SPECIAL REPORT
CYBER INSURANCE The biggest cyber threats for 2020 – and the solutions that can help clients tackle them
Stay ahead of the hackers
From threat alerts to superfast incident response, CFC’s upgraded mobile app does it all

Be better prepared with critical, time-sensitive security alerts pertaining specifically to your business
Notify claims instantly by submitting your incident type, triggering an immediate call-back from our experienced team
Get expert advice through ‘Ask the Expert’, where you can ask our team specific questions about risk mitigation, best practices and more

Free to all CFC cyber policyholders, the app is available on the App Store or Google Play
CYBER INSURANCE REPORT 2020

IBA caught up with four cyber insurance experts to uncover the answers to agents’ and brokers’ most pressing cyber queries

Cyber has officially staked its claim as a central player on the global risk stage. In 2020, it’s no longer a matter of if a cyber incident will happen; it’s a question of when. Almost every organization and every person with access to the internet is exposed.

Awareness of cyber risk has grown significantly in the last decade, thanks in part to some extremely high-profile cyber events. Five years ago, a top concern for cyber insurers was the protection and security of payment card industry (PCI) data. This was due partly to the infamous Target breach in 2013, in which the retail giant lost 40 million payment card credentials and 70 million customer records at the height of the holiday shopping season. That incident was followed by an even bigger breach at Home Depot in 2014, whereby hackers infiltrated the retailer’s point-of-sale system and stole more than 50 million customer credit card numbers and 53 million email addresses.

Once risk managers, cybersecurity experts and insurers got to grips with the PCI data breach dilemma, hackers changed their course and started plaguing businesses with ransomware – a quick and easy way for cybercriminals to make money by extorting vulnerable individuals or corporations by encrypting important files and demanding payment for decryption.

Ransomware made its mark on the cyber risk map in 2017, when a group of elite hackers leaked highly classified hacking tools from the US National Security Agency on the dark web, including one that used malicious software called WannaCry, which had the ability to exploit the SMB communication protocol in Microsoft Windows. In May 2017, cybercriminals used the leaked tool to hack more than 200,000 computers across 150 countries, resulting in billions of dollars in losses.

Since then, cybersecurity has advanced to meet the threat of ransomware, but cybercriminals have also upped the sophistication of their campaigns. A few years ago, hackers preferred remote desktop protocol (RDP) brute-force attacks, looking for unsecured RDP services to exploit and encrypt with ransomware, but now they’re moving laterally within systems, turning off antivirus software and creating domain controller accounts to gain complete access and cause a lot more damage.

Every business in every sector is vulnerable to cyberattacks and non-malicious cyber incidents. So far in 2020, several universities have suffered data breaches after hackers launched a ransomware attack against the cloud computing firm that administered the schools’ data, tech firm Canon has fallen prey to a ransomware attack, and social media giant Twitter has suffered a sophisticated social engineering attack in which the accounts of celebrities and high-profile individuals were used to trick people into sending Bitcoin to criminal accounts. And these are just some of the challenges present.

While contending with cybercriminals, businesses are also under pressure to shore up their data privacy and protection practices, with the threat of increasingly punitive regulation should they slip up and expose personally identifiable information (PII). And cyber challenges have only grown more extreme in the context of the COVID-19 pandemic, which has forced many businesses to adopt remote working practices. With more employees working from home and accessing business networks remotely, commercial and personal cyber risk has grown exponentially.

Insurance Business America’s 2020 Cyber Insurance Report takes a deep dive into the complex and ever-changing cyber risk landscape and corresponding insurance market. The cyber experts IBA interviewed tackle seven key questions, from how the COVID-19 pandemic has impacted the cyber insurance market to what agents and brokers should say to clients to help them understand the importance of purchasing cyber coverage. Through the insight provided on the following pages, IBA hopes to provide agents and brokers with an enhanced understanding of the current state of the market and what they should look for in a cyber insurance policy.

Bethan Moorcraft
Editor
Insurance Business America

PANEL OF EXPERTS

Jeremy Barnett
Chief marketing officer, CyberScout
Jeremy Barnett is the chief marketing officer at CyberScout, which empowers people and organizations to take control of their cybersecurity with state-of-the-art tools and expert services. Barnett works closely with CyberScout’s US and global markets teams to support growth, client engagement and product innovation. Prior to joining CyberScout in June, Barnett was the global marketing leader and SVP of marketing and business development at Tokio Marine HCC, where he helped create integrated risk management solutions for B2B and B2C customers. Prior to specializing in cybersecurity, Barnett worked in a variety of technology and marketing roles in the financial services, entertainment and technology industries.

Emy R. Donavan
EVP and global chief underwriting officer, Resilience Insurance
Emy Donavan is EVP and global chief underwriting officer at Resilience Insurance, which connects security, insurance and recovery to provide comprehensive solutions to cyber risk for the middle market. With more than 15 years of experience in cyber, technology and specialty E&O liability, Donavan provides expert insights on topics such as cyber risk assessment, underwriting, technology risks and insurance product innovation. Before joining Resilience, she held a dual role as global head and CUO of cyber, tech and media professional indemnity for Allianz Global Corporate & Specialty and head of Allianz’s Cyber Center of Competence, which provides support and expertise on cyber initiatives for all Allianz operating entities.

