Over the last year, a barrage of sophisticated ransomware attacks has thrown the nascent market for cyber insurance into upheaval, with premium increases for this important coverage averaging 25 percent [1]. This development results from substantial underwriting losses for what have proved to be high frequency/high severity claims resulting from ransomware payments and cyber extortion losses. In addition, cyber insurers, insureds and their respective agents face increasing risks in paying claims, particularly ransomware payments to entities banned by the U.S. Treasury Office of Foreign Assets Control (“OFAC”) [2].
Increased premiums are only the beginning. Cyber insurers are now underwriting based on risk assessment rather than a desire to increase market share for this relatively new line of coverage. Some insureds may be cancelled or non-renewed for failing to implement best-in-class security measures. Others may have “subjectivities” placed on renewal quotes, giving the insurer a reason to decline coverage if the insured does not install and maintain upgraded security measures. Consequently, companies are left juggling the newly intricate process of negotiating premiums and discussing the implementation of new cybersecurity defenses with their insurers pre-claim, while navigating potential criminal liability for unwittingly making ransom payments to an enemy of the United States, in the event of a ransomware or cyber-extortion payment.
The reasons for such sudden changes in the cyber insurance market are understandable. Cyber insurance is a relative infant in the insurance field, with policies generally available only in the last 10 years. For existing lines of insurance, such as first-party property insurance (e.g. fire insurance policies) and general liability, policies are typically underwritten and priced based on well-developed experience models, where an insurer can assess historical loss data related to each coverage and price the product accordingly. At its inception, cyber insurance had no historic modelling because computer technology and its adoption by business were both new and evolving. Consequently, insurers rushed to market with non-standardized coverages and premium quotations designed to buy market share rather than pay for the level of risk accepted. The onslaught of cyberattacks like ransomware and cyber extortion (often bundled together, as a hydra of business risk) changed the landscape. Insurers began losing substantial sums and are now reacting by adapting both their pricing models and their technical underwriting requirements.
Ransomware attacks can cripple a company by preventing it from accessing its own business systems until it pays a ransom, often through digital currency. Hackers can combine ransomware with cyber extortion, as they already have access to a company’s records before imposing the lockdown software that compels the ransom demand. IBM’s “Cost of a Data Breach Report 2021” [3] surveyed 500 companies and found that the average cost of a ransomware data breach was 4.62 million dollars per event. These costs include escalation, notification, lost business and response cost, but do not include the cost of the ransom itself.
Insurers are now exploring their insureds’ vulnerability as a condition of providing a premium quote, with some insurers insisting on penetration testing. If the insurer finds an intrusion risk, it imposes subjectivities requiring industry-standard cyber security and intrusion detection.
What can businesses do to respond? Inadequately represented companies may not have the knowledge base to effectively maneuver either the insurance renewal application or the implementation of necessary cyber security measures. Post-loss, the failure to properly address OFAC liabilities before payments are made can have devastating criminal and civil consequences. Moving forward, having current, continually upgraded, and documented cybersecurity defense systems, as well as dedicated legal and personnel resources and incident response plans, will continue to be important to cyber underwriters and will likely be a prerequisite for obtaining cyber coverage. Companies need trusted and adaptable legal counsel like the Data Privacy and Security Group at Prince Lobel Tye to adequately navigate the new and increasing cyber risk management obligations, including the cyber insurance renewal application process and advice on implementing insurer-required security measures and software. Before your next (or first) purchase of cyber insurance, consider your need for legal advice. We are here to help you manage your cyber risk in all respects.