
What are Key Trends in Cyber Insurance?

Growing up, I used to hear stories about the American Wild West and how things can change in an instant.  What was normal one day was totally different another day.  The insurance marketplace for Cyber Liability insurance reminds me of those Wild West days.

In a recent meeting with one of our key distributors of Cyber insurance we discussed how, in one year, we saw 12 different insurance companies who collectively could offer over $200,000,000 of Cyber insurance Limits, and now that same group of companies will only offer $50,000,000.  That abrupt and significant decrease in market capacity is unprecedented.  But in looking over the landscape, it’s clear to see why this has happened.

For years insurance carriers marketed their Cyber insurance products as a tool to help with ransomware claims.  Four years ago underwriters focused on how ransomware claims were an issue for businesses, and how Cyber insurance products could help with those claims.

The underwriters were right: ransomware claims were an issue.  So much so that the number of claims and the cost of demands increased faster than anyone anticipated.  One underwriter for a major insurance carrier commented that they drastically underpriced their premium rates for ransomware.  He said for every $1.00 of rate they charged, ransomware represented only $0.05, or 5% of the rate.  So while on one hand they were recommending the coverage because of ransomware claims, they were charging inadequate premium to cover those anticipated claims.  The rapidly escalating ransomware claims quickly became a problem.

In 2021 all of our insurance carriers that offered Cyber insurance implemented huge rate increases.  In addition to rate increases, retentions for claims also increased.  In 2020 a carrier quoted a Cyber insurance policy with a $1,000 deductible for a small private school that had revenue under $4 million.  The school rejected the coverage.  Eight months later they called about that Cyber quote and the insurance carrier requoted.  The premium increased 161%, and the retention increased to $10,000.  There was no change in revenue and no losses. 

Some things are changing, and some have stayed the same:

Ransomware and business email compromise attacks are still accounting for 80% of the losses insurers incur.  With that, we expect to see rates increase from 15% to 50%, depending on client loss experience and industry of operation. 

In 2021 we saw insurance companies use outside resources like Bitsight to review organizations’ forward-facing networks and websites.  Cyber insurance underwriters will continue to take a close look at a company’s IT best practices.

Here are some Cyber Protection protocols that underwriters will expect to see:

Multi-Factor Authentication (MFA)

Underwriters are looking for MFA for remote access to an organization’s computer network and email services that are web-based.  Some underwriters go a step further and look for MFA on computer networks’ critical infrastructure such as routers, servers, backup environments, and firewalls when it comes to individuals who have Administrative access.

If using a VPN to remotely access a network, having MFA implemented is another best practice to consider.

Endpoint Detection and Response (EDR)

EDR systems are designed to monitor the various points of access to a company’s network, such as laptops and servers.  An EDR system constantly monitors these endpoints for any suspicious activity.  If it detects such activity, then it isolates the device from the network.

This could prevent a ransomware event from spreading from one device to the network at large.

Remote Desktop Protocol (RDP)

RDP is embedded in the Windows operating system, and it allows for remote access from one computer to another.  Hackers have been known to exploit open RDP ports, because many users don’t know that they should be shut down if not in use.

Requiring a VPN with MFA to reach RDP is also a way to secure it.

Backup of Data Performed Frequently and Securely

Backup of data is essential if an organization falls victim to a data breach.  Underwriters assess how frequently data is backed up, and the process for how it is backed up. Do not rely solely on Cloud backup. Use multiple systems to back up your data.

And test your backups.  Some organizations overlook the testing of a backup.  One client found out the hard way that they had never tested their backups.  When they suffered a cyberattack, they discovered their backups were missing data or were corrupted.

Data Management Strategy (DMS)

A DMS depends on the type of data and how it is stored.  Underwriters look to see if data is encrypted; or for large databases, if data is segregated.  The purpose of segregating data is to prevent a hacker from accessing all the data in one grab.

If data is segregated and a hacker can only access one part of the database, they could not use the data because they only have part of the picture.

Business Continuity Plan (BCP)

Having a formal BCP on how to respond to a cyber-event can dramatically impact how quickly an organization can get back to full operation. Future articles in our blog will talk more about the components of a good BCP.  Because cyberattacks evolve in complexity over time, testing and updating a BCP is paramount.

One area in these reports is patching cadences of critical software updates.  Underwriters look to see if an organization quickly implements critical security patches when they become available from a software developer.  Implementation in less than 30 days is preferred.  One best practice is automating critical software updates.  That limits the vulnerability window, and eliminates human error. 

A few insurance companies are including endorsements or exclusions to incentivize business owners to patch software quickly.  One insurance company has gone so far as to say if a critical patch is not updated within 14 days of its public release by the software developer, coverage is excluded for hacking that exploits this vulnerability.  Another carrier will gradually reduce coverage and increase co-insurance for unpatched software.
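To see where an organization stands against the 30-day preference and the 14-day exclusion window mentioned above, the following added example (not from the original article) measures each critical patch from public release to install, counting still-open patches up to the review date. Host names, patch ids and dates are constructed placeholders, and the status labels are this example's own.

```python
from datetime import date

PREFERRED_MAX_DAYS = 30  # article: implementation in less than 30 days is preferred
EXCLUSION_MAX_DAYS = 14  # article: one carrier excludes coverage after 14 days

# Constructed sample inventory; "installed" is None while a patch is still open.
INVENTORY = [
    {"host": "web-01", "patch": "PATCH-A", "released": "2022-01-04", "installed": "2022-01-10"},
    {"host": "web-01", "patch": "PATCH-B", "released": "2022-01-04", "installed": "2022-01-25"},
    {"host": "db-01", "patch": "PATCH-A", "released": "2022-01-04", "installed": "2022-02-20"},
    {"host": "db-01", "patch": "PATCH-C", "released": "2022-01-18", "installed": None},
    {"host": "fs-01", "patch": "PATCH-D", "released": "2022-02-22", "installed": None},
]


def exposure_days(record, as_of):
    """Days from public release to install; open patches count up to as_of."""
    released = date.fromisoformat(record["released"])
    end = date.fromisoformat(record["installed"]) if record["installed"] else as_of
    return (end - released).days


def classify(record, as_of):
    """Label one record against the 14-day and 30-day thresholds."""
    days = exposure_days(record, as_of)
    patched = record["installed"] is not None
    if days <= EXCLUSION_MAX_DAYS:
        return "within_14_days" if patched else "open_within_14_days"
    if days < PREFERRED_MAX_DAYS:
        return "late_vs_14_day_clause" if patched else "open_past_14_days"
    return "over_30_days" if patched else "open_over_30_days"


def review(inventory, as_of):
    """Return every record needing attention, longest exposure first."""
    findings = []
    for rec in inventory:
        status = classify(rec, as_of)
        if status != "within_14_days":
            findings.append((rec["host"], rec["patch"], exposure_days(rec, as_of), status))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for finding in review(INVENTORY, date(2022, 3, 1)):
        print(finding)
```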

One carrier has made a move to limit coverage under a Cyber insurance policy for what is known as “Widespread Events”.  Take, for example, the Log4j Java vulnerability which surfaced in December 2021.  When this vulnerability surfaced, many organizations had a new vulnerability that hackers tried to exploit.  A “Widespread Event” like this would trigger a reduction in coverage under this particular insurance carrier’s Cyber product.

Some insurance carriers may look at this kind of widespread event and exclude it entirely under their Cyber policies.  Not all insurance carriers are doing this, but stay tuned.

In 2021 insurance carriers began reducing their limits capacity.  One underwriter commented that the premium they must charge for high limits has become so costly that a small or medium size business may not be able to afford it.  In addition to that, an insurance carrier might not be able to charge enough premium for the exposure, to be profitable.

One of our clients had $10 million Cyber insurance limits.  The insurance carrier offering coverage slashed its total limits to $5 million for 2022-2023, at a premium higher than the $10 million limit premium was for 2021-2022.  We were able to find another carrier to take on the additional $5 million limit exposure.  In the end, the client’s premium was more than double what they were paying the prior year.  Our client was a good risk, and their claim experience was fantastic.  Their experience was symptomatic of what’s happening in the Cyber insurance marketplace.

Underwriters for Cyber insurance are taking a hard look at what companies are doing to protect themselves from a cyberattack.  Having the above protocols in place will ensure that not only is your data protected, but if you are attacked, you can be resilient, and have a strong defense to prevent or mitigate a loss.

Scott Harrigan

Scott started his career in insurance in 1988 and joined Rue Insurance in 2004 as a Marketing Specialist focusing on creating effective risk financing and risk transfer programs for companies and non-profit organizations. In addition to this he is a member of the Rue Insurance educational team that provides ongoing professional development in critical insurance concepts and programs to Rue employees.
