Cyberattacks: Insurers Defend Against Ransomware
Battered by losses, cyber insurers have begun to work with the government and each other to mitigate losses and find solutions to an emerging threat.
- Tom Davis
- October 2021
- Attacks Increasing: Since May 1, 2021, there have been at least 37 “significant” international cyber incidents, including the Colonial Pipeline attack that caused a spike in gas prices, according to a report from the Center for Strategic and International Studies.
- Premiums Rising: Cyber premiums have more than doubled since 2016, rising from $1.3 billion to $2.7 billion last year, according to Fred Eslami, senior financial analyst at AM Best.
- Insurers Are Selective: The cyber activity is so high now, “we can be in a position of saying to clients, ‘If you don’t have these controls in place then you’re not going to get covered for these types of attacks,’” said Tracie Grella, global head of cyber insurance for AIG.
Vishaal Hariprasad, CEO and co-founder of cyber insurer Resilience, didn't hesitate when President Joe Biden looked right at him and asked: “How can the insurance industry help drive better cyber standards for the country?”
“Auto insurance helped us get seat belts, life insurance put a cost to smoking and property insurance brought smoke detectors,” Hariprasad told Biden during a recent White House summit on cyberattacks. “Insurance has done it other places. Why not cyber?”
Now the industry that's been battered by losses from ransomware has begun to collaborate with the government and each other to share resources, mitigate losses and find solutions to what has become an emerging national security threat.
A consortium of cyber insurers earlier this year formed CyberAcuView to “use their collective expertise” to compile and analyze data to enhance cyberrisk mitigation efforts and ensure a competitive market for cyber insurance, according to a statement from the organization.
“Helping the industry more broadly understand systemic risk is one of our top initiatives,” said Mark Camillo, CEO of CyberAcuView, which is sponsored and supported by such cyber insurance underwriters as American International Group Inc., Axis Capital, Beazley, Chubb, Hartford, Liberty Mutual and Travelers.
Aon has called for the National Association of Insurance Commissioners to update its cyber reporting mechanism to “a format commensurate to where the line of business has grown,” Catherine Mulligan, global head of Aon's Reinsurance Solutions cyber practice group, said during a recent AM Best briefing on cyberattacks.
“The industry can't adequately address what we can't see,” Mulligan said. “More granular reporting would provide that additional clarity.” Right now, cyber comes “with limited direction on reporting” and “doesn't have the framework of an audit,” she said. “This was maybe appropriate when cyber was incidental and still in its earlier stages.”
At the White House summit in August, insurance industry leaders such as Hariprasad met with Biden, members of his Cabinet, his national security team and private sector and academic leaders to discuss the nation's cybersecurity efforts.
One attendee, Joshua Motta, chief executive officer and co-founder of Coalition, said the meeting was called to determine how these groups can work together to collectively improve the nation's cybersecurity.
“As the threats from ransomware and other cybercrimes accelerate, small and midsize businesses can't be left to fend for themselves. It takes a broad combination of accessible technology and aligned incentives to keep these companies safe,” Motta said.
Many insurers already have responded by raising premiums and, anecdotally, lowering limits and creating clearer policy language. They've been re-evaluating their own standards, changing their practices of underwriting, becoming more selective in issuing coverage and avoiding potential policyholders who don't have the right controls and protections in place.
“We've gotten to a point where it's a board-level concern and a concern of significance,” Mulligan said.
Cyber Premiums on the Rise
With cyberattackers benefiting from rapidly evolving digital technology, cyber premiums have more than doubled since 2016, rising from $1.3 billion to $2.7 billion last year for U.S. insurers that submit NAIC statutory filings, according to Fred Eslami, associate director at AM Best.
“In 2020, the growth in premiums for the entire commercial lines was about 4% while the growth in cyber premiums was 21%. This is a tremendous growth for this line,” Eslami said.
Peter Zaffino, president and chief executive officer of AIG, said in an August conference call that the company's cyber premium rates rose nearly 40% globally over the past year, with the largest increase in North America.
The loss and defense and cost containment (DCC) expense ratio also increased, from about 44% in 2019 to about 68% in 2020, Eslami said.
“This is a huge growth in terms of the loss ratio,” he said. “If you assume that there is a 25%, 27% underwriting expense, you're talking about a combined ratio of 96%, 97%, which seems to be high for this line.”
The trend is likely to continue, analysts say. Since May 1, 2021, there have been at least 37 “significant” international cyber incidents, including the Colonial Pipeline attack that disrupted fuel distribution and caused a spike in gas prices, according to the Center for Strategic and International Studies. In all of 2015, there were 35 such incidents, according to the report.
Indeed, ransomware demands have risen as high as $70 million—a far cry from 2015, when they were typically in the thousands of dollars, insurers and analysts say.
Some insurers say they see opportunity when companies are scrambling to get more protection against losses. Coalition, for instance, which started in 2017, places its focus squarely on cyber.
“We've realized that a computer security failure can result in bodily injury, property damage and pollution liability, and we are the only cyber insurance market that I'm aware of that, by default, covers those in our policy,” Motta said. “We just want to be able to cover more of the exposures that organizations have when technology fails.”
Insurers also have worked with the government to share what they have learned about losses and security controls, according to Tracie Grella, global head of cyber insurance for AIG.
