Over the course of 2020, cyberattacks expanded to include coronavirus-related scams, state-sponsored attacks on government agencies unnerved many, and breaches at prominent companies like Twitter and Marriott made headlines. However, the most significant cyber event from 2020 wasn’t one hack or privacy breach – it was the mass influx of ransomware and the ensuing spike in ransom demands that have continued to cripple small- and medium-sized businesses.
“The already lofty ransom demands of 2019 have continued to increase by over 60% in the past few quarters,” said Michael Palotay, Chief Underwriting Officer of the Tokio Marine HCC – Cyber & Professional Lines Group.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently released guidance on ransomware. This document has been top-of-mind for many cyber insurance carriers wondering if the ability to pay ransoms could soon be curtailed by the government. The OFAC guidance is a step in the right direction, though chipping away at hackers’ incentives will require even more regulation.
“The incentive for a hacker to launch a ransomware attack is too high, and the increase in ransom demands is showing little sign of slowing down,” said Palotay. “Some are arguing that cyber insurance is giving hackers a perverse incentive to continue their attacks, but I think that is misguided. When hackers have completely crippled a company’s operations, most would find a way to pay the ransom whether they have insurance or not. The issue is the lack of security awareness, not the presence of risk transfer solutions.”
The cyber insurance marketplace has already seen the impacts of this fast-evolving risk landscape. Capacity in the market is shrinking and carriers are reducing their limits. At the same time, reinsurance capacity is becoming more expensive, and cyber terms are tightening. Palotay also mentions that a number of cyber insurance carriers, including Lloyd’s carriers, are currently pulling out of the market due to these obstacles. He predicts this trend will continue into 2021.
Another factor putting pressure on the cyber insurance market is the scale of business interruption losses. These losses stem from cyber incidents and show the level of sophistication of the latest breed of ransomware attacks.
“Three to four years ago, a ransomware attack would typically encrypt one computer or a small group of computers. Now, when hackers launch one of these attacks, they intentionally linger in the network for days or maybe weeks and act as a network administrator,” explained Palotay. “There are no restrictions of what they can do within a network. They gain access to the backups and servers, and almost every endpoint; they have access to practically everything.”
He added that while there can be very little business interruption if just a handful of computers are encrypted, large business interruption losses can occur when an entire IT business structure is rendered unusable, causing companies to be down for weeks, even after paying the ransom.
For small businesses especially, the current cyber risk landscape can be difficult to navigate. The events of the past year have highlighted small- and medium-sized enterprises’ (SMEs) relative lack of preparedness for the very real threats, and smaller companies oftentimes do not have the dedicated security teams and technology that an enterprise-level insured has to protect itself. However, there are technologies that small businesses can pay for to significantly reduce their risk without burdening their budgets. Palotay is optimistic that awareness around this type of technology, along with taking action towards cybersecurity precautions, is going to percolate over the coming years.
Meanwhile, for cyber insurers, the past year has brought several key lessons learned. For one, they’re now being more selective when taking on insureds and determining what risk mitigation controls are in place. When a company hasn’t been able to buy cyber insurance because it didn’t have enough security controls, Tokio Marine HCC – Cyber & Professional Lines Group has seen it in turn implement the necessary precautions. In an effort to help its insureds get more prepared, the group created partnerships with Datto for its cloud-based backup solution, with Cisco’s Duo for multi-factor authentication technology (through managed service provider OneIT), and with CrowdStrike for endpoint security, offering insureds discounts on these products if they don’t already have these critical security controls in place.
“Insureds are motivated because they see a difference in their product and policy rates,” said Palotay. “Most companies do not want to remain vulnerable, so we are trying to do our part to help our insureds stay safe.”
As for how he predicts the cyber risk and insurance landscape will continue to evolve into 2021, the Tokio Marine HCC – Cyber & Professional Lines Group expert sees the cyber market continuing to roll out preventative services to mitigate the risk, while experimenting with different underwriting selection criteria to determine what approach works best.
“I also expect [cyber insurers] to shift the composition of their books towards accounts that have top-notch security measures in place. There is a list of basics, like multi-factor authentication, strong endpoint security, and a secure backup solution, like those provided by Cisco’s Duo, CrowdStrike, and Datto,” said Palotay. “These are critical, but we are working to incorporate more detailed control information into our underwriting process as the threat continues to evolve.”