Shannon Groeber
Executive vice president, CFC Underwriting
As executive vice president at CFC Underwriting, Shannon Groeber is responsible for leading the business’s strategy for its admitted cyber proposition. Based in New York, Groeber joined the team earlier this year from Marsh JLT Specialty, where she was cyber innovation leader. Groeber’s 15-year insurance career includes five years at JLT Specialty as cyber and E&O practice leader. She is a highly respected and influential figure in the cyber insurance market, and her expertise has put her in demand as a panelist and speaker at a range of industry events and conferences. She has been recognized for her exceptional work in the cyber market with numerous awards.

Jack Kudale
Founder and CEO, Cowbell Cyber
With 25 years of enterprise software experience, Jack Kudale is the founder and CEO of Cowbell Cyber, a cyber insurance startup that aims to make enterprises more insurable for cyber liability. Cowbell delivers stand-alone, admitted cyber coverage in five minutes, with up to $15 million in limits, by using proprietary data, artificial intelligence and Cowbell Factors, its patent-pending risk rating factors. Before launching Cowbell, Kudale led three venture-capital-backed Silicon Valley cybersecurity and data analytics startups after a long stint as an executive in charge of distribution at a Fortune 500 software company.

How is the cyber insurance market shaping up in 2020?

Jeremy Barnett: The cyber insurance business is thriving! We look at the cyber insurance market on a global scale and see demand continuing to grow across all sectors. A recent report from Munich Re put the 2020 cyber insurance market at $7 billion, projecting five years of continued growth to $20 billion in 2025. Large enterprises continue to buy up higher limits, while the SME sector is expanding with lower-limit policies. While packaged programs continue to grow – low-cost cyber endorsements on business owner policies, for example – we are seeing small businesses also purchasing standalone cyber policies to gain access to higher limits of coverage, as well as to secure proactive cyber services that carriers are making available. Small businesses are still taking advantage of relatively low rates for stand-alone coverage, especially in the US, though increasing claims among this sector are leading some carriers to adjust rate. With increased rates, carriers are focused on providing more value, including cyber training, call-center expert support and loss mitigation programs. Reinsurers play a key role in the market expansion, fueling carriers not only with capacity, but with essential services to help their clients educate their customers, manage risk and provide claims services. Global cyber reinsurers are using more sophisticated modeling to balance their placements, to assess aggregation risks and determine rates. One of the key factors in determining rates for reinsurers includes analysis of claims by industry segment. With the increased claims activity among healthcare providers, manufacturers and financial services companies, underwriters are beginning to adjust rate for these classes.

Emy Donavan: This has been an interesting year, to say the least. We’ve seen players pull out of the market on both the insurance and reinsurance side. Otherwise profitable portfolios have been deeply impacted by ransomware events. In the face of losses and in response to several years of soft pricing, combined with broadening coverage, rates are finally going up. Underwriters are looking at cyber risk in the face of the pandemic and trying to make heads or tails of it. Unfortunately, without next-generation cybersecurity expertise, in most cases the industry isn’t well positioned to quantify this risk. And then you have regulatory developments, such as the announcement by the US Treasury Department’s Office of Foreign Assets Control that there will be sanctions for ransoms paid to threat actors on its blocked persons lists, which raises more questions about how ransomware will be handled going forward. While the cybersecurity/cyber insurance market is out of its early years, it’s still evolving and developing best practices.

Shannon Groeber: We were one of the first markets to write a cyber policy back in 1999, and never has there been as much change in the cyber landscape as we’ve seen in the last year. Clients have more choice than ever before in where they place their cyber policy, which has meant increasingly broadened coverage at increasingly competitive prices, particularly from players new to the game. However, the increasing frequency and severity of claims, as well as a better awareness among clients about what their coverage includes, means that cyber insurers are reacting, and we’re seeing a hardening of cyber rates in what had previously been a soft market relative to other lines of insurance. The cyber market has evolved more in 20 years than the property market has in the last 200 as we adapt to new threat landscapes. With the increase in frequency and severity of cyber claims happening for businesses in all industries and sectors, cyber insurers are yet again refining what their product should do for clients. Cyber providers like ourselves are now getting ahead of claims before they even happen, which ultimately provides something much more tangible for the client in helping to understand what value their cyber policy brings. The universe of insureds is also expanding and diversifying, with more buyers of all sizes and sectors. While SME buyers were the last segment to recognize the value of cyber insurance, the influx of carriers providing specific solutions to that demographic has contributed to the evolution of the product – competing with value-adds and proactive services, as opposed to
pricing and terms and conditions. At CFC, we continue to expand and make investments in our cyber claims infrastructure. By way of our acquisition of ThreatInformer last year, we have a very well-established data enterprise division that works collaboratively with our underwriting and incident response teams in providing complementary risk management services upfront to clients. One of the most exciting developments this year is the major upgrade that we recently rolled out to our cyber incident response app. Leveraging our proprietary data enrichment platform and threat intelligence feeds, along with insights from active cyber claims, the app now notifies policyholders of critical, time-sensitive threats and vulnerabilities in real time, helping our customers to protect themselves from incidents before they happen and prevent potential losses. As well as providing them with direct access to our CFC response team to instantly notify an incident, the app also now enables policyholders to access our specialist technical team for help with their cyber risk mitigation and general cyber security questions. This upgrade has been done in the spirit of taking risk management to the next level and to bolster our commitment to being a stable, long-term cyber partner for our US clients.

