How the Pandemic and Ransomware conspired to fundamentally shift the Cyber Insurance Market
Written by: Reid Putnam, Scott McGinness and Terry Ford from Gregory & Appel Inc.
Over the last 7-10 years, Cyber Insurance (formerly known as Cyber Liability) has grown exponentially in its adoption rate and has been incorporated into many, if not most, businesses’ Commercial Insurance Portfolios.
To a large extent, Cyber Insurance has become a Duty of Care coverage on par with Property, General Liability, Auto, Workers’ Comp and Management Liability lines of coverage.
During this period (and specifically before March of 2020), the Cyber Insurance industry saw an influx of capital as Insurers saw a burgeoning marketplace and a new coverage to sell.
This created intense competition, and we saw the coverage grants and wrap-around services offered by insurance carriers evolve every 3-6 months. It also kept pricing (premiums) and retentions (deductibles) relatively low and competitive.
What is Cyber Insurance?
At its core, Cyber Insurance is Privacy and Network Security Insurance. It is about your business’ obligation to keep private information private, confidential information confidential and your network secure from intrusion.
Hold any level of Personally Identifiable Information (PII), Protected Health Information (PHI), payment card data (PCI), or Confidential Corporate Information? Your business could be subject to Federal Regulations (such as HIPAA or Gramm-Leach-Bliley), State Breach Statutes, or Confidentiality clauses contained in Client and Vendor agreements.
Beyond third-party liability claims (from parties who might sue over alleged harm caused by inappropriate or unauthorized access to their private/confidential information), there are certain expenses a business will incur simply because it has had a breach (inappropriate or unauthorized access or disclosure), such as:
- IT Forensics Investigations
- Breach Coaching (Lawyers experienced in Breach Response and Legal obligations)
- Notification Expenses to affected individuals and parties
- Credit Monitoring/ID Restoration
- Public Relations Expenses
- Business Interruption and Extra Expenses
- Bricking (the rendering of your hardware useless because of malicious programming)
And there are more.
In March of 2020, because of the Covid pandemic, a vast cross-section of the workforce began working from home. In this new remote environment, Bad Actors (hackers) exploited known and previously unknown vulnerabilities to deploy ransomware.
As a result, both the frequency and severity of ransomware attacks exploded over the 18 months that followed, and the insurable claims triggered by these attacks exploded with them. The net effect is that the insurance market has paid out dramatically more in cyber claims over the last two fiscal years than it collected in cyber premiums, making the line unprofitable.
The losses are not confined to pipelines, government agencies, meat processors, and cell phone carriers. Industry statistics regularly cite that two-thirds of ransomware claims involve small to medium-sized businesses. For hospitality risks, these bad actors present as unwelcome and uninvited guests.
Typical exposures for management companies are the large number of users (guests who visit the property and connect to its Wi-Fi) and the records held (proprietary, personal, and confidentially protected).
For self-managed resorts, HOAs, COAs and hotels, the same applies, including the PII and PCI data typically on file. What makes them especially vulnerable, however, is their size.
They can lack the resources to adequately prevent a breach or ransomware attack, compared with management companies, which may have their own IT department and risk management team focused on preventing cyber-related attacks.
Ransomware, at its core, is a business model. It makes money by extorting payment, usually in cryptocurrency such as Bitcoin, from the victim business in exchange for a decryption key to restore its network and information (and, increasingly, for a promise not to publish data the attackers have also stolen).
So, beginning around the start of 2021, the Cyber Insurance market started a dramatic shift. Premiums/rates rose (and continue to rise) steeply. We see retentions in some cases double, increased use of Co-Insurance/Co-Participation clauses, and available capacity (limits) contracting as insurance carriers attempt to manage their portfolios back to profitability.
There has also been a return to Underwriting Discipline that was lacking in the previous soft market cycle. This means that Insurance Carrier Underwriters are asking more questions and require more detailed information to assess their (and the client business’s) risk.
Much of this focus has been on Ransomware Controls
Ransomware Controls are the technical, policy, and procedural risk mitigation efforts a business would employ to prevent, mitigate, and manage a ransomware attack.
Statistically, most ransomware attacks arise from a business email compromise.
The Bad Actor has stolen a user’s login credentials, which allows them to run phishing, spear-phishing, and invoice-manipulation campaigns from a trusted mailbox.
This also creates a front door: the Bad Actor can send communications with fraudulent links or attachments that carry the ransomware payload.
When an unwitting user clicks that link or opens that attachment, the payload executes and gives the Bad Actor a foothold on the network.
So, insurance carriers are asking questions about the efforts of businesses to prevent these specific attacks.
- Do you train your employees on Cyber Awareness and Good Cyber Hygiene?
- Do you have a written Incident Response Plan, and do you exercise it with a Table Top Breach exercise?
- Do you have Multi-factor Authentication (MFA) on Email, Remote Desktop Protocol (RDP)/Virtual Desktop Infrastructure (VDI), and Privileged/Admin Access Accounts?
- Do you have Endpoint Detection and Response (EDR) tools?
- Do you have end-of-life / end-of-support hardware or applications running on your network?
- How do you manage backups (are they kept offline or immutable, and are restores tested)?
- Are you segmenting your network and encrypting data at rest and in transit?
And there are more.
In today’s Cyber Insurance market, coverage is essential for effective risk transfer but is also increasingly onerous to acquire.
For example, MFA should be considered table-stakes for any business wishing to apply for and purchase any reasonable and beneficial Cyber Insurance.
Without MFA deployed in the three critical areas (Email, RDP/VDI, and Privileged Access), it is unlikely that you can even get a Cyber Insurance quote that includes Extortion Demand Coverage or any coverage for ransomware related losses.
An effective Cyber Risk Management program engages both good cyber security controls on the front end, to prevent and mitigate attacks, and good Cyber Insurance on the back end, to transfer the residual risk off the business’s balance sheet and onto the insurance carrier’s.
We will often counsel clients to take the Cyber Insurance Application and the Ransomware Supplemental Questionnaire and read them differently: turn them sideways and squint, and you are looking at a checklist of controls to consider implementing for an effective and necessary Cyber Risk Management plan.
Do you have industry knowledge, advice and experience that you’d like to share with your colleagues in the hospitality industry? Would you like to feature on the IHS website and be acknowledged by your peers? Then why not write for IHS? Contact the editorial team to discuss your ideas and suggestions or read more about how you can contribute.