Cyber breaches, regulatory guidance & the insurance market
Insurance companies are tightening underwriting standards to overcome the evolving challenges of insuring cyber risks.
On April 26, 2021, leaked data from the Washington, D.C. Metropolitan Police Department appeared online after the department was hit by a ransomware attack. The data that was posted online included screenshots of arrest records and internal memos.
The group that claimed responsibility for the attack, Babuk, threatened to leak further data if their ransom demands were not met within three days, including information about police informants. Babuk claimed to have downloaded a total of 250 gigabytes of data. As of this writing, there is no information about whether the Metropolitan Police paid the ransom.
Although it is widely known that ransomware attacks have exploded in frequency and severity, other forms of cyber-related claims also pose a significant risk.
According to a study by cyber insurer Coalition, Inc., ransomware attacks were the most common type of cyber claims in 2020 (41%), followed by funds transfer loss (27%), and business email compromise incidents (19%). All of these risks have accelerated in light of the global pandemic, with increases in employees working remotely giving hackers more opportunity to gain access to computer systems and sensitive information.
The overall costs of cyber incidents have been staggering. In its annual Internet Crime Report for 2020, the FBI reported that its Internet Crime Complaint Center received a total of 791,790 complaints in 2020, a 69% increase from 2019. Reported losses from cyber incidents, according to the FBI, were approximately $4.2 billion compared to $3.5 billion in reported losses in 2019.
Naturally, insureds have sought coverage for this onslaught of cyber risk. According to a 2020 survey by Advisen and PartnerRe, the top three coverages sought were cyber-related business interruption, cyber extortion/ransom and funds transfer fraud/social engineering. As would be expected, cyber insurers have been called upon to make payments for cybersecurity events. According to Hiscox’s 2021 Cyber Readiness Report, insured cyber losses totaled $1.8 billion in 2019.
As cyberattacks have become more widespread, government regulators and insurers have made efforts to control the risk. As discussed in greater detail herein, government regulators have reacted to these claim trends in a number of ways, including by providing guidance to insurers on how to manage the risk and respond to such attacks. Similarly, cyber insurers, in response to the increase in cyber claims, have undertaken more rigorous underwriting standards requiring that companies have specific cybersecurity measures in place in order to obtain coverage.
Government regulator reactions
At the federal level, in October 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to companies about the potential sanctions that they could face for facilitating ransomware payments to hackers designated by OFAC as “malicious cyber actors.” OFAC also emphasized that facilitating ransomware payments on behalf of a victim may violate OFAC regulations, which could lead to civil penalties. A person or entity subject to U.S. jurisdiction who facilitates such payment can be held strictly liable, even if they did not know or have reason to know that they were engaging in a transaction that was prohibited under laws and regulations administered by OFAC.
The potential for companies and their cyber insurers to run afoul of OFAC’s rules by facilitating and making a ransom payment on behalf of an insured has made it important to determine, prior to making such a payment, whether the hacker responsible for a ransomware attack has been designated as a malicious cyber actor.
However, it is sometimes beyond the ability of a non-governmental organization to determine the identity of a hacker. In deciding whether to make a ransom payment, cyber response teams, including insurers, must now weigh the possibility of penalties if they cannot ascertain the identity of their attacker.
In an effort to “facilitate the continued growth of a sustainable and sound cyber insurance market,” New York’s Department of Financial Services (DFS) issued in February 2021 a cyber insurance risk framework of best practices for managing all types of cyber insurance risk.
First and foremost, DFS’ guidelines call for insurers to establish a formal cyber insurance risk strategy, including clear qualitative and quantitative goals for risk. The guidelines also recommend that cyber insurers manage and eventually eliminate “silent” cyber insurance risks, which the DFS describes as the risk that an insurer must cover losses arising from cyber incidents under insurance policies “that do not explicitly grant or exclude cyber coverage.” Silent cyber risk can be found in a variety of insurance policies, including errors and omissions, general liability and burglary and theft, according to DFS.
The DFS’ guidelines also recommend that cyber insurers undertake more rigorous underwriting of insurance risk, including evaluation of systemic risk exposures.
As illustrated by the major SolarWinds cybersecurity incident, the use of third-party vendors provides hackers with opportunities to exploit one cyber breach to affect multiple organizations and entities at the same time, creating systemic risk to cyber insurers. As such, the DFS recommends that insurers understand the third parties used by their insureds. Further, DFS recommends that insurers gather information regarding a potential insured’s cybersecurity program through surveys and interviews on various topics, including encryption, incident response planning and third-party security policies.
DFS also recommends that insurers educate insureds and brokers about cybersecurity measures that could reduce the risk of future cyber incidents and that insurers incentivize the adoption of such measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.
The actual legal impact of these guidelines on insurers remains to be seen. The guidelines are silent on any means of enforcement by the DFS.
Cyber insurance underwriting trends
Broadly speaking, the cyber insurance market has shifted from one characterized by broad coverage terms, robust capacity and stable pricing toward a hard market. Premiums and retentions have increased substantially, with some companies with no history of claims and strong ransomware controls seeing rate increases of between 25% and 50%, while companies with weaker controls are experiencing rate increases above 50%.
Moreover, certain “high-risk” classes of business may be more likely to see premium increases, including in the healthcare, financial institutions and manufacturing sectors.
With respect to ransomware, many insurers are requiring the completion of a supplemental application for ransomware coverage, with rates, terms and conditions being determined by the company’s response to the application’s questions. If the responses indicate that a company’s network security is inadequate, that could be reflected in the cyber policy’s premium and coverage terms.
Similarly, some insurers are imposing sub-limits and/or co-insurance on ransomware coverage, and coverage for ransomware could be more difficult to obtain if current claim trends continue — or get worse.
As cybersecurity incidents continue to rise in frequency and severity, it is important for cyber insurance underwriters as well as insureds to be familiar with the laws and regulations that may impact cyber coverage. Cyber insurers that underwrite risk in New York should review the DFS’ guidelines and assess whether their underwriting procedures constitute “best practices” for cyber insurance. Finally, businesses should consult with competent counsel and brokers both before an event, to ensure proper security and develop a response plan, and after a cybersecurity event occurs, to develop a plan for protecting data, investigating the breach and potentially providing notification to impacted users and governmental agencies, consistent with the ever-developing best practices.
Eric B. Stern is a partner and co-deputy chair of the data privacy and cybersecurity practice at Kaufman Dolowich & Voluck, who concentrates his practice in all aspects of insurance coverage litigation. Andrew A. Lipkowitz is an associate at the firm who primarily focuses his practice on insurance coverage litigation and monitoring. Kelly S. Geary is the national practice leader for executive risk and cyber at EPIC Insurance Brokers and Consultants.
Opinions expressed here are the authors’ own.