Paul Ferrillo

In the following guest, Paul Ferrillo takes a look at the current deteriorating cyber insurance claims environment and offers his views on the likely impact of the claims developments on the market for cyber insurance in 2021. Paul is a partner in the McDermott, Will & Emery law firm. My thanks to Paul for allowing me to publish his article as a guest post on this site. I welcome guest posts from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.

 

**************************

 

The rarified place that cybersecurity insurance (“cyber insurance”) used to hold in the strata of the more “profitable” corporate insurance products is quickly closing, as significant losses are now more prevalent on the books of cyber insurance carriers. (And growing monthly.)

 

Will higher cyber insurance premiums follow? Will limits of liability contract as cyber insurers closely watch the capacity of their book of cyber insurance business? Finally, will underwriting standards tighten among the major cyber insurance carriers?

 

The answer to all three questions is probably, yes. What can you do to offset some of the potential premium increases that are lurking down the road? Here are our views, after first discussing the cyber claims environment to set the context.

 

One recent article published in Help Net Security on the cyber insurance markets noted:

The number of cyber insurance claims has steadily risen over the last few years, up from 77 in 2016, when cyber was a relatively new line of insurance, to 809 in 2019. In 2020, there were already 770 claims in the first three quarters. This steady increase in claims has been driven, in part, by the growth of the global cyber insurance market, which is currently estimated to be worth $7 billion according to Munich.

 

Another article in Help Net Security quoted:

 

“Commenting that internet security is lagging behind the sophistication of cybercriminals and is leading to an erosion of trust in the digital economy,” Omar Abbosh, who leads Accenture’s Communications, Media & Technology operating group, said.

 

The increased sophistication of cybersecurity criminals, frequently detected in “syndicate” format, is certainly causing losses to be sustained on a “campaign” style basis. The present “work from home” environment has added additional pressure to network defenses, with more and more employees and executives working remotely from laptops and other smart devices, which may or may not be fully protected from attacks. Targets have included several industries, including academia, healthcare, local governments and municipalities. According to the 2020 Ponemon Cost of Data Breach report, known for its state-of-the-art breach, claim and loss reporting, published recent losses:

 

2020 Report 2019 Report
Worldwide cost of data breach claims $3.86 million $3.92 million
US cost of data breach claims $8.64 million $8.19 million
Healthcare cost of data breach claims $7.13 million $6.45 million

 

Cost of data breach claims per record lost        $150 – $175 per record

 

What is the rest of 2020 expected to show? More losses, especially due to the dramatic growth of ransomware attacks in the United States caused by sophisticated cybercriminals. See “2020 Global Threat Report,” which notes that in 2019, “BGH (or ‘big game hunting’), another term for enterprise ransomware operations, was the most lucrative enterprise or eCrime adversaries. Ransomware demands soared into the millions causing unparalleled disruption.”

 

See also, “40% Increase in Ransomware Attacks in Q3 2020,” which notes, “The United States observed 145.2 million ransomware hits in Q3 2020, which is a 139% year-over-year increase. For at least one cybersecurity insurance carrier, their insureds received over $100 million in ransomware demands in the month of September 2020 alone. There is little doubt that some of the largest losses cyber carriers have faced in 2020 will be ransomware-related.

 

Having wartime “in the trenches” cybersecurity experience since 2012, it is our view that cybersecurity insurance carriers will be forced to rethink their books of business to remain profitable. Premiums will have to increase and reportedly have been on the rise for the past six to 12 months. Underwriting standards will likely tighten based on  known claim patterns (like the ransomware epidemic). Limits of liability (with towers of cyber insurance sometimes growing in excess of $500 million) will be decreased as cybersecurity carriers try to cut down their exposure to the growing cybersecurity threats detailed above.

 

Though there is some benefit to premiums increasing (principally so that the cyber insurance carriers remain healthy enough to pay a growing book of claims), there is some tension between what carriers believe they can charge, and what insureds can afford to pay. Your company may be thinking about those questions this second as end-of-year renewals approach.

 

To the extent you need help identifying the most critical areas a cybersecurity insurer will look at, we think the answers are clear. Be prepared to respond to the topics identified below. Review the underwriting standards that you will likely face, and meet or exceed them. You may still get a premium increase, but hopefully not one close to 50% of your expiring premium rate, which has been reported in the insurance trade papers. Here is what we suggest you do/review prior to your next renewal:

 

1. Perform a vulnerability assessment as soon as possible: To assess your network versus the cyber threats to your network (which you previously identified in your risk assessment), where is your network vulnerable? Is it a staffing and resource issue, where you do not have the staff to monitor your network? Is it a patching problem (where you might be two or three or more “Patch Tuesdays” behind the eight ball)? Is it a structural problem (are you still running Windows 7)? Or, is it an employee training and education that rears up every time one of your employees “clicks on a link” or attachment from which he or she doesn’t know the sender? Many of these issues are easily remediated for very little money. Some issues will need more TLC, and others will take some money to remediate. There is little doubt remediation will be easier, cheaper and better to swallow than a theoretical $200,000 premium increase and maybe an $8 million ransomware settlement that jeopardizes your credibility with your customers and investors.