Jack Kudale: Driven by an increase in cyber incidents such as cyber crimes and ransomware linked to the pandemic crisis, rates in cyber insurance are going up, limits are going down, and more restrictions are being applied. With many workers required to work from home, cybercriminals are taking advantage of badly configured networks and preying on people via email, SMS and phone calls. In addition to data breaches, cyber crimes, fraudulent fund transfers and ransomware attacks are now dominating the threat landscape. Overall, we see a great opportunity to deliver better cyber insurance programs, where coverages, limits and premiums are anchored in the actual cyber exposure of the business, not just its revenue size and industry. Cyber risks are unique in that they change every day, and every business has unique exposures to such risks. Qualifying a business’s exposure to cyber risks requires many considerations, including the level of digitization of the business, its internet footprint, the type of technology in use, how systems and applications are deployed and managed, whether appropriate security controls are in place and how often they are verified, and how much cybersecurity awareness is built into the organization and its business partners.

Policies based on revenue and industry alone force insurers to take a conservative approach to underwriting because they actually don’t have true visibility into the cyber risks they underwrite. This takes the form of low limits that do not provide adequate financial coverage, narrow coverage definitions such as data breach endorsements that do not cover third-party liability or the variety of incidents faced by businesses, and exclusion of classes of business. It is likely that cyber insurance programs, which are too restrictive either by design or because of a lack of risk insights, will simply disappear as AI-driven, flexible and comprehensive programs emerge, along with ‘cyber insurance 2.0’ becoming a reality.

When launching Cowbell Cyber, we knew that we wanted to make use of all the data already available about a business, its use of technology and its deployed security solutions, including its approach to training employees and partners about cyber security. A granular assessment of cyber risks that combines firmographics data and hundreds of security observations to deliver a risk rating framework along seven Cowbell Factors gives us the confidence and the flexibility to issue policies that are truly risk-based and capture an unbiased, data-driven measurement of the risk covered.

AVERAGE COST OF A DATA BREACH
$3.86 million: Global average cost of a data breach in 2020
$8.64 million: Highest average cost of a data breach by country (in the US)
$7.13 million: Highest industry average cost of a data breach (for healthcare)
$150: Highest average cost per record (for personal consumer data)
Source: Cost of a Data Breach Report 2020, IBM Security

How has the COVID-19 pandemic – and the accompanying increase in remote work – impacted the cyber insurance market?

Jeremy Barnett: COVID has made the threat landscape significantly more dangerous in 2020 – and expensive. The US Department of Labor estimates $26 billion in unemployment fraud. Cybersecurity provider Carbon Black reports a 148% increase in ransomware attacks since March 2020, and Barracuda reports a 667% increase in COVID-related spear-phishing email attacks. As of May 2020, the FBI Internet Crime Complaint Center received as many complaints as they had in the entire 2019 calendar year. While we’ve not yet seen a full picture of the financial impact of these cybercrime activities, Marsh recently reported an 80% increase in cyber claims over last year. It’s sickening that cybercriminals are exploiting individuals and small businesses in this vulnerable time. And with the increase in claims activity, there will likely be significant impact to cyber loss ratios for carriers, which will likely drive rate increases and hardening of the market.

Emy Donavan: Because of the pandemic and related safety measures, all businesses, whether it’s manufacturing or financial or retail, are more reliant on technology. As a result, cyber risk exposure has increased in lockstep as more employees are working from home. We’re seeing two things as a result. First, companies that might have been planning for an increasingly remote work force over a period of time saw that shift happen all at once with a sudden increased exposure. Most SME businesses don’t have the in-house CISO or enterprise resources to protect against new risks, so they’re trying out cyber insurance for the first time. In those cases, we’ve seen that there is an unmet need in the market with CISOs reporting that they want additional coverage for work-from-home vulnerabilities. On the other hand, property rates are going up, and for some companies, that might impact monies earmarked for cyber insurance. This is particularly true and possibly somewhat painful for the first-time cyber insurance buyers, where the risk
manager is looking for funding for a new line item at the same time that the prices of their existing coverages are all going up.

TOP CYBERSECURITY TIPS FOR WORKING REMOTELY
Keep in close contact with your employer
Use what’s in your company’s tech toolbox
Control the impulse to improvise
Stay current on software updates and patches
Keep your VPN turned on
Beware of coronavirus-themed phishing emails
Develop a new routine
Source: Emerging Threats 2020, Norton

Shannon Groeber: While the massive influx of remote working has woken many businesses up to their cyber risk and the fact that they can actually transfer the risk of their systems being down to a cyber policy, it’s equally creating more opportunity for cybercriminals – in fact, this new era of remote or even partially remote working couldn’t be a better situation for them. Employees are working on potentially insecure devices, working through RDP without multi-factor authentication implemented, and businesses may not have implemented any additional training to help them spot potential scams. With that in mind, there are three main areas that brokers should look to cover when speaking to clients about cyber during this time: remote log-in capabilities and security, like multi-factor authentication; employee training on spotting phishing scams; and incident preparedness.

