IN THE PUBLIC EYE

Cyber Liability – Proactive Risk Management in An Evolving Market

Author: Seth Cole, Alliant 

 

 
Presented by Seth Cole (Alliant) and Jon Paulsen (Sedgwick) at the Public Agency Risk Management Association (PARMA) Conference in Sacramento, California, February 2023.
 
Cyber exposures are directly connected to an entity’s responsibility for personally identifiable information (PII), which includes any data that could potentially be used to identify a particular person. Examples include a full name, Social Security number, driver's license number, bank account number, passport number and email address. This applies to the PII of an entity’s employees as well as its customers. The risks include, but are not limited to, privacy notifications, cyber extortion payments, intellectual property infringement and financial injury, as well as obligations associated with consumer protection and data privacy regulations.
 
Breaking down cyber coverage

There is no standard cyber policy; cyber coverage can be categorized as data, data privacy and computer equipment insurance. The three buckets of coverage are first party, third party and other. 
 
  • First party coverage includes protection for the loss of an entity’s data, business interruption and damage to computer hardware. 
  • Third party coverage includes liability for losing someone else’s data, government fines for not complying with regulations and payment card fines for non-compliance. It can also include coverage for liability arising from information posted on an entity’s website.  
  • Other coverage includes the costs to notify people that an entity has lost their data, the costs of enlisting help to understand the most recent data privacy laws in every state and internationally, the costs of help in shaping the messaging to put forward in the event of a data breach, and recovery of money lost when a fraudulent email induced a transfer of funds. 
 
Cyber extortion (ransomware) is a component of almost every cyber liability policy. At least two states have banned government entities from paying ransoms connected to ransomware attacks and several others are looking at it. 

 

Financial impacts of cybercrime

The financial impact of cybercrime has shaped the cyber insurance market. Cybercrime was estimated at $8.4 trillion in 2022 and is expected to grow to $10.5 trillion by 2025. To combat this, global cyber security spending over the next five years is expected to exceed $1.75 trillion. A consumer or business suffered a ransomware attack every 11 seconds in 2021. This is expected to drop to every two seconds by 2031, and while ransomware has been the fastest growing in frequency and severity of claims for insurance companies, the latter part of 2022 saw a respite in overall loss activity. It’s too soon to call this a trend, but it’s a positive sign and we believe this is due in large part to the hard work done by many to harden network security.

 

We are in a challenging but improving cyber insurance market. Through Q4 of 2022, carriers cut their capacity, with leading primary carriers restricting coverage for public entities. Abrupt pricing corrections were a result of the uptick in severity of claims and mounting pressure to increase retentions. This was all due in part to the view that the public and education sectors were below the median for all industry sectors in cyber risk preparedness, based on a survey of organizations in the U.S. and UK. The industry loss ratio and combined ratio are improving (having peaked at 75% and in excess of 100%, respectively); however, carriers have concerns over systemic events that could be catastrophic for the industry and are addressing these concerns through coverage restrictions. While the past couple of years saw pricing increases of two and even three times what they were before, many insureds can expect some stability in pricing, terms and conditions for 2023, especially those with good cyber hygiene.

 

System security standards

Underwriters want to know that an entity’s network is secure, and they focus on minimum standards to ensure that data is indeed secure before providing a quote. System security standards include multi-factor authentication, endpoint detection, remote desktop protocol controls, backups, incident response plans, employee training, email security protocols and plans in place to protect end-of-life software. Every carrier has its hot buttons, but these are generally what underwriters focus on, and we often see insurers scan their insureds’ (and applicants’) external sites to identify vulnerabilities.

There are many resources available to improve your security posture, and many of these resources are provided by your insurance carriers, such as training, incident response planning and sample plans, and discounted partner rates for vendors. Governmental resources are provided by the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security. CISA provides a range of free services including system and website vulnerability scanning, penetration testing, phishing awareness training and self-evaluation tools. The Department of Homeland Security offers a grant program.

 

Cyber security vendors can assist with underwriting compliance, technology updates/enhancements, communications, crisis response, risk assessment and compliance. The vendor market is evolving very quickly, so it’s important to do your due diligence and network with peer risk managers.

 

Plan of attack

When an incident occurs, the first 24 hours are critical. Notify your insurance company of any suspected data breach, security breach, cyber extortion threat or system failure. Secure your IT systems and preserve all evidence pertaining to the incident, as memories fade and emails get lost or deleted. Communicate, coordinate and execute with your insurance company.

 

Given the push for increased retentions, underwriter scrutiny and increased rates, many entities are finding themselves self-insuring portions of their cyber risk, and in some instances the entire risk. Do you plan to take on more cyber risk? Entities should ask themselves these questions before going down that path:

 

  • Do we have a self-insurance fund in place to pay for losses, as we do for other lines of coverage?
  • Do we have comprehensive training to avoid losses?
  • Do we have regular and secure backups?
  • Do we have incident response, disaster recovery and business continuity plans in place? 

 

Cyber liability continues to evolve. Proactive risk management will be a continuous, ongoing process.