Risk Adviser
Ransomware Attacks, Biometric Regulations Challenge Insurers

• Elissa Doroff
• February 2021
• 

Disruption in the cyber liability insurance market continues. The frequency and severity of ransomware attacks and the scrutiny and litigation around biometric data are all on the rise, forcing a reevaluation of how to underwrite these risks. Insurers are revisiting application processes, asking supplemental questions about monitoring and preparing for routine threats, and learning how companies capture and secure biometric data.

Ransomware is a type of malware designed to deny access to a computing system or data—usually via encryption—until a ransom is paid. Attack vectors include remote desktop protocol compromise, email phishing and software vulnerabilities.

In 2012, when ransomware first emerged, demands ranged from $500 to $50,000. Today, they can exceed $20 million. Ransomware has become an increasingly prevalent threat worldwide.

No industry is exempt. Governments, educational institutions and professional services firms are frequent targets due to a lack of cybersecurity preparedness, typically the result of lower budgets relative to larger, more regulated industries.

As ransomware attacks continue to increase in size and scope, companies can employ risk mitigation techniques, including:

• Consistent employee testing and education such as reminders to not click unfamiliar links.
• Regular backup of files.
• Network segmentation.
• Multifactor authentication.
• Frequent patching to reduce vulnerabilities.
• Crisis planning with established contacts, such as legal counsel and cybersecurity vendors.
• Testing in a remote work environment.

Organizations can explore transferring some risk and resulting costs to cyber liability insurance, typically provided under the Cyber Extortion and Ransomware Insuring agreement. The agreement provides resources such as expert privacy counsel, forensic vendors to determine incident cause and scope, and advice on completing ransom payments.

Companies applying for coverage must answer questions on file backups, recovery time objectives, network accessibility, multifactor authentication, network segmentation, and web and email filtering protocols. Expect gradually increasing premiums and coinsurance and sublimited coverage.

Data protection rules and regulations—and noncompliance penalties—are expanding. Before the Global Data Protection Regulation, California Consumer Privacy Act and Illinois Biometric Information Privacy Act, personally identifiable information was a person's name, Social Security number, and mailing or email address. Now PII includes biological or behavioral characteristics (retina or iris scans, fingerprints) and information such as race, sexual orientation and economic data.

Compliance is hard and penalties severe. Failing to meet GDPR obligations can mean suspended or banned data processing activities and/or fines of up to €10 million (US$12 million) or 2% of global revenue, whichever is greater.

Cyber liability insurance can provide a risk transfer solution. The Privacy Regulatory Insuring Agreement covers costs associated with regulatory fines, penalties and BIPA litigation expenses. Application questions focus on biometric information storage, internal and external privacy policies, privacy awareness training, data transfer mechanisms and data sharing agreements.

Ransomware attacks and increased regulatory scrutiny create new challenges. To navigate these risks, companies must establish strong and responsive insurance programs informed by specialized expertise.

Best’s Review contributor Elissa Doroff is managing director and cyber technical leader at NFP. She can be reached at elissa.doroff@nfp.com.