Cyber risk has gained centre stage prominence over the last six months as companies around the world grapple with the impacts of the COVID-19 pandemic and navigate the “new normal” of technology-driven remote work. This rapid digitalization of business worldwide has shone a spotlight on widespread cybersecurity vulnerabilities, including the fragility of home networks that the majority of employees are relying on right now, and the ongoing issue of human error, which hackers have clearly tried to exploit through the pandemic via a huge uptick in phishing and spear-phishing campaigns.
While some cyber risks have evolved to capitalize on the challenges of the pandemic, it’s still the more “traditional” cyber events, like data breaches and ransomware attacks, that are the largest threats, according to Jacqueline Detablan, Vice President of Specialty Insurance at CNA Canada. Ransomware, in particular, and the business interruption losses tied to ransomware events, have caused some of the most severe and challenging cyber claims over the past few years.
“Most of our cyber claim experience at CNA Canada involves ransomware and cyber-triggered business interruption,” said Detablan. “Since 2017, we’ve seen ransomware demands increase significantly. Whereas hackers used to demand amounts of $25,000-$50,000, now they’re demanding $2 million or more in Bitcoin. We negotiate with the bad actors to try to reduce or eliminate those demands, but every situation is unique. Sometimes, the hackers have already exfiltrated the data, which reduces our ability to negotiate because they have leverage. And even if the insured can limit their business interruption by reverting to back-ups or any other restorative measures they may have in place, if the bad actors have successfully exfiltrated data, it makes any negotiation much more difficult.”
Regarding cyber-triggered business interruption losses, Detablan has seen increases in both the frequency and severity of claims. She attributes this partly to the fact that the type of companies buying cyber insurance in Canada has evolved. In the past, the market was dominated by companies with data privacy exposure; now there are a lot more operationally driven risks, like manufacturing and construction companies, where business interruption can be more problematic.
“For industries like manufacturing, the business interruption component is outsized,” Detablan commented. “Even if they’re only a small-sized manufacturer, if a ransomware attack stalls the production of their goods or their supply chain, this can dramatically affect their income – and that’s really contributing to the severity of claims that we’re seeing.
“I would also add that there’s definitely more awareness among insureds and brokers on what business interruption coverage is and how useful it is in relation to a cyber event. Also, the competitive nature of the cyber insurance market has eroded some of the waiting periods on the business interruption to a lower number of hours, so the policies are triggered a lot more quickly from the business interruption perspective. That could be another reason why we’re seeing more of these claims.”
Claims handling with respect to cyber should be every insurer’s “number one priority,” according to Detablan. It’s a key focus for the team behind CNA Canada’s monoline cyber insurance product, CNA NetProtect®, which offers first- and third-party coverages associated with e-business, the internet, networks and other electronic assets and information.
“We differentiate ourselves in the service that we provide, both from a claims perspective and from the value-added services that clients get with our policy,” Detablan told Insurance Business. “We have a dedicated and experienced cyber claims team in Canada, and we leverage our large network of vendors and claims partners to ensure we’re always providing the best possible service. We hold onboarding calls where we introduce our clients to the claims team and to their breach coach, so that if they do unfortunately suffer a claim in the future, they know exactly who they’ll be working with.
“We’ve found that when the communication lines are open and transparent before an event happens, it creates better results for all, whether that’s because there’s less pressure on the insured because the expectations have already been set, or because we’re engaged earlier with respect to a breach since the insureds know who to call. We’ve actually had claims that we believe were less severe than they could have been simply because the communication lines were open before the breach even occurred.”
While cyber claims handling is absolutely critical, risk prevention and mitigation is just as important to policyholders. Knowing this, CNA Canada enhanced its cyber proposition in 2019 with several new pre-breach services. The insurer formed a partnership with website security firm GamaSec, through which all existing and new qualifying cyber insurance policyholders in Canada can use its cutting-edge technology to identify and eradicate dangerous malware threats and website application vulnerabilities. The insurer also launched an eRiskHub®, a cyber breach portal powered by NetDiligence®. This provides tools and resources to help organizations understand their cyber risk, establish incident response plans, and minimize the effects of a breach on their organizations.
“We’re looking to expand our pre- and post-breach services in the first quarter of 2021, so that we can offer some additional services to our policyholders,” said Detablan. When asked why it’s so important for cyber insurers to offer holistic cyber risk management solutions, she responded: “Clients are looking for more tools. Everyone’s been challenged with respect to resourcing, especially in the context of COVID-19, so if we can partner with our clients, not only will they stand up better in a breach situation, but it will also help the industry’s results if these tools can lower or lessen the severity of claims.
“There’s an education piece as well. As insurers, it’s part of our responsibility to keep our insureds informed about their major risks. Cyber is arguably one of the prime risks at the moment, and we have a responsibility to educate around that.”