Cyber risk is everywhere. It’s an enterprise problem that can trigger a string of losses well beyond the technology or systems that were initially compromised. Cyber events can result in business interruption (both primary and contingent), productivity loss, reputational damage, physical damage, and significant legal repercussions and recovery expenses. It’s no wonder the scale and frequency of cyber insurance losses continue to soar.
Ransomware is arguably the most pressing issue the cyber insurance community is dealing with today. This variation of malware allows hackers to lock businesses out of their systems until they pay a ransom, usually in cryptocurrency. In recent years, there has been a significant uptick in the frequency and severity of ransomware attacks, impacting businesses of all sizes and in all sectors. Hackers have grown more sophisticated and targeted in their attacks, aiming for larger organizations that can afford bigger ransoms.
“Without a doubt, ransomware is the fastest growing cyber threat vector that keeps most companies’ IT professionals and chief information security officers (CISOs) up at night,” said Ian Fraser, AVP, tech/cyber & professional lines, Sovereign Insurance. “This is not surprising given the impact of losing closely held personal and confidential client records, the potential to cause catastrophic financial damage, and the reputational harm to the organization. The frequency of ransomware attacks has increased exponentially over the last five years, as has the cost.”
In the past five years, the average ransom demand has shot up from US$15,000 to US$175,000 – an almost twelve-fold increase – according to the NetDiligence 2021 Ransomware Spotlight Report. Furthermore, total ransom demands crossed the US$1 million threshold in 2018, the US$3 million threshold in 2019, and publicly available data indicates that they surpassed US$50 million in 2020, although this was likely negotiated down.
The ransomware headache doesn’t stop there. In 2020, a new wave of ransomware attacks known as ‘double extortion’ hit the market. With these attacks, threat actors are maximizing their chance of making a profit by threatening the victim with an additional abuse of the information they’ve encrypted, such as selling or auctioning it.
“Threat actors have moved to engaging in double extortion, meaning that the hackers would threaten to release private information if the organization doesn’t pay,” said Angela Feudo, manager, professional solutions, Trisura Guarantee Insurance Company. “Threat actors are also using distributed denial of service [DDoS] attacks as well on their victims to put pressure on them to pay the ransom. Hackers have expanded ransomware into a business model whereby they will use the best method against the victim. This can include encryption, DDoS, or releasing of private information to cause the most disruption.”
In this fast-paced and ever-changing risk landscape, cyber insurers have reacted by seeking more rate and shoring up their underwriting guidelines to control their costs and protect their books. Some have even started sub-limiting ransomware and applying co-insurance provisions, forcing insureds to share more of the risk.
The firming of the market is having a big impact on brokers. Not only do they have to work harder to secure adequate coverage for their clients, but they also have to educate themselves and continue to develop technical skills around cybersecurity controls and best-practice cyber risk mitigation.
In a hardening market, “planning is key,” according to Lindsey Nelson, cyber development leader at CFC. She told Insurance Business: “Increasingly the question is changing from what risk measures a client should adopt to get lower premiums, to how they can get cyber insurance altogether in the face of shrinking capacity and expectations around minimum security controls in place.”
Proactive cybersecurity controls are absolutely essential in today’s evolving threat landscape. Fraser commented: “Incorporating common preventative risk mitigation features such as installing firewalls, multi-factor authentication (MFA), data encryption, and least privilege permissions methodologies can significantly mitigate the severity and frequency of an attack occurrence.
“However, understanding that breaches can (and likely will) occur is half the battle and being prepared for such an event is critically important. An incident response plan is arguably the most important risk mitigation tool and provides a set of instructions to help staff identify, respond to, and recover from cybersecurity incidents. The goal is to return to normal business operations as swiftly as possible by removing the threat, minimizing damage, and preventing similar incidents in the future.”
Moving forward, the cyber insurance market will continue to evolve as losses develop, new threats emerge, and attacks become more severe. The claims, incident response, and insurance teams at Coalition shared the following predictions for the remainder of 2021: ransomware will remain the single biggest threat for all organizations; supply chain attacks will be more common; and criminal attacks will follow nation-state attacks.
As such, Joshua Motta, CEO and co-founder of Coalition, expects the cyber insurance market will continue to harden throughout the year. He said: “It will be harder to qualify for cyber insurance, and the implementation of many common cybersecurity controls will increasingly be required as a condition of coverage. We predict that many insurance carriers will also begin to require companies to address identified vulnerabilities during the policy period or risk losing some (or all) coverage. Price increases, coinsurance, and sublimits on critical coverages are already happening, and will continue throughout 2021.”