These three market concerns are leading to reduced cyber coverage

Loss events are proving problematic

These three market concerns are leading to reduced cyber coverage

Insurance News

By David Saric

There are three types of cyber losses that are resulting in reduced coverage, according to Kirsten Mickelson, Gallagher Bassett’s cyber product group leader.

  1. Reduced sub limits as a result of out-of-control fraudulent transfer of funds (FTFs).
  2. Coinsurance provisions due to ransomware payment where a policyholder would take on 50% of that total.
  3. Exclusions for third party and regulatory matters; this is mostly due to the potential for large regulatory fines, especially in the US.

“We are seeing cyber carriers pull back on coverage because there is just so much uncertainty out there,” Mickelson said.

A lack of historical data is also making it more difficult to standardize the constantly shifting cyber market and how the coverage can help safeguard an insured.

In an interview with Insurance Business, Mickelson spoke about why companies are underestimating their need for cybersecurity and leading to hefty claims, why an increase in ransomware should be closely monitored and advice to give insureds about safety procedures.

“SMEs don’t think they are a prime target for hackers”

Between 2019 and 2022, Gallagher Bassett witnessed a 1884% spike in cybersecurity insurance claims, which could be associated with companies underestimating their coverage needs.

There are certain classes of businesses should not have to worry about such losses taking place.

“SMEs don’t think they are a prime target for hackers,” Mickelson said. “With that mentality, cybersecurity doesn't become a priority.”

There is an idea out there that threat actors are only interested in banks or a government organizations that have larger resources, making them more appealing for a breach or ransomware attack.

“Ten years ago, when cyber-attacks were in their infancy, the threat actors were targeting hospitals, financial institutions, government, and really it was because they wanted personal identifiable information,” Mickelson said.

However, hackers are now looking to monetize quickly by going after “those low hanging fruits. So those companies that don't have the cybersecurity infrastructure, or the companies that don't think they're a target, because historically they haven't been a target.”

Mickelson said she also believes that because these operations are smaller in nature, they do not possess the infrastructure or resources to implement and maintain a more thorough security program that is preventative in scope.

Ransomware attacks are gaining in popularity

When the war in Ukraine began in early 2022, the insurance industry witnessed a marked drop in ransomware attacks, which Mickelson attributes to the Office of Foreign Assets Control (OFAC) check.

“If threat actors going to get paid, at least in the United States, they have to pass the OFAC. And with the conflict, more and more institutions and named individuals are on this list. So, it wasn't a guarantee that the threat actors would receive a payout,” she said.

However, threat actors have found a way to pass that OFAC check, whether it is through rerouting their bitcoin wallets or disbanding and being made anew via ransomware like Conti.

With these measures, Gallagher Bassett has found that ransomware attacks have increased 29% for the first half of 2023.

The tactics the threat actors are employing are also changing, with more and more using data deletion.

When they enter into a business’s cloud system, instead of encrypting the data, they start exfiltrating very slowly.

“They’ll sit, wait and move laterally, taking out the minimum amount to fly under the EDR tool,” Mickelson said.

The information that is most relevant is PII and a business’s trade secrets, and once enough has been pillaged, they will inform an operation that they have all this data and that it will be deleted from their servers once the ransom is paid.

Five steps to help safeguard an insured from a cyber-attack

While insurance can provide a salve when a company is being compromised digitally, risk prevention is the most important method to sidestep an attack in the first place.

Mickelson has provided five steps that are crucial for an insured to implement and follow:

  1. While it may sound redundant, setting up a multi-factor authentication is still very important, “especially for administrator credentials, because that is where threat actors get the most bang for their buck.”
  2. Segregation and segmentation of data — hosting it in different places and breaking it into smaller portions.
  3. Acquiring and endpoint detection response (EDR) that is actively monitored by an internal or external source.
  4. Due to rampant wire fraud, it is important that a policyholder have a dual authentication method in place when a new wire transfer is requested or an updated is required (this can be a sign of a threat actor at work).
  5. Training and cyber awareness protocols that are implemented and checked on regularly.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!