Ransomware attacks' quickly evolving nature and widespread impact have led to a hardening cyber insurance market, narrowing coverage and more.
The U.S. cyber insurance market is estimated to be worth $2.5-$3.5 billion annually and is expected to grow by another $2 billion over the next three years, according to PwC's global cyber insurance survey. Major factors driving this growth include the increasing number of ransomware and cyberattacks as well as expanding government regulation with more states enacting new legislation around cyber insurance policies.
As the world entered a new era of work-from-home arrangements across all industries, cybercriminals were presented with new and ample opportunities, resulting in a changing risk landscape of ransomware attacks, data breaches, insurance claims and an overall increase in threat awareness.
“Ransomware is the biggest cybersecurity threat companies are facing today, followed closely by increased data privacy law enforcement,” says Marc Voses, data privacy and cybersecurity partner, Clyde & Co.
In the first half of 2020, 41% of insurance claims in North America were related to ransomware attacks, making it a profoundly impactful form of cyberattack, according to Coalition's Cyber Insurance Claims Report.
“Ransomware requires a whole additional suite of incident response remediation and cybersecurity efforts,” says Shawn Ram, head of insurance, Coalition Inc. “In a matter of days, an adversary will hold your information hostage, causing general business interruption loss. If data is not appropriately segmented and backed up, the interruption of business—not being able to access customer data, not being able to run your business, not being able to access your computers—is debilitating.”
Financial losses from ransomware attacks during 2020 were severe. The reported multimillion-dollar ransom payment made by Garmin after an attack took many of its products and services offline last year and the potentially serious risk to small businesses caused by the mail server software security holes announced by Microsoft in March are two of a growing list of costly high-profile incidents.
In testimony to the impact of cybercrime on every industry, Google announced its entry into the market in a partnership with two global insurers, Allianz Global Corporate and Specialty (AGCS) and Munich Re, to launch the Risk Protection Program, a partnership that will offer cyber insurance coverage and reduce cybersecurity risks for Google Cloud customers.
However, ransomware's widespread impact has led to major changes within the cyber insurance market—and thus a hardening market. “Among these changes is an end to the consistently increasing capacity and consistently decreasing rates that we have seen for most of the history of cyber insurance,” says Timothy Zeilman, vice president, global cyber products, HSB (The Hartford Steam Boiler Inspection and Insurance Company), part of Munich Re. “Instead, we are seeing increasing rates and more selective deployment of capacity as carriers seek to balance their portfolios and seek profitable business.”
“We're seeing two things happen in the cyber insurance market: a re-analysis of the wording in policies to see which areas need to be narrowed in terms of scope of coverage, and what new areas can be developed,” Voses says. “While we know general business interruption losses, contingent business interruption losses, as well as supply chain risks are not new to cyber insurance, they are being reviewed to see whether or not they can be tweaked to cover some additional risks that insureds are now seeing materialize in the marketplace.”
While attacks on computer systems, viruses and data breaches have occurred for decades, 2020 was a turning point. “The change to remote working has both driven home the need for cyber insurance, as companies rely even more heavily on their IT infrastructure for basic operations, and has provided opportunities for cybercriminals to create new attack vectors and opportunities for fraud and social engineering,” Zeilman says.
State government and law enforcement agencies are also taking notice, with “some regulatory bodies now adding teeth to their cyber policy guidelines with concrete expectations and financial penalties for noncompliance,” according to Cooper Wallach, vice president, specialty commercial underwriting, Fortegra Insurance, and Rob Hegedus, CEO, Sera-Brynn Cybersecurity Risk Management.
Some such initiatives include:
- New York DFS Cyber Security Regulation
- California Consumer Privacy Act
- Virginia Insurance Data Security Act
- Securities and Exchange Commission's refinements to policies regarding incident response
- Department of Defense's implementation of DFARS 252.204-7012
- Department of Health and Human Services HIPAA Security Rule
- European Union General Data Protection Regulation
- National Association of Insurance Commissioners Insurance Data Security Model Law
Cyberattacks are becoming more and more prevalent, and while we may be several years away from cyber truly becoming a core line, data indicates otherwise.
“The digital assets that we have as companies are far more valuable than losing, for example, a building which will quickly be rebuilt,” Ram says. “The reputational damage and business interruption associated with a cyber event is prolific and becoming more real for businesses by the day.”
Olivia Overman is IA content editor.