“We certainly have been on top of it,” Grella said. “Years ago, it was more manageable. There were significant attacks that happened but they were less frequent.”
A Long History
Insurers and industry analysts say they first started to see an escalation in cyberattacks as far back as 15 years ago. Stand-alone cyber coverage was small at the time, and claims were usually reported under existing “kidnapping,” “extortion” or “casualty” coverage, depending on the kind of loss the attack caused.
“Your kidnapping ransom also included coverage for extortion. It just naturally included that,” said Grella. “So if you were placing a kidnapping or ransom policy, you would think, 'Well, what if the extortion is from a cyber means? Would that be covered?'
“And so a client or a risk manager or a broker would say, 'This policy, since it covers extortion, it should be expanded into cyber extortion.' So that change would often be made and become more standard in the coverage,” she said.
Grella said one of the problems was that, because there wasn't a lot of understanding within the specialized coverage areas to deal with cyber, “the industry didn't implement underwriting procedures around that.”
In 2014, Grella said, AIG started to engage with clients and the government on cyber scenarios that highlighted concerns around coverage response by traditional insurance policies, whether cyber should be more “affirmatively” covered, and what needed to be done to make policies more effective. Indeed, she said, AIG has been working closely with several different government agencies including the FBI, the U.S. Department of Treasury and the New York Department of Financial Services to share insights.
“The market has been going through this transition over the last number of years and more carriers [have been] getting on board,” she said. “Regulators started to ask questions and say, 'How are you measuring this exposure?'”
“In 2016, we started implementing the affirmative cyber strategy in different products and different geographies and so it's been a journey,” she said.
Mario Vitale, president of Resilience, which provides insurance coverage and cybersecurity services to protect midmarket companies, said the industry didn't initially deal with the rising problem of ransomware with the appropriate mindset because cybersecurity and cyber insurance were placed in “two different buckets.” They needed to be blended together, he said.
“Cyberrisk is too complex to be handled by risk management, risk transfer or IT/security independently. They need to be connected and integrated so that security and insurance are part of the same value proposition,” he said.
Insurers Raise Standards
With ransomware demands potentially nearing $100 million, carriers have tightened underwriting and reduced limits. There's been a boost in minimum cybersecurity standards that must be met before a company qualifies for ransomware coverage, according to Sandeep Deva, vice president of policy development for Exdion, a consulting and product organization specializing in insurtech.
If those standards aren't met, carriers will exclude ransomware from a cyber policy. Axa and Hiscox have adopted this kind of change and imposed limits on ransomware coverage in some geographic areas. Axa in France, for example, no longer covers ransom payments.
These changes have left some policyholders “scrambling for some sort of protection when they are due for renewal,” according to Deva.
“So they are not ready to offer any coverage at all. They're saying that we won't cover those losses … we won't even give you a quote on that,” he said.
The cyber activity is so high now, Grella said, “we can be in a position of saying to clients, 'If you don't have these controls in place then you're not going to get covered for these types of attacks.'”
“So that would be an incentive for organizations to invest in those controls so they can have proper insurance cover,” Grella said. “The government has looked to the insurance industry to be that incentive to help businesses improve their overall security.”
AIG is now asking more granular questions in the underwriting process “that are related to the failures that we observe when we're analyzing these losses after the incidents,” she said, adding, “We need to ensure the controls are in place to prevent those types of failures and losses.
“Because of the frequency and severity of the ransomware activity and the feeling that it's not anywhere near stopping, we need to make sure that we are focused on controls that we know specifically mitigate or reduce or prevent ransomware activity. So that's where we're focusing a lot of our underwriting, on those types of specific, granular-level questions.”
According to Exdion's Deva, “if more information is reported, then there's more data for underwriters to work with [and] come up with better coverages and better plans.”
“This would also mean that there are security protocols that are being put [in place] that are going to become more robust, and we'd be able to identify issues a lot faster,” he said. “So adding those questions that recognize the need—all of this needs to be reported. It's a big step forward. And it's a welcome step.”
Erik Weinick, attorney and co-founder of Otterbourg P.C.'s Privacy & Cybersecurity practice, said companies need to develop the same types of controls that a driver has with automobile insurance.
“Just like an auto insurance company may say to you, 'I'm sorry. If you had worn your seat belt, you wouldn't have sustained those injuries,' an insurance policy for cyber may not be enforceable if there were certain preconditions that an organization failed to take,” he said.
For example, Weinick said, cyber insurance policies could require an “educational component” or training exercise where an organization “sends out fake spoofing emails to see how the employees respond.”
“If they're responding incorrectly by clicking on a nefarious link, there's an opportunity to educate the employee on how to better deal with those emails, or to have an outside consultant come in and perform penetration testing so we can test and assess the actual electronic vulnerabilities of a particular system,” he said.
Grella said the government could take steps to compel potential policyholders to develop better controls and “tax credits are always brought up but it feels like the government is not really interested in that. But I think that could work.”
“We are involved in a lot of the conversations and the government has always viewed insurance as an area of importance with respect to cyber activity,” she said.
Mulligan said the industry needs “to continue the efforts that are already going on to address emerging trends. My view is that I would caution against any existential panic.”
“People who know me know that my motto is, 'Cooler heads will prevail,'” Mulligan said. “Collectively, we're working to build a long-term stable market for this line of business. We know that insurers have been responding to the challenges of ransomware.”