Cyber expert talks state of risk to the insurance industry
Jennifer Wilson, head of cyber at Newfront, says ransomware still ranks number one among digital threats.
While less than half of all cyber claims included ransom payments last year, an ever-evolving threat landscape highlights the need for robust security protocols and comprehensive insurance coverage in 2024 and beyond, a June report from the insurance brokerage Newfront said.
Despite AI’s potential to customize insurance policies based on a policyholder’s specific needs — like monitoring driving behavior to determine auto policy discounts or using smart devices and IoT to help mitigate property risk — the technology also opens the door to considerable risk.
PropertyCasualty360.com recently spoke to Jennifer Wilson, head of Cyber at Newfront, about cybersecurity’s impact on the insurance industry in 2024. The conversation touched on the threats that worry insurers most, accurately calculating cyber risk, the most common types of cyber claims and susceptible industries.
In her role, Wilson directs the marketing, placement and claims management of cyber risk and technology E&O insurance. She works with clients to identify and understand their cyber risk exposure, while recommending ways to best mitigate these risks and negotiate the broadest terms available in the cyber insurance marketplace.
PropertyCasualty360: What scares insurance carriers most about cybersecurity in 2024?
Wilson: The lack of implementation. The biggest issue with cybersecurity is organizations failing to implement adequate controls. At the onset of 2020, most insurers required baseline controls for consideration of cyber insurance. By 2021, most organizations had implemented multi-factor authentication (MFA), along with endpoint detection and response (EDR).
While the cyberattack vectors have evolved significantly over the past few years, the security tools to thwart these attacks have not changed much. MFA and EDR remain on the list of most effective security tools. Within recent months underwriters have begun looking for an expansion in controls with a renewed interest in managed detection and response (MDR). While EDR is a tool that is deployed to protect a particular endpoint, MDR provides security monitoring and management across an organization’s entire IT environment. I expect that underwriters’ requests for MDR will change into requirements for MDR over the coming months.
PC360: What are the most common cyber claims?
Wilson: Ransomware has remained the leading type of cyberattack for several years running. This involves a threat actor group using malware that holds the victim’s sensitive data or device hostage, with the threat to keep it locked or publicly disclose it unless the victim pays a ransom to the group.
A close second to ransomware is business email compromise (BEC) which is a type of phishing attack that uses email to trick the victim into sending money or divulging confidential information to the scammer.
With the enhancements in artificial intelligence, cyberattacks are becoming more sophisticated, such as the use of deepfakes via video or phone impersonation to scam victims into sending money or confidential information to the cybercriminal. Wire fraud and invoice manipulation remain leading types of cybercrime claims.
PC360: What industries are impacted most?
Wilson: Cyberattacks are industry agnostic in that no industry is safe from attack. However, some industries have been hit harder than others. According to the 2024 IBM X-Force Threat Intelligence Index, the manufacturing sector is the most vulnerable to data breach in 2024, healthcare continues to be one of the most impacted industries, followed closely by financial institutions, then energy and technology.
PC360: How often are companies and people forced to pay ransoms?
Wilson: The decision to pay ransom or not is often contingent on reliable backups and the ability to recover in a short amount of time. However, even with robust business continuity in place, the risk of data leaks often drives the decision-making process.
We recommend that an organization determine whether to pay or not as part of their incident response plan to avoid being forced to make the decision during the crisis mode of an actual attack. Sophos reports that over half of victims (56%) report paying ransom in order to recover data, which is a decrease from prior years. While the rates of victims paying ransom have decreased, the amounts of ransom payments have increased year over year, with the average ransom payment soaring to a staggering $2M in 2024.
PC360: How can insurance protect businesses and people from cybercrimes?
Wilson: Insurance doesn’t protect businesses from cybercrime. Rather, insurance supports the costs associated with cybercrime claims. The best way to protect, mitigate and prevent cybercrime is through the implementation of current and robust cybersecurity coupled with ongoing employee training. Insurance steps in as a mechanism to transfer the costs of cyber claims away from your balance sheet. Consider insurance as the last step in the cybercrime mitigation process.
PC360: How do insurance companies mitigate risk while calculating premiums for cyber coverage?
Wilson: Following the pandemic and subsequent ransomware epidemic, the insurance industry developed and implemented effective cybersecurity requirements in order to obtain cyber insurance coverage. Insurance companies also invested in technical risk management staff to support underwriting, offering an alternative and critical lens to the coverage analysis.
Scrutiny of security controls is an area that was lacking in prior decades, and the increased security requirements over the past few years have helped insurers to more effectively and accurately assess risks and manage loss ratios in a more stable and consistent manner. After a couple of years of drastic rate increases, followed by plummeting decreases, the market seems much more stable, and we don’t expect such wild swings in premiums in either direction over the coming years.
Following the theme of this discussion, the companies and industries that are most susceptible to cyber-attacks are the ones that are lacking in baseline security controls, such as MFA and EDR, or those lacking sustainable response and business continuity following an attack. Rather than a regional difference, what makes an organization more apt to pay a ransom is reflective of their ability to recover from the attack quickly, the type and amount of data that is at risk, and the impact to the organization related to the attack.