Cyber-Insurance Market Looks To Keep Up as Cyber Risks Grow, Evolve

The cyber threat continues to evolve and, with it, the cyber-insurance market. As cyber insurers attempt to keep pace with the growing exposure, premiums are increasing, and aspects of underwriters' focus are changing.

Just a few years ago, cyber-insurance rates were driven by competition rather than an actuarial measure of the risk, according to Aaron Hillebrandt, principal and consulting actuary at Pinnacle Actuarial Resources, Inc. "Now, because of that, and because of all the changes throughout the pandemic, the rate level is really struggling to catch back up. So, expect to see rate increases coming for a while," he said.

Mr. Hillebrandt made his remarks while moderating a session titled "The State of the Cyber Market and the Captive Solution" during this year's virtual Vermont Captive Insurance Association Annual Conference.

Mr. Hillebrandt cited statistics from the National Association of Insurance Commissioners that showed that while the number of cyber attacks didn't increase significantly during the COVID-19 pandemic, the success rate of attacks did increase.

Another session participant, Aarti Soni, cyber director at McGriff, noted that the hottest topic in cyber risk currently is ransomware.

"We've seen a huge uptick in ransomware attacks in the last 12 to 18 months, so much so that the cyber-insurance market and insurers that are participating in cyber coverage are trying to find ways to contain this exposure," Ms. Soni said.

Recent months have seen a number of high-profile attacks. "It's pretty difficult to determine the cause of a lot of these attacks, but we know they're increasing in frequency and severity," she said. Attackers' ransom demands have increased dramatically, Ms. Soni said, now often reaching into seven or eight figures.

"Another notable aspect of the cyber-insurance market right now is the regulatory environment," Ms. Soni said. The adoption of the General Data Protection Regulation in the European Union has prompted other countries and some US states to enact similar regulations.

"That sort of kicked off the global rush to get out a privacy law or cyber security-related law to protect consumers against their information being shared," Ms. Soni said. Several countries and several US states, including California, New York, Virginia, and Maine, have come up with their own laws surrounding data protection.

"Many of them are more and more consumer friendly and may be more challenging for companies to adhere to given the fast pace of technology, including something like biometrics," Ms. Soni said.

As the threat has grown, underwriting has changed, according to Ms. Soni.

"In terms of the underwriting environment, the effect of ransomware and then your standard garden-variety data breaches, business email compromises, because the payouts have been pretty significant on the insurance side, we've seen a really different approach to underwriting when companies are trying to procure cyber insurance," she said.

Ransomware coverages now often include sublimits and coinsurance, Ms. Soni said. "Cyber insurers are trying to figure out how to contain their exposure in this area while still offering ransomware coverage," she said.

Meanwhile, underwriters are putting greater emphasis on insureds' security controls, Ms. Soni said, "multifactor authentication being the biggest one." Underwriters are also considering backup systems, the quality of the insured's information technology team, and remote work protocols, "especially given COVID in the last year and the remote workforce," she said.

"Underwriters are asking a lot more questions around security controls just to get a handle on what companies have in place in the likely event that a ransomware attack could happen," she said.

Ms. Soni noted that cyber-insurance policies typically provide both first-party and third-party liability coverages.

Elements of cyber-insurance coverage for first-party events include incident response, cyber extortion/ransomware response, data restoration, and business interruption and contingent business interruption.

"The incident response, the traditional breach, hack, is sort of the birthplace of first-party cyber-insurance coverage because the market recognized a need to cover these malicious acts," Ms. Soni said.

If the cyber policy does cover ransomware attacks, "basically, what an insurer will do is send in a forensics vendor to determine whether the threat is credible, and then pay the ransom," Ms. Soni said. "The question really for the business is whether to pay the ransom or not. That's sort of the issue of the day."

The third-party coverages address losses arising as a result of the first-party events and include privacy liability, security liability, regulatory liability, and media liability.

"When you talk about privacy, you're talking about data, you're talking about information. When you talk about security, you're talking about computer systems or networks," Ms. Soni said. "They're often used interchangeably, while they have different meanings."

Ms. Soni suggested that businesses take steps to make sure they understand their cyber-insurance policies. "Go through your cyber-insurance policy and look for the words 'consent' and 'approve,'" she said.

Before a business calls a forensics vendor or a lawyer after a cyber attack, it's important to make sure that there is approval to do so under the insurance policy. "Any costs incurred before consent or before notice may not be covered under the policy," Ms. Soni said.

She also advised organizations to prepare for a cyber attack before it happens. Beyond cyber insurance, organizations should have an incident response plan in place and identify the response team in advance.

"You always want to keep in mind that while an event is live, the bad actor could still be in your system and still have access," Ms. Soni said.

Mr. Hillebrandt offered some cautions of his own. Among them is the fact that just as the cyber-insurance market is evolving, efforts to collect and report cyber-attack data are still evolving. "Be really careful anytime you're looking at quantitative cyber data," he said.

"One of the things we worry about as actuaries is the statistical credibility of the data," Mr. Hillebrandt said, noting that in some industries, there are still few cyber-attack data points to consider.

He also cautioned that for small businesses, the cost of data breach events can represent a much larger percentage of total revenue than for their larger counterparts.

"For those smaller companies that may feel that they don't have the time or resources to dedicate to cyber, they're the ones that truly have a catastrophic exposure to a data breach," Mr. Hillebrandt said. "So, it's really not something they can afford to overlook."

He also encouraged businesses considering writing cyber risks in their captives to take advantage of their service providers' expertise to make sure they fully understand the cyber-insurance market and the extent of their exposure.

"If you're looking at putting cyber in your captive or you're already doing that, the cyber exposure might be much more exposure to a captive than it is to a commercial carrier," Mr. Hillebrandt said. "It's not a coverage to be complacent on."