A few questions might be: Was the client able to switch to working remotely with minimum disruption, or were they having to implement new and untested methods to access the office remotely? Are most software and services being used cloud-based, or are they having to look at a potential migration? Do they still have any legacy systems in the office? Do they have an incident response or business continuity plan, and have they discussed how they would carry out that plan remotely?

If there’s anything to take away from this for clients, it’s that the rapid increase in cyber claims is by no means just a COVID-19 issue – claims were already well on the rise prior to the current landscape, and we expect this trend to continue as businesses become increasingly reliant on their intangible assets. There’s often an assumption that COVID has led to a significant increase in the frequency of cyberattacks – and while we may be in a period of the calm before the storm while many businesses still aren’t fully operational to have discovered an incident just yet, what our cyber claims team has noted is that the severity of cyber attacks is much more impactful than what we were experiencing pre-COVID-19. The likelihood of companies falling victim to these scams in a vulnerable and remote working scenario is greater, and getting back up and running after a crippling cyber event becomes all the more complicated. That said, the staggering unemployment rate in the US, as well as the frequency of small business closings as a result of the COVID-19 response and restrictions, helps put into context the increase in frequency and severity of claims perpetrated on a much smaller number of businesses and employees. As businesses rush to reopen under loosening guidelines, we would expect to see the trend continue.

Jack Kudale: The pandemic, with its increase in remote work, has resulted in an increase in cyberattacks for businesses across all industries. It has also fostered an environment dominated by fear and uncertainty for both businesses and individuals. In the commercial insurance market, the traditional distribution model has been completely disrupted. Small and large agencies alike had to rapidly transition from face-to-face engagements with their clients to a remote model. This has been a significant opportunity
for Cowbell Cyber – from the beginning, we designed our solution to support a 100% online insurance process. From the first interaction to the policy being issued, all interactions can occur online. Everybody benefits: The process is simpler and faster for the policyholder and the broker with expedited onboarding, simplified application, and a quote prepared and customized in a few clicks, supported by instantaneous binding. The demand for cyber insurance is soaring beyond contractual obligations and fear, with significant interest in standalone and admitted cyber insurance products. The shift started before the pandemic and was validated by A.M. Best’s market report on cyber, showing premiums for stand-alone policies already growing twice as fast as for packaged cyber in 2019. Cyber-savvy businesses are dropping the old model, where cyber was being bolted onto another commercial insurance policy for transaction simplicity, to a new model where cyber coverage is delivered on stand-alone papers and comes with
value-added services. Bundling risk quantification and cyber coverage is becoming the new norm for cyber. This not only brings transparency to the insurance process, but also invites policyholders to be proactive about improving their security posture and reducing risks.

What are the most common causes of cyber claims, and how can brokers help companies prevent and mitigate these risks?

Emy Donavan: Ransomware, ransomware, ransomware. Unfortunately, it has reached epidemic status – comprising up to 40% of cyber insurance claims – and it continues to get worse, not only in frequency but also in the demands themselves, which have gone from four- or five-figure sums to multimillion-dollar amounts. What’s more, perpetrators are not just encrypting data anymore, but are threatening to make it public, turning ransomware into triple threat attacks: business interruption, extortion and a data privacy event all at once. We are also still seeing major data breaches impact various customers and supply chains and business email compromise such as invoice scams. Finally, we’re seeing claims come from class-action liability and violations of data protection regulation in North America and Europe. These have the potential to especially impact middle-market companies, which may not be prepared for compliance.
Brokers should be well positioned to help quantify any risks the company might face and proactively negotiate coverage that is comprehensive, holistic and appropriate to specific client needs. In terms of mitigating risk, brokers should be encouraging clients to deploy security measures such as properly configured email gateway filters, cloud-based backup solutions and endpoint protection platforms.

TOP CAUSES OF DATA BREACHES
Malicious attacks: 52%
Compromised credentials: 19%
Cloud misconfigurations: 19%
Nation state attackers: 13%
Source: Cost of a Data Breach Report 2020, IBM Security

Jeremy Barnett: Globally, the most significant cyber claims seem to be consistently ransomware and business email compromise. Ransomware claims in Q2 2020 were up over 60% at an average of $178,000, per reports by Coveware, a global provider of ransomware incident response services. According to Munich Re, business email compromise – or forged business emails that lead to fraudulent payments – has doubled in the past year, and the average financial loss of these activities reached over $270,000. Brokers do an amazing job helping to educate their clients. They play a pivotal role in not only distributing cyber coverage, but in helping to shape the coverage by bringing valuable feedback to the carriers and reinsurers. In addition, brokers and agents can help their clients make the most of the policy they purchased by informing them of the value-added services carriers provide. Most robust commercial cyber policies include some type of online training for business owners, tools to assess vulnerabilities and
free consulting services from cyber experts to help create a data backup plan or incident response plan. Brokers are key to helping small businesses get proactive about managing their cyber risk.

Shannon Groeber: Ransomware shows no sign of abating, making up 31% of the total claims CFC managed globally last year and accounting for a third of those handled for US businesses. However, 2020 is showing us the emergence of one worrying trend when it comes to these attacks: We’re increasingly seeing criminals steal confidential information and then threaten to release it if ransomware demands aren’t paid. They’re also conducting more due diligence to determine the maximum amount an organization can afford to pay to determine how much they try to extort. So where ransomware was typically associated as being a business interruption or system damage concern, it’s now increasingly becoming a privacy concern, triggering notification obligations to customers and key stakeholders.

