P&C the November 2021 issue

Fending Off the Lions

A late start and missteps by government, insurers and businesses have uncaged cyber criminals. Can we regain control?
By Jody Westby Posted on November 1, 2021

According to Mordor Intelligence, the size of the global insurance market is expected to grow from $7.36 billion in 2020 to $27.83 billion by 2026, with compound annual growth rate of 24.3% for that period.

A report released in May by the U.S. Government Accountability Office (GAO) indicated that uptake rates for Marsh McLennan clients nearly doubled in the five-year period from 2016 to 2020, going from 26% in 2016 to 47% in 2020. According to AdvisorSmith, 2.2 million cyber insurance policies were written in the United States in 2016, a figure that rose to 3.6 million in 2019. Although the number of cyber insurers increased 35% from 2016 to 2019, the cyber insurance market is fairly concentrated, with 10 carriers receiving about 70% of cyber premiums.

An increase in cyber attacks on organizations of all sizes has stressed carriers’ portfolios.

With cyber losses outpacing rate hikes, a recent report suggests “more trouble…as ransom demands continue to grow.”

The global pandemic forced many businesses to admit they had failed to prepare for such a catastrophic event.

This boon for brokers and agents has, however, turned risky for insurers. The increase in cyber attacks on organizations of all sizes in 2020 and 2021, particularly ransomware, has caused a steep increase in claims and stressed carriers’ portfolios. In a recent market update, AdvisorSmith noted, “With the rise in attacks and risk exposure for insurers, major changes have started to take place in the cyber insurance market, beginning in 2020, and carrying through to 2021.” This dynamic has created tension in the market as insurers have increased premiums and changed underwriting practices and reinsurance companies have become more hesitant to insure aggregated portfolios.

Sobering But Realistic

In the January 2021 Harvard Business Review, Tom Johansmeyer, head of Property Claims Services for Verisk, saw trouble headed for the cyber insurance market. Noting the increase in the sophistication of attacks, the inclination to pay ransomware demands, and the favorable geopolitical climate for cyber criminals, Johansmeyer correctly noted that boards and executives have pivoted toward cyber insurance to manage a looming risk. As the demand for coverage increased, so did the amount of cyber protection available. This trend put carriers at risk of losses exceeding premiums.

Indeed, as a recent report by A.M. Best noted, “The increase in cyber losses outstripped the rate hikes, which suggests more trouble for 2021 as ransom demands continue to grow.” Citing ransomware, business interruption and aggregation, A.M. Best warned that “prospects for the U.S. cyber insurance market are grim.” Similarly, Fitch Ratings cautioned the direct loss ratio for stand-alone cyber rose to 73% in 2020.

Johansmeyer noted there are about 250 companies that each purchase $200 million or more in cyber cover, comprising about $1.1 billion in premium (20% or so of the estimated $5 billion in global cyber premium). According to him, just five large insured losses would eradicate a full year of premiums, but “it would likely take decades for insurers to earn back such losses.” Johansmeyer calculated the 500 or so companies that buy $100 million to $199 million of cyber coverage annually represent a quarter of the global cyber premium. But, he cautioned, “it would only take a handful of losses to wipe out the $1.44 billion in premium they generate.” This is not fearmongering; it is realistic.

There are real concerns that a large-scale attack on critical infrastructure may have aggregated losses that are unsustainable for a carrier. We are examining what role the government could have, if any, on backstopping such losses.
John Pendleton, Director of Financial Markets & Community Investment, U.S. Government Accountability Office

Remember the 2017 NotPetya attacks? They brought down Maersk, Merck and a unit of FedEx for at least three weeks, causing each company to publicly admit their business interruption (BI) losses were at least $300 million. Merck later estimated its losses in regulatory filings at $870 million, but they went up from there. Merck sued carriers Allianz and AIG after they balked at paying its BI claim on grounds it was an act of war since the U.S. government had publicly blamed Russia for the attacks. Merck ultimately won $1.3 billion in court to cover its losses, but this case does not represent a worst-case scenario.

