The Risk of Underwriting: How Ransomware is Changing the Cyber Insurance Market
Who does an insurer turn to when its own systems are compromised? That question came to mind in September 2020 when insurance provider and risk management firm Arthur J. Gallagher & Co. disclosed to the U.S. Securities and Exchange Commission (SEC) that it had detected ransomware in its systems.
“We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cybersecurity and forensics professionals, and implemented our business continuity plans to minimize disruption to our customers,” the company said in its filing to the SEC—made 48 hours after detection of the attack. “As of the date hereof, we have restarted or are in the process of restarting most of our business systems. Although we are in the early stages of assessing the incident, based on the information currently known, we do not expect the incident to have a material impact on our business, operations, or financial condition.”
While the firm recovered from the event, it noted in a February 2021 filing with the SEC that cyberattacks and other incidents—including ransomware attacks—could impact future financial results.
“In the future, any material cybersecurity or data incidents, or media reports of the same, even if untrue, could cause us to experience reputational harm, loss of clients and revenue, loss of proprietary data, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard clients’ information or financial losses,” the filing explained. “Such incidents could result in confidential, personal, or proprietary information being lost or stolen, used to perpetuate fraud, maliciously made public, surreptitiously modified, or rendered inaccessible for a period of time. As we experienced in connection with the 2020 ransomware incident referred to above, during a cyberattack we might have to take our systems offline, which could interfere with services to our clients or damage our reputation. Such losses may not be insured against or not fully covered through insurance we maintain.”
The questions of what is covered under cyber insurance policies, what is not, and who has coverage to begin with are increasingly coming into play as cyber incidents continue to rise—including ones targeting the insurance sector.
For instance, in May 2021 Bloomberg reported that CNA Financial Corp.—one of the largest insurance companies in the United States—allegedly paid $40 million to hackers to restore its networks after a ransomware incident. CNA reportedly made the payment roughly two weeks after its network was compromised and company data was stolen.
[Infographic: Average remediation cost of a ransomware attack in 2021.]
This payment occurred while the cyber insurance market was experiencing a bit of turmoil. Analysis by Marsh McLennan, the largest commercial insurance broker of U.S. business based on revenues, found that clients’ cyber insurance take-up rates increased from 26 percent in 2016 to 47 percent in 2020. It saw the most interest from the education and healthcare sectors, as well as hospitality, retail, and manufacturing.
This uptick came after a series of high-profile data breaches in 2015—Anthem, Premera Blue Cross, Ashley Madison, and the U.S. Office of Personnel Management, says Mike Karbassi, chief underwriting officer for Corvus Insurance.
Karbassi adds that during this timeframe, insurance policies evolved to include cyber extortion, data recovery, business interruption, contingent business interruption, and cybercrime.
“This expanded on the traditional coverages related to data breach investigation and response costs, as well as privacy liability, regulatory and PCI fines, and penalties,” he says. “At the time, coverages related to contingent system failure, hardware replacement, bodily injury, and voluntary network shutdown were typically not included, but they have emerged in the past two years.”
But not everything is looking up for the market, according to a report by the U.S. Government Accountability Office (GAO) published in May 2021.
“Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as healthcare and education and for public-sector entities,” the GAO wrote after analyzing information from The Council of Insurance Agents and Brokers, Marsh McLennan, and AM Best. “These sources noted the contraction has resulted from factors that include increasing losses from cyberattacks, the threat of future attacks, and overall insurance market conditions.”
John Pendleton, GAO director of the financial markets and community investment team, says that when GAO was conducting its five-month assessment of the cyber insurance market in the United States, it noticed that premiums for policies began increasing in 2020 and that providers were narrowing their policies.
For instance, many began crafting standalone cyber policies for clients instead of including cyber coverage in an existing policy. These policies generally combine cyber coverage with professional liability coverage. Sources that the GAO spoke to said the increase in cyber-specific policies might be the result of a desire for clarity, and for coverage of losses arising from compromises of the confidentiality, integrity, or availability of data and systems. These standalone policies might also reduce lawsuits in the wake of a cyberattack and provide policyholders with higher cyber-specific limits.
