Insurers Face Evolving Cyberrisk From Costly Hacks, Deepfake Attacks and Sophisticated Ransomware
Because cyberattacks can affect a range of coverages including business interruption and reputational risk, insurers are forced to constantly update their coverage tactics.
CYBERATTACK: Russian hackers targeted SolarWinds network software because it was used by government entities. The result? Some 18,000 customers’ data was exposed to criminal intelligence gatherers.
The Emerging Risks Special Section is sponsored by Finys. Click on the microphone icon to listen to the Finys podcast.
- An Evolving Problem: Cyberrisk is continually changing and evolving as more sophisticated tools fall into the hands of criminals.
- Security Is Paramount: Insurance companies need to pay attention to their own security best practices, as well as the practices of their insureds to minimize risk.
- Balancing Needs: As cyberattacks lead to greater losses, insurers have to strike the right balance between providing coverage and managing losses.
Early estimates for insured losses associated with the December SolarWinds hack are pegged at about $90 million, according to security ratings firm BitSight. This figure may be low, however, as the full extent of the attack is still unfolding. According to Microsoft President Brad Smith, SolarWinds is “the largest and most sophisticated attack the world has ever seen.” What happened?
Hackers, believed to be Russian, breached utility software from SolarWinds Corp. The compromised Orion network monitoring software was later downloaded by some 18,000 SolarWinds customers, many of which were government entities. The hackers were able to tunnel into the systems of those customers and access things such as emails from the United States Commerce, Justice and Treasury departments. U.S. intelligence agencies believe, for the moment, that the SolarWinds hack was meant to gather intelligence rather than to cause destruction or seek money via ransomware.
SolarWinds software was used by thousands of public and private organizations around the world, which points to the gravity and potentially catastrophic nature of the losses, either economic or insured, noted Fred Eslami, associate director North American property and casualty, AM Best. “Unlike natural catastrophes for which we have historical data and information, for cyber there is no reliable historical or result-oriented data that can be used to estimate losses. Every cyber incident is unique,” he said.
That's what makes them so worrisome.
Unlike natural catastrophes for which we have historical data and information, for cyber there is no reliable historical or result-oriented data that can be used to estimate losses. Every cyber incident is unique.
Cyber is a dynamic risk that knows no customer boundaries or geographic borders. Moreover, cyberattacks have wide-ranging implications for businesses, including business interruption, data loss and potential third-party liability as well as reputational risk, said Lori Bailey, global head of cyberrisk at Zurich Insurance Group. “As both the frequency and severity of cyber incidents increase, it will be important to provide support in building resilience, strong response services and relevant coverage for customers.”
Unlike other lines of business where the risk landscape stays relatively static, the cyberrisk landscape is continually evolving. For instance, artificial intelligence and machine learning are aiding social engineering and deepfake attacks at the same time the threat from ransomware and cloud provider outages are rising.
The different types of attacks, techniques and impacts all have an ability to change the coverage and policies being offered. For this reason, cyberrisk insurance coverages and policies will need to be updated constantly.
Brittany Baker, director of technical sales at CyberCube, a cyber data analytics company, said the changing regulatory landscape doesn't help. “As new regulations are introduced, coverages may be adjusted to reflect these changes. We've seen this in the past with increased data breach notification regulations leading to the creation and take-up of coverages that indemnify insureds for the cost of notifying customers in the event of a breach.”
Zurich's Bailey says cyber insurance has so far kept pace with the changes in technology, regulation and customer demand. This has led to many extensions and broadening of coverage on cyber policies. Though capacity has been reduced in recent months thanks to the jump in frequency and severity of incidents, the cyber insurance market is meeting its customers' needs, according to Bailey.
Cyber insurers have been forced to reckon with this change in various ways, according to Thomas Johansmeyer, head of PCS, Verisk. Historically, cyber was a buyer's market. Pricing was generally considered to be attainable. As a result, returns relative to the capital provided were seen as a bit slim. “Over the past couple of years, 2020 in particular, the increase in cyberattacks, particularly ransomware, alongside increased market penetration has unsurprisingly led to increases in insured loss,” said Johansmeyer. When companies see an increase in loss they have to consider both the prices and the protection, and the amount of capacity they are going to allocate to it.
For example, Beazley plc Chief Underwriting Officer Adrian Cox expects the highest rates changes in Beazley's book in cyber insurance this year. “The market is moving very fast” and is “the most dislocated one we have at the moment,” Cox said during a February earnings call.
As insureds seek more coverage, carriers need to better understand their exposure and adjust their risk management techniques. One impact this has had is the increased attention and the tightening of wording in noncyber lines of business to decrease exposure to silent cyber.
Over the past couple of years, 2020 in particular, the increase in cyberattacks, particularly ransomware, alongside increased market penetration, has unsurprisingly led to increases in insured loss.
The top two cyberrisks facing insurers are social engineering attacks and cloud outages, whether forced or incidental, said CyberCube.
