According to the Chinese zodiac, 2022 is the Year of the Tiger, a year associated with fortitude, courage and boldness. In the months ahead, these are characteristics that businesses and individuals will need to embody because—in the face of proliferating cybercrime—the year ahead may become the year of the cyber.
This year, every email must be personally vetted. Every link should be considered a trap. Every friend request should be met with suspicion.
But how did we get here? How did the situation become so dire that cyberattacks have put small and large companies out of business, caused fuel shortages and forced the president of the United States to issue warnings and sanctions to its foreign adversaries? More importantly, how do we move forward?
“Businesses and industries around the world have recognized that technology is fundamental to their growth and success,” says Shawn Ram, head of insurance, Coalition. “Cloud-based services and the internet drive economic growth and create efficiency but deliver additional risk factors. The more we utilize technology, the more the risk increases.”
“We can assist companies with incorporating the appropriate risk mitigation techniques to prevent losses. However, solving cybersecurity is not actually possible,” Ram says. “Cyber defenses have to be right 100% of the time and cybercriminals only have to be right once.”
In 2017, Warren Buffett said cyber risk is the “No. 1 problem with mankind,” likening it to weapons of mass destruction. Two years later, he said, “cyber is uncharted territory. It's going to get worse, not better. There's a very material risk which didn't exist 10 or 15 years ago and will be much more intense as the years go along.”
Back then, it was hard to argue—and his words ring truer today. Here are five cyber insurance trends to keep an eye on in 2022:
1) Ransomware
The 2021 Colonial Pipeline ransomware cyberattack will live in notoriety as one of the most disruptive ransomware attacks. Investigators believe hackers gained access to the Houston-based fuel carrier's systems via a password acquired on the dark web. Their job was made easier by the fact that Colonial Pipeline did not use multifactor authentication (MFA). Colonial Pipeline shut down its systems, resulting in widespread gas shortages and panic buying across the East Coast, and paid the $5-million ransom to regain access to its system.
Businesses and government entities face the same reality, and that reality appears to be getting worse. After a surge of ransomware attacks in the first half of 2021, the average ransom demand tripled, according to Coalition. Further, current trends indicate that ransomware-related transactions in 2021 will be higher than the previous 10 years combined, according to a report released by the U.S. Treasury Department's Financial Crimes Enforcement Network in October 2021.
“These cybercriminal gangs are so sophisticated that there is a whole marketplace around ransom,” Ram says. “They've built businesses around exploiting cryptocurrency and selling malware to other cybercriminals.”
“Insurance is intended to be the last line of defense—not the first,” Ram adds, noting that MFA; regularly tested, disconnected or segmented backups; and endpoint protection are some of the measures businesses can take to improve their chances of avoiding an attack.
MFA protects systems by forcing digital users to provide two pieces of information to verify their identity, such as a password and a code sent to a cell phone. “In excess of 90% of claims could be prevented if the business just had MFA,” Ram says.
Meanwhile, data backups remove the impulse for companies to buy back stolen or ransomed data as a route to return to operations as soon as possible. However, hackers can occasionally reach the backups as well. Endpoint protection—defined by Gartner as “a solution that converges endpoint device security functionality into a single product that delivers antivirus, anti-spyware, personal firewall, application control and other styles of host intrusion prevention capabilities into a single and cohesive solution”—is another recommended security measure.
2) Supply Chain Attacks
In 2013, Target was hit by one of the earliest and most well-known supply chain attacks. The retailer reported that hackers stole data from up to 40 million credit and debit cards after accessing Target's gateway server through credentials stolen from a third-party vendor. They installed malware on the system and captured full names, phone numbers, email addresses, payment card numbers, credit card verification codes and other sensitive data.
“Supply chain attacks are sophisticated cyberattacks in which the threat actor first gains access to a trusted software provider and then uses that access to implant malicious code into an otherwise benign, regularly scheduled software update that the software provider sends to its customers,” says Tim Zeilman, vice president, strategic products, HSB.
“Those customers, who are the ultimate targets of the attack, receive what they believe to be a routine software update from a trusted source and install it on their systems, thereby also unknowingly installing the attacker's malicious code onto their systems,” Zeilman says. “With the malicious code installed, the attackers now have access into the systems of all of the customers of the software provider, and they can use that access for any purpose they wish, including espionage, theft of intellectual property, destructive activity or installing ransomware.”
Since supply chain attacks are difficult to predict, underwrite and prevent, mitigation after the fact may be the best place for agents to focus. “Once an attack has been discovered, rapid communication with affected organizations is crucial,” Zeilman says. “If the affected organizations can quickly be identified, notified and instructed about effective mitigation actions, it may be possible to significantly mitigate the impact of the attack. This is an area where coordination between carriers and agents is very important.”
Supply chain attacks are becoming more frequent as dependence on technology grows and businesses of all sizes contract vendors to handle payments, marketing, payroll, benefits and more. If these attacks can't be prevented by cybersecurity measures and staff training, “the standard coverage elements found in cyber coverage forms—business interruption, data and system restoration, and data breach response—will typically apply to supply chain attacks,” Zeilman adds.
