Ransomware is a plague sinking its talons deeper and deeper into businesses and the cyber risk community. In recent years, hackers have grown more sophisticated and targeted in their attacks, leading to an uptick in the frequency and severity of ransomware attacks, impacting businesses of all sizes and in all sectors. Today, it is not unusual to see ransom demands of six- or seven-figure sums, resulting in an explosion in the severity of cyber insurance claims, and a reactionary defensive stance from cyber insurers.
From businesses to insurance brokers, to underwriters and cyber insurers, all “heads are spinning” in the effort to respond to such a dramatic escalation in ransomware risk, according to Meredith Schnur, US & Canada cyber brokerage leader at Marsh. There’s a “state of confusion” and a “state of experimentation” in the marketplace, she added, where insurers are trying to figure out how best to underwrite the risk and reduce the exposure with best practice risk management.
“The first thing that clients want from their brokers and insurer partners is education,” said Schnur at Reuters’ The Future of Insurance USA 2021. “Education and data - that’s what we’re asking for from our partners. [Insurers are] seeing the claims activity, they’re seeing the frequency and severity, and we need that information to be shared. Cyber hygiene is the most important thing to these organizations, and without this data to truly understand that X control would alleviate or minimize cyber risk, we just can’t get to the next step.
“What do our clients want? They want an education from us as their trusted advisor and their broker, and they want education from the insurers. I think that’s fantastic because it’s finally bringing the [entire] community - security professionals, underwriters and carriers, and brokers – all together in a room to figure this out, so we have a sustainable cyber market, and we can help our clients get to a better cyber hygiene level.”
Companies want statistics and data to help them better understand their cyber exposure and how to manage it, Schnur added. From average ransom payments to breach costs, to first party business interruption costs, data restoration, and third party privacy liability arising out of data exfiltration, companies are looking for examples and figures to help them benchmark their risk against similar entities, and figure out how best to transfer their risk.
“They also want claims data [to help with their] cyber hygiene - if we had X and Y control in place, that would alleviate the ramifications of the severity of this event,” Schnur added. “We can’t stop these things from happening, but we can be more prepared and more resilient, so they’re looking at the data that connects truly X to Y, and [if] there’s a direct correlation, […] they really take that in. They’re very serious about obtaining that information from our partners.”
From an insurer standpoint, the industry has “gone back to square one” to determine exactly what information and controls are needed for underwriters to properly and comfortably write cyber risks, according to Brad Gow, global cyber product leader at Sompo International. He said there’s a “laundry list of technical controls” such as enabling multi-factor authentication, using endpoint detection and response tools, and having robust offline back-ups, as well as operational controls like phishing training for all employees, which are now expected of cyber conscious companies.
“A year or two ago, a lot of carriers would consider many of those items nice to have. But now they are mandatory controls that need to be in place to even be eligible for the coverage,” said Gow. He alluded to the fact – also expressed by Schnur – that a lot of companies are now paying more attention to cyber risk management and are prioritizing and fast-tracking investments in mitigation.
“Honestly, we’ve seen the result of that as we’ve handled a lot of claims in 2021,” Gow added. “Where a year ago, there may have been significant gaps in endpoint protection or problems with back-ups, we’re seeing the operational resiliency of many of our ransomware victims be improved to the point where they’re saying: ‘Hey, regardless of the fact that we have cyber insurance, and that will pay for a ransom, we do not want to pay for the ransom and we’re not going to be forwarding the Bitcoin. We will restore from backups and do it ourselves. We don’t want to encourage the bad guys to continue this behaviour.’”
Schnur said that when companies suffer a cyber event – whether it’s a ransomware attack, data breach, a social engineering incident, or something else – it is often “baptism by fire”. Insureds typically learn from those events and enact mitigating tools and strategies so they never suffer the same event again. But then they worry about when their risk management practices will become obsolete – a fair concern in an age where the cyber threat landscape is constantly evolving.
“They’re really struggling with how to stay on top of the security product and service market to make sure that it not only fits their [technology] stack, but that it’s not just really, truly patching (no pun intended) for today and not for the future,” she said. “So, we’re constantly talking about that with our clients […] but they have to get through the elementary controls first.
“If we can’t get [insureds to implement] those elementary controls, there are some cases where we cannot procure insurance. I fought the word ‘hard’ market for a very long time, and I was using the phrase ‘challenging’ market up until probably Q1 of this year. A hard market is when you cannot procure insurance, you cannot find a solution or a risk transfer product for your client, and in certain industry classes in certain areas, we are there - whether it be in filling limits in a tower or just a one-layer limit program - [and that’s] because they don’t have even the basic controls in place as of today, and the underwriting community just don’t have the appetite right now to take on that risk.”