Ripple Effects of Cyber Attacks
The current cyber threat environment is extremely dangerous. It involves cyber criminals and nation-states, often working together, launching multi-pronged attacks that leave companies offline for weeks.
The Allianz Risk Barometer 2021 quoted its CEO, Joachim Müller, in summing up the top three business risks: “Business interruption, pandemic and cyber are strongly interlinked, demonstrating the growing vulnerabilities of our highly globalized and connected world.” This linkage is, in large part, due to the reliance of all business operations on data and IT systems, a remote workforce, and the continued reluctance of businesses to spend money on cyber-security programs. This lack of preparedness is resulting in huge business interruption losses, primarily driven by ransomware.
Ransomware attacks have created a cyber pandemic. Beazley’s “2020 Breach Briefing” report said ransomware attacks increased more than 130% over the past year. In its “Ransomware Uncovered 2020-2021” report, cyber-security solutions company Group-IB noted that ransom demands averaged $170,000 this year and ransomware attacks caused an average of 18 days of downtime. That is three weeks of business interruption, folks.
As companies moved backups to the cloud and increased their reliance on vendors for enterprise applications and services, they often failed to update their incident response plans and ensure they had offsite backups. Cyber criminals began taking advantage of companies’ failure to spend money on cyber-security programs, a remote workforce that is harder to monitor, and the lack of effective and tested backup/recovery plans.
When data cannot be restored, companies have little choice but to pay a ransom, hoping the payment will result in a key that actually decrypts their data. But decrypting data is only the first part of the problem. The exfiltration of data by ransomware operators has caused enormous reputational issues for companies as criminals have threatened to post the data on the internet or notify customers or clients if the requested payment is not made.
This strategy has been very effective and lucrative for the criminals because companies have been slow to encrypt data at rest. Encryption is difficult to deploy, and strong key management requires specialized expertise that many companies do not have. When backups are deleted and databases are corrupted, business interruption is a reality. It is no longer about how many records of personally identifiable information were breached; it is now about staying in business.
The attacks that organizations are experiencing today are sophisticated and often multi-pronged, and, increasingly, they involve nation-states. Companies are starting to realize that the cost of responding to such an incident far exceeds any amount they would have spent building a cyber-security program to protect their operations, and that cost can increase substantially if cyber ransom or extortion is involved.
Insurance companies are reeling at the cyber claims. In March, Aon predicted cyber insurance premiums will increase 20-50% this year. In addition to premium increases, carriers are also likely to toughen their underwriting process and perhaps even deny coverage where companies have not implemented certain cyber-security controls. Rate increases across the board, however, serve to penalize the companies that actually spent money and matured their cyber-security program.
Regulators are already jumping in. The New York Department of Financial Services (NYDFS) issued Insurance Circular Letter No. 2 on Feb. 4, 2021, noting the dramatic increase in ransomware attacks. The NYDFS circular encouraged insurers to develop a more “rigorous and data driven approach to cyber risk” and noted: “A robust cyber insurance market that effectively prices cyber risk will also improve cybersecurity. By identifying and pricing risk created by gaps in cybersecurity, cyber insurance can create a financial incentive to fill those gaps to reduce premiums.”
In addition, the NYDFS called on insurers to look beyond individual companies by stating, “In addition to overall rising costs, insurers must account for the systemic risk that occurs when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses.”
The circular went a step further and developed a cyber insurance risk framework that outlines best practices for insurers in managing cyber insurance risk. The framework includes the recommendation that “[c]yber insurance policies should include a requirement that victims notify law enforcement.”
Legislators are jumping on board with this notion on both sides of the aisle. In a recent speech at the U.S. Chamber of Commerce, Sen. Mark Warner (D-Va.) stated, “We need to focus on [creating] a structure that would allow some limited mandatory reporting for government contractors and critical infrastructure.” Sen. Angus King (I-Maine) also stated recently that he is drafting legislation that would mandate cyber incident reporting for critical infrastructure companies.
On the House side, Rep. Bennie Thompson (D-Miss.) and Rep. John Katko (R-N.Y.) also support mandatory incident reporting. Following the recent SolarWinds incident that compromised the software used to monitor the networks of 18,000 government and private sector entities, Thompson declared there was “growing interest” in enacting such a law and said, “We look forward to trying again this year and hope we can enact cyber incident notification legislation in short order.” Such legislation could rely on the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as a central repository for information about reported cyber incidents. Rep. Michael McCaul (R-Texas) and Rep. Jim Langevin (D-R.I.) are reportedly drafting legislation along these lines.
All of this sends a big message to industry: regulators and legislators are tired of waiting for companies to get their act together on cyber security, and they have little sympathy for insurance companies that put market share over risk analysis. Agents and brokers can serve a critical role in helping clients understand their cyber-security maturity and in relaying the efforts of their clients to carriers. Companies that are approaching cyber security seriously and aligning their programs with best practices and standards should be given a break on premiums as a market incentive. It is going to take a while to get better underwriting processes in place, but agents and brokers can help bridge the gap by working on the client side to improve cyber security and resilience against attacks.