In today’s rapidly evolving cybersecurity landscape, one threat has reached epidemic status: ransomware, or software that encrypts a victim’s data until a ransom is paid. Ransomware currently accounts for up to 40% of cyber insurance claims, according to Resilience Insurance’s Chief Underwriting Officer, CJ Pruzinsky.
“It continues to get worse, not only in frequency, but also in the demands themselves, which have gone from four- or five-figure sums to multimillion-dollar amounts,” Pruzinsky says.
Last year, ransomware attacks grew sevenfold from 2019, according to Mike Wilson, founder and chief technology officer of cybersecurity firm Enzoic. And according to IBM Security, the average cost of a data breach, many of which are caused by ransomware, hit $3.86 million in 2020.
“The impact of ransomware is debilitating, and it’s hurting companies of all sizes,” Shawn Ram, head of insurance at Coalition, told IBA in January. “I think if you solve ransomware today, you solve cyber risk. It’s the most prominent issue we’re dealing with.”
Like much that currently ails society, last year’s increase in ransomware can be largely attributed to COVID-19. The rapid onset of the pandemic forced companies to scramble to empower their workforces with the technology they needed to work remotely. Malevolent actors pounced on badly configured networks to launch ransomware and other cyberattacks.
The risks are especially grave for small and medium-sized enterprises, 69% of which still lack cyber insurance, according to a 2020 survey by cyber insurer Cyberscout. The survey also found that 51% of SMEs in the US did not have an ongoing training program on cybersecurity best practices – and 14% said they do not follow any cybersecurity measures for remote work, leaving the door wide open for cybercriminals.
“When you have a large percentage of the population working from home, when more individuals are using their own devices to log into a network, and when you have IT departments that have had to scramble in order to enable employees to work remotely, we’ve certainly seen adversaries exploit these tendencies,” Ram says. “Twenty-twenty was the perfect storm. Ransomware was a prominent topic in 2019 as well; it’s just grown in significance because of the proliferation of all of these things coming together at the same time.”
In addition, companies often have large gaps between their perceptions of cyber risks and the reality. A study by Hanover Insurance Group and Zogby Analytics in early 2020 found that nearly 70% of businesses considered breaches of personally identifiable information (PII) a top concern, yet only 19% of respondents had experienced a such a breach in the previous year. Likewise, just 11% of businesses were concerned about supply chain risks – one of the fastest-growing cyber threats today.
In 2021, Wilson expects not much will change in the cybersecurity landscape. He predicts one or two major companies will be hit with ransomware attacks and that susceptibility to such attacks will start to be considered in company valuations. He also believes the continued adoption of the Internet of Things (IoT) and remote working will bring heightened risks, as will the ongoing migration of data and services to the cloud.
State of the market
Not surprisingly, these compounding risks have been a boon for the cyber insurance market, which stood at $7 billion in 2020 and is expected to balloon to $20 billion by 2025, according to a recent report from Munich Re.
Yet the fast-evolving risk landscape has also taken a toll on cyber insurers, who have reduced their limits in the face of shrinking market capacity. At the same time, reinsurance capacity is becoming more expensive, and cyber terms are tightening. Michael Palotay, chief underwriting officer for Tokio Marine HCC’s Cyber & Professional Lines Group, told IBA in February that a number of cyber insurance carriers, including Lloyd’s carriers, are currently pulling out of the market due to these obstacles – and he predicts this trend will continue into 2021.
As a result, cyber insurers are being more selective when taking on insureds and determining what risk mitigation controls are in place. When a company hasn’t been able to buy cyber insurance because they didn’t have enough security controls, Palotay says his organization has seen them implement the necessary precautions, such as cloud-based backups, multi-factor authentication and endpoint security.
“Insureds are motivated because they see a difference in their product and policy rates,” he says. “Most companies do not want to remain vulnerable, so we are trying to do our part to help our insureds stay safe.”
What brokers want
So what are brokers looking for in a comprehensive cyber policy for their clients? Eighty-five percent of the brokers surveyed by IBA said first-party coverage is the most important element in a cyber policy, while 75% identified third-party coverage as the key element.
When it comes to the service that accompanies cyber policies, 63% of brokers said claims processing and payments were key, while 56% highlighted both underwriting expertise and access to risk mitigation partners as crucial. Pricing isn’t as important in the cyber insurance arena – only 38% of brokers listed price as the most important factor when selecting a cyber policy.
