There are three types of cyber losses that are resulting in reduced coverage, according to Kirsten Mickelson, Gallagher Bassett’s cyber product group leader.
“We are seeing cyber carriers pull back on coverage because there is just so much uncertainty out there,” Mickelson said.
A lack of historical data is also making it more difficult to standardize the constantly shifting cyber market and how the coverage can help safeguard an insured.
In an interview with Insurance Business, Mickelson spoke about how companies underestimating their need for cybersecurity is leading to hefty claims, why the increase in ransomware should be closely monitored, and what advice to give insureds about safety procedures.
Between 2019 and 2022, Gallagher Bassett witnessed a 1884% spike in cybersecurity insurance claims, which could be associated with companies underestimating their coverage needs.
Certain classes of businesses assume they should not have to worry about such losses taking place.
“SMEs don’t think they are a prime target for hackers,” Mickelson said. “With that mentality, cybersecurity doesn't become a priority.”
There is an idea out there that threat actors are only interested in banks or government organizations, whose larger resources make them more appealing targets for a breach or ransomware attack.
“Ten years ago, when cyber-attacks were in their infancy, the threat actors were targeting hospitals, financial institutions, government, and really it was because they wanted personal identifiable information,” Mickelson said.
However, hackers are now looking to monetize quickly by going after “those low hanging fruits. So those companies that don't have the cybersecurity infrastructure, or the companies that don't think they're a target, because historically they haven't been a target.”
Mickelson said she also believes that because these operations are smaller in nature, they do not possess the infrastructure or resources to implement and maintain a more thorough security program that is preventative in scope.
When the war in Ukraine began in early 2022, the insurance industry witnessed a marked drop in ransomware attacks, which Mickelson attributes to the Office of Foreign Assets Control (OFAC) check.
“If threat actors are going to get paid, at least in the United States, they have to pass the OFAC. And with the conflict, more and more institutions and named individuals are on this list. So, it wasn't a guarantee that the threat actors would receive a payout,” she said.
However, threat actors have found ways around that OFAC check, whether by rerouting their bitcoin wallets or by disbanding and re-emerging under a new name, as ransomware groups like Conti have done.
With these workarounds in place, Gallagher Bassett has found that ransomware attacks increased 29% in the first half of 2023.
The tactics threat actors employ are also changing, with more and more turning to data theft and deletion threats rather than encryption.
Once they gain entry to a business’s cloud environment, instead of encrypting the data, they begin exfiltrating it very slowly.
“They’ll sit, wait and move laterally, taking out the minimum amount to fly under the EDR tool,” Mickelson said.
The information of most interest is PII and a business’s trade secrets, and once enough has been pillaged, they inform the organization that they hold all this data and will delete it from their own servers once the ransom is paid.
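The "low and slow" pattern described above, where each transfer stays below the size an endpoint or DLP rule would alert on, is easier to catch by looking at cumulative outbound volume per host-destination pair over a long window rather than at single events. The following is an added example, not code from the article or from Gallagher Bassett: the flow record format (timestamp, source host, destination IP, bytes out), the sample records, and the thresholds (100 KB per flow, 1 MB over six hours, at least ten flows) are all constructed assumptions a defender would tune to their own environment.

```python
"""Detect low-and-slow exfiltration: many small outbound transfers to one
destination whose total over a long window is large, even though no single
transfer trips a per-event size alert. Added example; the flow format and
the thresholds are assumptions, not taken from the article."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PER_FLOW_LIMIT = 100_000        # bytes: the per-transfer size a per-event rule might alert on
WINDOW = timedelta(hours=6)     # look-back window for cumulative outbound volume
CUMULATIVE_LIMIT = 1_000_000    # bytes within WINDOW that we treat as suspicious
MIN_FLOWS = 10                  # require sustained activity, not one or two uploads

Flow = Tuple[datetime, int]     # (timestamp, bytes_out)


def build_sample_flows() -> str:
    """Construct sample flow records (CSV: timestamp,src_host,dst_ip,bytes_out).

    These are made-up records for the example, not real telemetry."""
    lines = []
    start = datetime(2023, 5, 1, 9, 0)
    # ws-17 trickles 45 KB every 10 minutes for five hours: each flow is well
    # under PER_FLOW_LIMIT, but the total is about 1.35 MB.
    for i in range(30):
        ts = (start + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts},ws-17,203.0.113.10,45000")
    # ws-22 does one 900 KB upload: large, but a single event a per-flow rule sees.
    lines.append("2023-05-01T09:05:00,ws-22,198.51.100.7,900000")
    # ws-30 sends three small flows: too little volume to matter.
    for i in range(3):
        ts = (start + timedelta(hours=i)).isoformat()
        lines.append(f"{ts},ws-30,192.0.2.5,30000")
    return "\n".join(lines)


def parse_flows(text: str) -> Dict[Tuple[str, str], List[Flow]]:
    """Group flow records by (src_host, dst_ip), each group sorted by time."""
    groups: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        groups[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    for flows in groups.values():
        flows.sort()
    return dict(groups)


def find_low_and_slow(groups: Dict[Tuple[str, str], List[Flow]],
                      per_flow_limit: int = PER_FLOW_LIMIT,
                      window: timedelta = WINDOW,
                      cumulative_limit: int = CUMULATIVE_LIMIT,
                      min_flows: int = MIN_FLOWS) -> List[Tuple[str, str, int, int]]:
    """Return (src_host, dst_ip, peak_window_bytes, flows_in_window) for every
    pair whose small flows add up past cumulative_limit within one window."""
    alerts = []
    for (src, dst), flows in groups.items():
        # Only flows that individually stay under the per-event threshold are
        # part of the pattern; a single big upload is a different detection.
        small = [f for f in flows if f[1] < per_flow_limit]
        total = 0
        left = 0
        best = None
        for right, (ts, nbytes) in enumerate(small):
            total += nbytes
            # Slide the window: drop flows older than (ts - window).
            while small[left][0] < ts - window:
                total -= small[left][1]
                left += 1
            count = right - left + 1
            if total >= cumulative_limit and count >= min_flows:
                if best is None or total > best[0]:
                    best = (total, count)
        if best is not None:
            alerts.append((src, dst, best[0], best[1]))
    return alerts


if __name__ == "__main__":
    for src, dst, total, count in find_low_and_slow(parse_flows(build_sample_flows())):
        print(f"ALERT {src} -> {dst}: {total} bytes over {count} flows within {WINDOW}")
```

Run as-is, only the ws-17 to 203.0.113.10 pair is reported; the single 900 KB upload from ws-22 is deliberately left to a per-event rule, and ws-30 never accumulates enough volume. In practice the same sliding-window aggregation is run over proxy, NetFlow or cloud storage egress logs, and the destination is enriched with reputation and asset-inventory data before the alert is raised.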
While insurance can provide a salve when a company is being compromised digitally, risk prevention is the most important method to sidestep an attack in the first place.
Mickelson has provided five steps that are crucial for an insured to implement and follow: