The ransomware epidemic of the past few years has triggered a major shift in the cyber insurance marketplace, as carriers and insureds endeavor to mitigate the rising frequency and severity of attacks and resulting cyber insurance claims.
Ransomware is somewhat different to the “trendy” cyberattacks of the past in that every business is at risk, regardless of size or sector.
About five years ago, when data breaches were considered the top cyber concern, there were classes of business - like manufacturing, distribution, warehousing, and transportation - that were considered lower risk because they held less personally identifiable information (PII) than their peers in other industry verticals, like healthcare and financial services, which had experienced many very costly PII data breaches. This meant those PII-light verticals were eligible for significant discounts on their cyber insurance premiums.
But that is no longer the case. Hackers have proven indiscriminate in who they target with ransomware because they know that businesses will pay out in order to avoid lengthy business disruption.
“Ransomware has really changed the landscape of the cyber insurance marketplace by turning the products into more of a business continuity backstop than a breach backstop,” said Matt Donovan, senior vice president, Amwins Brokerage. “In this recent ransomware epidemic, not only have the ransom extortion demands surged, but we’re also seeing massive business interruption losses on the back of these events.
“Five or six years ago, you’d be an outlier if you had a $25,000-$50,000 ransomware extortion demand. About a year ago, we were looking regularly at low to mid six-figure demands, and over the last six to nine months, demands north of $1 million have become very regular, with some outliers far exceeding that amount as well.
“That’s really changed the dynamic in the cyber insurance marketplace where underwriters are placing increased scrutiny on the cyber security controls that are employed by organizations, and they are pricing risks accordingly. Any significant discounts that were offered in the past due to a lack of PII have gone away.”
The primary security control that insurers are looking for today is multi-factor authentication (MFA). According to Donovan, underwriters are looking for MFA to be deployed for remote access (whether through a VPN or otherwise), for email, on privileged IT accounts, and for securing backups. Ideally, underwriters also want insureds’ risk mitigation practices to include endpoint detection and response (EDR) tools, system and organization controls (SOC), and comprehensive business continuity and disaster recovery planning.
“We definitely see underwriters reacting when the risk management controls they’re looking for are not revealed in the insureds’ submissions,” Donovan told Insurance Business. “If the insureds’ security and disaster recovery posture is not satisfactory to the underwriters, they’re either declining the business altogether or they’re applying onerous sublimits and/or coinsurance for ransomware. And those policy restrictions are applied to all claims where the genesis is ransomware, so the sublimit and/or coinsurance not only applies to the ransom payment itself, but also extends to the business interruption losses, the data restoration losses, and so on.”
While all businesses are exposed to ransomware, there has been a trend in the past year where hackers have grown more sophisticated and targeted in their attacks, aiming for larger organizations that can afford bigger ransoms. Higher revenues also typically equate to higher business interruption losses, Donovan pointed out, which has factored into the explosion in severity of cyber insurance claims.
“That’s why we see massive rate corrections in industry verticals like manufacturing, distribution, and transportation, because they’re generally high revenue business classes that also have intense operational expenditures when things aren’t working properly,” Donovan said. “But as far as where ransomware is being targeted and deployed today, it seems to be all over the place. We see companies of all sizes and all industry verticals being affected.”
It’s important for insureds and their brokers/agents to put their best foot forward in this complex cyber risk landscape. Donovan stressed that insureds’ submissions need to detail all of the risk management practices that they’re implementing. He said: “At Amwins, we’re trying to notify all of our partner agents that underwriters are really increasing the scrutiny that they apply to taking risks during their underwriting process.
“When we get applications in the door with enough lead time, we try to advise our insureds and our partner agents: ‘This response revealed no MFA on privileged IT accounts. Is there any chance to go ahead and enable that? Do you have the technology so that you can do that and have a better security posture that you can present to the marketplace?’
“Beyond that, we’re trying to keep our insureds and agent partners updated on the coverage restrictions that are out there, and we’ll walk them through the nuance of these different types of restrictions that are being applied to the policy language. We’re trying to roll with the punches as best we can through a rapidly hardening marketplace.”