Category Archives: Cyber Risk

The Battle Against Deepfake Threats

By Max Dorfman, Research Writer, Triple-I

Some good news on the deepfake front: Computer scientists at the University of California have been able to detect manipulated facial expressions in deepfake videos with higher accuracy than current state-of-the-art methods.

Deepfakes are intricate forgeries of an image, video, or audio recording. They’ve existed for several years, and versions exist in social media apps, like Snapchat, which has face-changing filters. However, cybercriminals have begun to use them to impersonate celebrities and executives, creating the potential for more damage from fraudulent claims and other forms of manipulation.

Deepfakes also have the dangerous potential to be used in phishing attempts that manipulate employees into allowing access to sensitive documents or passwords. As we previously reported, deepfakes present a real challenge for businesses, including insurers.

Are we prepared?

A recent study by Attestiv, which uses artificial intelligence and blockchain technology to detect and prevent fraud, surveyed U.S.-based business professionals concerning the risks to their businesses connected to synthetic or manipulated digital media. More than 80 percent of respondents recognized that deepfakes presented a threat to their organization, with the top three concerns being reputational threats, IT threats, and fraud threats.

Another study, conducted by CyberCube, a cybersecurity and technology company that specializes in insurance, found that the melding of domestic and business IT systems created by the pandemic, combined with the increasing use of online platforms, is making social engineering easier for criminals.

“As the availability of personal information increases online, criminals are investing in technology to exploit this trend,” said Darren Thomson, CyberCube’s head of cyber security strategy. “New and emerging social engineering techniques like deepfake video and audio will fundamentally change the cyber threat landscape and are becoming both technically feasible and economically viable for criminal organizations of all sizes.”

What insurers are doing

Deepfakes could facilitate the filing of fraudulent claims, the creation of counterfeit inspection reports, and possibly the faking of assets, or of the condition of assets, that do not exist. For example, a deepfake could conjure images of damage from a nearby hurricane or tornado or create a non-existent luxury watch that was insured and then lost. For an industry that already suffers from $80 billion in fraudulent claims, the threat looms large.

Insurers could use automated deepfake protection as a potential solution to protect against this novel mechanism for fraud. Yet, questions remain about how it can be integrated into existing procedures for filing claims. Self-service driven insurance is particularly vulnerable to manipulated or fake media. Insurers also need to consider the possibility that deepfake technology could create large losses if it were used to destabilize political systems or financial markets.

AI and rules-based models to identify deepfakes in all digital media remain a potential solution, as does digital authentication of photos or videos at the time of capture, which “tamper-proofs” the media at the point of capture and prevents the insured from uploading their own photos. Using a blockchain or unalterable ledger also might help.
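To make the capture-time authentication and unalterable-ledger ideas concrete, here is an added example that is not from the original post, from Triple-I, or from any vendor mentioned above. It models a capture device that authenticates each photo the moment it is taken (an HMAC-SHA256 tag under a device-held key; a real deployment would use a device-held asymmetric signing key so the insurer can verify without the secret) and records it in a hash-chained, append-only ledger. The device key, the image bytes, and the function names are constructed for the illustration. The claim-handling check then rejects an edited photo, a ledger entry forged without the key, and a re-signed entry whose successors no longer chain to it.

```python
import hashlib
import hmac
from dataclasses import asdict, dataclass

# Constructed demo key. On a real device this would live in secure hardware.
DEVICE_KEY = b"constructed-demo-device-key-not-a-real-secret"
GENESIS = "0" * 64  # prev_hash of the first ledger entry


@dataclass(frozen=True)
class CaptureRecord:
    """One append-only ledger entry written at the moment of capture."""
    media_sha256: str  # hash of the raw image bytes
    prev_hash: str     # hash of the previous entry (chains the ledger)
    tag: str           # HMAC over media_sha256 || prev_hash under the device key

    def entry_hash(self) -> str:
        # Deterministic serialisation so every verifier computes the same chain value.
        fields = asdict(self)
        return hashlib.sha256(
            "|".join(fields[k] for k in sorted(fields)).encode()
        ).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tag(device_key: bytes, media_hash: str, prev_hash: str) -> str:
    return hmac.new(device_key, (media_hash + prev_hash).encode(), hashlib.sha256).hexdigest()


def append_capture(ledger: list, device_key: bytes, media: bytes) -> CaptureRecord:
    """Authenticate media at the point of capture and chain it onto the ledger."""
    media_hash = sha256_hex(media)
    prev_hash = ledger[-1].entry_hash() if ledger else GENESIS
    rec = CaptureRecord(media_hash, prev_hash, make_tag(device_key, media_hash, prev_hash))
    ledger.append(rec)
    return rec


def verify_ledger(ledger: list, device_key: bytes) -> bool:
    """Every entry must carry a valid tag and point at the hash of its predecessor."""
    prev = GENESIS
    for rec in ledger:
        if rec.prev_hash != prev:
            return False  # chain broken: an earlier entry was altered or removed
        expected = make_tag(device_key, rec.media_sha256, rec.prev_hash)
        if not hmac.compare_digest(expected, rec.tag):
            return False  # entry was written or modified without the device key
        prev = rec.entry_hash()
    return True


def verify_claim_media(ledger: list, device_key: bytes, media: bytes) -> bool:
    """Accept uploaded media only if the ledger is intact and recorded it at capture time."""
    if not verify_ledger(ledger, device_key):
        return False
    return any(rec.media_sha256 == sha256_hex(media) for rec in ledger)


def demo() -> dict:
    """Run the genuine and tampered scenarios; returns a name -> accepted? mapping."""
    ledger = []
    photo = b"\x89PNG constructed sample image bytes: roof damage, 2021-09-01"
    append_capture(ledger, DEVICE_KEY, photo)
    append_capture(ledger, DEVICE_KEY, b"second constructed capture, same device")

    results = {"genuine": verify_claim_media(ledger, DEVICE_KEY, photo)}

    # 1. The claimant uploads an edited copy of the photo: hash no longer matches any entry.
    edited = photo.replace(b"roof", b"ROOF")
    results["edited_media"] = verify_claim_media(ledger, DEVICE_KEY, edited)

    # 2. Someone with write access to the ledger, but no device key, swaps in the edited hash.
    forged = CaptureRecord(sha256_hex(edited), ledger[0].prev_hash, ledger[0].tag)
    results["forged_entry"] = verify_claim_media([forged] + ledger[1:], DEVICE_KEY, edited)

    # 3. Even a correctly re-signed first entry breaks the chain for the entries after it.
    resigned = CaptureRecord(sha256_hex(edited), GENESIS, make_tag(DEVICE_KEY, sha256_hex(edited), GENESIS))
    results["resigned_entry"] = verify_ledger([resigned] + ledger[1:], DEVICE_KEY)
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:15s} accepted={accepted}")
```

The design choice worth noting is that the two mechanisms cover different attackers: the capture-time tag stops anyone who never held the device key, while the hash chain means that altering one historical entry requires rewriting every later entry, which is what makes a replicated or publicly anchored ledger hard to tamper with silently.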

As Michael Lewis, CEO at Claim Technology, states, “Running anti-virus on incoming attachments is non-negotiable. Shouldn’t the same apply to running counter-fraud checks on every image and document?”

The research results at UC Riverside may offer the beginnings of a solution, but as Amit Roy-Chowdhury, one of the co-authors, put it: “What makes the deepfake research area more challenging is the competition between the creation and detection and prevention of deepfakes which will become increasingly fierce in the future. With more advances in generative models, deepfakes will be easier to synthesize and harder to distinguish from real.”

Cyber Premiums Nearly Doubled as Losses Fell

By Max Dorfman, Research Writer, Triple-I

Direct written premiums for cyber policies grew sharply in 2021 from 2020, spurred by claims activity and cyber incidents. According to a recent analysis by S&P Global Market Intelligence, direct written premiums nearly doubled, to approximately $3.15 billion in 2021, from $1.64 billion the previous year. Direct written premiums for packaged cyber insurance rose approximately 48 percent, to $1.68 billion in 2021 from $1.14 billion in 2020. 

The average loss ratio for stand-alone policies decreased to 65.4 percent in 2021, from 72.5 percent in 2020, even as premiums grew significantly. Analysts believe this might be a sign that insurers are becoming more disciplined and conservative in their cyber underwriting. Still, Fitch Ratings analysts noted that cyber insurance is the fastest-growing segment for U.S. property and casualty insurers, with prices increasing at a “considerably higher” speed than other commercial business lines.

Cybercrime is increasing

According to the FBI’s Internet Crime Complaint Center (IC3) 2021 Internet Crime Report, IC3 received 3,729 ransomware complaints, with over $49.2 million in adjusted losses. In total, there was $6.9 billion in losses, with an average of more than 2,300 complaints per day. The most common complaint was phishing scams, demonstrating a trend that has continued for some time.

Indeed, several data points demonstrate the increasingly dire situations organizations face when it comes to cyberattacks, and the need for businesses to become more vigilant. These include:

Challenges await

According to one analysis by Fortune Business Insights, the cyber insurance market could grow at a compound annual growth rate of 25.3 percent from 2021 to 2028, reaching $36.85 billion.

However, Tom Johansmeyer, a cyber insurance expert, told Harvard Business Review in March 2022, “Cyber insurance is harder for companies to find than it was a year ago – and it’s likely going to get harder. While cyber insurance is becoming more of a must-have for businesses, the explosion of ransomware and cyberattacks means it’s also becoming a less enticing business for insurers.”

Organizations should combine these policies with a strong cyber security plan to fully safeguard against the possibility and consequences of a breach.

Learn More:

Triple-I “State of the Risk” Issues Brief on Cyber

Cyberattacks Growing in Frequency, Severity, and Complexity

As Cybercriminals Act More Like Businesses, Insurers Need to Think More Like Criminals

Cyberattacks Growing in Frequency, Severity, and Complexity

By Max Dorfman, Research Writer, Triple-I (04/29/2022)

Several recent reports quantify the growing risk and cost of cyber attacks in 2021.

Willis Towers Watson PLC, a multinational risk-management, insurance brokerage, and advisory company, and global law firm Clyde & Co, surveyed directors and risk managers based in more than 40 countries around the world. They found that 65 percent regard cybercrime as “the most significant risk” facing directors and officers. Data loss and cyber extortion followed, at 63 percent and 59 percent, respectively.

In 2021, there were 623.3 million cyberattacks globally, with U.S. cyberattacks rising by 98 percent, according to cybersecurity firm SonicWall. Almost every threat increased in 2021, particularly ransomware, encrypted threats, Internet of Things (IoT) malware, and cryptojacking, in which a criminal uses a victim’s computing power to generate cryptocurrency.

The frequency of ransomware attacks alone rose by 105 percent globally in 2021, SonicWall says, making them the most frequent type of cyberattack on record. The State of Ransomware 2022 by Sophos, a security software and hardware company, found that 66 percent of organizations surveyed were attacked by ransomware in 2021, rising from 37 percent in 2020. Ransomware payments often trended higher, with 11 percent of organizations stating that they paid ransoms of $1 million or more, up from 4 percent in 2020. Additionally, 46 percent of organizations that had data encrypted in a ransomware attack paid the ransom.

The 2021 Software Supply Chain Security Report by Argon, an Aqua Security company, underscores the main areas of criminal focus, including: “open-source vulnerabilities and poisoning; code integrity issues; and exploiting the software supply chain process and supplier trust to distribute malware or backdoors.”

According to the Argon report, cybercriminals often use these methods to extort victims:

  • Encryption: Victims pay to regain access to scrambled data and compromised computer systems that stop working because key files are encrypted.
  • Data Theft: Hackers release sensitive information if a ransom is not paid.
  • Denial of Service (DoS): Ransomware gangs launch denial of service attacks that shut down a victim’s public websites.
  • Harassment: Cybercriminals contact customers, business partners, employees, and media to tell them the organization was hacked.

“The number of attacks over the past year and the widespread impact of a single attack highlights the massive challenge that application security teams are facing,” said Eran Orzel, a senior director at Argon.

Cyber insurers work toward protecting businesses

Cyber insurance remains an important investment for many companies, particularly as cyberattacks continue to wreak havoc across industries. Investing in cyber insurance can help an organization recover from an attack, with cyber insurance companies often helping to recover data, repair damaged devices, protect a company from civil lawsuits, and fix any reputational damage sustained during an attack.

However, the first line of defense is creating a robust cybersecurity system, training employees on how to identify a potential attack, encrypting company data, and enabling antivirus protection. With only half of businesses reporting a consistent encryption strategy, and the cost of data breaches continuing to rise, organizations must do more to protect themselves and their customers.

Study Highlights Cost of Data Breaches in a Remote-Work World

By Max Dorfman, Research Writer, Triple-I (04/27/2022)

A recent study by IBM and the Ponemon Institute quantifies the rising cost of data breaches as workers moved to remote environments during the coronavirus pandemic.

According to the report, an average data breach in 2021 cost $4.24 million – up from $3.86 million in 2020. However, where remote work was a factor in causing the breach, the cost increased by $1.07 million. At organizations with 81-100 percent of employees working remotely, the total average cost was $5.54 million.

To combat the risks associated with the rise of remote work, the study highlights the importance of fully deploying security artificial intelligence (AI) and automation – security technologies that supplement or replace human intervention in identifying and containing incidents and intrusion attempts.

Indeed, organizations with fully deployed security AI/automation saw the average cost of a data breach decrease to $2.90 million. The duration of the breach was also substantially lower, taking an average of 184 days to identify the breach and 63 days to contain the breach, as opposed to an average of 239 days to identify the breach and 85 days to contain the breach for organizations without these technologies.

Organizations continue to struggle with breaches

In 2021 and 2022, several high-profile data breaches have illustrated the major risks cyberattacks represent. This includes a January 2022 attack on 483 users’ wallets on Crypto.com, which resulted in the loss of $18 million in Bitcoin and $15 million in Ethereum and other cryptocurrencies.

In February, the International Committee of the Red Cross (ICRC) was targeted by a cyberattack that resulted in the hackers accessing personal information of more than 515,000 people being helped by a humanitarian program, with the intruders maintaining access to ICRC’s servers for 70 days after the initial breach.

And in April, an SEC filing revealed that the company Block, which owns Cash App, had been breached by a former employee in December of 2021. This leak included customers’ names, brokerage account numbers, portfolio value, and stock trading activity for over 8 million U.S. users.

Insurers play a key role in helping organizations

The increasing frequency and seriousness of cyberattacks has led more organizations to purchase cyber insurance, with 47 percent of insurance clients using this coverage in 2020, up from 26 percent in 2016, according to the U.S. Government Accountability Office. This shift includes insurers offering more policies specific to cyber risk, instead of including this risk in packages with other coverage.

The insurance industry offers first-party coverage, which typically provides financial assistance to help an insured business with recovery costs, as well as cybersecurity liability coverage, which safeguards a business if a third party files a lawsuit against the policyholder for damages as a result of a cyber incident.

A third option, technology errors and omissions coverage, can safeguard small businesses that offer technology services when cybersecurity insurance doesn’t offer coverage. This kind of coverage is triggered if a business’s product or service results in a cyber incident that involves a third party directly.

Still, the primary focus for organizations looking to defend themselves from cyberattacks is implementing a rigorous cyber defense system.

Cyber Tops Allianz 2022 Survey of Business Risks

By Max Dorfman, Research Writer, Triple-I

Cyber incidents are the top threat to businesses, according to the latest Allianz Risk Barometer survey, up from third place in 2021. This result follows several significant data breaches and hacks last year, including the Colonial Pipeline ransomware attack, which caused a six-day shutdown and cost the company $4.4 million to regain access to its systems.

Business interruption fell to the second most important concern in a year marked by the continued presence of the coronavirus pandemic, cyberattacks, and natural catastrophes. Still, the report notes that the pandemic “has exposed the fragility and complexity of modern supply chains and how multiple events can come together to cause problems, raising awareness of the need for greater resilience and transparency.”

Natural catastrophe risk ranks third on the list – a jump from sixth in 2021. Global insured catastrophe losses increased to $112 billion in 2021, the fourth highest on record, according to Swiss Re.

While cyber is ranked as a more immediate threat to business than climate change, the report says these two perils are “linked by the fact that two of the most significant impacts expected from changes in legislation and regulation (the fifth top risk) in 2022 will be around big tech and sustainability.”

Pandemic outbreak fell to fourth place for 2022, with many companies comfortable that they are now better prepared for the consequences of these occurrences. According to the report, 80 percent of respondents believe they are “adequately” or “well” prepared.

The 11th annual report was developed from a late 2021 survey of 2,650 risk management experts from 89 countries and territories, including Allianz customers, brokers, industry trade organizations, risk consultants, and underwriters, with a focus on large- and small to mid-size companies.

As Cybercriminals Act More Like Businesses, Insurers Must Think More Like Criminals

Credit for all photos in this post: Don Pollard

Cybersecurity is no longer an emerging risk but a clear and present one for organizations of all sizes, panelists at Triple-I’s Joint Industry Forum (JIF) said. This is due in large part to the fact that cybercriminals are increasingly thinking and behaving like businesspeople.

“We’ve seen a large increase in ransomware attacks for the sensible economic reason that they are lucrative,” said Milliman managing director Chris Beck. Cybercriminals also are becoming more sophisticated, adapting their techniques to every move insurers, insureds, and regulators make in response to the latest attack trends. “Because this is a lucrative area for cyber bad actors to be in, specialization is happening. The people behind these attacks are becoming better at their jobs.”

As a result, the challenges facing insurers and their customers are increasing and becoming more complex and costly. Cyber insurance purchase rates reflect the growing awareness of this risk, with one global insurance broker finding that the percentage of its clients who purchased this coverage rose from 26 percent in 2016 to 47 percent in 2020, the U.S. Government Accountability Office (GAO) stated in a May 2021 report.

Panel moderator Dale Porfilio, Triple-I’s chief insurance officer, asked whether cyber is even an insurable risk for the private market. Panelist Paul Miskovich, global business leader for the Pango Group, said cyber insurance has been profitable almost every year for most insurers. Most cyber risk has been managed through more controls in underwriting, changes in cybersecurity tools, and modifications in IT maintenance for employees, he said.

By 2026, projections indicate insurers will be writing $28 billion annually in gross written premium for cyber insurance, according to Miskovich. He said he believes all the pieces are in place for insurers to adapt to the challenges presented by cyber and that part of the industry’s evolution will rely on recruiting new talent.

“I think the first step is bringing more young people into the industry who are more facile with technology,” he said. “Where insurance companies can’t move fast enough, we need partnerships with managing general agents, with technology and data analytics, who are going to bring in data and new information.”

“Reinsurers are in the game,” said Catherine Mulligan, Aon’s global head of cyber, stressing that reinsurers have been doing a lot of work to advance their understanding of cyber issues. “The attack vectors have largely remained unchanged over the last few years, and that’s good news because underwriters can pay more attention to those particular exposures and can close that gap in cybersecurity.”

Mulligan said reinsurers are committed to the cyber insurance space and believe it is insurable. “Let’s just keep refining our understanding of the risk,” she said.

When thinking about the future, Milliman’s Beck stressed the importance of understanding the business-driven logic of the cybercriminals.

If, for example, “insurance contracts will not pay if the insured pays the ransom, the logic for the bad actor is, ‘I need to come up with a ransom schema that I’m still making money’,” but the insured can still pay without using the insurance contract.

This could lead to a scenario in which the ransom demands become smaller, but the frequency of attacks increases. Under such circumstances, insurers might have to respond to demand for a new kind of product.

Learn More about Cyber Risk on the Triple-I Blog

Cyberattacks on Health Facilities: A Rising Danger

Cyber Insurance’s “Perfect Storm”

“Silent” Echoes of 9/11 in Today’s Management of Cyber-Related Risks

Brokers, Policyholders Need Greater Clarity on Cyber Coverage

Cyber Risk Gets Real, Demands New Approaches

Cyberattacks on Health Facilities: A Rising Danger

By Max Dorfman, Research Writer, Triple-I

As cyberattacks have increased in recent years, one area of particular concern has been those that target hospitals and health systems. These attacks have affected not only private information but also threatened the lives and well-being of patients.

A major shift

Hospitals rely more than ever on computerized systems to manage their information and systems. With the added complications related to the COVID-19 pandemic, the dangers associated with cyberattacks have only worsened.

“It’s part of a trend we’ve seen building over the last couple years, even before the pandemic,” said Scott Shackelford, chairman of the IU Cybersecurity Risk Management Program. Unfortunately, health-care providers are very much in the crosshairs. Not only do they often have insurance and deep pockets, but doctors need access to patient information to perform procedures and provide required services.

Because of this vulnerability and urgency, Shackelford said, “They are more likely to pay up.”

“If you look at the surveys that have been done, about one-in-three health providers have been hit by ransomware attacks just since 2020, and there’s been a 45 percent uptick in that rate since last December,” Shackelford added.

One recent attack, on Johnson Memorial Health in Franklin, Indiana, disabled its computer system. Although the hospital said it could still manage its patient intake, the loss of computer capabilities slowed operations down dramatically.

“We’re used to sending lab orders via computer, sending prescriptions to pharmacies via computer, so we’re going back to a real reliance on paper again,” Johnson Memorial President and CEO David Dunkle said. “We’re using more human runners, people taking lab recs between the ER and the lab.”

Hospitals have been slow to respond

Although there have been major technological advancements in the medical field, not all health systems have provided robust IT teams or thorough safety protocols. One area of note is with new medical devices, which take years to earn FDA approval and can come with outmoded software and operating systems without the latest security mechanisms.

This has given hackers the ability to disable medical imaging devices like MRIs, and to shut down or interfere with other machines. A recent study by McAfee Enterprise’s Advanced Threat Research Team found that an IV pump made by German medical manufacturer B. Braun contained a vulnerability that would allow attackers to change medication doses remotely.

And while traditional phishing attacks require a user to open a corrupted file — a trend that is now on the decline — new attacks can use so-called Zero Click malware, which can infect a system merely through receiving a text or email.

Additionally, sensitive data that health systems possess gives hackers the opportunity to sell this information online — or threaten to — with demands rising into the millions of dollars. After a 2009 U.S. law was passed that required Medicare and Medicaid providers to implement electronic health records, these risks have only accelerated.

Life and death circumstances

Hospitals are now not only seeing the financial risks with cyberattacks, but the threat to their patients’ lives.

In July 2019, Springhill Medical Center faced a massive ransomware attack that disabled its electronic devices. This failure created dire circumstances for one infant, causing doctors to be unable to monitor the child’s condition during delivery. The infant died, and the hospital is being sued by the mother for malpractice—a charge Springhill denies.

Another attack in Düsseldorf, Germany in 2020 saw the death of a 78-year-old woman from an aortic aneurysm. What was supposed to be a routine pick-up turned into a nightmare, when the local hospital’s system was disabled by a ransomware attack, forcing the emergency department to turn away the woman and causing the ambulance to travel much farther. During this time, the patient’s condition worsened, and she eventually died.

How much worse can it get?

By the middle of August of 2021, 38 attacks on health-care providers or systems had interrupted care at approximately 963 U.S. locations. For all of 2020, only 560 sites were affected in 80 separate incidents, according to Brett Callow, a threat analyst at security firm Emsisoft.

With the vast amount of data and equipment at each of these health facilities—as well as the linked networks of many systems—the threat of cyberattacks in health care will only continue to grow unless more action is taken.

Building a Robust Cyber Insurance Market Is Focus of Oct. 13 Panel

Triple-I CEO Sean Kevelighan will join a virtual panel on Wednesday, Oct. 13, at 11 a.m., ET, to brief public policymakers on ways to build a robust cyber risk insurance market.

“To allow businesses to operate safely in an increasingly interconnected world, insurers are working closely with their commercial customers to mitigate cyber risks and to make sure businesses have the right types, and amounts, of cyber insurance,” Kevelighan said. “However, as we are seeing increasing uncertainty in the extensiveness of cyber risk, it is also essential that we better understand the role government needs to play in particular around law enforcement and international diplomacy.”

As previously noted in The Triple-I Blog, some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for large terrorist acts prior to 9/11. Before those attacks, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act to stabilize the market.

“A balanced public-private partnership that recognizes where insurance can be a helpful financial responder, and how government is an essential preventative tool, will be critical to helping mitigate the ever-increasing cyber risks we are facing in the world,” Kevelighan said.

Presented by Indiana University’s Ostrom Workshop and Cybersecurity Risk Management Program in collaboration with The Institutes Griffith Insurance Education Foundation, the discussion can be viewed free of charge by public policymakers who register online in advance. It is one of three Cybersecurity Policy Bootcamp sessions the two organizations are co-hosting in October as part of Cyber Security Awareness Month.

The one-hour session will focus on Deepening Partnerships Between States, the Federal Government, the Private Sector, and Academia to Build a Robust Cyber Risk Insurance Market.

Along with Kevelighan on the panel will be three other subject matter experts:

  • Elizabeth Kelleher Dwyer, Esq., superintendent of Financial Services for Rhode Island Department of Business Regulation;
  • Scott J. Shackelford, JD, PhD, chair of the Cybersecurity Program at Indiana University, Bloomington; and
  • Douglas Swetnam, section chief for Data Privacy & Identity Theft in the Indiana Attorney General’s Office

Frank Tomasello, executive director for the Institutes Griffith Insurance Education Foundation, will be the panel’s moderator.

Learn More:

Article: Cyber Liability Risks

Video: Seven Cybersecurity Tips to Safeguard Your Business

Triple-I Blog:

  Cyber Insurance’s “Perfect Storm”

  “Silent” Echoes Of 9/11 in Today’s Management of Cyber Risks

  Brokers, Policyholders Need Greater Clarity on Cyber Coverage

  Cyber Risk Gets Real, Demands New Approaches

Cyber Insurance’s “Perfect Storm”

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.

Increasing cybercrime incidents resulting in large losses – combined with some carriers retreating from writing the coverage – is driving cyber insurance premiums sharply higher.

Once a diversifying secondary line and another endorsement on a policy, cyber has become a primary component of any corporation’s risk-management and insurance-buying decisions. As a result, insurers need to review their appetite for the peril, risk controls, modeling, stress testing and pricing.

According to A.M. Best, the prospects for the cyber insurance market are “grim” for several reasons:

  • Rapid growth in exposure without adequate risk controls,
  • Growing sophistication of cyber criminals, and
  • The cascading effects of cyber risks and a lack of geographic or commercial boundaries.

While the industry is well capitalized, A.M. Best says individual insurers who venture into cyber without thoroughly understanding the market can put themselves in a vulnerable position.

“The cyber insurance industry is experiencing a perfect storm between widespread technology risk, increased regulations, increased criminal activity, and carriers pulling back coverage,” according to Joshua Motta, co-founder and CEO of Coalition, a San Francisco-based cyber insurance and security company. “We’ve seen many carriers sublimit ransomware coverage, add coinsurance, or add exclusions.”

Worsening since the pandemic

A recent Willis Towers Watson study found primary and excess cyber renewals averaging premium increases “well into the double digits.” One factor helping to drive these increases, Willis writes, is the sudden shift toward remote work on potentially less-secure networks and hardware during the pandemic, which has made organizations more vulnerable to phishing and hacking.

The average cost of a data breach rose year over year in 2021 from $3.86 million to $4.24 million, according to a recent report by IBM and the Ponemon Institute — the highest in the 17 years that this report has been published. Costs were highest in the United States, where the average cost of a data breach was $9.05 million, up from $8.64 million in 2020, driven by a complex regulatory landscape that can vary from state to state, especially for breach notification.

The top five industries for average total cost were:

  • Health care
  • Financial
  • Pharmaceuticals
  • Technology
  • Energy

For the health care sector, the average total cost rose 29.5 percent, from $7.13 million in 2020 to $9.23 million in 2021.

Since the start of the year, cyber insurance rates have increased 7 percent for small businesses, according to AdvisorSmith Solutions. For midsize and large businesses, AdvisorSmith said, those increases were closer to 20 percent.

Insurers’ reactions

AIG last month said it is tightening terms of its cyber insurance, noting that its own premium prices are up nearly 40 percent globally, with the largest increase in North America.

“We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware and the systemic nature of cyber risk generally,” CEO Peter Zaffino said on a conference call with analysts.

In May, AXA said it would stop writing cyber policies in France that reimburse customers for extortion payments made to ransomware criminals. In a ransomware attack, hackers use software to block access to the victim’s own data and demand payment to regain access.

The FBI warns against paying ransoms, but studies have shown that business leaders today pay a lot in the hope of getting their data back. An IBM survey of 600 U.S. business leaders found that 70 percent had paid a ransom to regain access to their business files. Of the companies responding, nearly half have paid more than $10,000, and 20 percent paid more than $40,000.

Two advisories last year from U.S. Treasury agencies – the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) – indicated that companies paying ransom or facilitating such payments could be subject to federal penalties. These notices underscore businesses’ need to consult with knowledgeable, reputable professionals long before an attack occurs and before making any payments.

More like terror than flood

Cyber risk is unlike flood and fire, for which insurers have decades of data to help them accurately measure and price policies. Cyber threats are comparatively new and constantly evolving. The presence of malicious intent results in their having more in common with terrorism than with natural catastrophes.

Insurers and policyholders need to be partners in mitigating these risks through continuously improving data hygiene, sharing of intelligence, and clarity as to coverage and its limits.

“Silent” Echoes of 9/11 in Today’s Management of Cyber-Related Risks

“The cyber landscape to me looks a lot like the counterterrorism landscape did before 9/11.”
Garrett Graff, historian and journalist

Before Sept. 11, 2001, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act (TRIA) to stabilize the market.

TRIA requires insurers to make terrorism coverage available to commercial policyholders but doesn’t require policyholders to buy it. Originally created as a three-year program allowing the federal government to share losses due to terrorist attacks with insurers, it has been renewed four times: in 2005, 2007, 2015, and 2019.

An evolving risk

Terrorism risk has evolved in complexity and scope, and some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for terrorist acts two decades ago.

“The cyber landscape to me looks a lot like the counterterrorism landscape did before 9/11,” historian and journalist Garrett Graff said during a recent Homeland Security Committee event at which scholars and former 9/11 Commission members urged lawmakers to increase funding for the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies focused on preventing attacks.

Cyber is more complicated, said Amy Zegart, co-director of Stanford University’s Center for International Security and Cooperation, due to the private sector’s role “as both a victim and a threat vector. There are more people in the U.S. protecting our national parks than there are in CISA protecting our critical infrastructure.” Cyberattacks like the one on the Colonial Pipeline underscore this reality.

When TRIA was reauthorized in 2019, a crucial component was the mandate for the Government Accountability Office (GAO) to make recommendations to Congress on amending the act to address cyberthreats. The trillion-dollar infrastructure bill now being considered in Congress proposes $1.9 billion for cybersecurity, with more than half set aside for state, local, and tribal governments. It would establish a Cyber Response and Recovery Fund for use by CISA.

“Silent cyber”

Like terrorism before 9/11, much cyber risk remains silent. Silent cyber – also called “non-affirmative cyber” – refers to potential losses stemming from policies not designed to cover cyber-related hazards. If silent cyber isn’t addressed, insurer solvency could be affected, ultimately hurting policyholders.

The United Kingdom’s Prudential Regulation Authority in 2019 sent a letter to all U.K. insurers saying they must have “action plans to reduce the unintended exposure” to non-affirmative cyber. Later that year, Lloyd’s issued a bulletin mandating clarity on all policies as to whether cyber risk is covered. This led many insurers to exclude cyber or include it and price the risk accordingly.

“Other regulators and the rating agencies have been less vocal about the issue,” writes Willis Towers Watson, “and, until recently, efforts to address silent cyber have been limited.” Some insurers – most notably in the specialty mutual sector – updated their policies in the mid-2010s to provide clarity on cyber. But, until recently, movement elsewhere has been sporadic, Willis writes.

Event-driven action

The recent proliferation of ransomware attacks leading to business interruption has led to cyber insurance – which began as a diversifying, secondary line – becoming a primary insurance-purchasing consideration. Unfortunately, while policies are available, many policyholders still incorrectly expect to be covered under their property and liability policies. Confusion around cyber coverage can lead to unexpected gaps.

“In a best-case scenario, a cyber incident may trigger coverage under multiple policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”

Cyber risk will only grow in significance, complexity, and cost as the world becomes more wired and interdependent. The costs of cyberattacks are potentially massive and need to be mitigated in advance.
