers willing to underwrite their businesses.
What can companies do? First, determine what coverage you have. Businesses need a clear understanding of whether their current policies cover cyber incidents and, if so, to what extent. Does the policy cover vendor errors? Does it cover "inside the house" risks from employees? What about cloud-related risks? Is there a retroactive date, so that incidents that began before the policy period are excluded, and is coverage limited geographically? Does it cover physical breaches? Who is my contact at the carrier in the event of a breach? Does the policy require specific controls, such as MFA or EDR, as a condition of coverage, and can I get a reduction in premiums if I implement certain policies or procedures?
Those are just a few of the questions business leaders should be asking their trusted legal advisers in order to protect their organizations from an ever-increasing threat.
Excerpted from Polsinelli PC’s Tech Transactions & Data Privacy Report 2022.