Guy Carpenter released a study in 2019 that looked at cyber-catastrophe scenarios. The purpose of the study was “to provide a realistic reflection of the potential losses that the U.S. cyber insurance market could face today.” It concluded that the costliest scenario would be widespread data loss from a leading operating system provider, resulting in a loss up to $23.8 billion. An attack on a major email provider was estimated at $19.1 billion. Other large exposures with the potential of high losses involved large cloud service providers:

            Large-scale data loss:            $22.2 billion

            Long-lasting outage:             $14.3 billion

            Large-scale ransomware:     $11.5 billion

The global pandemic forced many businesses to admit they had failed to prepare for such a catastrophic event—even though it was predicted. We do not have to wait for attacks on these large-scale vendors; they are happening now. Consider the 2020 cyber attack on SolarWinds that impacted 18,000 customers and the 2021 exploit of four zero-day vulnerabilities in Microsoft Exchange that impacted 250,000 servers globally, at least 30,000 of them in the United States and 7,000 in the United Kingdom. These large-scale events resulted in hearings in Congress, executive orders from the president, and widespread impacts on clients. One estimate claims the U.S. government and impacted companies will spend up to $100 billion to repair the damage from the SolarWinds attack; another group estimated $90 million, which seems unrealistic considering the number of organizations affected. Similar estimates for the Microsoft Exchange hack have not been calculated, but that attack certainly highlights the risk of third-party liability.

Johansmeyer warned the recent flurry of cyber attacks has caused insurers and reinsurers to become more skittish about losses. He noted that cyber insurers disproportionately rely on reinsurers, passing along approximately half of their cyber premiums to the reinsurance market, and this reliance is concentrated—four reinsurers get 60% of the premium. In light of the unrelenting cyber attacks in 2020 and 2021, reinsurers are simply finding insuring cyber liabilities less attractive.

John Pendleton, the GAO’s director of financial markets and community investment, and lead on the May report, says the GAO is working on a follow-on report examining potential losses from attacks on critical infrastructure, including those from a terrorist attack. “There are real concerns that a large-scale attack on critical infrastructure may have aggregated losses that are unsustainable for a carrier. We are examining what role the government could have, if any, on backstopping such losses,” Pendleton says. The insurance industry has advised the GAO it is uncertain whether the U.S. Treasury would certify a cyber attack as terrorism under the Terrorism Risk Insurance Act (TRIA) and expressed concern that a large attack could exceed TRIA’s $100 billion cap, leaving the insurer responsible for the remainder of losses.

It’s All About the Data

Insurers and reinsurers cite the lack of historical cyber-loss data as a major reason for the market uncertainty. The GAO also noted the lack of historical data and observed, “Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyber-attacks and price policies accordingly.” The GAO said, “Deloitte and the U.S. Cyberspace Solarium Commission suggest that access to data on cyber events would improve decision-making for insurers as it relates to modeling and pricing.” The federally chartered Solarium Commission suggested that Congress establish an entity to collect cyber event and loss data to help the insurance industry better understand cyber risk and create better risk modeling. That suggestion seems to ignore that this is a private-sector function that has been handled very well by the insurance industry for over 100 years.

The insurance industry has deep expertise in actuarial science and should have been building data repositories of policies and claims over the past 15 years. Since cyber was a new area of risk without underlying repositories of probability analysis and statistics, the industry should have known it would need an informed basis for underwriting. The initial pressure to grab market share may have encouraged lax underwriting, but there is no excuse for not collecting and analyzing data along the way. Warren Buffett told his investors in 2018, “I don’t think we or anybody else really knows what they’re doing when writing cyber.” He further said that cyber risk carries about a 2% chance every year of a super catastrophe that could cause $400 billion or more in insured losses.

Taking a step in the right direction, seven of the leading cyber insurers—AIG, Axis, Beazley, Chubb, The Hartford, Liberty Mutual, and Travelers—came together in June 2021 to form CyberAcuView, a company that will serve as a repository for cyber data and advance best practices and risk solutions for cyber. “Combining resources from across the insurance industry will allow us to better understand cyber trends, anticipate and potentially mitigate future attacks, and help improve overall cyber resilience,” says CEO Mark Camillo.

