The evolution of cyber insurance policies
The rise of ransomware in the last couple of years has been well reported as it has crippled organisations worldwide. The uptick in ransomware has led victim organisations to look for the cheapest and most legally compliant way out in the face of an attack. As such, many organisations have prioritised adopting cyber insurance programs. Whilst cyber insurance has developed in tandem with cyber risks, staying ahead of these risks and being able to predict outcomes has proved a difficult task and a unique challenge for underwriters and brokers alike.
Growth in the insurance market
As a result, the cyber insurance market has been valued at $3 billion and is predicted to reach $25 billion by 2026. The industry is measured by gross written premiums and, given the steady increase in reliance on an interconnected technological world, it is easy to understand how cyber insurance was once considered to be a profitable business. However, as ransomware has steadily grown so have the pay-outs accompanying such attacks, with the average ransomware pay-out reaching almost $250,000 in 2021.
The one common thread among all these attacks is that ransomware gangs are “suddenly everywhere, seemingly unstoppable—and very successful.” Insurance vernacular would characterise these attacks as “frequent and severe”. This is a measurement that puts underwriters on high alert, as business profits may be called into question if the loss ratio begins to escalate.
Cyber underwriters in this space do not have the decades of actuarial loss data that other lines of business, such as environmental or property, have. This became a significant disadvantage when the severity of ransomware incidents reached a notable level in 2020, and it has grown since. If and when there isn’t enough capacity in the marketplace, and if claim pay-outs exhaust policy limits, it becomes harder for underwriters to adjust pricing matrices to capture the uncertainty of the market.
Cyber insurance over security technology and processes
The best way to secure any organisation and put in place the most relevant insurance policy is to ensure cyber security best practices are in place. While many basic cyber security processes can go a long way in protecting organisations, defending against the largest hacks requires substantial cyber security investment. However, this ideal breaks down when businesses operate in a market that encourages cyber insurance policy purchases over large IT expenditures.
Cyber insurance policies should not mean a company becomes complacent with its cyber security. Bad actors have learnt about the rise in cyber insurance and, in some cases, use this against the victim. DarkSide, a successful ransomware gang, recommended to Guess, a recent target organisation, “...use your insurance, which just covers this case.” The group continued to suggest that “...we do not require more than the amount of cyber insurance...” An example of this occurred even more recently when the Hive ransomware group demanded £500,000 after an attack on Wootton Upper School in Bedfordshire, knowing that this was the amount covered by the school’s cyber insurance policy.
These threat actors are now able to identify which companies will cave and which insurers are willing to fund these payments, adding a layer of complexity to double extortion methods.
The company no longer needs deep pockets to pay as long as the hackers can get into the data room, find the insurance policy and make a ransom demand that either matches the policy limit or comes in below it. The question becomes: if you have a higher policy limit, will this increase the likelihood that someone will exploit you? This query underlines the absolute necessity of best practice cyber security, even with an insurance policy in place.
The severity of ransomware attacks is also pushing carriers to increase premiums and to design stricter underwriting guidelines. Pricing increases and restricted coverage may only be a short-term solution. However, designing stricter underwriting guidelines can be extremely effective as a long-term solution, as it addresses one of the root causes insurance is trying to help remediate: an unprepared organisation.
Just by completing an underwriting application, an organisation can learn a bit about best practices and risks. These applications have evolved to be more assessment-like. Certainly, now with stricter underwriting guidelines, insurers, brokers and even cyber security companies can take on the role of an advisor or an assessor. Indeed, insurers are now uniquely positioned and can play a leading role in helping to de-escalate ransomware demands.
Going forward, new applications will have to meet much stricter requirements to obtain coverage via an insurance policy. These requirements may include the implementation of multi-factor authentication, managed detection and response tools and 24/7 SOC capabilities, the existence of backups, or proof that the organisation employs dedicated experts such as a CISO or holds established relationships with external IR teams. Cyber security training and regular pen testing may also be required. Some carriers will add sublimits, and some may even insert exclusions for damages or costs arising out of certain known events, such as SolarWinds. Some may even require the mitigation of certain vulnerabilities, such as Log4j, prior to purchasing the policy.
Evolving industry standards
Recently, Lloyd’s of London announced the latest evolution in the cyber insurance market, marking another unintended consequence of ransomware. Lloyd’s has been a long-time leader in the insurance market and is known for creating innovative cyber policies covering complex risks, so it would not be surprising to see other carriers follow suit; this makes the mandate extremely impactful. The war risk exclusion announced on August 16 makes it mandatory to specifically exempt coverage for losses “arising from a war,” as well as from state-backed cyberattacks that “significantly impair the ability of a state to function,” or which impact a state’s security capabilities. It further mandates that syndicates have a clear system for attributing an attack to a state-based actor.
The move to make the exclusion clear and unambiguous is an important step for the industry. However, as the burden is on the carriers to defend the exclusion, one must question whether they have thought through the implications of that defence. The challenges lie in making a confident call on attribution and gathering the most appropriate parties to assist in that call, as well as in the competitive stance each carrier might take in developing the process.
Government advice may be untenable for business
Governments worldwide are consistent in their advice that victims should not pay ransoms, as doing so encourages future cyber crime. This position may become untenable over time, because attacks are becoming more frequent and victims are being held hostage, often publicly.
Most ransomware attacks are perpetrated by teams of experts, and despite the protection basic cyber security processes can offer, it is ultimately substantial IT investment by the Board that will prepare organisations. Ransom demands, insurance policy premiums, forensic investigations, and class action lawsuits are all rising in frequency and cost. The expense has become unsustainable, especially for small- and medium-sized businesses, where reputational damage can also be devastating.
Cyber insurance shouldn’t simply be a reactive policy
Organisations should champion cyber insurance as a core business programme rather than a reactive policy. Cyber threats are only increasing, and the onus is on private businesses to seek methods that mitigate and prevent attacks. Hardening the organisation’s security posture is becoming a vital way to access insurance cover, while working to maximise the cyber health of the company.