More companies are opting into cyber insurance as a means to offset financial risk. For insurance companies, the number of existing clients adding cyber policies had risen from 26 percent in 2016 to 47 percent in 2020. However, the days of leveraging cyber insurance as a safety net for breaches are coming to an end.
Insurance companies expect organizations to provide due care in protecting their networks or risk non-payment after a data breach. Insurers are beginning to look for security hygiene validation and no longer rely on the questionnaires that have long been an industry standard. Security Rating Services have emerged as a class of security vendors that collect public information and assign a rating to your company. Risk management must include all of a company’s options, including investment in better protection and detection technologies.
Ransomware incidents have risen considerably in both frequency and severity, as cybercriminals deploy new tactics and techniques to achieve a straightforward goal: to make money. To put this rise in incidents into perspective, in 2021, the cost of ransomware attacks alone will be around $20 billion. In 2015, the number was $325 million.
Insurers are now making adjustments to their approach to market risk. According to Gartner, “the insurance market has hardened in 2020 following the withdrawal of capacity from it, as insurers are faced with rising loss costs and pressure on underwriting profitability”.
Agencies like the NYS Department of Financial Services (DFS) issued a circular insurance letter in February addressed to all “Authorized Property/Casualty Insurers.” Here are some passages that demonstrate the severity of the challenge facing insurers:
“The damage done by many types of cybercrime – such as business email compromises – continues to rise. But the biggest driver is an increase in the frequency and cost of ransomware attacks... The cyber insurance industry has reported escalating costs to create pressure to increase rates and tighten underwriting standards for cyber insurance.”
While technology can provide solutions that assist in mitigating risk, it cannot eliminate it. Risks can be addressed in four ways: avoid, mitigate, transfer, or retain. In the context of cloud adoption and cybersecurity, avoiding risk is probably not the best option as it means limiting the business advantages digital transformation provides. Mitigating risk has been the default response for most organizations and includes technology, people, and processes built into a company’s security program.
That leaves us with retention and transfer of risk. Retaining risk means bearing the financial costs associated with recovery from a cyber breach, which can be staggering these days. The average ransom demand for the second half of 2020 was $1,304,743 and leveled off at $1,193,159 in the first half of 2021. That isn’t a small price to pay for any company, and it’s a nearly 170% increase in just one year.
This leads us to the subject of this blog post: Transferring risk through cyber insurance.
A couple of weeks ago, ProArch’s incident response team was engaged with a client that had suffered a significant attack. Systems and accounts had been compromised, and malware and malicious PowerShell scripts were running, which led to a recommendation for a complete rebuild and restoration of all workstations and servers.
However, the evaluation, containment, and recovery elements of incident response are only one side of the effort. There is also a business side to incident response, which includes notifying critical stakeholders and including them in decision-making throughout the recovery.
The first questions our team of security experts asks are:
If the answer to the last question is yes, we pause until a meeting with the carrier can be arranged with legal counsel and business leaders present. This is extremely important since the insurance coverage and terms need to be understood before recovery can proceed.
One thing to note: A clause can be added to a policy that allows a company to name the incident response team they prefer. This is usually the case with large companies that are working with security partners but is available to all on request.
Now that you understand some of the challenges, let’s see what is available. Below is a suggested set of cyber-insurance coverages, with recommended amounts to maintain for each, from our partner, Walsh Duffield Insurance Company.
Cyber Insurance Coverages

| First Party Coverages | Definitions | Recommended Coverage |
|---|---|---|
| Cyber Incident Response Fund | Legal fees, forensics, notification costs, credit monitoring, public relations, etc. | $1,000,000 |
| Accounting Costs Limit | The reasonable fees or costs of a forensic accounting firm | $1,000,000 |
| Business Interruption/Dependent Business Interruption | Loss of profits and expenses from interruptions of the insured’s systems; Contingent Business Interruption adds losses from interruptions of others’ systems | $1,000,000 |
| Reputation Harm | Loss to the insured’s financial capital or damage to the Insured Entity’s reputation | $1,000,000 |
| System Failure | An accidental, unintentional, and unplanned total or partial interruption of a Computer System | $1,000,000 |
| Digital Data Recovery | Costs to restore or replace lost or damaged data or software | $1,000,000 |
| Telephone Toll Fraud | Costs incurred as phone bill charges due to fraudulent calling | $250,000 |
| Network Extortion | Payments to prevent digital destruction/impairment | $1,000,000 |
| Betterment Co-participation | Reasonable costs incurred and paid by the Insured, with the Insurer’s written consent, for hardware or software to improve a Computer System after a Security Breach | $250,000 |

| Third-Party | Definitions | Recommended Coverage |
|---|---|---|
| Cyber, Privacy and Network Security Liability | Failure to protect the private or confidential information of others, and failure to prevent a cyber incident from impacting others’ systems | $1,000,000 |
| Payment Card Loss | Contractual liabilities owed as a result of a cyber incident | $250,000 |
| Regulatory Proceedings | Defense for regulatory actions and coverage for fines and penalties | $1,000,000 |
| Media Liability | Copyright and trademark infringement within the scope of defined media content | $1,000,000 |

| Cyber Crime | Definitions | Recommended Coverage |
|---|---|---|
| Computer Fraud | A third party accessing the insured’s computers to make money | $250,000 |
| Funds Transfer Fraud | A third party tricking a bank into transferring funds from the insured’s account | $250,000 |
| Social Engineering Fraud | A third party tricking an employee into transferring money | $100,000* |
| Telecom Fraud | The unauthorized access to, or use of, the Insured Entity’s telephone system by a person or entity other than an Insured Person | $250,000 |
The list above is a sample of the types of cyber insurance coverage offered but is by no means comprehensive. Different insurance carriers will have a variety of choices available. Make sure to evaluate multiple insurance providers to determine the best fit for your organization. Before choosing a carrier, your organization should perform a risk assessment to determine what types of attacks it faces and the impact those attacks might have on the company.
Finally, recommended coverage is just a guideline, and the final decision should be based on quantifying the impact of a breach as accurately as possible. For instance:
Based on the risk assessment, the correct coverage amount can be determined.
If you signed up for a cyber insurance policy a few years back, it is time to review and potentially update your coverages. The cyber landscape continually evolves, and what might have been appropriate three years ago may not be sufficient today. Make sure that the broker you are working with is advising you on all of your options.