Multi-Factor Authentication Is a Must, and Other Findings from the RPS Cyber Trends Report
Cyber threats can be found everywhere – across industries, businesses and organizations of all sizes.
According to Steve Robinson, national cyber practice leader at RPS, there are some key insights that emerged from the new U.S. Cyber Insurance Market Outlook report by RPS.
“Insureds are experiencing higher premiums, restrictions in capacity and stricter underwriting standards this year. But all these changes were a necessary evolution of the cyber insurance market and better reflect today’s risks,” Robinson said.
“In addition, the significant increase in the severity and frequency of ransomware attacks is the leading driver of change in the current cyber insurance market.”
Industry classes that have been hit hardest by cybercrime and cyber extortion over the past year include education, public entity/government, healthcare, construction and manufacturing.
As such, Robinson said multi-factor authentication (MFA) has become a must-have to qualify for cyber coverage, as it’s one of the most effective ways to prevent a cyber extortion event.
“Retail agents need to quickly become familiar with baseline requirements of insurers if they want to secure renewals or new business for their clients this year,” Robinson said. “I would encourage agents to work with experts like RPS to help navigate the ever-evolving changes in the cyber insurance market.”
Driving Forces
The frequency and severity of ransomware attacks have driven the demand for cyber insurance.
Prior to 2019, cyber-attacks largely involved data breaches to sell personally identifiable information (PII) on the Dark Web. But in 2019, ransomware claims began to climb at an unprecedented rate, and this continues to this day.
As Robinson explained, many attribute this increase to the work-from-home environment during the COVID-19 pandemic, which opened up technological vulnerabilities for hackers to penetrate. During this time, losses often far exceeded actuarial estimates.
“Unlike highly publicized data breaches that targeted industries such as retail, finance, and healthcare for PII and protected health information (PHI), ransomware does not discriminate,” Robinson said. “Ransomware relies more on a company’s willingness to pay for access to its critical data, rather than how much PII it holds.”
Indeed, as highlighted in the report, the market suddenly changed direction in 2020 as insurance companies began to calculate the unanticipated impact of ransomware claims on their bottom line. The additional exposure created by employees working from home during the global pandemic contributed to their greater focus.
According to RPS, “within a single year, claim frequency and severity had climbed at an unprecedented rate. Losses often far exceeded actuarial estimates. Cyber loss ratios jumped from 44.8% in 2019 to 67.8% in 2020, and higher for many carriers.”
It is also common for bad actors to demand payment for a decryption key, as well as payment to prevent the release of customer data and nonpublic information. Double extortion, as it’s called, has become a contributing factor in cyber claim severity over the past year.
“Business e-mail compromise and social engineering also have contributed to the increased demand in cyber insurance,” Robinson said.
Evolution of Sorts
Today the industry is seeing the integration of technology and more informed questions from underwriters that are more representative of today’s risks.
When ransomware became more of a threat, Robinson said it had a great impact on the underwriting process.
Now underwriters are asking more pointed questions and requiring detailed information to learn about an organization’s exposure to cyber-attacks.
“Insurers want to know whether or not MFA has been implemented; they want to know about an organization’s backup processes and segregation of data, in addition to tools in use to detect threats as they occur and utilize artificial intelligence to thwart intrusions before they occur,” Robinson said.
Additionally, insurers are increasingly incorporating the same scanning technology used by hackers into their own underwriting processes, and/or applying sublimits or exclusions on cyber extortion and business interruption resulting from ransomware events, to better control their loss ratios.
Struggling to Secure Cyber Insurance Coverage
Even with the right information security practices in place, organizations are finding it impossible to secure 2021 coverage at 2020 rates.
According to Robinson, while there are many insurers in the marketplace, they are being more selective on the risks they will accept so capacity is limited. Carriers also are strategically increasing premiums.
“With the natural lift in revenues from rate increases, they can afford to be more discriminate about the industry classes, size of risk and limits they will offer,” Robinson said.
The market is extremely difficult for education, public entity/government, healthcare, construction and manufacturing. These classes have been hit hardest by cybercrime and cyber extortion over the past year.
Large public entities, especially, are finding it difficult to secure coverage. Many carriers do not want to be the primary insurer. Therefore, capacity is severely restricted. For those fortunate enough to procure higher limits, the path to get there involves many more insurers.
Public entities and education also have tighter budgets and often face a severe lack of funding for implementing information security enhancements and employee training to help prevent cyber-attacks.
Manufacturing, which was considered low risk in years past due to lack of PII, is now a high risk and a target for ransomware due to the industry’s greater reliance on process automation.
“Significant business interruption losses are a concern,” Robinson said.
The hope is that, with the underwriting changes and tweaks to pricing, retentions, and limit offerings, coupled with more effective risk management on the part of insureds, an increasingly stable marketplace will be sustainable for years to come.
As Robinson said, this year’s changes in capacity, underwriting standards and even increases in premium were a “necessary evolution.” These changes should lead to most insurance companies having a more stable cyber book in the future.
The RPS team also believes that “the partnership between IT, government, insurance and private enterprise in combating cyber exposures is stronger than it has ever been. And it will need to remain strong if we are to continue to innovate in this increasingly critical coverage area.”
“It won’t happen overnight; it’s definitely an evolution,” Robinson said. “But the drastic underwriting changes we saw this year better align with cyber liability exposures, and as a result, a better balance between cyber insurance coverage supply and demand is expected as we draw closer to 2022 and beyond.”