The Last Word
On Alert

• Lori Chordas
• April 2019
• 

Cyberhacks and breaches come in all shapes and sizes but one constant remains. Ransomware, malware-as-a service and other cyberattacks can wreak havoc on insurers and their insureds.

This year cybercrime costs are projected to top $2.1 trillion, according to Juniper Research. Included in that projection is a growing threat that insurers say could soon generate more business interruption and liability claims.

Last year was a monumental year for cryptojacking attacks. The attacks are carried out by cryptocriminals who use malware scripts to hijack users' computers and steal processing power to mine cryptocurrencies such as bitcoin and Monero.

During the first half of 2018, unauthorized cryptomining attacks were nearly 1000% higher than in the second half of 2017, according to a report by cybersecurity company Trend Micro. Some of last year's targets included Tesla, the Los Angeles Times, the Make-A-Wish Foundation and more than 4,000 U.S., Australian and U.K. government websites.

Insurers have so far been relatively unscathed by cryptojacking attacks. And they haven't had to raise rates as a result of those losses, said Stephen Vina, senior vice president and senior advisory specialist in Marsh's cyber practice.

“But soon we could see more business interruption claims, along with liability claims if criminals put cryptojacking malware onto a company's website and the company then transfers it to others,” he said.

Chubb is seeing a rise in cryptojacking claims. “As organizations become increasingly reliant on systems to run critical aspects of operations, they are becoming aware that degradations or interruptions of those systems can have greater consequences to their business,” said Patrick Thielen, senior vice president and product lead for cyber and technology errors and omissions for Chubb Financial Lines.

Cryptojacking victims are often unaware that they are targets of an attack. Last year, only one in five security professionals knew that their organization's systems had been impacted by mining malware, according to cybersecurity firm Check Point Research.

“It's difficult to quantify damage when data isn't stolen or destroyed or the cryptomining malware may ultimately end up looking like something else. So impacts of an attack may not be immediately known,” Marsh's Vina said.

Similar to other types of cyberattacks, losses generated from cryptojacking generally would fall under a traditional cyber policy, Vina said. However, the line starts to blur “when we begin talking about the usage of computing power, electricity and cloud usage. Those types of costs or financial harm may not be as clearly covered in current cyber policies,” he said.

Insurers are now educating insureds and the industry about ways to safeguard against the growing threat.

Vina hopes growing awareness will highlight the need for cyber coverage. “Often companies think they won't be a target of a cyberattack and some question why they even need the coverage. But anyone with a computer is a potential target, especially because cryptojacking isn't about the kind of information you have but about someone hijacking computing power and electricity and using it for their own purposes,” he said.

The growing investment in cryptocurrency among financial institutions will continue to attract the attention of cryptocriminals. “And if cryptocurrency becomes a widely traded commodity, i.e. has the element of anonymity and gains more widespread value to trade for real goods and services, then the incidence of cryptojacking will continue to rise,” said Sarah Stephens, head of cyber for JLT Group.