TAKING AIM AT CYBER THREATS
With cybercrime–and cyber insurance rates–on the rise, insurers are demanding more risk management efforts from organizations
By Jeremy Gittler
An automobile manufacturer. A pipeline company. A social network. A global consultancy. An insurer. A city’s police department. A meat packing company. A chemical distribution company. They all fell victim to cyber criminals in 2021.
Such attacks have increased in frequency and severity since the onset of the pandemic. While ransomware has gotten the most attention because of some very high-profile, high-dollar attacks, other threats, including phishing, endpoint security, third-party exposure, cloud vulnerabilities, and social engineering, pose significant cyber risk to businesses across industries. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing continues to be a dominant threat, contributing to more than a third (36%) of breaches. That’s up from 22% a year earlier, according to the DBIR. The UN Security Council also reported a 600% increase in malicious emails in 2020, with the finance industry being the most targeted.
Given the persistence of cyber criminals, it is no wonder that in 2021, global damages from cybercrime were estimated to reach $6 trillion. By2025, that number is expected to top $10.5 trillion.
In the current cyber insurance market, businesses that demonstrate they take
cybersecurity seriously will be able to access the best rates, limits, and terms and conditions.
The insurance impact
The insurance world is certainly seeing the impact of increased cybercrime. And so are its clients who, according to Marsh’s Global Insurance Market Index 2021, are experiencing increases climbing by 130%.
Today’s cyber insurance market is very challenging. Increased frequency and severity of cyber incidents are driving significant, and much needed, change in the market. Insurers operating in the cyber market have had to pull back on capacity and retool policy exclusions and language in order to reduce their own risk to the volume of claims.
A Risk Placement Services report reveals that insurers saw loss ratios spike from nearly 45% in 2019 to just under 68% in 2020, and often higher for individual carriers. Such loss trends are unsustainable at recent rates. As a result, cyber insurance rates have seen double, and in some cases, as previously mentioned, triple digit rate increases.
As cyber rates increase, capacity falls. There simply is not as much capacity available to buyers from cyber insurance carriers. Where limits of $10 million were once common not so long ago, insurers are reducing limits to $5 million.
Therefore, if brokers used to build insurance towers of up to $200 million for large companies, they may find themselves missing $50 million or more in capacity from the same insurance program. Plus, there are fewer new entrants in the market from which to get it.
Despite the market’s challenges, cyber underwriters are open to exploring different options for keeping clients’ coverages as cost-effective as possible, by adjusting deductibles or self-insured retentions, supporting a client’s captive, or via alternative approaches like structured reinsurance.
Stepping up risk management
Losses driven by cyber threats are expected to continue. Overall, more companies are conducting more business online and using more technology to operate. The pandemic added another layer of complexity to cybersecurity with employees working remotely. The blending of professional and personal lives created a new security issue for many businesses. Reliance on more technology is requiring companies to boost their security efforts.
Insurance companies are asking much more about policyholders’ efforts during the underwriting process; they are carefully examining clients’ cyber- security requirements as part of the policy application and especially as a precursor to getting ransomware coverage in a policy.
Fortunately, insurers are also lending a hand to help out before a client becomes a cybercrime target. In many cases, as part of cyber insurance policies, insureds are offered access to expert vendor partners who provide a range of proactive cyber risk mitigation services at negotiated preferred rates.
Among the protections carriers may look for is how potential clients secure systems and segregate important information so that if there is a breach, key information is not accessible. That segregation needs to extend to backups. Keeping copies of critical files offline in a secure location allows a company to access data easily and start the remediation and recovery process more quickly.
Of course, this requires companies to engage consistently in best practices in backup frequency and to maintain adequate storage for that data. Companies also are encouraged to assess and address the risks that could emerge if the credentials of key players with administrative rights are compromised.
Ensuring that remote workers follow cybersecurity best practices is a little more difficult. With people mixing their use of business and personal devices, organizations need to be making sure all devices—even personal ones—are protected from cyberattacks.
Human error is the most common way cyber thieves gain access to company infrastructure, so employee training on cybersecurity is an important loss prevention investment. Raising employee awareness about phishing scams, spoofed emails, and suspicious links is a key defense in staving off a cyberattack.
By making cybersecurity an ongoing conversation, organizations can heighten daily awareness, reduce the instance of breach, and enhance their cyber risk profile. In the current cyber insurance market, businesses that demonstrate they take cyber- security seriously will be able to access the best rates, limits, and terms and conditions.
Despite the market’s challenges, cyber underwriters are open to exploring
different options for keeping clients’ coverages as cost-effective as possible … .
Better response plans
When a breach does occur, knowing what to do and when are critical to limiting the damage. Companies should have business continuity/disaster recovery plans in place to ensure that critical systems and data restoration can occur as quickly and safely as possible. Also, companies are advised to establish workaround solutions that can help keep them afloat during the restoration process.
An incident response plan also is a key component to effectively responding to a ransomware event. Such a plan outlines the response process, roles and responsibilities of the internal response team, who to contact and when, incident response vendor information, company procedures and protocols in the event of a breach, and potentially communication strategies, restoration and remediation strategies, and other critical information relating to a response.
Should a breach occur, it’s import-ant for organizations to have a direct line to a team of experts. AXA XL, for instance, has developed a cyber incident response team to help clients understand, both pre- and post-breach, the risk management elements they need to have in place to best address their unique exposures.
Moments count in the aftermath of a breach. Partnering with an advisor that understands state laws and international regulations and has relationships with vetted vendors means recovery and response is better orchestrated and more effective.
The best way to deal with cyber-security breaches is to prevent them from happening. But there’s no place for complacency in cybersecurity, so no matter how strong a company thinks its safeguards are, it also needs a plan for responding swiftly, effectively, and credibly to the worst-case scenario.
As cybersecurity is an ever-changing exposure, improving security needs to be an ongoing effort and a key element in obtaining effective cyber insurance protection.
Jeremy Gittler is head of cyber and technology underwriting, Americas for AXA XL, the P-C and specialty risk division of AXA.