select
This is a tooltip for the edit command button

CYBER INSURANCE MARKET: CYBER INSURANCE - RISKS VS REALITY - YOU HAVE HEARD OF TOO BIG TO FAIL - TOO BIG TO INSURE?

Hacking and cyber incidents have been increasingly in the news in recent times.  Much has been written in the FORC Journal and elsewhere about cybersecurity and the issues presented.  And the insurance industry has been privy to major attacks and settlements, including CNA Financial in 2021.[1] The CNA ransomware payment remains the largest known to date in the insurance sector.[2]

Most FORC members and their firms likely have cyber insurance, and if they have sought cyber insurance in recent months, they likely have seen a tightening underwriting process. Whereas insurers in the space had underwritten with standard questions and pretty steady premium rates per $100,000 of coverage, we are seeing cyber insurers demand that clients provide incident response plans, copies of their privacy policies and procedures, and in many cases, requiring additional proactive measures, including demanding the insured engage in security measures such as multi-factor authentication.  Expect this to continue and get more challenging as insurers have faced increasing claims and coverage for major ransomware and other attacks. This article focuses on the challenges to cyber insurance facing insurers and the cyber insurance market and changes taking place based on the external factors.

The Cyber Risk Profile Increases

At a National Association of Insurance Commissioners (“NAIC”) meeting in August, Louisiana Insurance Commissioner Jim Donelon asked whether the cyber insurance market was going to be like the long term care (“LTC”) market thirty years from now, where understanding the risk and the coverages resulted in a major overhaul of the LTC products and coverages.  The concern Donelon raised centers on the underwriting practices and the increased frequency and severity of cyber insurance claims. One reason for the increased frequency and severity is that, with the Covid-19 pandemic, many businesses are entering into their third year of working remotely, with many executive orders being implemented in March 2020.  On March 19, 2020, California became the first state subject to a stay at home order when its governor issued an executive order to that effect.[3] Many questioned him at first, seeing the action as extreme and unlikely to happen in other states. Governor Newsom’s executive order followed some cities in California whose mayors had issued shelter in place orders. However, on that same day, Chicago Mayor Lightfoot announced that City Hall would not be open to the general public and that many library branches would close two days later.[4]  The following day, Illinois Governor Pritzker issued an executive order, effective March 21, that addressed essential services and shelter in place.[5]

With everyone remote, and using their home internet and systems, the vulnerabilities of many organizations’ security increased.   The numbers of incidents and exposures reported during the pandemic and outlook for the costs going forward for cybercrime have been startling:

“According to an FBI Internet Crime Report, there were 791,790 reported complaints of suspected internet crime in 2020, with over $4.2 billion in reported losses. Global costs of cybercrime are projected to increase 15% annually from 2015 to 2025—from $3 trillion to $10.5 trillion, according to the EY 2021 Global Insurance Outlook.”[6]

The amount of ransomware demands and payments have seen huge increases, with “average ransom paid for organizations increase[ing] from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase.”[7] That 2020 number climbed to $570,000 in the first half of 2021, according to Unit 42.  These staggering increases in claims and payments has led the insurance industry to a period of “retrenching.”[8]

Ransomware and the Cyber Insurance Market

Each year, pursuant to Title V of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the U.S. Department of Treasury’s Federal Insurance Office (the “FIO”) must complete an annual report that addresses the state of the insurance industry and market.[9] One of the focuses of the FIO Annual Report in 2021 was the emergence of ransomware and the overall cyber insurance market. Ransomware has become an increasingly problematic issue in cyber, with major impacts on the cyber insurance market.[10]  Cyber insurance policies primarily come in two forms, 1) a package where cyber and non-cyber risks are covered, and 2) a standalone, covering only cyber related risks.[11] More and more, standalone policies are becoming the majority of insurance policies that address cyber risks.  In 2020, premiums for cyber insurance passed the $3.0 billion mark, which is approximately 1% of the property and casualty market.[12] Per claim payments more than doubled from 2019, going from $145,000 to $348,000.[13] Cyber premiums are concentrated, with the top ten insurers representing more than 60% and the top 25 representing more than 80%.[14]

