According to a recent report, the FBI is currently investigating over 100 different ransomware variants circulating online.
Both the number and cost of cyber-attacks are increasing. According to a recent report from CB Insights, cybercrime worldwide hit $6 trillion in 2021 — and will likely surpass $10 trillion by 2025.
The challenge today in preventing or fighting cyber-attacks is complex, experts say, in part because cyber criminals continue to get more sophisticated — and operate from all corners of the world.
For example, a serious but ultimately unsuccessful ransomware attack and extortion attempt against the Port of San Diego in 2018 was orchestrated and launched in Iran.
The U.S. Justice Department has called cybercrime “21st century digital blackmail.”
The escalation in cyber-attacks on businesses “comes at an inopportune time, when cyber talent is in short supply and companies are supporting largely remote workforces,” the CB Insights report states.
With more and more companies moving to the cloud to conduct business, companies need to be certain their data and applications are protected from everything from “accidental” insider errors to ransomware attacks and exploitation of system vulnerabilities by hackers and more sophisticated cyber criminals.
For insurers, the dramatic escalation in cyber-attacks has created additional challenges — and opportunities — to add coverages. A typical cyber insurance policy today covers cybercrime, privacy breaches, business interruption and reputational damage.
The Marsh McLennan Agency has offered cyber insurance since the 1990s, “before it was even called ‘cyber’ insurance,” said Tim O’Brien, director of Cyber & Security at MMA.
“Our [cyber] offerings have always been as broad and as deep as the market affords,” O’Brien said. “We are a 360 degree firm when it comes to cyber. If we can’t find — and support — cyber insurance for an insured, then no one can.”
In 2022, O’Brien says he recommends some form of cyber coverage to all of his clients.
“If you capture, store or share information, you need cyber coverage,” O’Brien said. “The threats are real and threat actors don’t take holidays. In fact, they love our holidays and our weekends. This is often when an uptick in cyber events occurs.”
New geopolitical risks related to the invasion of Ukraine are only the latest in a long line of high-profile events that should make everyone concerned about cyber, O’Brien said. “Whether it is a potential nation-state, an organized group, hacktivists, or a lone actor, those who intend to do harm come in all sizes.”
“The clear trend among our clients in every class of business is more cyber coverage,” O’Brien said.
“Cyber threats will only get more sophisticated and severe, and they will cost companies more and more. It’s a digital world now, and cyber criminals have already seen how lucrative it is to attack companies with deep pockets.”
Tom Geisbush, VP at Teague Insurance, said his firm has been offering cyber coverage for a little more than a decade, but the coverage is “still a line of insurance that most businesses do not have interest in purchasing as it is complicated and insureds find it hard to understand their exposure to loss.”
Geisbush said only about 10% of his clients buy cyber coverage — but that number is increasing, he added. “This insurance coverage is something that all businesses need to consider as anyone that conducts business and retains information for clients and others has an exposure to loss.”
‘Front and Center as Business Need’
“Cyber war against businesses is a very real threat to companies of all sizes,” said Wella Campbell, client executive at C3 Risk & Insurance Services. “We are seeing cyber-attacks increase at an alarming rate, bringing this coverage front and center as a need for businesses.”
“Cyber insurance was initially rolled out with the intention of providing third party liability coverage only, typically focused on covering online content disseminated by the insured but also with the intention of covering errors in data processing,” Campbell said. “Over the years, the product has significantly adapted into a more robust offering specifically designed to keep up with the new methods/tactics that cyber criminals have adopted but also to conform to changes in the regulatory environment around the world.”
Campbell said C3’s product lineup has now evolved to offering many different types of first party coverage, including cyber extortion/ransom claims, wire fraud/social engineering claims — sometimes known as cyber deception — as well as regulatory fines/penalties, network asset damage, PR/crisis management expenses and credit monitoring.
“With the increased coverage offerings that are available in the market, many insurance carriers needed to amend their underwriting requirements to address the required security controls that are needed in order to prevent catastrophic loss, [like] having segregated backups and implementing multi-factor authentication not only for remote users but for onsite login attempts,” Campbell added.
Campbell said C3’s coverage is priced using numerous “ratable” elements, including revenue, total record count (PII and PHI), security controls in place, class of business and claims history. CHUBB, Travelers, AIG, AWAC, STARR, Markel, Hudson, AXA XL, RSUI and Lloyd’s are among the most active underwriters in the cyber market today, she added.
“About 50% of our clients have had to use their cyber liability coverage at one point or another,” Campbell said. “Some have had minor breaches that were resolved with minimal cost while others have suffered full policy limit losses due to ransomware attacks. The largest loss [to date] we are aware of is $20 million.”
“We started offering cyber about 8 years ago,” said Natalie Sherod, a risk manager at Cavignac. “The coverage was fairly basic at the time and since has evolved significantly.”
“Regardless of size, every one of our clients has a cyber exposure,” Sherod added. “Over the last two years, there has been increased scrutiny on controls in place. It is imperative that businesses are implementing measures like multi-factor authentication, encryption and employee training.”
In terms of product pricing, Sherod said most underwriters look at four “key” areas: type of industry, annual revenues, number of unique records collected and existing risk control measures.
“A unique record is any private or sensitive information that can be used to identify a person,” she said.
Sherod said 80-90% of the firm’s clients with revenues over $10 million purchase cyber coverage. “It drops off the smaller you get,” she added. “I’d guess that about 25%-35% of our clients with less than $10 million in revenues purchase cyber coverage.”
Cavignac has dealt with nearly a dozen cyber incidents over the past year. The largest claim was $650,000 and the average cyber claim is about $100,000.
“Some of the claims we have experienced, we didn’t see coming,” Sherod said. “Cyber criminals are getting very creative.”
Elissa Doroff, managing director and cyber product leader at Lockton Financial Services, said regulated industries like retail and healthcare have tended to be the biggest purchasers of cyber insurance recently. “Primarily due to those industries being typically targeted the most by cyber criminals.”
Doroff said manufacturing and construction as well as professional services firms have also seen an uptick in cyber coverage over the last five-plus years.
Doroff believes underwriting scrutiny will continue to become “more onerous as carriers are requiring minimum standards in order to provide quotes for insurance due to the large frequency of losses in the last five-plus years.”
On a positive note, Doroff said “carriers are offering more and more proactive services to help companies be better prepared for a cyber security incident.”
“As the world automates ever more, threats to the cyber landscape will only increase,” said MMA’s O’Brien. “Those firms with good governance tend to have stronger cyber security protocols and policies in place. A sound cyber security infrastructure comes at a cost, but organizations today can’t succeed without a state-of-the-art cyber security program.”
“Today, we see all classes of business, large and small, seeking cyber coverage,” O’Brien added. “Everyone is hearing the same news about cyber-attacks. After building a topnotch cyber security program, cyber coverage is the best hedge against cyber threats.”