Another gap in the data game is the difficulty companies have in understanding their own cyber risk. Some companies try to determine cyber coverage needs simply by multiplying the number of records they have containing personal data by some average cost per breached record to arrive at an estimated coverage amount. This approach does not work for BI losses and is only a reasonable calculation if an organization’s breach matches the representative size of breach used to calculate the average cost per record.

Combining resources from across the insurance industry will allow us to better understand cyber trends, anticipate and potentially mitigate future attacks, and help improve overall cyber resilience.
Mark Camillo, CEO, CyberAcuView

It is possible for companies to determine, with some degree of accuracy, the expected and maximum foreseeable losses from potential cyber attacks. This requires a full cyber-security assessment and an analysis of the organization’s operations, compliance requirements, technical environment, and financial data. This approach can be simplified for small to midsize businesses, but it is most effective for large organizations with revenues of $1 billion or more. The data that results from these exercises can be shared with brokers and agents and used as a guide in developing risk strategies. The Council provided input to the GAO on this issue and noted that (1) agents and brokers help their clients understand their risk and the impact of potential cyber attacks on their operations and (2) customers do understand the coverage they purchase and the limits of coverage.

Insurtech companies are leveraging technologies to identify cyber risks and provide tools and resources to help clients manage cyber risk. Corvus is one such “smart commercial insurance” company that uses proprietary technical tools, including artificial intelligence and machine learning, and threat intelligence data to assess and monitor a company’s cyber risk and help it prevent cyber incidents. “Our approach is akin to sending an inspector into a factory—but not just once a year,” explains Phil Edmundson, Corvus’s founder and CEO. “Our repeated presence can help prevent cyber events from happening.”

Corvus’s business model enables it to capture real-time data about its clients’ cyber-risk posture and build a data repository that helps inform its reinsurance program. “The lack of reinsurance capacity is contributing to rising prices in the cyber market,” Edmundson notes. To address this trend, Corvus developed a software platform that provides real-time reports on risk aggregation in a book of cyber business. “This provides the data and certainty that reinsurance has needed to support the cyber-insurance market,” Edmundson says.

Advisen was the early entrant in the cyber data field. Recently acquired by Zywave, Advisen is the leading provider of data on the cyber insurance market. “We have collected over 150,000 cyber-loss records from reliable and publicly verifiable sources that enable our clients to draw correlations and understand loss values,” says Jeffrey Cohen, senior vice president at Zywave. “The severity of loss values is only becoming more substantial, and it is not isolated to certain industries, company sizes, or geographies, making it all the more important to base decisions on actual data.”

The Evolving Cyber Insurance Market  

Statistics strongly indicate the cyber insurance market is evolving. The problem is no one seems certain what will happen, because it is evolving in the midst of a perfect storm of cyber crime.

