UNDERWRITING REQUIREMENTS IN THE NEW ERA OF CYBER RISK

The current ransomware threat has proven to be far more challenging to address than data breach risk

By Jacob Ingerslev

Since its creation in the late 1990s, cyber insurance has gone through several evolutionary changes both in terms of the coverage provided in cyber policies and the process through which underwriters assess cyber risk.

While the dynamic nature of cyber risk and changing regulation have generally been drivers of the ongoing evolution of the cyber market, two major shifts have occurred in the past decade that have particularly impacted cyber insurance. The first one occurred in 2014 and 2015 following a series of large-scale data breaches that forced cyber insurers to rethink the way they assessed breach-related exposure.

The second major shift is happening right now with the ransomware epidemic that started in 2019 and continues to worsen. The ransomware threat has proven far more challenging to the cyber insurance market than data breach risk because it’s not industry or size specific and loss amounts are far more unpredictable. A Fitch Ratings report says ransomware losses have contributed to an increase in U.S. (stand-alone) cyber loss ratios from 34% in 2018 to 73% in 2020.

The ransomware epidemic has forced insurers to make necessary upgrades to their question sets and increasingly move away from the binary answer format that often leads to limited insights.

Recent nation-state attacks have further elevated concerns about future cyber-related catastrophe events, and the deterioration of loss ratios due to the increase in attritional losses is adding increased pressure on cyber insurers to adequately model for such events. As a result, the market is experiencing significant changes in underwriting approach and pricing of risk, as insurers continue to adapt to these challenges.

While policyholders and new buyers have to cope with increased scrutiny and rising premiums, more risk control benefits are now available to them.

Cyber risk assessment tools

Insurers’ use of tools to assess policy-holders’ security posture is not an entirely new underwriting approach in cyber insurance; however, these practices have become much more widespread than they were just a few years ago. These tools, typically cybersecurity rating applications, collect information from a number of different data sources, including vulnerability scans, threat intelligence, and cybersecurity research, and they use a proprietary algorithm to aggregate the data into a score, rating, and/or probability of loss.

Early use of cybersecurity rating applications in the industry focused mostly on the score or rating given to a particular organization as a means for underwriters to compare the numeric value against the information provided in application forms. The way in which cyber risk assessment output is applied to the underwriting process has evolved significantly. Insurers now increasingly use specific identified vulnerabilities to guide pricing, manage limits, set subjectivities relating to specific remediation requirements, and in some cases decline to offer a quote altogether.

Cyber risk assessment tools provide insights into an organization’s perimeter security, including two areas of cyber exposure of particular interest to insurers: open port vulnerabilities and CVEs, or common vulnerabilities and exposures.

Open ports are the virtual access points used by systems to connect with other systems over the internet in order to communicate. While some ports are necessary for regular internet facing operations, such as web applications, unused ports left open to the internet will increase the risk of attacks.

CVEs are publicly disclosed software vulnerabilities, which are recorded in a database maintained by the MITRE Corporation. These can be exploited by threat actors and often have been by the time they’re disclosed to the public. Some CVEs can be mapped specifically to ransomware exploits, and their presence in an organization’s network perimeter will be a red flag to insurers.

Improved underwriting information gathering

Another recent underwriting requirement introduced by cyber insurers is the use of supplementary application forms specifically addressing ransomware controls. These applications are increasingly mandatory for organizations to complete when seeking cyber coverage or renewal of an existing policy. They focus on both prevention and recovery controls; one of the most effective measures to mitigate ransomware attacks is a recent, tested, and well-protected backup.

As with other application forms, some questions represent absolute cybersecurity requirements while others fall into the preferred category. The “must have” controls typically include the following:

• Use of multi-factor authentication, either for all access or for remote or privileged access is typically one of the must-have controls
• Frequent backups and protected backup storage
• Disabled or protected Remote Desktop Protocol (RDP is a remote access tool commonly exploited for ransomware delivery)
• Confirmation that no end-of-life operating systems are used

Ransomware supplements are, as they say, supplementary. They’re used alongside findings from cyber risk assessment tools to provide insights into security domains, such as administrative security controls and recovery procedures, that cannot be determined by the signals picked up in automated network perimeter scans. In some cases, answers provided in the application forms are compared against the risk assessment tool output to verify the accuracy of those answers.

Regardless of whether … attacks exploit zero-day vulnerabilities or use sophisticated malware hidden in software updates, the insurance industry will always have one fundamental problem: the twelve-month renewal cycle of most insurance policies.