“What we saw were prices were going up…take-up rates were going up, everything was drifting upwards,” Pendleton says. “And insurers were getting more specific in what they were covering.”
For instance, GAO found that insurance underwriters were “more carefully scrutinizing” the risks posed by entities, a trend that could affect future insurance availability and affordability.
“They noted that insurers have become more selective in extending coverage to high-risk entities and industries and increasing prices of coverage they offer,” the report said. “This caution has been in response to the increasing frequency, severity, and cost of cyberattacks and uncertainty about the type, scope, and targets of future attacks.”
In 2020 and the beginning of 2021, organizations were repeatedly infected with ransomware. Threat actors also increased the likelihood that ransoms would be paid by threatening to publish sensitive corporate information if the victim did not pay the ransom. This occurred while the average cost of remediating a ransomware attack more than doubled, according to The State of Ransomware 2021 global survey from Sophos.
“Remediation costs, including business downtime, lost orders, operational costs, and more, grew from an average of $761,106 in 2020 to $1.85 million in 2021,” the survey assessed. “This means that the average cost of recovering from a ransomware attack is now 10 times the size of the ransom payment, on average.”
The survey also found that the number of organizations that paid a ransom increased from 26 percent in 2020 to 32 percent in 2021; however, less than 10 percent got all their data back.
Included in these costs, ironically, are likely cyber insurance premium increases, according to consulting firm Deloitte.
“There is little public data available on actual premium increases following cyberattacks,” Deloitte said in a CFO fact sheet. “Deloitte conducted informal research among leading providers of cyber insurance and found that it is not uncommon for a policyholder to face a 200 percent increase in premiums for the same coverage, or possibly even be denied coverage until stringent conditions are met following a cyber incident.”
The GAO’s assessment also found that insurance brokers expect premium increases in 2021 for larger high-risk industries. Many insurers have also begun to reduce coverage for ransomware and for higher-risk sectors, such as healthcare and education.
“Policies have evolved in the COVID-19 era, but likely not because of the pandemic so much as the increased frequency and severity of ransomware claims,” Karbassi says. “Insurers experienced tough losses over the past year and a half, and are starting to make adjustments beyond rate increases to their policy forms.”
In some instances, these adjustments include co-insurance or sub-limits on ransomware coverage. Underwriters have also started requiring that cyber insurance applicants confirm robust IT security protections exist prior to binding coverage, such as multi-factor authentication usage, email filtering tools, and a comprehensive network redundancy strategy.
“Industry participants have noted that insurers have been tightening policy terms and conditions for cyber-specific policies,” the GAO wrote. “They also have been adding exclusions to traditional lines of coverage and package policies with cyber endorsements to avoid any ambiguity that coverages would overlap with cyber policies. These restrictions seek to eliminate coverage of ‘silent’ cyber risks that could damage multiple businesses and result in insurers accumulating significant unforeseen losses that could pose a risk to their solvency.”
Also posing a challenge for insurers is the lack of data that could be used for risk forecasting and modeling. This is partly because cyber is still a young area for insurance coverage, but also because there are often few—if any—reporting requirements for cyber incidents, which prevents insurers from developing a database of historical incidents to analyze.
“In addition, a 2020 report by the International Association of Insurance Supervisors noted that incomplete or inaccurate historical data on cyber incidents decreases the reliability of actuarial models, leading to increases in uncertainty around loss estimates,” the GAO wrote. “Without access to such data, some industry participants and researchers are concerned that current prices for cyber policies may not accurately reflect risk.”
At Corvus, for instance, Karbassi says the firm’s data science and engineering teams have created a scan that looks for vulnerabilities in a potential account’s external IT infrastructure. The scan results are then used to generate a score so underwriters can assess the account.
“The scan looks at obvious aspects, such as the company’s public-facing website, as well as less obvious ones, such as vulnerabilities in bits of software embedded in a company’s Web applications, or unused domains owned by the company,” he explains.
There are some initiatives underway to address the industrywide dearth of data, including a recommendation by the U.S. Cyberspace Solarium Commission to have Congress create an entity to understand cyber risk and help insurers craft better risk models.
The recommendation, however, had not been translated into legislation as of Security Management’s press time.