Cyber risk is everywhere. It’s an enterprise problem that can trigger a string of loss-driving events well beyond the technology or the systems that were initially compromised. Cyber events can result in business interruption (both primary and contingent), productivity loss, reputational damage, physical damage, and significant legal repercussions and recovery expenses. As the impacts of cyber exposure are realized, the scale and frequency of cyber insurance losses continue to soar.
Ransomware is arguably the most pressing issue the cyber insurance community is dealing with today. This variation of malware allows hackers to lock people out of their business systems until they pay a ransom, usually in cryptocurrency and to an offshore bank account. In recent years, there has been a significant uptick in the frequency and severity of ransomware attacks, impacting businesses of all sizes and in all sectors. Hackers have grown more sophisticated and targeted in their attacks, aiming for larger organizations that can afford bigger ransoms.
In the past five years, the average ransom demand has shot up from US$15,000 to US$175,000 – an almost twelve-fold increase – according to the NetDiligence 2021 Ransomware Spotlight Report. Furthermore, ransom demands crossed the US$1 million threshold in 2018, the US$3 million threshold in 2019, and publicly available data indicates that they crossed the US$30 million threshold in 2020 – although this was likely negotiated down.
The ransomware headache doesn’t stop there. In 2020, a new wave of ransomware attacks hit the market. Known as ‘double extortion,’ threat actors are maximizing their chance of making profit by threatening the victim with an additional abuse of the information they encrypted, such as selling or auctioning it.
In contention with such a fast-paced and ever-changing risk landscape, cyber insurers have reacted by seeking more rate and shoring up their underwriting guidelines in order to control their costs and protect their books. Some have even started sub-limiting ransomware and applying co-insurance provisions, forcing insureds to share more of the risk.
“The cyber market is undergoing significant volatility due to the unprecedented level of dangerous and damaging cyberattacks being successfully launched against companies,” said Ari Giller (pictured top), vice president of cyber & tech underwriting, Tokio Marine HCC – Cyber & Professional Lines Group. “Based on our claims data, ransomware frequency increased by over 100% compared to 2018, and the average ransom demand increased by 700%. The cyber landscape is constantly evolving.”
The firming of the market is having a big impact on brokers and agents. Not only do they have to work harder to secure adequate coverage for their clients, but they also have to educate themselves and continue to develop their technical skillsets around cybersecurity controls and best-practice cyber risk mitigation. This is vital if they want to differentiate themselves in a hardening market, according to Christiaan Durdaller (pictured immediately below), president and CEO of INSUREtrust.
“If you can’t carry the messaging to your clients around what multi-factor authentication (MFA) is and how to implement it, you are going to struggle to put the best cyber insurance program in front of them,” said Durdaller. “[Likewise], if a broker cannot explain how to put remote desktop protocol (RDP) behind a VPN with everyone working from home […] they will not be successful in this market.”
Companies of all sizes benefit from a layered and dynamic approach to cyber risk management, which incorporates tools, products and services, said Shannon Groeber (pictured below), executive vice president, CFC Underwriting. “From a proactive perspective, tools such as MFA, segmentation of networks and sensitive information, consistent backups of data and employee training and awareness are foundational and put companies in a better position to define and minimize threats.”
Proactive cyber security controls are absolutely essential in today’s evolving threat landscape. Many would argue that cyber insurance should not be seen simply as a financial risk transfer product; rather, it is a holistic risk management solution that protects not only the insureds but also the cyber insurance market itself. As rates rise, coverage constricts, and cyber threats boom, we will only succeed with an ‘all in this together’ approach.