Just 20 years ago, cyber insurance was a developing product within professional liability and was not considered a necessary business purchase. Additionally, c-suite level security and IT professionals within organizations were skeptical of an insurance company providing subject matter expertise to their organization and technology strategy. Times have changed. Today, carriers, brokers, and insureds work hand in hand to develop a risk management solution that aligns with their cyber exposure and risk management transfer objectives.
“The large data losses that affected millions of consumers brought cyber coverage and exposures to the forefront of business needs in the early stages of the product,” said Steven H. Anderson, Director of Cyber Underwriting at Safety National. “These breaches highlighted coverage gaps in other products and shed light on the developing state privacy laws. It also started the conversation with the c-suite and board of directors discussing how to mitigate the exposure their companies were facing in the new digital world. Although large enterprise companies were the early purchasers of cyber insurance, companies with revenue under $500 million have now adopted a strategy to transfer the risk. Whether your revenue is $10 million or $10 billion, the exposure is present.”
What was cyber insurance at its creation?
Cyber liability insurance started as a data privacy product that allowed costs to be transferred to the carrier in the event of a breach. Other professional and casualty line products did not cover many of the costs associated with a breach. The early state privacy laws helped the market promote and protect consumers and businesses. California was one of the early adopters of state privacy laws. In 2003, when California’s SB 1386 went into effect to regulate the privacy of personal information, it set a new standard. Companies were now held accountable for the data they stored.
With the passage of state privacy laws, companies could now understand their exposure. Cyber liability could tie to that exposure and help companies respond to data breaches, know what information was taken, notify consumers, and reunify the company. Today, the coverage has expanded and can include contingent business interruption coverage, funds transfer fraud, and extortion loss, making it a valuable policy to purchase so the risk can be transferred from the company’s balance sheet.
The impact of the NotPetya attack and its subsequent legal cases created a dedicated need for cyber insurance since it heavily impacted many large organizations. This became particularly evident after insureds with non-cyber policies had no idea whether or not their carriers would respond to this event. Those with cyber insurance responded; thus, this event created an additional need and understanding for cyber liability policies.
What changed that made cyber policies more readily adopted now?
Between 2016 and 2019, cyber criminals shifted from automated ransomware campaigns emphasizing scale to targeted extortion operations against organizations and established businesses. This adaptation made ransomware more disruptive and profitable, eventually attracting the attention of well-organized cybercrime gangs. The intensification of the ransomware epidemic from that point until the attack on the Colonial Pipeline resulted from the growing adoption of this new extortion model among criminals.
The recent surge in ransomware attacks is often explained via an alphabet soup of metallic-sounding acronyms and epithets. Ostensibly, acronyms and terms like ransomware-as-a-service (RaaS), initial access brokers (IABs), and double-extortion (the data disclosure threat) identify the phenomena that have supercharged digital extortion.
The shift to extorting organizations instead of individuals transformed the digital extortion industry profoundly. Increasing the importance of any single victim in the eyes of the attackers made ransomware more disruptive. Making digital extortion so profitable attracted a flurry of new activity and investment from cyber criminals.
What solutions should insureds have ready, so there is appropriate risk transfer?
No two companies have the same cyber risks, so solutions should be customized based on industry needs. For example, healthcare will require patient data and data breach protections; manufacturing will need segmentation between their information technology (IT) networks and operational technology (OT) networks; technology companies will need to focus on data privacy and legal issues around consumer privacy rights. When assessing risks, carriers want to know how an organization builds resiliency. Exposures lie within technology configuration, not just the tools that make it possible. An organization can have every tool in place to prevent a cyber event, but those tools can be worthless if not configured properly.
What is the future outlook for cyber insurance coverage?
Cyber insurance is one of the fastest-growing categories in commercial insurance. It is also an area of insurance where new players can begin on an almost even playing field with incumbent carriers. The following three characteristics exemplify this:
- Demand is outpacing supply and the market is experiencing hyper-growth. The market demand for cyber insurance policies is robust and growing rapidly. The increased reliance on the internet by businesses across all industries and of all sizes has created more exposure to cyber risk. At the same time, data privacy regulations have tasked companies with managing their cyber exposure. The recent prevalence of ransomware and the media coverage of attacks have raised awareness of cybersecurity threats to small- and medium-sized businesses. As a result, expect the number of companies that purchase cyber insurance, and the size of individual policies, to increase over time.
- Historical claims data is not a moat because risk changes quickly and continuously, and new technologies are more suitable for addressing this risk. Cyber insurance, unlike any other property and casualty segment, is constantly evolving and claims data from 10 years ago is not necessarily indicative of the risks 10 years from now.
- Insurance carriers are shifting away from pricing risk based on historical aggregate cohort calculations and moving toward writing policies tailored explicitly for the policyholder with an ever-evolving perspective of the future. This new underwriting approach enables carriers to be more proactive, personalized, forward-thinking, and accurate in risk assessment.