At the same time, we shouldn’t let the latest ransomware attacks distract us from the fact that run-of-the-mill phishing attacks, leading to business email compromise and wire transfer fraud, still make up a large percentage of claims across the globe, including for our US policyholders. And in the context of COVID, many businesses are spending thousands out of their own personal expenses to reopen, so the last thing they need is to lose their personal funds to a fraudulent third party.

Brokers play a crucial role in helping their clients mitigate against cyberattacks, the least of which is communicating to their clients that coverage is available by way of an affirmative, stand-alone cyber policy. Education is a very powerful tool, and brokers are the best-positioned individuals to help companies realize that the value of their intangible assets has now far outstripped their tangible ones. Regular communication is essential, using educational tools such as the cyber claims case studies we publish and the advisories we issue about the latest threats to help these companies better understand the very real risks that they face and how to avoid them.

Jack Kudale: Cyber crimes and ransomware attacks that result in damages such as business interruption, fraudulent fund transfer or invoice manipulation have soared during the pandemic, leading claims both in numbers and damage inflicted. Compromised data through data breaches
is no longer the only primary damage that businesses have to pay attention to. Brokers can help their clients by advising them to get cyber coverage in the first place, but also to select a stand-alone program that explicitly covers the range of cyber incidents that are targeting businesses nowadays, while steering them away from programs that are solely focused on data breaches. Upfront clarity in the policy and coverage wording directly translates into a better experience for policyholders when, unfortunately, a claim is filed. More attention is being placed on claims, especially for ransomware. The recently issued advisories on ransomware from the US Department of Treasury through the Office of Foreign Assets Control and the Financial Crimes Enforcement Network require ransomware victims, forensics and incident response firms, third-party claims processors, and other financial institutions to focus on potential sanctions associated with the payment of ransom and its facilitation by themselves or on behalf of their customers.
Which client groups should be the target markets for cyber insurance this year? Emy Donavan: The short answer is that cybersecurity impacts every industry. However, some industries were hit with
data breach attacks earlier on, and they are more ahead of the game with cyber insurance coverage. Right now, we are looking at manufacturing and construction, which have both been skeptical of and underserved by cyber insurance. At the same time, both of these sectors have the potential to be shut down by security events, particularly as we move deeper into the age of 5G network and the Internet of Things, which create more risk. We as an industry need to better communicate the value of how cyber insurance can guard against catastrophic loss. While the financial services industry has always been served by cyber insurance, we need to continue to focus on this sector as well, particularly with smaller companies that might not have budgeted for cyber insurance in the past. Jack Kudale: The small and mid-sized business (SMB) segment – defined as business up to $250 million in annual revenue – has traditionally been underserved, while also outperforming any other segment of the cyber insurance market in terms of growth, loss ratio, and frequency and severity of claims, according to Aon’s 2020 US Cyber Market Update report. Most important in this market is the need to deliver clarity of coverage and relevant policies that are tailored to the unique needs of the business in terms of limits, deductibles and risks covered. As SMBs demand lower premiums than large enterprises, it is also imperative to deliver such customized policies at speed, but with accuracy. The SMB market is a perfect fit to drive the digitization of cyber insurance with simplified insurance applications and the use of technology, data and artificial intelligence to bring speed, accuracy and consistency in the quantification, selection and pricing of the risk covered. Cowbell’s 2020 research report on the adoption of cyber insurance in the SMB market shows that 65% will likely spend more on cyber insurance in the next two years. 
AVERAGE COST OF A CYBER INCIDENT BY BUSINESS SIZE
Small and medium-sized businesses: data breach $178,000; legal $181,000; crisis services $112,000
Large businesses: data breach $5.6 million; crisis services $3.8 million; legal $2.2 million
Source: Cyber Claims Study 2019, Diligence

