A rapidly changing cyber risk landscape requires companies to reassess defence levels regularly to minimise potential damage to their balance sheets and reputations. While cyber insurance underwriters have become very selective in their approaches, this process is having a positive effect in helping companies to identify and address their weaknesses.
The world has experienced a rise in severity and frequency of cyber-attacks. This has resulted in an increase in cost for businesses and claims for insurers.
A sharp increase in cyber incidents in Australia, particularly ransomware, has led to higher insurance claim counts and loss severity over the past two years, according to a recent Fitch Ratings report.
The Australian Cyber Security Centre (ACSC) in their latest Annual Report note the ongoing increase in frequency and severity of cyber events impacting Australian organisations.
Information from the Lockton Cyber Claims Team in London covering the last five years shows that:
Claims frequency has been increasing at an average of 13% year-on-year since 2017, and total loss has increased at an average of 80%.
Claims arising from external actors (such as data theft, malware, and social engineering) have increased by 59% as a proportion of all claims the team has witnessed between 2019 and 2020.
The share of claims specifically caused by ransomware grew from 5% of claims notified to Lockton in 2018 to 17% in 2020. Similarly, ransomware-driven claims accounted for 10% of the total cost incurred in 2018, while this figure increased to 80% in 2020.
A tough cyber market
Cyber insurance premiums have been on the rise as underwriters have adjusted pricing to reflect claims history. The shift has also resulted in some insurance buyers facing reduced limits, ransomware sub-limits and co-insurance restrictions. Additionally, insureds are noticing an increased requirement of time and resources to address stricter insurer minimum standards. These tightening market conditions, increased time and resource commitments, set against declining market capacity, might cause some companies to wonder if purchasing cyber insurance still makes financial sense.
Notwithstanding all of this bad news, even in this tense cyber risk environment, transferring cyber risk to the insurance market, as opposed to retaining it, is still likely to make commercial sense.
Survival of the fittest
Insurers are raising the floor for minimum controls for businesses and seeking greater assurances around cyber security controls before submitting a quote. Some cyber hygiene standards which were recommended two years ago are now considered ‘mandatory’.
While additional underwriter scrutiny may add further complexity and necessitate greater internal resources to provide the requisite degree of comfort to insurers, this scrutiny offers an opportunity to strengthen a company’s cyber defences. As the frequency and severity of attacks continue and as companies continue to expand their digital footprints, the greater focus on cyber hygiene protocols may be viewed as a welcome opportunity to increase resilience.
Lockton have observed a number of instances where internal IT departments have leveraged insurer minimum requirements as a key incentive for internal cyber security projects or improvements to be approved – a win for both insureds and insurers.
Add into the mix a 24/7 ‘cyber hotline’. A market-leading cyber policy typically includes a breach response team, providing immediate access to legal advisers, IT forensic consultants, specialist ransomware negotiators, and public relations and crisis management personnel. Having an experienced response team on call, ready to deal with the consequences of a cyber event, is a welcome benefit, particularly when staff may be feeling vulnerable and when time is of the essence. This maximises the ability of an insured to get back ‘up and running’ as quickly as possible.
A significant increase in claims in the last 24 months has led to breach response teams being engaged now more than ever. Lockton have observed insureds benefiting from intelligence obtained by breach response teams. By way of example, a breach response team may be dealing with the same threat actor across a number of claims over a one-month period. Expertise in how particular threat actors operate and negotiate can be priceless and has led to better outcomes on claims.
There can be some misunderstandings around what cyber insurance is and what ‘cyber cover’ a company has, in fact, purchased. Anecdotally, we are aware of businesses which thought they had purchased ‘cyber cover’ only to find that their cover was a component part of another policy. Historically, some more traditional policies, such as Professional Indemnity (PI) insurance, have extended to include limited cyber cover; however, this is often restricted to 3rd party liability (with little cover for 1st party costs, such as the breach response).
Relying on cyber cover in these more ‘general’ (i.e. not standalone cyber) policies can be risky, particularly in light of the recent Lloyd’s ‘silent cyber’ mandate which has seen cyber-related losses excluded in these policies.
A standalone cyber policy is designed specifically to respond to events involving privacy breaches (as they often happen in the ‘cyber space’) and network security breaches (e.g. the classic ransomware attack or phishing event).
Cover generally extends to both 3rd party liabilities and 1st party costs.
Openly and transparently addressing a company’s cyber strengths and weaknesses can limit potential exposure to directors and officers (D&O) claims, based on a proposition that management failed in its duties to protect the organisation appropriately.
Addressing deficiencies, having assessments performed by independent third parties and transferring the risk to insurance all assist in showing serious consideration, understanding and management of a business’s critical risk, mitigating directors’ and officers’ exposures.
Important consideration needs to be given by those organisations which are currently insured and are considering going uninsured due to increases in premiums. Whilst increased premiums and retentions can - on the face of it - make the insurance seem less appealing, choosing not to insure a business-critical risk due to increases in costs could present directors’ and officers’ liability issues, should an organisation face a significant uninsured loss. Further, even below the deductible, most insureds will still be afforded access to insurers’ crisis response providers at “panel rates”, which are often significantly reduced when compared to standard rates.
Furthermore, the process may mitigate claims of ‘greenwashing’ of environmental, social, and governance (ESG) principles, showing commitment to the S (e.g. data protection) and the G (management leadership).
Finally, contractual considerations need to be taken into account, with many organisations now under contractual obligations with third parties to carry a minimum level of cyber insurance.
Many companies, as part of purchasing a cyber insurance policy, choose to complete a full cyber risk analysis as part of the process (often using third party consultants who specialise in this area). This should ensure that the cyber threat is appropriately (and accurately) identified, mitigated, managed and then transferred.
Insurers now also provide significant ‘added value’ through information sharing, vulnerability alerts and applications that assist organisations in their broader risk posture.