Client Advisory: Cyber Market Update, September 2020

Just 18 months ago, pricing seemed to be hitting record lows commensurate with constantly expanding coverage. Since more markets were entering the cyber space, there was no scarcity of capacity, and we suspected this trend would continue. However, times have changed dramatically, and cyber insurers continue to see increase in both frequency and severity of ransomware attacks against their policyholders, especially in vulnerable industry classes such as healthcare, municipalities, higher education, and any company without robust cyber security.

Worsening loss ratios have led to increased premiums across all sectors, and we expect the trend to continue. Most clients can expect primary policy premiums to increase in the 10%+ range, and underwriters will upwardly adjust pricing for insureds with expanding record counts (volume of PII collected/processed) and revenue growth. Some difficult industry classes may see even higher increases as underwriters, particularly on excess layers, bring pricing back into proper alignment.

While the market remains competitive, gone are the days of expanded coverage with no additional premium. Underwriters can offer some enhancements, like bricking cover and contingent business system failure, but with an additional premium and perhaps at a sub-limit. Underwriters are also requiring much more visibility into the insured’s business continuity plan, security controls and dependency on critical technology and non-technology service providers.

Cyber trends

• A well-funded and emboldened hacking community continues to use their new Ransomware-as-a-Service model and doxing campaigns (threats to publish highly sensitive data) to force victim companies to pay hefty ransoms with no assurance that the decryption key will unlock all compromised data, nor that the hackers will not sell the exfiltrated confidential data in a dark web forum; there is also no guarantee that a company will not be re-victimized by another ransomware attack.
• Evolving risks resulting from new and expanding laws regarding statutory duties to protect employee and consumer data, especially where new laws afford a private right of action and severe per violation penalties as remedy; policy wording is very important to optimize claims outcomes; and regulators have heightened expectations that companies have complete data inventories, manage their data controller and data processing risk with critical vendors and service providers, and that they are prepared to respond appropriately to investigation and litigation from both breach events and allegations of wrongful collection.
• More states are incorporating broader definitions of personal data and some are following Illinois’ lead with its Biometric Information Protection Act (BIPA). EPL carriers have seen a spike in these claims, and some carriers are imposing exclusions. Since BIPA covers both employee and customer biometric data, it is important to make sure the cyber policy includes a broad definition of personal data, offers regulatory coverage for both data breaches and allegations of wrongful collection, and that exclusions around fines and penalties and employment claims are modified to preserve coverage.
• Inherited risk and attack surfaces are both increasing. Hackers are taking advantage of the COVID-19 conditions since most employees are working from home on devices which may not be fully protected endpoints. A company also inherits risk from all of its application and software developers since threat actors have a hundred day lead on knowing (and exploiting) a vulnerability before the software developer can patch it. This lag time creates a huge opportunity window for skilled and novice hackers alike. As more smart devices (including printers, cameras, HVAC controls, etc.) are Internet-enabled, hackers are taking advantage of poor security and using IoT devices as access points into networks, where they can move laterally to other systems and databases.
• Losses from system disruption due to cyber-attacks (including cyber extortion) AND from system failures (operation errors/unplanned outages) are increasingly complex to adjust, as companies struggle with applying traditional BI loss adjustment protocols to losses caused by cyber-attacks; outage periods are lengthening and much attention is needed around the policy wording for key areas such as outage triggers, covered period of restoration, mitigation expenses to shorten duration of outage, and how retentions and waiting periods apply (and increase out of pocket exposure for the insured).
• War exclusion – While this concern has somewhat moved to the back burner under a cloud of COVID-19 priorities, cyber risks from nation-state attacks (attributed and non-attributed) continue to be a top concern for both CISOs and risk managers. Organizations should understand how this exclusion and/or the lack of affirmative cyber terrorism coverage could influence loss recovery under certain breach scenarios.
• Aggregation and systemic risk – Many organizations rely on the same cloud service providers (AWS, Azure), which creates a challenge for underwriters to adequately price their coverage should a breach to a commonly used vendor (e.g., Cognizant) cause cascading financial loss across many of their insureds. Underwriters are insisting on more visibility into their insured’s dependency on key technology service providers and may retreat from certain opportunities if they do not feel they have sufficient spread of risk.
• Social engineering schemes (phishing, invoice manipulation) continue to yield nice paydays for the threat actors, and companies often find themselves navigating coverage challenges with gaps or overlaps in crime and cyber policies.
• Silent cyber is finding its voice. London underwriters are leading the way in defining where their property and casualty policies are affirmatively covering or excluding particular cyber risks, and some U.S. markets are following suit. Policyholders must conduct a comprehensive coverage gap analysis against various realistic cyber loss scenarios in order to document when and how they may be partially covered by traditional P&C lines; companies should be prepared for new cyber exclusions on their P&C lines, and be ready to purchase coverage “buy-backs” or self-insure loss events that may fall between cyber policy and property and casualty policies. There are many buy-back solutions, and they each require a very meticulous review. New definitions of cyber act and cyber incident in Lloyd’s exclusions must be evaluated in context of the draft buy-back wording and tricky exclusions, such as “wear and tear” and “failure to maintain cyber security levels” are reappearing on some draft forms. Attention to detail and rigorous negotiating is required to get the policyholder the right solution at a competitive premium.

