The top 25% of companies saw cyber insurance rate increases of 97.1% in the fourth quarter of 2021, while the median rate increase for all sizes of business was 50.2%, according to global insurance brokerage Gallagher.
As cyber claim frequency and severity continues to spiral upwards, driven primarily by ransomware attacks, carriers have responded with higher rates, higher retentions, sublimits for ransomware, and coinsurance requirements. They have also tightened up their underwriting scrutiny and risk selection, imposed significant limitations of capacity, and narrowed the scope of cyber coverage terms and conditions.
There were three main drivers that contributed to the hard market conditions for cyber insurance in 2021, according to John Farley (pictured), managing director of the Gallagher Global Brokerage cyber practice.
“Hackers in 2021 really pivoted to IT supply chain attacks,” he explained. “They were going after key targets in a supply chain [such as software providers and email platforms], where if they attacked them and successfully penetrated their networks, they were hoping to penetrate thousands, if not millions of others. Those kinds of attacks really got the underwriting community very nervous, because even the best risks in their books could be subject to this … it’s really beyond their control.
“Ransomware continued to evolve. We saw huge extortion amounts - we’re talking six and seven figures. And really, ransomware itself - the types of attacks that [cyber criminals] undertook - really evolved as well in the form of exfiltrating data and threatening to expose sensitive data during a ransomware attack. It wasn’t just that they froze your data and want you to pay. They’re pivoting to say: ‘If you don’t pay, I’m exposing your employees’ HR files, or your clients’ IP’. The [bad actors] really upped the game there and were pretty successful at it. So, we saw limit losses in ransomware attacks.”
Read next: Aon outlines impact of cyber breach
The third factor, which Farley described as “a hidden cyber risk for many,” was privacy regulation. Companies are under immense pressure to be compliant with local and international data privacy laws. If they violate the privacy rights of data subjects, they can be sued by a regulator or through a class action. Regulators started to pay more attention to this in 2021, triggering an uptick in lawsuits, which will likely continue in 2022.
“This year, those trends are continuing,” said Farley. “We’re seeing rate increases continue to go up, [with] higher rates for all, but we’re going to see it level off for some. The underwriters get pretty nervous with certain industry sectors. Municipalities is probably the one they’re most concerned about [because] they typically don’t have the budgets to employ cybersecurity experts, or at least the best ones, and so they’ve suffered a lot of attacks. Beyond municipalities … higher education, manufacturing, technology, and healthcare are really the hardest hit.
“All that said, everybody’s being hit. We’re going to see rate increases. We may see it [rate] level off to some degree, but it doesn’t come without higher retentions, and some coverage constriction as well, as far as exclusionary language being added to policies, and things like that. The rates are not the only story; it’s also about what coverage you’re getting, so be mindful of that.”
According to Farley, nearly all cyber carriers now require verification of at least some preventive controls, such as multi-factor authentication (MFA), remote desktop protocol (RDP), data back-up practices, patch management, employee training and a host of others. The more attention that a company pays towards cybersecurity controls, the more likely they will receive better coverage terms and pricing.
“Multi-factor authentication: make sure that is [in place] throughout your entire network and throughout your entire organization - it’s for employee email, it’s for privileged access, it’s for remote access. If you don’t have MFA in place, there’s a very good chance you’re not even going to get a quote, so that’s probably the most important,” said Farley.
“Endpoint detection and response: make sure that you have technology in place that tells you the bad guy got into the network the second he gets in. This way, you can kick that hacker out before they move laterally around your network. That’s really important. Patch management: when you see an exploit come to light, the underwriter wants to know that you can pivot very quickly to patch that vulnerability.”
Other important risk mitigation mechanisms include: data back-ups, which are kept separate from the primary data set and can be deployed within a pre-determined timeframe; employee training, in order to minimize human error associated with phishing attacks and cyber scams; and privileged account management, which gives advanced levels of control to the admins in the network with access to the most sensitive data.
“Incident response planning is critical [and] identifying key players on your incident response team, who are going to have key roles and responsibilities if an attack happens,” Farley added. “That’s got to be identified in a written plan, that plan has to work with external vendors as well. You’re going to have vendors that come with your cyber policy. Make sure you know who those experts are, because they’re going to work very closely with your internal incident response team. And also, practice that plan, have a tabletop exercise, and make sure that’s done at least once a year.”