3) Hard Market
The hard cyber insurance market, like many other markets, is encapsulated by three things: rising rates, tightening underwriting restrictions and reducing capacity. Businesses in the hardest-hit markets—education, health care, construction, public entities and manufacturing—have seen premium increases as high as 300% or more when they renew their cyber coverage, according to the U.S. Cyber Market Outlook released by RPS in October 2021.
The frequency and severity of cyberattacks are also forcing many insurers to withdraw any premium reduction measures. In the past, insureds could qualify for a discount if they had MFA, data backups or other security measures, “but now it's got to the point where they're not even going to write the policy if you don't have those types of preventative measures in place,” says George Robertson, president of Robertson Consulting and host of the Insurance Agency Trendsetters Podcast. “Minimum premiums are going up and where you might have been able to get $10-million limits, you can only get $5 million.”
When talking about cyber insurance with information-empowered and cost-sensitive consumers, agents should educate clients to “make them aware of the severity of a cyberattack,” Robertson says. “The attorney fees alone are going to be $350 an hour and up, the forensics team is going to be upward of $20,000 and then you've got notification costs—it all adds up and can easily ruin a business.”
Further, independent agents can add more value and differentiate themselves from the competition by gaining a full understanding of the products that are available in the market, such as their coverages and exclusions, as well as the specific risks that apply to each insured.
“The cyber market has not yet evolved to the point where all these policies are the same. We're still in a little bit of a Wild West scenario and every policy is different,” Robertson says. “Agents need to make sure they understand their client's risk. Do they have credit card risk? Or a proprietary information risk? The last thing you want to do is sell a client a cyber liability policy, they have an incident and then you have to tell them that the policy doesn't cover it.”
4) Nation-State Attacks
Late last year, Lloyd's of London issued a bulletin containing four cyber war and cyber operation exclusion clauses. “In discussion with Lloyd's it has been agreed that, in respect of standalone cyber-insurance policies, these clauses … state that all insurance and reinsurance policies written at Lloyd's must, except in very limited circumstances, contain a clause which excludes all losses caused by war,” said the bulletin, indicating that it will no longer cover the fallout of cyberattacks exchanged between nation-states.
In March 2021, Microsoft announced it had fallen victim to an attack that compromised around 125,000 email services. The attack occurred just a matter of weeks after Microsoft, one of the world's most popular email providers, announced it had found a flaw in its security and encouraged users to install a patch to close the security gap. Those breached were the unlucky users who had not been able to update their systems. Months later, the Biden administration formally blamed criminal hackers associated with the Chinese government for the attack.
By then, attacks by foreign entities were nothing new. In 2014, Sony was hacked by a group believed to be working in at least some capacity with North Korea. They stole information from Sony's network and leaked private information to journalists.
The SolarWinds supply chain attack is another high-profile nation-state attack. Perpetrated by Russian cybercriminals in December 2020, the attack brought the era of attacks from abroad into full focus. After various government email accounts were hacked, including emails at the U.S. Treasury, Justice and Commerce departments and other agencies, the attack illustrated the susceptibility of government entities to cybercrime.
Nation-state attacks have put pressure on the Biden administration to respond with sanctions and other measures to fend off hackers working for adversarial regimes. In many cases, proving that a cyberattack is a result of a nation-state is difficult, if not impossible. Yet, amid tightening underwriting restrictions and a variety of products, agents must remain vigilant in 2022 about whether these types of cyberattacks are a covered loss.
5) Government Regulation
Given today's cyberthreats, it is no surprise that policymakers and regulators increasingly expect—and require—businesses to take appropriate measures to protect their data.
A growing universe of states now require security measures and other data protection precautions, and some apply greater scrutiny to industries with access to particularly sensitive personal information. In addition, every jurisdiction in the country has now enacted a statute that spells out the steps that must be taken and the notices that must be provided when an entity is the victim of a data breach.
“A wide range of data security and breach notification laws have been enacted over the last two decades,” says Wes Bissett, Big “I” government affairs senior counsel. “The subtle differences in these state requirements can make it challenging for an entity that is breached to achieve compliance and reinforces the need for cyber insurance.”
There are growing calls for Congress to adopt broadly applicable, cross-industry national data protection standards. Although final passage of such federal legislation is unlikely in 2022, these issues have generated considerable interest among lawmakers of both political parties.
In the meantime, state insurance regulators are ratcheting up the cyber requirements and responsibilities for insurers, agents and others. In 2017, New York made a splash by adopting complex and cumbersome insurance-specific regulation. However, later that year, the National Association of Insurance Commissioners (NAIC) adopted a more reasonable model law that recommended new data security standards and post-breach requirements.
“Over one-third of the states have enacted heightened cybersecurity obligations based in large part on the NAIC model, including six in 2021,” Bissett says. “Additional jurisdictions will do so in 2022.”
“Insurance agents must take data security seriously,” Bissett adds. “Policymakers and regulators are watching and expect nothing less.”
2022 is set to be another whirlwind year for cybersecurity. The most businesses can do is batten down the hatches by developing and maintaining a cybersecurity plan, obtaining cyber coverage, mandating employee training and keeping systems and software up to date.
Will Jones is IA editor-in-chief.