FIO notes that ransomware attacks have increased in recent years, and in 2020, with the pandemic and higher internet usage, cyber hackers increased activity, resulting in more than $300 billion of ransomware payments in 2020.[15]

In response to this increased ransomware and attacks, the federal government has taken several steps to address these issues, including 1) the creation of the website, StopRansomware.gov, 2) a Rewards for Justice program, and 3) other measures designed to educate and prevent ransomware attacks.[16]

While there are more than 780 insurers that provided cyber insurance in 2020, “the cyber

insurance market remains concentrated, with the top 10 cyber writers holding a combined market

share of 63.3 percent in 2020, down slightly from 64.1 percent in 2019. The top 25 cyber writers

combined hold nearly 85 percent of the cyber insurance market.”[17]

The Growth of the Cyber Insurance Market

The cyber insurance market has grown from an estimated market of less than $1 billion prior to 2012 to an estimated market in 2025 of more than $20 billion.[18]  That is an incredible level of growth.  As noted, the United States cyber insurance premium market was “less than $1 billion in premium in 2012”[19] and is growing exponentially.

In 2015, the NAIC[20] “created the Cybersecurity and Identity Theft Coverage Supplement, which requires insurance companies to report financial data on cyber risk coverage.”[21]  The intent was to track coverages offered and assess the market.

Despite the growth in the cyber insurance premiums, in a study conducted in 2014 by Aon Benfield, only approximately one-third of United States businesses had purchased some form of cyber insurance.[22]  The percentage continues to remain relatively small.  But the uptake and coverages for cyber insurance vary dramatically by industry and revenue size. According to a CyberScout[23] survey:

“This was made abundantly clear in the results of a recent survey by CyberScout, a global leader in cybersecurity and identity theft resolution services, which revealed that 76% of US small and medium-sized businesses (SMBs) experienced some form of cyberattack in 2019, but only 31% had cyber insurance coverage.”[24]

While many small and mid-sized companies are not buying cyber insurance, hackers realize that larger organizations “can devote more attention and resources to security and employee training. This makes smaller firms and high-net-worth individuals lower-risk targets for criminals.”[25]

Yet, for many small companies, cyber insurance is not something they buy.  A survey of small and mid-sized companies revealed the following reasons for not purchasing cyber insurance:[26]

  1. Costs too much (42%);
  2. Risk profile doesn’t warrant coverage (35%);
  3. Risks handled sufficiently internally (27%); and,
  4. Too many exclusions (17%).[27]

While uptake might still be less than a majority, in more modern times, cyber insurance is becoming a more common requirement for various contractual engagements, from third party vendor contracts to the M&A arena.

The General Accounting Office (“GAO”) Takes a Look

In May 2021, the GAO issued a report, “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market” (the “GAO Report”).[28]  The GAO Report reached a number of conclusions and findings, including that the uptake rate had significantly increased; price increases were substantial with shrinking coverage limits; and, standalone policies are becoming increasingly common.[29] The GAO Report also noted a lack in common terminology and that the industry could better work to refine that issue.[30]

According to one analyst, “Cyber rates were up 204% cumulatively over 12 months in the third quarter of 2021.”[31]  Even if you or your clients can get through the underwriting process, that rate increase is going to be significant. 

The New York Department of Financial Services (“NYDFS”) and cyber insurance

In addition to the GAO Report, in February 2021 the NYDFS issued Insurance Circular Letter No. 2 (2021) (the “NYDFS Circular”) to all property and casualty insurers authorized in New York.[32]  Amongst other topics covered by the NYDFS Circular was the issue of silent cyber risk, [33] “which is risk that an insurer must cover loss from a cyber incident under a policy that does not explicitly mention cyber.”[34]  The NYDFS Circular notes for insurers the risk of silent cyber risk:

“Even property/casualty insurers that do not explicitly offer cyber insurance should evaluate their exposure to silent risk and take appropriate steps to reduce their exposure.  Silent risk can be found in a variety of combined coverage policies and stand-alone non-cyber policies, including errors and omissions, burglary and theft, general liability and product liability insurance. Cyber risk likely has not been quantified or priced into these policies, which exposes insurers to unexpected losses.”[35]