The 2020 wave of cyber incidents is also reaching new industries beyond those that have been obvious targets for cybercriminals – financial services, healthcare, retail –
because they process sensitive information. There is an increased demand from manufacturing and construction businesses for cyber coverage relevant to their sectors, such as missed bid and contractual damages, as they are more and more targeted by cybercrime and also serve clients that are now making cyber insurance mandatory. Jeremy Barnett: A recent CyberScout research study found that over 69% of small businesses do not have cyber liability coverage. Carriers, reinsurers, brokers and consultants should not only see the economic opportunity of catering to the SMB market, but also an obligation to protect them. No longer is it enough to have a robust commercial GL policy. Standalone cyber protection is still very affordable, especially in light of the increasing costs of cyberattacks. Cyber insurers also need to start to evolve their personal lines products to include cyber coverage and services. Homeowners are more vulnerable than ever to a wide range of cyber-related risks: online fraud, identity theft, cyber bullying and extortion. No longer is the ‘identity protection’ endorsement sufficient to provide support, as the FBI has seen a sharp
increase in consumer complaints – almost 500,000 in 2019. The FTC reports a 23% increase in email fraud. Thirty-seven percent of families report that their children have been bullied online. Online fraud targeting seniors has increased 28%, costing our aging parents and grandparents over $800 million in losses. Shannon Groeber: Cyber risk was, for a long time, synonymous with privacy risk; this class of insurance grew in large part as a way of managing the risk associated with growing privacy legislation. However, while privacy is still an important part of cyber policies today, it would be misleading to say that only companies with a privacy exposure have a need for cyber. In fact, the nearly ubiquitous use of technology to run businesses today – whether using wire transfers when dealing with suppliers, storing valuable IP on computer systems or using technology to fulfill business-critical functions – means that nearly all businesses in all industries have some form of cyber exposure and therefore a need for affirmative coverage. Ironically, the businesses that are probably most at risk are those that don’t think they have an exposure because they think
they are too small, too secure or too unlikely of a target. A good example of this is the construction industry, which is one of the industries that thinks they’re the least likely exposed, yet is one of the industries that has the highest source of claims activity by frequency at CFC. Regardless of whether you hold any data or not, almost all businesses make and receive payment using wire transfers. These businesses are also less likely to have adequate security or train their employees. They generally lack an incident response division and are likely to still be collateral damage in large-scale cyber attacks where they’ve outsourced their IT services to big-name providers, who are increasingly the target of attacks impacting thousands of businesses globally. Collectively, this makes businesses a prime target for cybercriminals on the lookout for low-hanging fruit.
What features should agents and brokers look for in a cyber policy?
Jeremy Barnett: The most important features of the cyber policy are actually the
services that accompany the policy. From claims handling to policyholder education, IT forensics to ransomware solutions, brokers should distinguish the good from the great based on their ability to service their clients. Brokers should be asking: How many cyber claims staff do you have? How many cyber claims have you handled in the past three years? Who are your go-to incident response service providers? Do you offer proactive consultation to my clients? Is there a call center for my small-business customers? The moment of truth for any insurer is the service they provide to their policyholder during a crisis. Brokers should feel confident in a carrier’s ability to provide expert support, quickly and thoroughly. Emy Donavan: Cyber is a complex risk, and it can manifest in many different ways, so you want a policy that responds to all of them. Brokers should always look for comprehensive coverage that covers both first-party and third-party risk, as well as business interruption, hardware replacement, liability and defense costs, and crime. Brokers can look for other key features
that are not typically standard to increase coverage. One is treating the waiting-period deductible as a franchise, which can be helpful to some clients. Another is coverage for invoice manipulation or fraud. We’re starting to see the market respond with coverage there. Some coverage for cybercrime to supplement the stand-alone policy can also give more wraparound support, especially for extortion threats, data recovery costs and the like. Shannon Groeber: Cyber wordings are incredibly broad across the market right now and are becoming more uniform over time. More recently, however, brokers have really started to make the switch from comparing and contrasting wording technicalities between carriers to emphasizing the credibility of the claims solution that sits behind it instead – and it’s worked to their advantage, with clients understanding that the policy, in essence, works as a service without losing sight of the overall message. This means that the real differentiator in this class in terms of strength of the product and longevity of a cyber insurer is quickly becoming the
claims service behind the policy. One of the common objections we hear clients say is that they’ve invested in their IT infrastructure and therefore don’t need to purchase a cyber policy. Very few, however, realize the value that a set of cyber experts brings and that this expertise comes free with a policy. If we’ve learned anything from handling previous claims, it’s that IT departments are very different from incident response teams – and incident response can complement what IT already does very well from a different angle or, for smaller businesses, provide the full end-to-end solution in the absence of a CISO or IT division. A well-staffed, in-house cyber incident team with ample experience dealing with these threats is therefore a must. These will be the experts on the other end of a call who bring a well-rounded wealth of expertise, from technical to legal assistance, and who will know the most about ransomware variants and ransom demands, recovery from compromised business email accounts, and privacy obligations. And this knowledge and experience from a technically led approach ultimately leads to quicker recovery and less material impact to the business. When trying to find out whether a cyber insurer has the capability to handle the wide range of cyber threats now emerging, here are a few questions you can ask: Is the insurer established in the class, and do they have global reach? Does the insurer have internal cyber claims capabilities, or is everything outsourced to a third-party vendor or law firm to triage? Is crypto currency kept on hand in order to ensure a timely ransom can be paid if the insured has made that decision? What process do you have in place for checking sanctions to determine whether the insured is paying a sanctioned entity?

“Brokers have really started to make the switch from comparing and contrasting wording technicalities between carriers to emphasizing the credibility of the claims solution that sits behind it” – Shannon Groeber, CFC Underwriting

TOP CYBERSECURITY THREATS FOR SMALL BUSINESSES
1. Phishing attacks
2. Malware attacks
3. Ransomware
4. Weak passwords
5. Insider threats
Source: Expert Insights, 2020