One of brokers’ top concerns in the cyber insurance space is the lack of capacity. One broker told IBA that “there is need for excess capacity in the national account space, as insureds are constantly considering higher limits due to the increased severity and frequency of breaches; this type of behavior will trickle down to the larger middle-market segment.”
Another broker added that cyber carriers “are all doing a really good job covering the customers’ exposures and pointing out the weakness areas in their systems, [but] we need to begin writing real limits and pricing for issues that are not being addressed with current policies, [such as] dependent business interruption and IoT/property/product liability issues.”
Brokers also expressed a wish for insurers to step up their educational efforts. “The insurance industry has done a really poor job on educating brokers and, more importantly, clients about how important the coverage is, how great the risk is and how comprehensive the coverage can be if properly placed,” one
respondent said. Another noted that the industry needs to be “educating non-tech businesses on their exposures.”
Underwriting was one area where brokers were generally pleased with their cyber insurers. “Through AI and scanning, they’ve been able to identify weaknesses and enhance underwriting,” one broker said of their cyber insurer. However, another wished cyber underwriters could “be more specific with the subjectives that they require to bond.”
Finally, brokers continue to expect innovation from their cyber insurers, in line with the constantly evolving threat landscape. Among their wishes were “easier-to-read policies,” “more robust pre-breach and post-breach services,” and “continued expansion of new coverages specific to cyber.” One broker also mentioned the need for more personal cyber coverage options: “Personal cyber seems to be a growing concern with so many high-profile breaches. It is starting to catch attention for people to protect themselves more.”
‘Market-leading’ is a phrase many insurance companies like to use when describing their products. Now nine companies can claim that title on the back of hard market research from the people who matter most: insurance brokers.
To select the best cyber insurers for 2021, IBA enlisted some of the industry’s top experts. During a 15-week process, our research team conducted one-on-one interviews with specialist brokers and surveyed thousands more within IBA’s network to gain a keen understanding of what insurance professionals think of current market offerings. Brokers were first quizzed on what features they thought were most important in a cyber insurance policy and then asked how the insurers they dealt with rated on those attributes.
Insurers were measured on the strength of their relationships with brokers, ability to handle claims, underwriting expertise and, most importantly, the strength of the individual products they provide.
Who needs cyber insurance?
Businesses with online components, or that store or send electronic data, will benefit from cyber insurance, as will any company relying on technology to conduct its business operations. Private personal data like contact information about staff and customers, intellectual property, and sensitive financial data are all extremely valuable to cybercriminals who would attempt to break into a network.
Ransomware is another way hackers could cripple your network. A cyber insurance policy that covers ransomware will go a long way toward protecting businesses that are vulnerable to these types of attacks.
How much cyber insurance coverage do you need?
It’s important to evaluate your business risk to decide the level of cyber insurance you require. Judgments or settlements can easily reach six figures, depending on the severity of a cyberattack and the cost of recovering data.
A small tech company, for instance, will usually buy a cyber liability insurance policy with a $1 million occurrence limit, a $1 million aggregate limit and a $1,000 deductible. That coverage limit would be sufficient in protecting businesses handling a few thousand records, in the event of a data breach that costs $250 per client or customer record. For high-risk businesses that specialize in data storage, buying a cyber liability policy with a higher coverage limit might be a smarter choice. A lot of policies have a coverage limit of $5 million.
You should, however, speak with your insurance provider if you need more coverage. Many smaller tech companies, instead of buying a stand-alone cyber liability insurance policy, buy a technology errors & omissions policy that includes cyber liability coverage. Insurers usually bundle those policies because the risk of cyber liability is high for tech businesses.
Because the policy is limited to data breaches on the policyholder’s network, independent contractors usually do not require first-party cyber liability. To protect themselves from lawsuits, however, contractors might require third-party cyber liability insurance. Sometimes, before independent contractors can start work on a project, clients will require them to carry third-party cyber liability insurance.
How much does cyber liability insurance cost?
The cost of cyber liability insurance depends on various factors, including your business’s annual revenue and the size of the business, as well as the industry you specialize in, the kind of data you usually deal with and the overall security of your network. Organizations will likely be charged more for a cyber liability insurance policy if they have a lackluster cybersecurity record or have a history of data breaches. Due to the sensitive nature of different fields, sectors like health and finance, for instance, will generally find that cyber liability insurance policies cost more.
In the US, the median price for cyber liability insurance with a $1 million/occurrence limit and a $1 million aggregate limit is roughly $145 per month ($1,745 per year). About 41% of small businesses pay anywhere from $1,500 to $3,000 a year for cyber liability insurance, while 39% of small businesses pay less than $1,500 a year.