The full format application forms that have been used in cyber insurance since its infancy are still part of the underwriting process and they too have improved in their scope and design. Many of these application forms had become obsolete due to the constantly changing threat landscape and cybersecurity protection measures.

The ransomware epidemic has forced insurers to make necessary upgrades to their question sets and increasingly move away from the binary answer format that often leads to limited insights. Leading cyber insurance brokers, particularly those with in-house cybersecurity consulting units, have also played a role in improving the underwriting information gathering with very extensive questionnaires closely resembling those used in vendor security assessments. While these have mostly been used for large account customers, they’re slowly being adopted in the upper middle market segment.

Systemic risk exposure considerations

The SolarWinds and Microsoft Exchange Server attacks have brought added challenges on top of issues already facing cyber insurers due to ransomware. Both were advanced persistent-threat attacks, and they amplify the limitations of cyber underwriting processes. Even with improvements from the use of cyber risk assessment tools and upgraded application forms, the vulnerabilities exploited in these attacks would likely never be caught by underwriters.

Regardless of whether such attacks exploit zero-day vulnerabilities or use sophisticated malware hidden in soft-ware updates, the insurance industry will always have one fundamental problem: the twelve-month renewal cycle of most insurance policies.

Insurers’ ability to react quickly to events that have the potential for widespread impact to their portfolios is usually restricted to the next renewal date of each policy, when it’s often too late. While the industry continues to expand cyber services offered in conjunction with the policies, such as incident alerts during the policy period, these have little impact since inaction is not sanctioned.

All is not lost, however, since robust practices relating to patching of critical vulnerabilities and incident response can still mitigate the risk of even advanced persistent-threat attacks. Questions addressing such controls form part of most insurers’ applications and underwriters also increasingly require as part of the renewal process information on how organizations have responded to recent widespread events.

Insurers have valuable insights gathered from their portfolios’ claim statistics and are well positioned to provide policyholders with information about the most commonly exploited vulnerabilities and help them remediate issues … .

Acknowledging that systemic events are becoming more frequent, there’s recognition among leading cyber insurers that tail risk exposure needs to be accounted for in the pricing of cyber coverage. Improved cyber risk modeling capabilities are supporting insurers’ work to more accurately determine the pricing and reserving needed for future catastrophic events. That is part of the reason for the general increase in premium levels taking place in the current market environment.

Risk control benefits to policyholders

Standard lines of insurance, such as property, general liability, and workers compensation, have long incorporated risk control services that help reduce both the frequency and severity of loss. Such services have been available for the past few years in cyber insurance, but the uptake rate has been fairly limited for a number of reasons.

Many policyholders and their agents or brokers have not been fully aware of the benefits of the services, and the subscription is often an afterthought to the procurement of the policy itself. All of that is gradually changing and the explanation is the impact that the ransomware epidemic is having on both insurers and insureds.

By now the cyber risk awareness gap is closing, and policyholders increasingly understand the benefit of cyber risk control services.

The range of available risk control services varies greatly among cyber insurers, but the most valuable services that policyholders can benefit from are:

• Cybersecurity rating reports with identified vulnerabilities
• Cybersecurity remediation and improvement assistance
• Cyber risk awareness training
• Dark Web scans and credential monitoring

Insurers have valuable insights gathered from their portfolios’ claim statistics and are well positioned to provide policyholders with information about the most commonly exploited vulnerabilities and help them remediate issues through established partnerships. For that reason, they’re taking a proactive approach to incorporate risk control services into their underwriting requirements.

The author

Jacob Ingerslev is the Head of Cyber Risk at The Hartford. He joined The Hartford (through Navigators Group) in February 2017 and is responsible for the Cyber Risk and Technology Errors and Omissions product suite, underwriting strategy, and incident response solutions, and is leader of the enterprise Cyber Risk practice. He started his 20-year insurance career in the Scandinavian insurance market underwriting Technology and Life Science risks and has held leadership positions with CNA Financial Corporation and the Chubb Corporation in both the U.S. and Europe. He holds a BSc and Master of Laws degree from Aarhus University in Denmark. This article provides general information and should not be construed as specific legal, risk management, or insurance advice. As with all matters of a legal or risk management nature, you should consult with your own legal counsel and other professionals. The Hartford shall not be liable for any direct, indirect, special, consequential, incidental, punitive, or exemplary damages in connection with the use by you or anyone of the information provided herein.