Most people with a finger on the pulse of the cyber insurance market will remember 2021 as the year of ransomware. While ransomware was the prominent threat of the past 12 months - driving the frequency, severity, and complexity of losses in the marketplace – 2021 also saw several major cyber risk aggregation events that really raised the industry’s hackles.
Cyber insurers had a tricky start to 2021, dealing with the SolarWinds attack. In December 2020, tech giant SolarWinds announced it was breached by state-sponsored hackers who abused a vulnerability on an update for its popular IT management software. SolarWinds revealed that as many as 18,000 of its 300,000 customers worldwide downloaded the compromised software update, which allowed the bad actors to spy on businesses and agencies for nearly nine months. However, it has since been reported that only a small number of companies (believed to be fewer than 100) were compromised by follow-on activity on their systems.
Then in March 2021, Microsoft announced that four ‘zero-day’ vulnerabilities in its Exchange Server software were being exploited by sophisticated hacking groups. Widespread exploitation of critical flaws in Exchange Servers began at the end of February, forcing the technology behemoth to release critical software patches in early March. Over the following months, the types of exploitations varied from email account compromises to domain controller compromises, data exfiltration, and the deployment of Black Kingdom ransomware.
While Microsoft was perhaps the biggest software service provider to fall prey to hackers in 2021, others suffered a similar fate. In July, a ransomware attack against tech-management software company Kaseya left as many as 1,500 organizations in total paralysis. At the time, investigators revealed that the Russian-speaking ransomware gang known as REvil used two flaws in Kaseya’s software to hack about 50 managed services providers (MSPs) that used its products, and demand ransoms of as much as $5 million per victim for data de-encryption.
“The major loss events that we’ve seen in the last year, such as SolarWinds, Kaseya, the Microsoft Exchange Server vulnerabilities, and even [supply chain events] like the Colonial Pipeline attack, have made insurance carriers think a lot, and maybe return their attention to where it should have been in the first place, which is on the potential for aggregation of cyber losses,” said Tim Zeilman (pictured), global cyber product owner at HSB, a Munich Re company.
“I would characterize some of these events as near misses. With the SolarWinds attack, for example, if some of the details of that attack had been a little bit different, it could have been a massive industry-wide event. As it turns out, the perpetrators of the SolarWinds attack were more interested in espionage than in doing damage. But had that been different, it could have been a very big deal for the cyber insurance industry.”
Near misses or not, the cyber risk aggregation events of 2021 certainly made cyber insurers stop and think. Zeilman commented: “Those events have really caused players at all levels, from primary insurance carriers all the way up to reinsurers in the marketplace, to really renew their focus on accumulation impacts, and the things they’re doing to monitor and manage those exposures.”
This is where cyber risk modeling has become particularly important, according to Zeilman. Whether insurers use in-house modeling capabilities or third-party industry models, he said it’s useful for insurers to measure their accumulation risk against more than one modeling source, and then “try to manage that accumulation against some other metric or gauge” to determine how much exposure they’re willing to take onto their portfolio.
“These aggregation events have definitely impacted the marketplace,” he added. “I would characterize capacity across the marketplace as becoming much more cautious. If you’re an MGA looking for a cyber carrier to come in and back you, or if you’re a cyber carrier looking for reinsurance, it’s not as easy to get that capacity, and often you’re asked to jump through a lot more hoops. Much better data is demanded, reinsurers are going to have a lot more questions, and they’re going to scrutinize insurers’ books a lot more carefully. But I do think the capacity is there if insurers can jump through those hoops and meet the required standards.”
