Author: Seth Cole, Alliant
Financial impacts of cybercrime
The financial impact of cybercrime has shaped the cyber insurance market. Cybercrime was estimated at $8.4 trillion in 2022 and is expected to grow to $10.5 trillion by 2025. To combat this, the global cyber security spend over the next five years is expected to exceed $1.75 trillion. A consumer or business suffered a ransomware attack every 11 seconds in 2021. This interval is expected to drop to every two seconds by 2031. While ransomware has been the fastest growing in frequency and severity of claims for insurance companies, the latter part of 2022 experienced a respite in overall loss activity. It’s too soon to call this a trend, but it’s a positive sign and we believe this is due in large part to the hard work done by many to harden network security.
We are in a challenging but improving cyber insurance market. Through Q4 of 2022, carriers cut their capacity, with leading primary carriers restricting coverage for public entities. Abrupt pricing corrections were a result of the uptick in severity of claims and mounting pressure to increase retentions. This was all due in part to the view that the public and education sectors were below the median for all industry sectors when it comes to cyber risk preparedness, based on a survey of organizations in the U.S. and UK. The industry loss ratio and combined ratio are improving (75% and in excess of 100% at the height, respectively); however, carriers have concerns over systemic-type events that could be catastrophic for the industry and are addressing these concerns through coverage restrictions. While the past couple of years saw pricing increases of two and even three times what they were before, many insureds can expect some stability in pricing, terms and conditions for 2023, especially those with good cyber hygiene.
System security standards
Underwriters want to know that an entity’s network is secure, and they are focusing on minimum standards to ensure that data is indeed secure in order to provide a quote. System security standards include multi-factor authentication, end-point detection, remote desktop protocols, backups, incident response plans, employee training, email security protocols and plans in place to protect end-of-life software. Every carrier has its hot buttons, but these are generally what underwriters focus on, and we often see insurers run testing on their insureds’ (and applicants’) external sites to identify vulnerabilities.
There are many resources available to improve your security posture, and many of these resources are provided by your insurance carriers, such as training, incident response planning and samples, and discounted partner rates for vendors. Governmental resources are provided by the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security. CISA provides a range of free services including system and website vulnerability scanning, penetration testing, phishing awareness training and self-evaluation tools. The Department of Homeland Security offers a grant program.
Cyber security vendors can assist with underwriting compliance, technology updates/enhancements, communications, crisis response, risk assessment and compliance. The vendor market is evolving very quickly, so it’s important to do your due diligence and network with peer risk managers.
Plan of attack
When an incident occurs, the first 24 hours are critical. Notify your insurance company of any suspected data breach, security breach, cyber extortion threat or system failure. Secure your IT systems and try to preserve all evidence pertaining to the incident, as memories fade and emails get lost or deleted. Communicate, coordinate and execute with your insurance company.
Given the push for increased retentions, underwriter scrutiny and increased rates, many entities are finding themselves self-insuring portions of their cyber risk, and in some instances, the entire risk. Do you plan to take more cyber risk? Entities should be asking themselves these questions before going down that path:
Cyber liability continues to evolve. Proactive risk management will be a continuous, ongoing process.