 

2. Allocate time for identity and access management controls (IAM): Given the current work from home environment, coupled with the approximately fifteen (yes, 15) billion credentials available on the Dark Web, a major threat to corporate networks is “unauthorized access.” That brings into question whether companies are enforcing a number of best practices, including: (1) password management policies that are both in writing and enforced with the company; (2) least privileged access (where employees have the “least access possible” to do their job); (3) multi-factor authentication (MFA) to access the core network as well as to privileged credentials; and (4) restricting the growth of administrative or “admin” privileges within companies. Certainly, not every employee needs access to everything. With the growth of credential thefts, admin privileges finding their ways into the hands of “bad guys” can spell “bad news” to any organization.

 

3. Review your data backup and restoration procedures: A majority of ransomware claims grow out of control when insureds do not have a proper backup policy and procedure they follow. Either companies leave their backup tapes/media online where they can be stolen or erased by attackers; or companies do not have recent backups, relying on their “once in a blue moon” approach to backing up a network. Either way is a big problem if not fixed relatively immediately. Carriers will be asking and investigating the same questions during your next renewal or purchasing cycle.

 

We recommend a process called “Backups X 3.”

1) One backup kept online and readily accessible;

2) One backup kept “on premises” but kept “offline” or “segmented” and not on any internet-facing appliance or server; and

3) One backup kept in the cloud—again segmented and offline to remain secure in the face of an attack.

If something bad happens, like a ransomware attack, at least you will know that a full backup is only one day away from restoring your network—not one week (or more!) away as some companies have faced.

4. Review your encryption or tokenization efforts concerning your most important data: This is a solution that might not have been immediately available four or five years ago. Today, they are immediately implementable, even for smaller businesses, and can help a company resist an extortion demand relating to stolen data or critical IP. It is important to remember that similar to your backup media, keep your encryption keys segmented and offline so that in the event of a maze or ransomware attack like Maze or REvil, where data is also stolen or exfiltrated, your encryption keys are not stolen. This approach will thereby make the cyber criminals’ best play (by encrypting your files, while stealing and then potentially “ransoming” back your stuff) unremarkable and unprofitable since what they will steal will be “gobbledygook.”

 

5. Are your cybersecurity policies and procedures up to date and practiced? Do you have an incident response, business continuity and crisis communications plan? How often are these plans updated? How often are they practiced? Do you have a privacy policy? How often do you review it to make sure it is compliant with both federal and state regulations?

 

6. Are you compliant with whatever laws your business or firm is required to be in compliance with? Federal laws (Health Insurance Portability and Accountability Act (HIPAA); Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE); Office of the Comptroller of the Currency (OCC)) or state laws (NY Stop Hacks and Improve Electronic Data Security Act (SHIELD) or California Consumer Privacy Act (CCPA)) or EU laws (Global Data Protection Regulation (GDPR))? Who monitors their compliance? Does the company use a forensic consultant or outside law firm to assist, or does the company say they “do it alone?” Carriers will be looking for evidence or proof of compliance given the fact assessed fines and penalties can complicate underlying litigation and/or breed further claims like shareholder derivative litigation.

 

  1. 7. How often does your board of directors meet with your chief information security officer (CISO) and senior information technology (IT) staff to review and assess the cybersecurity posture of the company? Since cybersecurity threats and tactics change constantly, we hope those meetings occur at least four times a year for at least 30 minutes each. “Discussions” should not only involve a lifeless powerpoint, but a robust oral discussion with the CISO or CTO about improving the cybersecurity posture of the company.

 

8. Do you have a critical vendor “supply chain risk management policy” that assesses the cybersecurity policies and procedures of your vendors, suppliers or other outsourced data processing functions (like cloud providers)? Who assesses the security of your vendors? Do you do it internally or do you outsource this function?

 

9. Does the company leverage any cybersecurity frameworks to help obtain a functioning 24/7 security posture, like the National Institute of Standards and Technology (NIST) cybersecurity framework, or ISO 27001? If so, has their compliance with frameworks like the NIST been audited or signed off by a third party?

 

10. Does your company have an endpoint solution? Endpoint security is the practice of securing endpoints or entry points of end-user devices such as desktops, laptops and mobile devices from being exploited by malicious actors and campaigns. Endpoint security systems protect these endpoints on a network or in the cloud from cybersecurity threats by potentially identifying anomalous behavior and “shutting it down” before it infects the entire network

 

11. Does the company have a patching policy that requires critical vulnerabilities to be patched with 72 hours of when they are published by US Computer Emergency Readiness Team (US-CERT)? Or does it take you weeks to make critical patches?

Although the above does not cover every consideration by a cybersecurity insurance carrier, these 11 points will be important to underwriters for the rest of 2020 and through 2021.

Ask yourself these questions to help stem the rising tide of cyber claims and cyber insurance premiums. There are other protections we could recommend, like a machine learning anomaly detection solution, that would impress your cyber carrier. We won’t do that here, because very often, it is the basics that matter most in cybersecurity, including patching and updating your network and servers.