Jack Kudale: The 2020 broker survey from Advisen and PartnerRe on cyber risk trends informs what policyholders care most about and what brokers should focus on. Key topics include clarity of coverage, relevant coverages and adequate limits, especially for business interruption. In order to best address these needs, brokers should work, first and foremost, with a stand-alone, admitted cyber insurance policy through a carrier that offers easy-to-understand coverages and focuses on transparency for the policyholders in terms of what is covered or not and how sublimits and the policy aggregate limit and sublimits get applied.
Coverages should explicitly address the many forms that cyber incidents can take – not just data breaches – and include ransomware, cybercrime and social engineering, and hardware-related damages, among other relevant coverages on a cyber policy. For example, a separate breach fund coverage can provide additional limits for credit monitoring, notification expenses, public relations or other common expenses incurred in the aftermath of an incident. Unique coverages such as cryptojacking and bodily injury and physical damage can close the insurability gap. In addition, speed in quoting, binding and activation should be a factor when comparing various insurance carriers. Continuous risk assessment, post-breach services and the development of direct carrier relationships are other factors that agents should consider when deciding between cyber insurance carriers. They should also avoid long paper applications, which are cumbersome, introduce delays
in the policy binding process and can result in policies written on unverifiable data. Cowbell excels at providing fast, full-coverage cyber quotes that offer transparency to agents and policyholders, which is a groundbreaking concept in the cyber insurance market. Cowbell combines risk data, artificial intelligence, automated workflow, coverages and policy management into a vertically integrated solution that empowers brokers to deliver standalone and customized policies, written on the most robust insurance forms and delivered in minutes. In a nutshell, Cowbell brings to life the concept of ‘cyber insurance 2.0’ that Willis Towers Watson coined in August 2019. This new wave of cyber insurance is described as bringing clarity and simplicity, flexibility, and relevance – all attributes that Cowbell Cyber delivers with Cowbell Prime, our stand-alone, admitted set of programs.
“Brokers new to selling cyber need to drop the jargon, drop the fear tactics and tell stories” – Jeremy Barnett, CyberScout

If agents and brokers are looking to sell cyber insurance to a client for the first time, what key points should they stress?
Jeremy Barnett: Brokers new to selling cyber need to drop the jargon, drop the fear tactics and tell stories. Whether they’re speaking to the local bike shop owner or the multinational electronics distributor, the best way to sell cyber is to share the stories of recent cybercrime victims. ‘Business email compromise’ doesn’t mean much to the buyer on the product marketing sheet. A story about the accounts payable clerk at the law firm who sent a wire for $200,000 to a fake but familiar IT vendor of the firm makes it more clear. Emy Donavan: The client should understand, first and foremost, that it’s not a matter of if but when. No one is immune
to cybersecurity risk. We’ve heard IT teams say that their companies should invest that money on in-house security instead of a policy, but what we know is that even with the best security, you can only secure against 80% of incidents. It’s not about a magic bullet, but about a risk transfer – you need insurance to cover that additional 20% of latent risk. Additionally, when we think about the current challenges companies have with the increased risk exposures of workers at home, cyber insurance may be more necessary than ever before. Cyber risk is an extraordinarily complex problem that has too often been siloed between departments. Brokers should stress that the cyber insurance market pays claims – it has a track record that should be lauded, and it can be relied upon in the future.

CCPA AT A GLANCE
When it went into effect on January 1, 2020, the California Consumer Privacy Act (CCPA) became the strictest state-level privacy and data protection law in the US
CCPA sets a new bar for businesses that collect and share the personal data of California consumers
Companies can be fined up to $7,500 for each data privacy violation
In the case of theft of data, companies are liable for fines of up to $750 per consumer, per incident