  • Malware attacks have increased every year for the past decade, going from 12.4 million infections in 2009 to 812.7 million in 2018. On average, 240,000 new forms of malware are produced daily.
  • Over 18 million websites are infected with malware every week, thereby infecting users who visit the sites.
  • Some of the most sophisticated cyber-offensive tools developed by the U.S. intelligence community were released in five tranches by a hacking group called the Shadow Brokers in 2016 and 2017 and by Wikileaks through its Vault 7 in 2017. These are now available on the internet to every nation, terrorist, cyber criminal, hacker and bad actor. Some of this malware was used in the WannaCry and NotPetya attacks and was the beginning of the “clickless attack” that can exploit an unpatched vulnerability in software to enter a system, eliminating the need to trick someone into opening a document or clicking on a link to get malware on a system.
  • Russia, China, Iran and North Korea are the four most notorious nation-states engaging in cyber attacks, and they sometimes partner with cyber criminals or academics that work at their behest. These countries, especially Russia, also rarely take any action against cyber criminals in their own countries unless they attack local institutions.
  • The nature of packet-switching technology used in internet communications commonly routes packets of data through foreign jurisdictions, adding to the complexity of tracking and tracing cyber crimes. The internet knows no borders, but law enforcement, government officials and prosecutors have to stop at national borders and request assistance from each country.
  • The cyber-crime laws around the globe are inconsistent, creating procedural and substantive issues in cyber-crime investigations that commonly impede the tracking, tracing and prosecution of cyber criminals.
  • In the United States and globally, there is a gross lack of law enforcement personnel capable of conducting cyber-crime investigations. Many metropolitan police departments do not have personnel skilled in cyber investigations. Without law enforcement assistance, companies are left to their own resources, which often results in a dead-end investigation.
  • The pandemic forced remote working, creating new vulnerabilities and less monitoring of employees—gaps that cyber criminals quickly exploited.
  • Many companies have delayed implementing encryption of data, thereby enabling cyber criminals to see the data once they are in the system and to exfiltrate valuable personal, strategic and proprietary data.
  • Some companies stopped regular offsite backups in favor of replicated data at an alternate site or online backups. This enabled criminals to encrypt, corrupt or zero out replicated and/or backup data, as well as the operational data, preventing companies from restoring their systems after ransomware attacks.
  • Since many companies could not risk the exposure of their exfiltrated data on the internet and/or could not restore encrypted data, they paid ransom demands to stay in business and preserve their reputation. AdvisorSmith reported a 311% increase in 2020 in ransomware payments by organizations. Ransom demands went into the millions.
  • Consistent with their policies on kidnapping and ransom payments, many insurance companies are paying ransom demands for their insureds, provided the payments are legal. This, however, makes companies with insurance a target.

The threat environment is so sophisticated and the cyber criminals so relentless, the cyber insurance market is stretched. The market’s dilemma has caught the attention of Congress, as some members expressed concern to the GAO about the availability, affordability and stability of the cyber insurance market. The GAO report highlighted key trends in the current market:

  • Increased demand for cyber insurance; client uptake rate was 46%
  • Higher premiums; more than half of brokers surveyed said premiums increased 10% to 30% in late 2020
  • Reduced coverage limits by some insurers for certain industry sectors
  • A shift away from packaged coverage to stand-alone cyber policies, with more specificity on what is covered.

Marc Schein, national co-chair of the Cyber Center of Excellence at Marsh & McLennan Agency, notes changes in the way his clients—primarily from the upper-middle market, with $100 million to $1 billion in revenue—are approaching cyber risk.

  • The number of first-time buyers is increasing.
  • Buyers are asking for higher limits.
  • Companies are more aware of their cyber-security maturity and are investing more on risk mitigation and prevention.

Schein also notes that carriers are improving their underwriting processes and asking more detailed questions so they can better understand the risks associated with an applicant organization. “According to Marsh USA,” Schein says, “as of July 2021, we have seen a 77.5% increase in the primary price per million and an 85.6% increase on the total price per million.”

Robert Rosenzweig, senior vice president and national cyber risk practice leader for Risk Strategies, says carriers are being more selective in deploying capacity. For example, Rosenzweig says, carriers are putting restrictions on coverage or requiring certain controls, such as multifactor authentication, endpoint protection, and privileged access management, but the supply is still strong. He acknowledges there is pressure on rates, and he says some industry sectors, such as healthcare, retail, manufacturing and professional services, are being looked at more closely.

On a positive note, Rosenzweig says, “Companies are finding out that paying attention to cyber security has value in the cyber-insurance market. Clients who are willing to share data with the market, want to be partners with their carrier, and are committed to managing their cyber risk are getting broader coverage and are seeing rate increases at the lower end of the spectrum.”

The Path Forward  

The path forward will certainly be determined by a multidisciplinary group of stakeholders: policyholders, agents and brokers, traditional carriers, tech-enabled MGAs, underwriters, reinsurance companies, legislators, policymakers and associations.

