Although it seems life is getting back to normal, one area that will likely never return to pre-pandemic levels is the number of cyber-attacks on commercial businesses. It seems like every time you turn on the news, a reporter is discussing another devastating cyber-attack. From the Colonial Pipeline hack to the Kaseya ransomware attack, cyber events and data breaches are on the rise and they show no sign of reprieve in the immediate future.
Hackers have become much more savvy with their demands. Direct costs for a ransomware attack exceed $200,000, while total costs have been seen to reach anywhere from $600,000 to $800,000 per attack. The cyber market has always been a moving target, but we have never seen it evolve as quickly as it has now. The following three trends are what you should be aware of when talking to your insureds about cyber liability insurance.
New Requirements
Gone are the days of immediate quotes with no additional questions asked. A business that once only needed a four-question application may now be required to fill out an additional questionnaire on their security practices and protocols. However, it does not end at filling out the application. A business must also provide favorable responses to each question or risk declination or non-renewal.
Leading the list for favorable review are the questions about Multi-Factor Authentication (MFA). This control requires each entry into an account from a new device to be confirmed using an authenticator app or by responding to a text, call or email. Because an unknown device is allowed in only after a valid login attempt is confirmed, MFA can block fraudulent entries before a hacker can reach your emails, files, and data.
Second on the list for favorable review is the maintenance of file back-ups protected by MFA. In most cases, critical information must be backed up at least monthly and must also be subject to segmentation and encryption. In the event that your insured is hacked and their files are encrypted, these back-ups provide a quicker route to getting business back up and running again.
A final area that must be answered favorably includes the security of Remote Desktop Protocols. RDPs that are not restricted to VPN-only access can leave loopholes in the network that hackers can easily enter, much like the way a house with an open door nearly invites an intruder inside.
Further, business conveniences that allow one to work from anywhere in the world must be even further secured, which is why it should not come as a shock that Remote Desktops must be protected by MFA. Although this list of requirements is not comprehensive, nor are these sure-fire ways to evade a hack, these security measures add a layer of protection for your insureds and an increased level of difficulty for unauthorized access.
Coverage Enhancements
To keep up with the ever-changing cyber market, carriers are offering new cyber coverage enhancements. One coverage that is a recent addition to many quote letters is Proof of Loss with Business Interruption. This coverage is designed to help an insured determine a loss with a forensic accountant and prove business income loss due to a business interruption claim. Forensic accountants as well as legal advice can cost, at a minimum, $500 per hour, and this coverage offers a sublimit specifically designated to hiring an expert to help mitigate a business interruption claim.
The same idea applies to another newer coverage: Proof of Loss with Reputational Harm. For both Business Interruption and Reputational Harm, the extent of the loss is difficult to determine, and it can be arduous to have coverage afforded without the investigation of a trained professional.
Another coverage extension that is starting to become more common among carriers is the broadening of the definition of a Computer System to include employees’ personal devices. Often called B.Y.O.D., or Bring Your Own Device Coverage, this extended definition allows employees who are working from home on personal devices to be afforded coverage if they experience a cyber-attack. Technically, without this extension, a personal device would not be considered an insurable interest of the insured and would, therefore, not be covered by their employer’s cyber liability policy.
Another important coverage that has become more common among cyber carriers is Mitigation Expense. This coverage gives the insurer the flexibility to pay for the insured to take steps to stabilize their network and stop or mitigate an attack that had not previously fallen within the definition of damages. This could prevent further business income loss due to a newly uncovered system issue that was not originally a result of the cyber-attack in question. Although coverage enhancements have been slower to evolve, the structure of cyber claims as well as challenges posed by COVID-19 have increased the need for broadening of coverages and, consequently, increasing rates.
Rising Costs and Declinations
Although including new coverages in policy forms may cause pricing increases, the most prominent cause of this increase is the rise in claims. Cyber loss ratios increased by over 70% in the last year across the market, compared to just over a 40% loss ratio in the previous five years, according to a report from Fitch Ratings. Hackers are demanding higher ransoms with no sign of reprieve, which is subsequently creating more expensive claim payouts for carriers.
Historically, cyber pricing has been artificially low due to poor predictability models and insufficient rate structures. Now pricing is rising to coincide with the trending increase in claims that previous premiums were unable to accommodate. While insureds see this as an unwelcome consequence, it has become a necessary evil for inevitably increasing claims across all industries.
In addition to rising premiums, classification restrictions have become more common than ever. Underwriting boxes for some (but not all) carriers are getting smaller in terms of which business classification is afforded coverage. Classifications such as IT companies, payment card processors, collection agencies, and cannabis have become more difficult to place coverage for, while other classifications are outright declines. Unfortunately, this trend looks set to continue throughout 2021 and into the following years, when, likely, more business classifications will be added to the list.
Final Thoughts
These three trends are just the tip of the iceberg in the cyber liability world and Wingman Insurance is here to help you understand the impacts of the ever-evolving market. It will be very important in the coming months to set realistic expectations for your insureds and ensure that they are aware of the new requirements that carriers are enforcing. Equally important is educating yourself on how to install these security measures and understanding why they are essential for the continuity (or beginning) of your insured’s cyber liability policy.
The underwriters at Wingman are more than willing to provide educational tools and training on how to be prepared for your clients’ seemingly endless questions about these trends. With the hassle of installing new security measures and protocols comes the reassurance that your insured is doing everything in their power to protect themselves against a cyber-attack. Changes are occurring in every facet of the process, from underwriting to coverages and pricing as well as risk management, and it is highly recommended to begin renewal conversations early in order to ensure that your insured has the best possible chance of placing their business with cyber liability insurance.
To learn more about the importance of cyber liability insurance, reach out to Brad Schrum, ARM (brad@wingmanins.com, 410-404-1330) or Madde Narr, AU (madde@wingmanins.com, 410-228-1717 x104).