Shannon Groeber: Our experience has taught us that before any specific coverage is discussed, clients first need to understand that they have a real exposure, and it needs to make sense for their business, as these exposures vary by industry. For example, if they hold a lot of sensitive data, then the conversation might focus on their privacy obligations; if they send or receive a lot of wire transfer payments, the conversation might center around cybercrime; if computer systems are critical to their day-to-day operations, then brokers should be talking about business interruption. Our broker partners who are actively
using our Connect cyber platform are quickly seeing success in selling the coverage as a result of this, as we’re able to provide industry-specific claims profiles, based on what their specific client is doing, alongside their quotations. When moving on to discussing the coverage that is available to address these risks, it’s also useful to relate cyber to lines of insurance that novice buyers are more familiar with. With kidnap & ransom policies, for example, you’re buying access to someone with expert negotiation skills who will get on the phone to negotiate a ransom – and cyber policies operate the same way, only it’s your computer systems held hostage, so you want to make sure the person picking up the phone is best-in-class. There are also several parallels with traditional crime policies. Extorting companies, stealing data and socially engineering employees into handing over money are all various forms of crime and really serve as an example that crime has just shifted from the physical to the electronic. Jack Kudale: Brokers should take the time to clearly articulate the coverages provided by the policy and highlight, based on the nature of the business of the insured, the most important coverages and parameters. In support of these efforts, insurance forms need to be clearly worded and avoid any ambiguity on what’s covered or not. For example, with many workers connecting to their office from home, a cyber policy relevant for 2020 should explicitly clarify whether the use of personal devices, WiFi networks and other work-from-home tools is covered and under which conditions. There is also an opportunity to engage the policyholder beyond the policy transaction and communicate the additional services and value the carrier might provide to policyholders throughout the policy life cycle. 
In the case of Cowbell, we give policyholders an opportunity to get value from the use of the platform even prior to the policy documents being generated and every day after the policy is being signed. Cowbell Factors rate risks based on hundreds of company-level data points
and security observations unique to each business. These are continuously updated to deliver indications related to any change in a business’s security posture. Similarly, Cowbell Insights build on the Cowbell Factors to deliver recommendations to fix cyber exposures. With a cyber policy, Cowbell not only delivers financial protection against a wide range of cyber incidents, but also invites businesses to proactively remediate security weaknesses to prevent any such incident. Finally, brokers should educate their clients about the concept of silent cyber – how packaged cyber and other policies are subject to many exclusions when it comes to cyber coverage. The many forms of cybercrime and social engineering – or business interruption, depending on the cause – might not be covered. These are just two examples where a fine review of policy documents is incredibly important.
How have data privacy laws like CCPA and GDPR impacted commercial cyber exposure? Have there been many claims? Are companies well protected?
Jack Kudale: The CCPA regulation impacts businesses in California that generate more than $25 million in gross revenue worldwide, process more than 50,000 records annually or derive more than 50% of their annual revenue from selling consumer personal data. Similarly, EU GDPR impacts all businesses serving EU residents and processing EU residents’ personal information. Due to the growing number of regulations that aim to protect consumer data privacy and security, companies are exposed to stricter regulatory standards with regard to a data breach involving sensitive data. Brokers should be diligent in explaining to their clients the range of activities and
expenses that they might face after a data breach. Most regulations impose tight deadlines on the need to notify impacted parties. Audits might be triggered and lead to penalties for non-compliance to regulations. Lawsuits might follow. Brokers and insureds should be aware of the long tail of post-incident activities that they might have to engage in and examine whether their current policy will deliver the right level of financial protection. In general, a stand-alone cyber policy will deliver a more comprehensive set of coverages, addressing a variety of incidents and covering all types of post-breach activities, from first-party loss and first-party expenses to third-party liability, including regulatory penalties and expenses. In summary, CCPA and GDPR endorsements to a stand-alone cyber policy are best suited and aligned to claims scenarios. Emy Donavan: By and large, it’s still
early days for these regulations, and to some extent, insurance partners are still waiting to see what regulators and attorneys are going to do next. Companies need to be sensitive to the fact that these statutes impose requirements about cybersecurity that are becoming the guiding standard. With GDPR, we are starting to see some major impacts, and the fines may or may not be insurable, depending on which countries they are levied in. In the United States, more attorneys general are getting involved with cyber security as well. At the same time, we haven’t seen the full results of CCPA yet, as it was just recently implemented, and there is not enough infrastructure to fully enforce it. I don’t think anyone is really ready for CCPA. It’s going to take time to get compliant, and that’s a long-term process. Shannon Groeber: Both CCPA and GDPR certainly brought about an increase
in the awareness of cyber policies as a method of risk transfer for businesses; however, with regulatory fines very few and far between – particularly for businesses that don’t hold significant PII like retailers or financial institutions do – there hasn’t been any meaningful claims activity for the everyday business. In fact, less than 4% of the cyber claims we see at CFC are as a result of any third-party or regulatory action being brought forth. Despite the less-than-anticipated fine implications of these new regulations, these privacy laws have done a tremendous job in increasing the profile of cyber insurance within organizations, which understand now just how fines could be covered under a policy, and also how all of the tangential expenses and costs associated with a regulatory violation or investigation can be supported through a properly structured cyber insurance program. What is interesting to note in recent months, however, is how privacy laws have interacted with newer variants of ransomware that exfiltrate sensitive data to entice companies to pay their demands. Ransomware was always considered a severity-driven event long before data exfiltration, and it’s easy to see why when you add up the business interruption costs for loss of profits per day and re-creating potentially sophisticated and complex networks completely from scratch – not to mention paying the demand itself, which some companies have little choice but to do without appropriate backups. Now, with confidential data at stake, it’s brought in implications for having to conduct due diligence to determine whether data was viewed or exfiltrated by the criminals. As a result, businesses could have to bring in costly legal services to draft and issue appropriate notification to customers in accordance with privacy guidelines.
The impact we’re seeing on policyholders as a result is very rarely fines and penalties, if ever – but very much so the reputational damage from their customers no longer wanting to do business with them as a result of the notification, something that cyber insurance policies are able
to provide a solution for.

“Brokers and insureds should be aware of the long tail of post-incident activities that they might have to engage in and examine whether their current policy will deliver the right level of financial protection” – Jack Kudale, Cowbell Cyber

Jeremy Barnett: I believe this is the next frontier of cyber education, protection and losses. The world has been, ahem, distracted since CCPA went into effect in January 2020. And our clients in Europe are quite concerned about the growing regulatory pressure and enforcement of GDPR. While we’re not yet seeing much claims activity, we are seeing new ways that insurers are helping their clients become prepared and compliant. New tools and services from companies like Apomaya and Clarip are designed to help companies understand some of the ways their web properties may be violating their own privacy policies. There’s a stew of third-party apps and cookies that are collecting, storing and sending individuals’ data all over the world. With films like Netflix’s The Social Dilemma gaining in popularity, perhaps 2021 will be the year that we look more closely at privacy, data collection, data brokering and how new government regulations will be enforced.
A new day for cyber insurance – and a better night’s sleep for clients. Now that’s Resilience.
When it comes to cyber risk, you need to be prepared for tomorrow’s risk – not yesterday’s. At Resilience, we make this possible by collecting and assessing millions of data points through our Cyber Meteorology framework. Combining this robust, real-time data with decades of experience, our experts then provide safeguard recommendations and clearer, forward-looking quotes – helping you build resilience of your own. Talk with us today to learn how we’re bringing a game-changing approach to cyber insurance, and greater confidence to clients everywhere.
resilienceinsurance.com