For the first time ever, cyber insurance is facing a hard market. Since the product line’s inception about twenty years ago, carriers, brokers and policyholders have reaped the benefits of soft market conditions. Policies were cheap, and they provided generous coverage and low retention. Losses were minimal, and therefore, cyber insurance books were very profitable. Over the last few years, the cyber risk landscape has shifted. The frequency and severity of losses have grown astronomically, forcing carriers to constrict their offerings, which can put policyholders and potential policyholders in tight positions.
Why are we in a hard market?
When carriers began selling cyber insurance, the risks facing large companies were one-off incidents like lost unencrypted laptops, misfired emails containing lists of employee information, and the occasional malicious insider. Smaller companies had even fewer issues. Over time the threats evolved and grew to include more email compromises and small ransomware interruptions. But even those could be resolved quickly by restoring from backups and resetting passwords.
However, in the last few years, the attack landscape has transformed significantly. Companies of all sizes started experiencing significant email compromise events that very often involved the expensive combination of large-scale data breach investigation and notification and the loss of funds through misdirected wire transfers or ACH payments. Phishing and social engineering campaigns exposed a lack of employee training, technical safeguards and data retention policies across many companies. Each of these incidents may cost tens of thousands of dollars to resolve on average, and the frequency led to huge loss ratios for cyber carriers. Further, small companies were not immune to these issues, and the costs associated with the investigations and response compared to the premiums paid for the policies exposed the small business space.
Just as carriers and brokers seemed to wrap their arms around business email compromises, by pushing extensive training and technical solutions, ransomware events exploded much larger than ever anticipated. Early on, ransomware was typically used to encrypt data in place. Attackers would access a network, quickly encrypt what they could, and demand a few hundred or a few thousand dollars in exchange for a decryption key. For many companies, restoring from backups was a way around having to pay, and for others, the demand was so minimal compared to the potential cost of the interruption that it made more sense to pay for the decryption key.
But as attackers saw companies responding rather successfully to these events, they shifted the nature of their attacks. Instead of simply locking users out of a network the moment access was acquired, attackers instead saw the potential for larger paydays with some additional effort. They sat stealthily in a network performing reconnaissance to understand the company’s backup strategy and to steal important company data, ultimately using internal phishing campaigns to escalate user privileges to gain access to critical systems. Once sufficient network administrator-level access was obtained, the ransomware attack was launched, finally encrypting the network a few days or months later. When these types of attacks hit companies, they were not only dealing with an overwhelming hit to critical systems and data and backups being encrypted, but also the added concern of data being accessed or stolen, and potentially exposed. This allowed attackers to demand much higher ransom payments—to the tune of millions of dollars per event.
Between the business interruption, extortion demand, data restoration and incident response, policies with $5 million or $10 million in coverage that had never been touched were exhausted on a weekly basis. Further, unlike a typical data breach matter, ransomware matters are immediately public events that draw attention from regulators and class action attorneys, especially when downstream services to customers are interrupted as a result.
What does that mean for the market?
Carriers have responded to the new landscape by increasing premiums, decreasing policy limits, and being more conservative in their underwriting process. Where it was previously hard to convince certain markets with minimal data collection and personally identifiable information that cyber insurance is essential for business, the demand for policies in those markets now outsizes supply.
At renewal, carriers have updated application questions, oftentimes with assistance from forensic experts, to better understand a company’s preparation for ransomware attacks and the subsequent business interruption. Carriers are now requiring additional technical safeguards, like multi-factor authentication (MFA) and endpoint detection and response tools (EDR), where previously organizations that implemented these tools were considered leagues ahead of their peers. The sudden shift towards requiring these protections as a prerequisite for coverage has left many organizations scrambling to find time and money in their IT budgets to implement these services ahead of a policy renewal.
In addition to increased premiums, limited coverages and higher security expectations, many carriers are outright declining risks in certain markets that have proven to be susceptible to expensive attacks. Manufacturing, technology supply chain providers, and healthcare institutions have especially faced an uphill battle in finding carriers willing to underwrite their businesses.
This forces those organizations to purchase more expensive policies with lower coverage and build more complex towers of insurance in order to maintain the amount of risk protection enjoyed for many years prior.
What can companies do?
Determine What Coverage You Have. The question of whether other insurance policies provide coverage for cyber incidents is hotly contested, but one that can be expensive to litigate. Thus, businesses need to have a clear understanding of whether their current policies cover cyber incidents, and if so, to what extent. These are questions you should ask of your cyber insurance provider:
Does my policy cover my vendor’s errors in addition to mine? Vendor management is becoming increasingly important for businesses, especially those that deal with sensitive information (e.g., financial services or health care). It is important to identify whether your cyber policy covers your loss of data when it is in someone else’s possession. For example, a policy may reference coverage for “your computer system,” but the definition of “your computer system” might exclude (or not specifically reference) the cloud or networks run by third parties.
Practical Consideration: Require by contract that your vendors carry their own cyber insurance policy covering your data while it is in their possession.
Does my policy cover “inside the house” risks? Employees are the single greatest threat to a business’s cybersecurity. Many cyber policies only cover the malicious theft or destruction of data from an outside source, but studies have found that many times it is employees who are unintentionally and unwittingly contributing to data loss and breach.
Practical Consideration: Have written, up-to-date information security policies that employees are trained on annually and install proper physical and electronic safeguards on all business electronics that employees use (laptops, tablets and smartphones).
Does my policy cover cloud-related risks? Certain insurers have used “sub-limits” or lower limits of coverage that cap the amount available for claims specific to cloud-based risks for cloud users. Also note that some policies will have an exclusion for liability assumed through contract by the cloud provider. This means that your cloud provider may have far less liability coverage for your data than you assumed.
Practical Consideration: Review your policy’s sub-limits to ensure that you have sufficient available coverage and never limit liability in contracts with vendors or partners to “insurance limits.”
Does my policy apply retroactively? It takes an average of 256 days for most businesses to identify a malicious attack. If the attack occurred prior to you obtaining the policy, you may run the risk of your insurance not covering it. Some insurers will offer retroactive coverage for an additional premium.
Practical Consideration: Conduct penetration testing on your system prior to obtaining any cyber coverage. Through these tests, previous breaches or attempts on your network may be identified.
Is my policy limited geographically? Some policies limit coverage to the United States or put restrictions on how far from your place of business events or incidents must occur in order to be covered. If you are using cloud-based services, those servers could be located outside of the U.S. or could be thousands of miles from your business’s headquarters.
Practical Consideration: Review your cyber insurance policies for geographic limitations and make sure all agreements with vendors or partners prohibit transmitting your data outside of those limitations.
Does my policy cover physical breaches? Claims relating to a cyber attack on your systems are covered, but what about physical breaches? Phone systems, security cameras and other systems that are controllable through the internet are all exploitable.
Practical Consideration: Have a clear understanding of which insurance product covers the physical aspect of a breach. If your policy does not cover the physical aspect of a breach, consider adding additional policies that do cover the physical aspect.
Who is my contact in the event of a breach? A set claims process following a cyber-security incident is something an increasing number of insurers are implementing. It is important to understand your insurer’s policy and know who your point of contact will be in the event of a breach.
Practical Consideration: Your insurer may also have breach response services available that you can take advantage of as a customer. Discuss with your insurer what, if any, breach response services are available to you before a breach occurs.
Can I get a reduction in premiums if I implement certain policies/procedures? Many insurers will offer you lower premiums or renegotiate your existing premiums if you can demonstrate you have taken concrete steps to manage your information security risks. Ask your insurer if they do this and have them identify what measures they like to see.
Practical Consideration: Consult with an information security professional to develop internal corporate information protection policies, draft template agreements to use with vendors that include provisions around information security and conduct penetration testing and other diagnostic steps to identify any risks in your system.
Does my policy cover PCI-DSS Assessments? One of the more common, and expensive, cyber liability risks is card payment processing information. The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express and Discover. From these standards, the credit card industry sets assessments for data breaches involving credit card information, and fines and penalties for violation of the PCI-DSS. Coverage for such liabilities often requires a specific policy or coverage type.
Practical Consideration: If your business handles credit/debit card information, review your policy for specific coverage provisions for both fines and penalties resulting from non-compliance with PCI-DSS and fraud-recovery and reimbursements regardless of compliance with PCI-DSS.
Make Your Business More Insurable. Carriers are expecting organizations to have, at minimum, basic modern IT security controls and data protection policies in place, and to be able to demonstrate that they are implemented correctly and enforced constantly.
Effective Backup Strategy and Testing
A big reason ransomware has exploded so successfully is that attackers have taken away a company’s option to restore without paying the ransom by either encrypting or deleting backups as part of the initial attack. In response, many forensic experts recommend the “3-2-1” approach: 3 copies of the data (production, on-site backups, off-site backups), 2 different media types (cloud, disk, snapshot or tape) and 1 offsite copy (cloud, tapes).
When it comes to ransomware, best-laid plans often go awry. All too often an organization implements what they believe is a sound strategy, only to find out during an attack that their backups were not segregated properly, or the daily snapshot stopped functioning months ago. Carriers expect organizations to be able to demonstrate a regular testing schedule and the results of those tests. These tests will enable organizations to better anticipate potential downtime, restoration strategy and prioritization.
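The two failure modes described above (backups that were not segregated from the production environment, and a snapshot job that silently stopped months earlier) are exactly what a carrier’s testing questions are probing for. The following script is an added example, not code from the article or from Polsinelli: it audits a constructed backup inventory against the 3-2-1 rule and flags stale or untested copies. The data model, the “isolated” attribute (meaning the copy cannot be altered or deleted with the credentials that manage production) and the age thresholds are assumptions chosen for illustration, not terms from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DataCopy:
    """One copy of the data set: production or a backup (hypothetical model)."""
    name: str
    media: str                      # e.g. "disk", "snapshot", "cloud", "tape"
    offsite: bool
    is_production: bool = False
    isolated: bool = False          # not writable/deletable with production credentials
    last_success: Optional[datetime] = None       # last completed backup job
    last_restore_test: Optional[datetime] = None  # last verified restore from this copy


def audit_backups(copies, now, max_backup_age=timedelta(days=1),
                  max_test_age=timedelta(days=90)):
    """Return a list of findings; an empty list means the inventory passes.

    Checks the 3-2-1 rule (3 copies, 2 media types, 1 off-site), that at least
    one backup is isolated from production credentials, and that every backup
    both completed recently and has a recent restore test.
    """
    findings = []
    backups = [c for c in copies if not c.is_production]

    # 3 copies in total: production plus at least two backups
    if len(copies) < 3:
        findings.append(f"FAIL: only {len(copies)} copies, 3-2-1 needs at least 3")
    # 2 different media types across all copies
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"FAIL: single media type ({', '.join(sorted(media))}), 3-2-1 needs 2")
    # 1 off-site copy
    if not any(c.offsite for c in backups):
        findings.append("FAIL: no off-site copy")
    # a copy the attacker cannot reach with stolen admin credentials
    if not any(c.isolated for c in backups):
        findings.append("FAIL: no backup copy is isolated from production credentials")

    for c in backups:
        # a job that stopped running is a backup that does not exist at restore time
        if c.last_success is None or now - c.last_success > max_backup_age:
            age = "never" if c.last_success is None else f"{(now - c.last_success).days} days old"
            findings.append(f"STALE: {c.name} last successful backup {age}")
        # an untested backup is an assumption, not a recovery plan
        if c.last_restore_test is None or now - c.last_restore_test > max_test_age:
            findings.append(f"UNTESTED: {c.name} has no restore test within {max_test_age.days} days")
    return findings


# Constructed sample inventory (not real data): a snapshot job that silently
# stopped 97 days ago, and a cloud vault whose last restore test is overdue.
NOW = datetime(2022, 2, 8, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    DataCopy("file-server", media="disk", offsite=False, is_production=True),
    DataCopy("nightly-snapshot", media="snapshot", offsite=False,
             last_success=NOW - timedelta(days=97),
             last_restore_test=NOW - timedelta(days=30)),
    DataCopy("cloud-vault", media="cloud", offsite=True, isolated=True,
             last_success=NOW - timedelta(hours=6),
             last_restore_test=NOW - timedelta(days=120)),
]

if __name__ == "__main__":
    for finding in audit_backups(SAMPLE_INVENTORY, NOW) or ["PASS: inventory meets 3-2-1"]:
        print(finding)
```

Feeding the script the real inventory (and the real job and test timestamps pulled from the backup system) turns the carrier’s “do you test your backups” question into a report that can be produced on demand; the thresholds should be tightened or loosened to match the recovery objectives the organization has actually agreed to.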
Multi-factor Authentication (MFA)
Most ransomware attacks start with an account takeover. Once credentials are stolen, attackers typically use credential-harvesting malware to escalate privileges in order to gain access to a network administrator account. Companies that properly implement MFA across all users can thwart many of these attacks. Rather than just asking for a username and password, MFA requires one or more additional forms of verification (like a one-time use code sent to a user’s phone), which decreases the likelihood of an attacker gaining access to the account. MFA should be implemented on all email accounts, local administrator accounts and domain administrator accounts and on any remote access points. If you work with third-party vendors who have direct access to perform functions on your network, MFA should be enabled there too.
Data Retention Policies
As mentioned above, ransomware attacks have shifted from encryption only, to encryption + data access. While much of this article is focused on the business interruption and data restoration issues caused by ransomware attacks, the access and acquisition of sensitive data is another hurdle organizations must overcome. Organizations that can restore from backups and avoid a huge interruption still must consider the data breach implications of the stolen data. Most often, attackers will provide a sampling of stolen data at the outset of a conversation with the victim organization, in order to encourage payment for the return and destruction of the information. Organizations that have strong data retention policies and enforce those policies can limit the amount of extraneous data available for attackers to monetize. They can also use the sampling to pinpoint where on the network the attacker may have stolen the data from, in order to get a better sense of what data the attacker might have and to better focus a forensic investigation.
Further, for the ongoing issue of business email compromises, inbox hygiene and email archiving drastically limit the data potentially available in a compromised inbox, substantially decreasing the time and money spent determining what the attacker could have had access to while in the compromised account.
Endpoint Detection and Response (EDR)
EDR is a next-level antivirus solution. It not only provides real-time monitoring of your endpoints for any anomalous activity, but it can also quickly alert security personnel to security issues, allowing organizations to contain an incident before it becomes catastrophic. Further, when an incident does occur, forensic investigators can use EDR logging to understand the timeline of the attack and any movement that occurred in the network. This can speed up the response and help an organization understand what, if any, data is at risk as a result of the limited intrusion.
However, EDR is only as good as the monitoring of alerts. Because attackers tend to strike at inopportune times, it is important to have dedicated resources to rule out false positives from legitimate threats. There are many 24/7 security companies that offer these services.
Brokers are keenly positioned in the ecosystem to ensure that organizations seeking coverage are prepared for the more stringent carrier expectations and well-positioned to fill out a renewal or new policy application. Having access to applications across the market, brokers are in the best position to educate and prepare clients for the inevitable squeeze. Because many of the required safeguards will require additional IT financing and company buy-in, brokers can help clients by flagging issues they need to be prepared for earlier in the application process. This way, by the time the insured is filling out an application, they can provide answers that will put them in the best possible position to get coverage. In line with that, through their connections to the legal and forensic field, brokers can also help an insured party by putting them in touch with resources that can help them identify gaps in their current cybersecurity posture and remediate those gaps prior to the application process. This includes working with law firms and IT security firms to conduct privileged risk assessments, penetration tests and gap analyses and then implement solutions based on the results of those activities.
Additionally, attorneys skilled in cybersecurity insurance can assist clients in both obtaining and negotiating the policy coverage necessary for the client’s business. By analyzing the needs of their client’s organization, attorneys can ensure that the policy provides an acceptable level of coverage, both in terms of the amount and scope of coverage. They can identify their client’s major areas of cyber-related risks and review their client’s policy to ensure that it matches these risk areas. For some organizations, a policy may only need to cover direct damages, yet for other organizations, this amount of coverage would be extremely inadequate. An attorney skilled in cyber insurance can identify additional cyber-related risks and negotiate with an insurer to also include coverage for downtime, breach-related expenses and civil liability, if necessary.
Cyber insurance attorneys can also analyze and review their client’s current IT security controls and data protection policies to determine if they are sufficient and properly aligned with carriers’ expectations. If these controls or policies are lacking, your attorney can identify actions to take that will allow your organization to be more insurable. Further, your cyber insurance attorney can review your insurance policy to determine how your policy compares with those in the marketplace, and if you are renewing your policy or obtaining a policy for the first time, avoid coverage gaps, negotiate enhancements or request modifications to the policy as necessary.
While cyber insurance is facing a hard market for the first time in its existence, due to increasingly sophisticated ransomware and other attacks, organizations can still effectively determine what coverage their business needs, implement policies and testing to make their business more insurable and negotiate with carriers to receive the best coverage for their organization. Please contact your Polsinelli attorney for assistance in the process of assessing, obtaining or renewing your organization’s cyber insurance policy.
Kelsey L. Brandes also contributed to this article.
© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XII, Number 39