As noted by the NYDFS Circular, numerous types of policies can contain silent cyber risk, including:

  • Crime Insurance
    • Computer Fraud Coverage
      • Business email compromise induced wire transfers
      • Ransom payments
    • Property Insurance
      • Direct physical loss (of) or damage to property
      • Loss of functionality of computer system following ransomware event
      • Loss of reliability of electronic data following air conditioning malfunction
    • Commercial General Liability
      • Personal Injury Coverage
      • Oral or written publication of material that violates a person’s right of privacy
    • Professional Liability

The NYDFS is not alone in insurance regulators to require its regulated insurers to address the expanding exposures of silent cyber risks. For example, in February 2021, the Bermuda Monetary Authority (the “BMA”) issued its 2020 Bermuda Cyber Underwriting Report.[36] The BMA Report requires insurers to disclose in filings how they are managing silent cyber exposures and to “clarify whether cyber coverage is provided or not, in non-cyber policies, either by having clear exclusion language or adding the necessary endorsements.”[37]

Underwriting Intensifies

In part due to the increased frequency and severity of cyber insurance incidents and claims, and in part due to the issues of capacity and underwriting profit as the cyber insurance market develops, underwriters at cyber insurers are taking steps to undertake greater underwriting scrutiny and are imposing additional requirements on insureds.  These requirements often include a robust review of the privacy and cyber policies and procedures of an insured, requiring that the insureds have items such as incident response plans and multi-factor authentication in place. According to one recent report, supplementary applications are becoming more common that include a variety of required controls:

“The ‘must have’ controls typically include the following:

  • “Use of multi-factor authentication, either for all access or for remote or privileged access is typically one of the must-have controls
  • “Frequent backups and protected backup storage
  • “Disabled or protected Remote Desktop Protocol (RDP is a remote access tool commonly exploited for ransomware delivery)
  • “Confirmation that no end-of-life operating systems are used.”[38]

Supply and Demand Imbalance

According to one Reuters story, “Lloyds of London, the carrier holding nearly a fifth of the cyber insurance market, discouraged its syndicate from taking cyber business in 2022.”[39]  Insurance brokers have reported an increasing distancing between the uptick in demand for cyber insurance and the decrease in capacity.[40] While there has been no mass exodus of insurers from the cyber insurance market, insurers are taking steps to limit exposures and costs of offering cyber insurance, in part to avoid the exposures that Donelon raised with his comparison to LTC in the late 1980s and early 1990s. One CEO of a cyber insurer noted:

“We have seen a pullback in appetite as well as reduction in limits being offered by individual carriers. At the same time, we have seen a healthy focus on cyber risk management controls that clients need to have in place for a carrier to be willing to offer terms. We have also seen significant price increases on good risks with no claims.”[41]

In addition to the tightening insurance capacity, insurers have experienced higher combined ratios in a short period of time, “S&P said the cyber combined ratio in the U.S. increased by more than 20 percentage points to 95.4% in 2020, from 74.5% in 2019.”[42]

Pricing of cyber insurance is increasing rapidly as a result of this performance, with global cyber pricing “today nearly 50% higher than early 2019 levels. And there is little respite in sight:

rates rose by an average of 30% year-on-year in June 2021.”[43]

Reinsurance

Given the increased costs and claims imposed on the insurers, reinsurance rates in turn have increased for cyber insurance, with less capacity given the broadening demands.  According to a recent report, “Within the cyber space, reinsurance capacity continues to be scarce, with players choosing to back carriers with long-standing relationships and track records.”[44]

Exclusions Introduced

In order to address some of the silent risk issues and limit future exposures by insurers, some new exclusions have been introduced.    In November 2019, for example, Lloyd’s Market Association (the “LMA”) introduced two exclusions.[45]  One exclusion bars coverage for any loss arising from a cyber act or cyber incident under its property policies.  The exclusion defines a “cyber act” as an unauthorized, malicious, or criminal act, and a “cyber incident as an “error or omission.” The second exclusion is for marine policies and makes clear that it does not cover any losses related to computers including “failure, error or malfunction.”