The only way we are ever going to be able to turn the tide and stop cyber criminals from winning is for businesses to take cyber security seriously, implement a cyber-security program aligned with best practices and standards, monitor the effectiveness of their controls, and have strong governance of cyber risk by boards and executives. These are the companies that will conduct regular risk assessments, quantify their cyber risk, purchase only the insurance they need, and mature their cyber-security programs based on data.

Carriers, underwriters, and other tech-enabled cyber companies that build cyber claim/loss databases will improve policy coverage and underwriting processes through better data. The past couple of years have seen a shift of focus from personal data breaches to ransomware attacks. It has highlighted the need for carriers to understand the threat environment instead of simply reacting to it through rate hikes and control requirements.

It would be far more motivating to companies if carriers required cyber-security programs that are pegged to a standard. For example, the National Securities Clearing Corporation (NSCC), a wholly owned subsidiary of the Depository Trust & Clearing Corporation, requires its members (banks, brokerage firms and insurance carriers) to submit a Cybersecurity Confirmation to the NSCC at least every two years. The Cybersecurity Confirmation requires them to confirm they maintain a cyber-security program aligned with one of the main standards (NIST, ISO, FFIEC), which include risk assessments and appropriate controls.

Agents and brokers who help their clients determine their cyber risks and develop a risk strategy using a methodology that is aligned with best practices and standards will impact the market because their clients will be a lower risk. Additionally, it is likely that these clients will be eligible for lower premiums and higher levels of coverage and that they will be viewed favorably by reinsurers as part of an aggregate book of business.

Governments that work to improve multilateral cooperation in cyber-crime investigations and promote the adoption of consistent cyber-crime provisions will be better positioned to bring down cyber-criminal rings, indict cyber criminals, and improve the global safety of the internet. State and federal governments that develop common cyber-investigation training programs for law enforcement will also impact the cyber-insurance market, because cyber criminals will not be able to operate with impunity.

When legislation and policy cooperate with the insurance market, private insurers can better leverage technologies and develop new approaches to cyber-risk management, and market forces are allowed to work. That said, legislators and policymakers will positively influence the cyber-insurance market by ensuring that citizens are protected online, by developing standards to guide new innovations, and by securing critical infrastructure.

Associations that educate their members on cyber risks, inform their members about new legislative, regulatory initiatives and policy issues, and educate legislators and policymakers on their member preferences will also help shape the cyber insurance market. Stakeholders who come together to develop frameworks for action to counter cyber attacks help advance defenses across industry sectors and between public- and private-sector organizations. For example, the Ransomware Working Group, co-chaired by a multidisciplinary group of industry leaders, including Michael Phillips, chief claims officer at Resilience Insurance, produced a valuable report that provides recommendations for industry, government and organizations to help counter ransomware attacks.

Beware of Risks  

All stakeholders need to be aware of risks that can disrupt the cyber insurance market. Everyone needs to be cognizant of the risks associated with overreliance on technology, especially artificial intelligence, machine learning, algorithms and internet of things devices. When technologies are incorporated into the cyber insurance market, their use and risks need careful evaluation. Privacy impact assessments are useful in this regard, but so are targeted cyber-security assessments of how technologies will be used.

It is also important to keep a close eye on the biggest risk of all—the threat environment. Criminals continually change their tactics and tools, and they have the ability to upend the cyber insurance market. Organizations must be alert and adapt their system architecture, cyber-security programs, and operations to counter new threats and keep pace.

More in P&C

The Future of Workspace
P&C The Future of Workspace
Creating spaces employees want to come back to.
P&C Retail a Go-Go
Ghost malls give way to experiential retail.
Office-to-Residential Conversions
P&C Office-to-Residential Conversions
Building owners have a choice to make.
Not If but When
P&C Not If but When
Cyber attacks are becoming more frequent and severe—but few businesses are pre...
Sponsored By Ryan Specialty Group
Navigating Red Sea Risks
P&C Navigating Red Sea Risks
Q&A with Brook Styles, Head of Cargo at Markel, and Camilla ...
Cyber Attacks Tailored to Individuals
P&C Cyber Attacks Tailored to Individuals
As individuals’ lives are increasingly based on digital in...