Phishing and social engineering schemes continue to be among the leading causes of cyber-related losses, but emerging perils are creating a dynamic new risk landscape that may not be reflected in today’s cyber insurance policies.
Ransomware attacks, in which hackers seize control of company data and demand payment to release it, are growing more common and more sophisticated. While the ransom amounts remain small – typically in the hundreds of dollars – a new report issued late last week by underwriter Beazley revealed attacks have been four times more prominent in 2016 than they were the year previous.
Spurred on by a case in which a Los Angeles hospital paid $17,000 for the restoration of its computer network, hackers are seeking smaller amounts from smaller companies through large-scale phishing scams that compromise systems or steal data. According to the Beazley Breach Insights report, the company’s Breach Response Services unit managed more than 1,400 such attacks on behalf of clients during the first nine months of 2016 alone – up from 931 breaches during the same period last year.
Healthcare providers, financial services firms and companies in the retail and hospitality sectors are among the most targeted, the report found, and ransoms sought from companies hover in the region of $1,000.
In addition to the ransom demanded, companies are also often on the hook for expensive systems reviews as well as the issuance of data breach notifications, even if no data is removed.
Beazley’s findings reflect the anecdotal experience of other cyber risk professionals.
“We are definitely noticing an uptick in extortion claims and expect it to be a major risk in 2017,” Robert Rosenzweig, vice president and national cyber risk practice leader with DeWitt Stern, told Insurance Business America. “The majority of these attackers are less interested in selling the information than getting the ransom paid, which is often being demanded in bitcoin.”
For the most part, the insurance industry has been able to account for changing cyber risk in its policies, Rosenzweig said. Defense and indemnity costs for cyber extortion can be included in cyber insurance forms, and language specifically covering the use of bitcoin payments has been added to many products.
However, insurance brokers are advised to check a policy’s replacement/restoration clause for specific language related to ransomware and extortion. Adding a cyber extortion endorsement may require additional premium, and even if coverage is included, the scope of coverage and limits can be restrictive.
Cyber extortion coverage is frequently sub-limited, for example, with only $500,000 available for cyber extortion in a $10 million limit policy.
Policies may also place certain restraints on the insured, including requirements that the insured does not disclose it has cyber extortion coverage or that the insured must first obtain the consent of the insurer before paying the demanded ransom.
In order to advise on such policy nuances, however, brokers must be well-versed in the cyber product – something Christine Marciano, president of Cyber Data Risk Managers, isn’t confident about.
“The broker community is still so far behind in understanding what they’re selling,” Marciano said. “I get a lot of calls from brokers asking very basic questions about coverage.”
To prepare brokers for these eventualities, both Marciano and Rosenzweig are speaking on cyber extortion and other topics at Cyber Risk 2016, a global event produced by Insurance Business, on November 2.