IN THE PUBLIC EYE

Cyber Security: Preparation is the Key

 

Author:  Carleen Patterson, Alliant Public Entity

 

As we approach the second half of 2024, it’s clear that cyber insurers will continue to focus on individual insureds’ controls. The panel of experts at the closing session of PRIMA’s Annual Conference stressed that while the cyber market has seen some softening for insureds who have made the necessary changes to their cyber security controls over the last 12 months, the market continues to evolve. Meghan O’Malley, Western Region Leader for the Alliant Cyber team, sees continued focus on security, large class action suits and ongoing geopolitical events impacting the 2024 insurance market and beyond. Specifically, O’Malley discussed the following trends:

  • Partnerships between cyber insurers and cybersecurity/IT/tech firms can expect continued evolution in the underwriting process.
  • Prevalent Meta Pixel/tracking claims have led to the addition of new exclusions.
  • The wars in Ukraine and Gaza and systemic risk with nation state threats will be the leading concern for carriers as they look to limit their exposure to CAT loss type risk.

 

“Ransomware activity continues to trend upward, with average initial ransom demands, average ransom payments and total ransom paid all on the rise,” said O’Malley. According to industry sources, regardless of whether an insured pays the ransom, the average business interruption from a ransomware attack ranges from 22 to 24 days. With the appropriate controls and backups in place, insureds may be in a position to ignore the ransom demand.

 

The Alliant Cyber team’s C.J. Dietzman, Senior Vice President and cyber security expert, warned public entities that they will have to consider the following as they approach their cyber renewals:

  • Increasing innovation in the cyberattack surface: Automation, AI and data analytics are increasing technology dependence, in addition to potentially expanding vulnerabilities and potential attack vectors.
  • Heavy reliance on third parties and business partners: Pervasive usage of contractors, subcontractors, temporary workers and third parties can reduce the organization’s level of security control, while increasing potential exposures.
  • Evolving cyber-regulatory requirements: Various regulators are increasing their focus on mandatory cyber requirements, including data protection, breach notification, disclosures, privacy and controls.
  • Legacy infrastructure: Many organizations are not known for heavy investment in IT, OT and security innovation and architecture, and their environments may include significantly deprecated systems.
  • Constrained resources/economic uncertainty: Many organizations have lean IT, cyber security and risk management teams and budgets, which may exacerbate cyber exposures.
  • Attractive target for cyber crime: Public entities may be targeted by cyber threat actors due to their storage of sensitive data.

 

Betty Coulter, Chief Risk Officer for the City of Charlotte, echoed CJ’s message, specifically regarding challenges in managing vendor contracts and running tabletop exercises. She advised her fellow risk managers that working with procurement and IT is key. Betty shared her own experience, including some specific challenges that arose in the cyber market when an application was completed for a recent renewal. A change in IT personnel had one city department answer the cyber application differently, which caused a negative reaction from cyber insurance carriers. This incident highlighted an additional challenge: keeping IT talent in this highly competitive cyber security market.

 

Also critical to an entity’s risk management plan, says Coulter, are:   

  • Testing incident response plans
  • Following best practices for cyber security training
  • Carrying out proven techniques to mitigate risk and recover when a third party is hacked
  • Preparation, including working with a breach coach and understanding notification laws

Coulter stressed the importance of system security standards and guidelines. Her own experience includes working with CJ and the Alliant Cyber team to conduct a Cyber Insurability Readiness Assessment (CIRA) to understand where there were vulnerabilities. This allowed the city’s IT department to address them before entering the insurance market. As a result of this exercise, the city department was able to successfully bind a competitive insurance program.

 

The panel of experts agreed that the five-step risk management process includes analyzing exposures and implementing methods to control the risk. At the core of managing cyber risk is examining your internal cyber practices and determining the best way to control and mitigate exposures. Being prepared is key.