We predict that underwriters will continue to focus on the volume of records that a company collects, processes, stores, and transmits on its customers, patients, employees, dependents, and beneficiaries. Large databases are under perpetual threat, and nation-states have adopted stealth measures to gain visibility into data within an organization, including that which is managed by its administrative and business process service providers. For some companies, this presents both a downstream exposure for them from their own service providers, as well as a professional liability exposure with respect to their own contractual duties to maintain information security best practices. Once again, getting the policy wording right is crucial.

The McGriff approach

Balancing budget constraints with a dynamic threat environment, clients are increasingly focused on cyber risk quantification. We offer our clients a number of resources to assist in evaluating how much coverage is necessary and affordable. Consideration must be given to both first and third-party loss scenarios, and some incidents may straddle both sides of the cyber policy. Models based on historic loss trends tend to be less useful since new exploits are created daily.

We subscribe to taking a holistic view of the company’s exposures (e.g., type of PII collected, processed, transmitted within and across network, data hosting specifics, technology usage, inherited risk from software service providers, unknown vulnerabilities, patching cadence, etc.) rather than simply basing such a decision on benchmarking alone. We also discuss other financial impacts, such as duration of outage, lost income, extra expenses incurred during total or partial system shutdown, ransom payments (if unavoidable), investigations costs, and legal liabilities to third parties (ex. contractual obligations).

Cyber program structures are also undergoing some changes, as risk managers confront budget pressures from the huge pricing increases on other lines. To achieve renewal objectives, McGriff recommends starting the process at least six months prior to the policy renewal date, and to allow the client to prepare and present a comprehensive renewal submission via the application process, the underwriting call or both.

On most towers, McGriff will approach 40+ markets to optimize pricing and maintain breadth of coverage up the full tower. During firming markets, it is quite common to build a coverage tower using quota-share layers to manage rate and to fill layers where insurers are willing to participate. A few insureds utilize their captive in a quota share capacity, to achieve some cost savings, but most are hesitant to transfer risk to their captives since cyber exposures are highly unpredictable (WannaCry/NotPetya), hundreds of new exploits are being created daily, and there is not a mature and reliable loss history upon which to accurately quantify risk. For the near term, it is likely most companies will continue to prefer to transfer cyber risk to the cyber marketplace.

To learn more about McGriff’s cyber coverage options, please contact:

Suzanne Gladle
Executive Risk Advisors
Senior Vice President, Cyber Practice Leader
404-497-7515
sgladle@mcgriff.com

To learn more about McGriff Executive Risk Advisors, please contact:

David Sellars
Executive Risk Advisors
Executive Vice President, Co-Division Leader
404-497-7582
dsellars@mcgriff.com  

Dusty Cahill
Executive Risk Advisors
Executive Vice President, Co-Division Leader
404-497-7537
dcahill@mcgriff.com