Like the Property and Casualty insurance market in general, the market for Cyber Liability Insurance was already hardening when 2020 began. Then the COVID-19 pandemic hit.
Offices emptied, their former occupants shifting to work-at-home arrangements, including remote access to company networks. The trend toward dominance in online commerce accelerated, as stores and restaurants limited occupancy or closed their doors altogether. And as cyber exposures increased, growing numbers of cyber criminals skillfully preyed on the vulnerabilities.
Data breaches and ransomware attacks increased in frequency and severity across all industries. Claims grew exponentially. According to the 2020 edition of the annual Cost of a Date Breach Report by IBM and the Ponemon Institute, the average cost of a data breach between August 2019 and April 2020 was $3.86 million.
The news hasn’t gotten any better since the report’s release last July, with three national and global events illuminating a spotlight on cyber risk:
- A surge in COVID-19 cases coinciding with cyberattacks on healthcare providers;
- An attack, believed to be tied to Russia, on U.S. government networks, infrastructure and the private sector through SolarWinds software;
- Widespread, cyber-driven unemployment fraud, which spiked in late spring 2020 with the passage of new federal relief legislation and has continued virtually unabated.
Needless to say, the Cyber Liability Insurance market isn’t likely to soften in 2021.
But here’s a point that cannot be understated: Despite rising cost, stricter underwriting and decreased limits, Cyber Liability Insurance remains a good value. Given heightened risks, range of coverage and relatively low price, Cyber Liability is insurance you can’t afford not to have.
Outlook for 2021
To review, here are the key takeaways regarding Cyber Liability in Alera Group’s Property & Casualty 2021 Market Outlook:
► Insurance companies are not exiting this business; they’re just pulling back. A wide range of companies still wants to write cyber liability. Companies are raising rates an increasing deductibles to keep pace with claims, tightening up policy wording and being cautious about how much capacity they allocate to any single account.
► Heavily exposed industries should expect to see higher than 10% rate increases. These industries include healthcare, public entities, education, tech companies and financial institutions.
► The trend is towards standalone cyber policies rather than package protection. As concerns about cyber risk grow, buyers and insurers want clarity and specificity on what protection is being offered.
► Managing risk is key. Insurers want to know that clients have adequate security in place and have a solid backup plan in the event of an attack or system failure. Clients should anticipate the request for documentation on their policies and procedures.
While we stand by this outlook, it’s important to remember that the insurance marketplace is dynamic, its characteristics influenced by multiple factors. Those recent events affecting the Cyber Liability market are prime examples.
COVID-19, Cybercriminals and Healthcare
In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the U.S. Department of Health and Human Services (HHS) issued an alert that cybercriminals were treating the coronavirus pandemic as an opportunity to heighten attacks on healthcare providers and public health agencies. The agencies, as Healthcare IT News reported, specifically cited the threat of attempts to “infect systems with Ryuk ransomware for financial gain” on an unprecedented scale.
As if to verify the validity of the warning, on the same day the agencies issued the report, a breach at the University of Vermont Medical Center shut down its phone system, internet access and entire technical infrastructure. As a result, the hospital had to cancel elective surgeries and suffered losses averaging about $1.5 million a day, causing it to furlough employees for several weeks.
In reporting on the incident, Insurance Journal noted that the pandemic has made facilities such as the UVM Medical Center face a heightened risk of cybercrime: “With COVID-19 infections and hospitalizations climbing nationwide, experts say healthcare providers are dangerously vulnerable to attacks on their ability to function efficiently and manage limited resources.”
Pervasive Effects of the SolarWinds Breach
Believed to have been launched last spring and discovered in early December, the SolarWinds breach by foreign actors believed to be Russian agents is ongoing still and may be for years to come. In its January 2 story on the growing alarm over the breach the New York Times reported:
Three weeks after the intrusion came to light, American officials are still trying to understand whether what the Russians pulled off was simply an espionage operation inside the systems of the American bureaucracy or something more sinister, inserting “backdoor” access into government agencies, major corporations, the electric grid and laboratories developing and transporting new generations of nuclear weapons.
At a minimum it has set off alarms about the vulnerability of government and private sector networks in the United States to attack and raised questions about how and why the nation’s cyberdefenses failed so spectacularly.
Obviously, insurance underwriters will be monitoring the fallout from the SolarWinds Breach closely.
A coronavirus-fueled surge in unemployment and a federal program designed to get relief to the unemployed as quickly as possible led to a boom in unemployment fraud that began last spring and is still resounding. In addition to filing fraudulent claims in the names of people actually employed full-time, cybercriminals have been capitalizing on Pandemic Unemployment Assistance, which the Times describes as a “federally funded program for part-time workers, the self-employed and others ordinarily ineligible for jobless benefits.”
By the end of 2020, domestic and foreign fraudsters had claimed at least $36 billion in funds intended for out-of-work Americans. USA Today reports: “In addition to the crushing volume of legitimate claims during COVID-19 and public pressure to speed up payments, mobile banking apps and prepaid debit cards issued by some state unemployment offices paved the way for fraud (in 2020), security experts said.”
In an infographic accompanying the USA Today story, the publication describes the five parties involved in a typical case of cyber fraud involving unemployment claims, including the identity-theft victim:
Victims typically have no idea the scam is happening until they receive a notice from state unemployment officials or their employer alerting them that someone has filed in their name. They often struggle to clear the confusion – and if they do become unemployed, will struggle to set up a real profile in the state program.
In addition to creating time-devouring headaches for employers and employees, the scams have cost cash-starved states hundreds of millions of dollars each.
What You Can Do
Because most Property Insurance policies now provide little in cyber coverage – if they cover cyber liability at all – Cyber Liability Insurance is essential. A tale of two companies illustrates why.
The first company, a $50 million global entity, repeatedly refused advice to purchase a cyber policy for between $5,000 and $7,000. After a ransomware attack cost the company about a month’s worth of work and replace its servers, the company received a small claim from its Property policy but suffered a net loss of about $75,000.
The second company suffered a similar ransomware attack but had cyber coverage. The hackers’ demands: $250,000 in bitcoin. Insurance covered the ransom. The company was back up and running in 24 hours.
So, while costs have risen and many limits have been reduced – say, to $250,000 from $1 million in coverage – it’s important to work with your broker on marketing your organization rather than dropping coverage because your current carrier has introduced a massive jump in premium.
A client recently threatened to drop its cyber coverage when its carrier raised the premium on its policy from $2,500 a year to $17,000. Such reaction was understandable. But given the opportunity to market the coverage, we were able to broker a policy for $3,000 – an increase, to be sure, but a relatively modest one for the coverage Cyber Insurance provides.
These days, some form of cyber breach of your organization is all but inevitable. How you respond is critical. To guide you through the process, Alera Group has produced a whitepaper titled “The Importance of Cyber Resilience.” Inside, you’ll find a step-by-step guide to limiting the impact of a cybersecurity incident. In addition, on April 28, Alera Group will host a webinar, “Cybersecurity: Breach Preparedness,” outlining what to do to protect your business before a breach and what to do afterwards. I’m confident you’ll find both resources helpful.
About Christopher Breck, Senior Vice President, Alper Services
Chris Breck began working at Alper Services in 1989 and is now a Senior Vice President managing the day-to-day insurance and business needs of many of Alper Services’ oldest clients. He specializes in delivering alternative risk solutions, including captive insurance programs. Chris maintains a broad industry focus that includes manufacturing, service, retail, healthcare and nonprofit organizations.