Malware such as NotPetya and nation-state hacking have cast a dark shadow over the cyber insurance landscape, and while the threats are real, they are just the top of the pyramid of what’s driving cyber claims.
CFC Underwriting’s chief innovation officer can count on one hand the number of claims that the insurance company has seen tied to high-profile nation-state attacks.
“The vast majority of cyber incidents are carried out by organised criminal gangs. That is absolutely where the action is at, that is the mainstay of what we deal with, day in and day out – it’s just crime,” said Graeme Newman. “The bottom line is that crime has shifted dramatically in the last 20 years. Once upon a time, organised criminal gangs used to try to steal physical possessions from you. They used to walk into banks with shotguns and masks. They realised that old-fashioned crime is difficult, it’s dangerous, the chance of being caught is incredibly high, and the money you can get away with is pretty limited. Technology has changed everything we do beyond recognition, but it’s also changed the world of crime, and now the vast majority of crime is carried out electronically.”
The activities of these gangs, as well as cybersecurity vulnerabilities created by employees who don’t use basic security protections, are the primary causes of cyber-related claims, added Newman.
The other shift in the world of cyber is in who ends up on the receiving end of hacks, and that’s thanks to the investment in cybersecurity that was driven by cyberattacks in the first place. For instance, only four or five years ago, cyber incidents were largely affecting retailers, according to Newman.
“All you would read about was payment card breaches at retailers and it’s fascinating, you look at cyber insurance forms today – they look like they were written for high street retailers,” he told Insurance Business. Following huge investment from retailers, banks, and payment card networks into security infrastructure, the risk profiles of these companies went down. “You’ll still see every now and again details about payment card breaches, but that has subsided massively.”
Healthcare businesses went on a similar journey, though many of their cyber claims were a result of physical thefts of devices that contained personal data.
“Healthcare companies weren’t even doing the most basic of things, like encrypting data on mobile devices. When we looked five years ago at what was the key driver behind our healthcare claims, it had nothing to do with the security posture and everything to do with the physical crime rate within the location that the business was operating,” said Newman, adding that people were literally stealing laptops because they wanted the device, and not the data that was on it.
Watching trends in cyber claims can reveal the next big threat or target of hacking – one of which has already become clear.
“We’re now seeing the next level of victims, so we’re seeing a lot of municipalities, states, government-run entities, not being necessarily targets, [but] they have incredibly low security maturity, so massive underinvestment in their IT infrastructure, and yet they hold valuable data, so that’s leading to a spate of data breaches within cities, towns, even at the state level,” said Newman.
Undoubtedly though, the biggest change the chief innovation officer says CFC is seeing from a claims perspective is a move from mass-mailing ransomware that’s indiscriminate towards targeted extortion, which is driving ransomware demands up. While in conversation with Insurance Business, CFC was dealing with its biggest ransomware demand ever – a million-dollar ask facing a company that had all of its data stolen and was being threatened with release of that data online.
“That trend mirrors what’s happened with security technology,” said Newman. “Security technology is getting better at blocking and preventing the indiscriminate malware and yet, criminals are turning their focus towards specific targeted attacks.”
That’s where a strong cyber insurance policy comes into play, covering a policyholder on an all-risks basis.
“It insures the asset, not the way that it’s compromised,” he explained. “So, if you’re constructing a policy in the right way, you say, ‘I’m going to protect the asset,’ in this case the data. It doesn’t matter how it is compromised, whether it’s carelessly left in a waste disposal or whether it’s a laptop or mobile phone that’s been dropped or whether it’s a hacker that’s come in and corrupted it.”