As insurance products go, cyber is in its youth. It’s a teenager, about 15 years old for argument’s sake. In its earlier years, it was widely misunderstood and easily dismissed unless your business model was truly e-commerce. However, as businesses of all types and sizes moved to the cloud and SaaS replaced in-house software on a LAN, more and more business processes were automated, and more data was accessible from anywhere.
All types of insurers got into the game: Standard P&C carriers, specialty and E&S carriers, London markets, Lloyd’s syndicates, and recently InsurTech ventures. Supply arguably overwhelmed demand and each new entrant’s innovation forced competitors to evolve or at least catch-up lest they miss-out on the demand that was sure to come.
Evolution of Product
Early focus was on the breach event: hackers infiltrate your system or a thief steals a laptop and personal identifiable information (PII), personal health information (PHI), or customer credit card transactions (PCI) are taken. The costs of the immediate breach response would be covered by the cyber policy’s so-called first-party coverages (forensic IT, notification campaign costs, legal costs, etc.). Any legal liability from subsequent claims, lawsuits, or regulatory enforcements could be covered by the policy’s third-party coverages (various forms of liability insurance).
Eventually, the product expanded to include forms of crime/fraud coverage, business interruption (caused by your network’s interruption or one you depend on), data restoration costs, extra expense, bricking, cryptocurrency (for payment of ransoms), and others.
Evolution of Losses
Not that many years ago, most small-to-medium enterprises (SME) thought the bad guys only wanted to hack large corporations and many were not conversant in terms such as phishing, malware, ransomware, social engineering fraud, and business email compromise.
There is a misconception that cyber risk is mainly limited to large companies. According to the most recent NetDiligence Cyber Claims Study, incident costs continue to increase, and most cyber incidents (98%) are impacting SMEs as opposed to large corporations (organizations with >$2 billion annual revenue). While the overall costs of breaches at larger companies are naturally higher, the risks to SMEs is higher than it has ever been and is intensifying.
According to cybersecurity firm Coveware, the average ransomware payout has grown from less than $10,000 per event in 2018 to $154,108 per event in the 4th quarter of 2020. The U.S. provides a target-rich environment for cyber criminals with roughly 30 million SMEs.
Targeted Exposures
As uptake of cyber insurance has grown in recent years, so too has the insurers’ knowledge of what exposures matter and why loss events happen. Three items of intensifying focus are multi-factor authentication (MFA), open RDP ports (remote desktop protocol), and employee training. The criminal element sees such opportunity for gain; they’ll try both the “hacker’s way in” and the “human way in.” If security measures such as MFA are not adopted and good IT hygiene is not followed (closing RDPs), infiltration techniques abound for hackers to gain entry onto networks and devices.
Another burgeoning effort of infiltration is social engineering fraud, or simply schemes involving human interaction whereby the criminal gains a person’s attention and gets them to participate in a fraud (“Good morning, Jane. It’s CEO, Jack. You need to wire money immediately for a deal with our largest client, XYZ industries”).
What to Expect at Renewal?
With insurers taking losses on Cyber policies and both frequency in certain types of events and severity of events (dollars involved and downtime) increasing, underwriters are beginning to act. Although it’s impossible to provide specific pricing guidance in a post like this, it’s likely a safe bet Cyber renewal premiums in 2021 will increase by a double-digit percentage (e.g., 10% to 20% or higher in certain circumstances: programs that have sustained losses or fail to demonstrate effective controls).
In addition:
- Retentions will likely increase.
- Limits may be reduced overall or restructured throughout the policy.
- Underwriting will be more robust. Longer applications or supplemental questionnaires will be required.
- Get an early start. There is still capacity in the marketplace but securing alternate quotes will require time and a robust submission. Effective negotiation with an incumbent carrier will require the same. The Cyber renewal cannot be an afterthought or last-minute affair.
Correspondingly, underwriters are scrutinizing underwriting submissions and are insistent upon receiving specific information about an organization’s risk management security controls, policies, and protocols. One leading market will not provide a renewal or new business quote if multi-factor authentication procedures are not in place. Most computer systems are set up with MFA capabilities but need to be engaged. Costs range from $2 to $5 per user, per month.
Additional security controls include the following:
- Segregated Back-Ups
- Closed Computer Portals
- Encryption
- Employee Phishing training
- VPN Usage
We recommend you work with your technology department or third-party technology consultant to review and implement any of these controls. Employing these procedures will not only result in a more favorable renewal premium but will better safeguard your system against attacks.