Insurers need to pay particularly close attention to social engineering and “ensure that the risk management frameworks, security strategies, analytics tools and catastrophe models take this emerging threat into consideration,” said Darren Thomson, head of cybersecurity strategy at CyberCube.
Advances in artificial intelligence and machine learning will, unfortunately, supercharge social engineering techniques, such as phishing, and increase the impact of these attacks. “Social engineering is often used to open up opportunities for ransomware and destructive malware. Advances will likely cause these attack types to increase in severity,” noted Thomson.
Cloud provider outages are another cyberrisk that can take down large portions of the internet and the businesses that rely on those servers. For example, Amazon AWS suffered an outage in November for several hours that impacted a number of companies, including 1Password, Autodesk, Coinbase, Glassdoor, Flickr, Pocket, RadioLab, Roku, Vonage as well as several newspapers. Luckily it was a short outage, relatively speaking.
“Looking at this through the lens of cyber insurance, most coverages typically come with an eight- to 12-hour waiting period retention, which an insured must bear before coverage applies,” explained Thomson. “So, 'disaster,' at least from an insurance perspective, hasn't really occurred in the cloud yet.” CyberCube believes a 16-plus hour event—most likely caused by malicious actors—will happen at some point in the next five years and will lead to major loss accumulation on a national scale.
Zurich agrees with this basic position. It sees the increased use of cloud technologies and remote work taking greater prevalence in terms of cyberrisk. Zurich's Bailey said, “Whether assessing technological interdependencies with the supply chain or building contingencies into risk management response plans, this is a risk that all companies face and must address.”
Historically, insurers in the cyber category have relied heavily on reinsurance. Verisk estimates there are $5 billion in global cyber premiums and it believes the cyber reinsurance premium is around $2.5 billion worldwide. “So a lot of reinsurance gets purchased,” said Verisk's Johansmeyer. “Insurers haven't held as much of the risk as you might think.”
Ransomware a Zero Sum Game?
Ransomware forces victims to gamble. Do insureds pay the ransom to regain access to their systems or call the perpetrator's bluff? That's a question the City of Baltimore faced.
In 2019, Baltimore was hit with a ransomware attack wherein hackers accessed city systems and locked city employees out. Baltimore chose not to pay the $80,000 ransom demanded by the attackers. As a result, it cost the city some $18 million in fees for new computer hardware, lost revenue and remediation efforts.
“Why don't we just pay the ransom?” posed Mayor Bernard C. “Jack“ Young in a televised press conference in June 2019. “First, we've been advised by both the Secret Service and the FBI not to pay the ransom.” (This is the official position of the federal government.) “Second, that's just not the way we operate. We won't reward criminal behavior.” Perhaps most importantly, “If we paid the ransom, there is no guarantee they can or will unlock our system.” Baltimore officials believed the city would still be on the hook for the remediation costs even if it paid the ransom.
The right approach isn't always so easy to see. “If your operation is halted because of the ransomware, I don't think you have any choice,” said Best's Eslami. “Look at hospitals. If the attack is going to kill patients, you go and you pay the ransom.”
Ransomware claims have been increasing in both frequency and severity over the past few years, noted CyberCube's Baker. “While there are simple, straightforward cyber hygiene best practices to incentivize in their insureds, insurance carriers and risk managers should understand that this risk can occur across many industries and company sizes.”
Even those insured companies that don't have a lot of direct exposure to cyberrisk may be reliant upon software and technology that appeal to certain types of attacks. The SolarWinds hack and Amazon AWS outage are prime examples. “When these major targets, known as single points of failure, experience ransomware events there is the potential for major cascading impacts across an insurance carrier's book of business,” said Baker.
The increased prevalence of ransomware incidents means insurers are looking much more closely at risk controls and network security management as well as how quickly an organization can restore capabilities if its systems are compromised in an attack, said Zurich's Bailey. From a risk management perspective, focus areas should include protective controls, monitoring and employee awareness as well as backup and recovery measures to minimize the impact of any ransomware event.
US P/C Industry – Top 20 Cyber Insurers, 2018-2019
||% of Cybersecurity DPW
||2018-2019 DPW Change (%)
||Market Share (%)
||Chubb INA Group
||XL Reinsurance America Group (AXA XL)
||American International Group
||Beazley USA Insurance Group
||AXIS US Operations
||CNA Insurance Companies
||BCS Financial Group
||Liberty Mutual Insurance Companies
||Fairfax Financial (USA) Group
||Hartford Insurance Group
||Tokio Marine US PC Group
||Sompo Holdings US Group
||Zurich Insurance US PC Group
||Berkshire Hathaway Insurance Group
||W. R. Berkley Insurance Group
||The Cincinnati Insurance Companies
||Aspen US Insurance Group
||Markel Corporation Group
||Alleghany Corporation Group
||Total P/C Industry
Ranked by 2019 total standalone and packaged cybersecurity direct premiums written.