In May this year, news that CNA Financial had caved in to ransomware hackers shocked the business community.
As one of the largest insurance companies in the US, its decision to capitulate and pay the hackers US$40mn, after the attack stole data and blocked access to the company’s network, was a cold-water wake-up call to the global insurance community.
But far from being a knee-jerk reaction to the crisis, paying off the cybercriminals was a last resort for CNA Financial, which had announced at the end of March that it had been hacked, called in experts and law enforcement to address the breach, and launched a full-scale investigation.
Ultimately, though, such efforts proved fruitless, and in the end, fearing for its reputation, the continued leak of precious data and the ongoing loss of network access, CNA threw up its proverbial hands and paid the ransom.
The evolution of ransomware
Cyber-attacks follow a typical pattern: they lock up a target’s network or hold its data to ransom. Although such attacks are on the rise, a recent report by the Financial Times stated that only around half of businesses in the US had purchased cyber insurance, with ransomware, loss of business and data delivery covered under those policies.
But because of the number of attacks, the cost of cover is rising: a study by the insurance broker Aon showed that cyber insurance premiums rose 27% between April and May 2021, compared to the same period in 2020.
The cost of cyber insurance
According to Brian Pinnock, director of sales engineering EMEA at Mimecast, the growth of the cyber insurance industry is virtually unprecedented. He points out that estimates suggest the market, which was valued at $7bn in 2020, will be worth between $20-26bn in 2026.
Pinnock says that despite the growing demand, figures also suggest that demand is not being adequately met by insurers, with many of them experiencing a relatively slow uptake from clients. This is despite the increasing threats to businesses, which have been “growing exponentially since the start of the pandemic.”
Pinnock says there are a number of reasons for this, including the fact that cybersecurity risk assessments of businesses are notoriously difficult to quantify. He says many small businesses are not covered because of the mistaken belief that small businesses face fewer security risks, or are less likely to be attacked, than their larger counterparts. “On top of this, it’s hard to quantify the security risks a business is facing at any one time; this can therefore make cyber insurance a difficult product for insurers to underwrite.”
The fact that some insurers have been unwilling to cover damage caused by a cyber breach has also given the sector bad press, leaving businesses lacking faith in the policies on offer. “In a few high-profile cases, coverage has been refused by insurers for organisations who have fallen victim to cyber-attacks.”
Pinnock references a 2017 attack on a large food manufacturer whose cyber insurance claims were denied when it was targeted in the wave of NotPetya attacks. This, he says, was because the attack was considered to fall under ‘acts of war’, which its insurer had excluded under a clause in the policy.
Taking cybersecurity seriously
A recent study by Munich Re found that although many C-suite level staff are concerned about the growing risk cyber threats pose to their business, as many as 17% do not know about the cyber insurance products available to them.
This suggests that although the demand is there, as well as awareness of the numerous cyber threats, there is a knowledge gap when it comes to the solutions available to businesses that can help them mitigate the damage of attacks.
Pinnock says it is therefore up to insurers and providers of cyber insurance products to invest in educating C-level staff about the products they offer and the benefits they can bring; this could be done through increased advertising and even strategic partnerships with cybersecurity firms.
Cybersecurity policy improvements
Cyber insurance companies need to address the challenges of the cybersecurity space, creating more awareness and defining cover for customers. The underwriting process, says Pinnock, could also do with an overhaul. He explains that insurers continue to face numerous challenges when it comes to managing insurance claims. There is a lack of transparency between insurers and customers when it comes to what exactly is covered by standalone cyber insurance products.
“Due to vague and broad definitions, organisations may often find out, just when they need it most, that their coverage is less comprehensive than originally perceived.
“This issue also applies to more general insurance policies taken out by businesses and has led to a rise in what is known as ‘silent cyber risks’; such risks are implicitly covered in traditional insurance policies, as opposed to being specifically stated, and therefore must be interpreted with nuance.”
Another key challenge, he points out, is the lack of industry-wide minimum standards. In the current underwriting process, much interpretation is subjective and left to the discretion of the insurer. So, in theory, if one insurer is found to be too stringent or delivers an unfavourable result, organisations can simply hop to another that offers cheaper premiums and is less thorough in its due diligence. “Reputation wise, this proves to be an obstacle for an industry seeking to gain respect and establish itself as a more serious industry,” Pinnock says.
A slow-changing industry
Despite the speed at which hackers develop their tactics and find new ways to attack companies, insurers offering cyber cover are not reacting as quickly as they need to to the demands placed on that protection.
Experts say that, overall, only incremental improvements have been made by insurers to address the new security challenges businesses are currently facing. “We have witnessed prominent insurers announce they would stop writing cyber insurance policies in France which reimburse customers who make ransomware payments to cybercriminals,” says Pinnock, who points out that this was the insurers’ response to growing concerns in the country that cyber insurance was contributing to the ransomware epidemic by encouraging organisations to make payments.
He continues, “On the other hand, we also see that some insurers are becoming more innovative and trying to sell adaptive policies by tying rates to risk and continuous monitoring.”
A way forward for cyber insurance?
But given that cybersecurity cover is notoriously difficult to risk-assess, especially since the work-from-home mandate has widened the attack surface, what can insurers do to offer better products to businesses?
Pinnock says data is critical for insurers underwriting cyber insurance policies because it gives them the accurate risk assessment score they need to build a holistic picture of the organisations applying to them for cover. Factors such as the hardware and software a business uses, and the way it uses its data, are taken into consideration.
Ways to improve the risk assessment score
There are various things companies can make sure they are doing internally to improve their risk assessment scores, and therefore possibly reduce their premiums. These include:
- Regular security assessments – cyber insurers are increasingly looking at a company’s existing security arrangements to assess the level of risk it faces. An internal evaluation to determine an organisation’s biggest vulnerabilities and security challenges can provide valuable insight into the areas that need to be addressed before applying for or renewing a cyber insurance policy.
- Cybersecurity awareness training – making sure employees are educated on the threat landscape, GDPR and how to spot the signs of an attack plays an important part in minimising a company’s risk exposure and is a crucial layer of security that should be invested in.
- Preparation for the worst – do you have an adequate business continuity plan in place in the event of an attack? Are people outside the IT and security teams also clued up on the procedures within the plan? Insurers will assess such processes to ensure they are robust and serve their purpose. Organisations should make sure that their continuity plan is combined with a multi-layered cyber defence infrastructure, so that company networks are properly protected and the business is prepared.
Information courtesy of Mimecast
2021 cyber insurance trends
- There will be more cyber insurance products on offer. This may lead to more data becoming available to insurers and independent bodies as part of the assessment process.
- An industry-wide framework, or a body of regulations, will be developed to standardise the procedures insurers follow to underwrite products.
- The growth of the sector will increase premium rates, which are already on an upward trajectory: data from Fitch shows they rose 11.1% in the last quarter of 2020.
- Companies will increase their investment in layered security, something the pandemic has already driven forward.
Information courtesy of Mimecast