Spring 2021 McGriff Market Update:
Cyber Insurance

The cyber insurance industry is experiencing what many nascent marketplaces, particularly in technology, experience—a drastic market shift fueled by evolving threats. 

We’ve seen a dramatic increase in ransomware attacks against companies and organizations in the past two years. Threat actors are bolder and the attacks, while growing in complexity, are easier to carry out than ever before. Seven- and eight-figure ransom demands are now common. Complicating things further, even the less skilled hacker can wreak havoc now through the emergence of Ransomware as a Service (RaaS) tools.  

As attacks have been on the rise, so has the number of claims to insurers in this space. According to Guidewire, ransomware attacks increased 40% in the first three quarters of 2020, compared with the same period in 2019, totaling about 200 million incidents globally. Ransomware attacks in the United States increased 139% year over year, almost four times the global rate.

As a result, the effect on loss ratios has been significant, leading to higher premiums across all sectors—in the 30% to 100% range—and even the novel possibility of an outright declination. Cyber insurance markets are narrowing their exposure, and a few are refusing to remain on-risk for certain industry classes. Policyholders can expect to complete a detailed ransomware underwriting application as underwriters closely examine cybersecurity controls (particularly multi-factor authentication for networks, email and privileged access). Insurers are also bringing back sublimits for specific insuring agreements or co-insurance to moderate their contribution to losses. Several insurers are reducing their total limits on many program towers, and excess carriers are insisting on minimum premium levels as they consider even higher attachment points as equally exposed to major loss.

The coverage accompanying these premium surges often remains as expiring, or with minimal enhancements. Coverage expansions are more likely to be premium-bearing, and certain extensions will not be available to all clients.

Cyber Trends

  • SolarWinds, an Austin, TX-based company that provides IT monitoring and other technical services, experienced a breach last year of its global proprietary network monitoring software, Orion. The attack rattled the industry as the intrusion was unique both in character and deployment. On July 11, 2020, SolarWinds said the incident actually might have originated in September 2019, the time the earliest suspicious activity on its internal systems was detected (according to a SolarWinds SEC filing on January 11, 2021). Of the potentially 18,000 affected SolarWinds customers, many did not have a direct connection to the company, highlighting supply chain risks and their corresponding coverage. The breadth of loss from this incident is still unknown.
  • The Microsoft Exchange Server compromise, and others like it, will apply additional pressure on cyber underwriting, especially the aggregation challenge imposed on the carriers and their reinsurers. The threat intelligence community and many government agencies, including the Cybersecurity & Infrastructure Security Agency (CISA), have warned that this event could have far-reaching implications. Bloomberg predicts it could affect as many as 60,000 U.S. businesses.
  • Prompt patching provides no assurance that the hackers have not already downloaded remote files or scanning toolkits, dumped credentials, or condensed data into zip files for exfiltration. So, there could be significant future losses and attacks against organizations, including ransomware or other malicious exploits. Potential losses could involve compromised PII (personally identifiable information) and the associated data breach response costs, and might also include stolen intellectual property and the resulting loss of revenue.
  • The Office of Foreign Assets Control (OFAC) issued an advisory regarding the examination and diligence processes companies must undertake to ensure that ransomware payments are not exposing them to OFAC violations and related sanctions.
  • While Congress is considering another federal privacy law, states continue to implement and amend current laws. Virginia is the latest to pass new data collection and processing laws. The Supreme Court has weakened the Telephone Consumer Protection Act (TCPA), which should result in less litigation. We don’t yet know if Congress will propose additional legislation to address auto-dialers, robo-calling, and solicitation texting.
  • The pandemic continues to affect the industry in multiple ways. Remote work presents an increased exposure to companies that must be mitigated. Topics such as employee health status, vaccinations, etc., could lead to changes in privacy laws such as HIPAA. Government guidance on these topics may affect privacy and employment insurance.

Market Trends

At a minimum, new applicants and existing cyber policyholders need to prepare for an exhaustive underwriting process. Clients should be prepared to share a comprehensive explanation of their cyber security tools, techniques and best practices, as well as implementation plans for the policy term. Along with the traditional expectations for proper cyber security hygiene, expect an increased focus to include:

  • Disabling or enhancing security around remote desktop protocol and VNC utilization.
  • Multifactor authentication for network access, email, and critical applications and privileged access, along with endpoint detection and response.
  • Segmented backups with regular tests for functional viability.
  • Timely patching cadence and rigorous patching discipline.
  • Robust employee phishing awareness and training programs.
  • Adequately staffed and/or resourced IT/OT service team.
  • Suitable disaster recovery and business continuity planning, including an annual mock exercise.
  • Internal and external pen tests and timely remediation of vulnerabilities and weaknesses.

On most large towers, McGriff will approach more than 40 markets to determine which carriers will participate, and to optimize pricing and maintain breadth of coverage up the full tower. In the current market, quota share capacity may be utilized to manage rate and fill tower layers.  

Looking Ahead

McGriff continues to monitor the technology ecosystem, especially as businesses adopt new web-enabled solutions to enhance customer engagement, improve workflows and production, and leverage innovative hardware and software products to meet performance targets. But new technology is always accompanied by new risk, and not all potential consequences can be fully understood until implementation. Cyber policy language will need to keep up accordingly. Advancements in the next few years will greatly influence coverage and underwriting, most notably:

  • Rollout of 5G and WiFi 6 and related security concerns around the distributed software environment, with no central chokepoint for oversight and correction—and its potential effect on securing the supply chain.  
  • The widespread and rapid deployment of IoT (Internet of Things), which expands the attack surface that hackers can access and exploit.
  • Growing utilization of Machine Learning and Artificial Intelligence (ML/AI), which can provide a huge benefit to information and operational systems in terms of enterprise oversight, but also may be used for nefarious purposes.

We expect 2021 to continue to be a volatile year, but with pruning comes positive and sustainable growth. Some experts predict the global cyber insurance marketplace will increase at least 21% this year, likely topping out at around $9.5 billion. Assuming increased underwriting discipline and recent movement towards future risk-based premiums, the market should continue to grow to over $20.4 billion by 2025. However, this remains to be seen. We will continue to monitor closely and apprise you as the market progresses.

Insurance products and services offered through McGriff Insurance Services, Inc., a subsidiary of Truist Insurance Holdings, Inc., are not a deposit, not FDIC insured, not guaranteed by a bank, not insured by any federal government agency and may go down in value.

McGriff Insurance Services, Inc. CA License #0C64544