In November 2021, the LMA issued four additional cyber exclusions, these intended to exclude cyber war and war causes.[46] The LMA bulletin reported that, “these clauses meet the requirements set out in the Performance Management - Supplemental Requirements & Guidance (July 2020) which state that all insurance and reinsurance policies written at Lloyd’s must, except in very limited circumstances, contain a clause which excludes all losses caused by war.”

The International Underwriting Association (“IUA”) issued similar exclusions to the 2019 ones.[47] Some US insurers have announced initiatives to address silent cyber exposures as well, including potential exclusions.

Coverage under Cyber Policies

The industry continues to work through policy interpretation. To date, there is no standard cyber insurance product, and there are major variations in coverages amongst insurers.  As GAO noted, there also are major variations in policy terms and definitions.  Further, cyber policy language generally has not been tested to date in the courts.  While coverage under many cyber policies is broad, coverage is of course not unlimited, and potential disputes will undoubtedly result between insureds and insurers.  Some of the issues that likely will develop in the near future include:

  • Activities beyond the scope of coverage;
  • Betterment versus Remediation;
  • Quantum of business interruption and contingent business interruption claims;
  • Breach of policy conditions and requirements;
  • Misrepresentation / Material Omission;
  • Notice Requirements;
  • Prior Consent Requirements; and,
  • Panel Firm Requirements.

These issues and potential battles are in addition to the issues raised by silent cyber risk issues and other insurance provisions and related disputes.

Conclusion

Given the increased frequency and severity of cyber insurance claims and the increased attacks on individuals and entities of all sizes, the insurance industry is reviewing the cyber insurance market and making changes to address the line.  Things likely will continue to evolve as the market continues to harden and the attackers continue to increase their crimes and demands.

References

*The title is from a panel presentation at the 30th Annual Insurance Coverage Litigation Committee Mid-Year Program, “The Heat Is On: Hot Topics In The World Of Insurance,” done live on February 24, 2022 in Phoenix, Arizona. Thanks to moderator Anthony Macauley and panelists Judy Selby and Peter Kochenburger for working together to develop our presentation, which helped inform much of this article.

[1] Kartikay Mehrotra and William Turton, Bloomberg, Business, Cybersecurity, “CNA Financial Paid $40 Million in Ransom After March Cyberattack,” May 20, 2021, available at https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack.

[2] In its 10K report filed in 2021, CNA disclosed:

“We sustained a sophisticated cybersecurity attack in March 2021 involving ransomware that caused a network disruption and impacted certain of our systems. Promptly upon detection, we undertook steps to address the incident, including engaging a team of third-party forensic experts and notifying law enforcement and key regulators. As of the date of this report, we have restored network systems and resumed normal operations. We are continuing to assess the full extent of the impact from the incident, as well as determining any additional actions we may take to improve our existing systems. Although the investigation is ongoing, should we determine that personal information was impacted, it is possible that notification to individuals, other parties and/or regulators may be required based on applicable law. As a result or otherwise related to the incident, we may be subject to subsequent investigations, claims or actions in addition to other costs, fines, penalties, or other obligations.”

Available at https://d18rn0p25nwr6d.cloudfront.net/CIK-0000021175/5c42783a-bd36-4411-8a37-5e0e28d288ae.pdf.

[3] See California Executive Order N-33-20, available at https://www.fmcsa.dot.gov/sites/fmcsa.dot.gov/files/2020-03/California%20Govenor%20Newsom%20Shelter%20in%20place%20Executive-Order-N-33-20.pdf.

[4] https://chicago.cbslocal.com/2020/03/19/mayor-lori-lightfoot-coronavirus-covid-19-pandemic-speech-city-hall-address/.

[5] See Illinois Executive Order 2020-10 available at https://www2.illinois.gov/Pages/Executive-Orders/ExecutiveOrder2020-10.aspx.

[6] Lori Widmer, Rough Notes, “Navigating a Hardening Cyber Insurance Market,” September 30, 2021, available at https://roughnotes.com/navigating-a-hardening-cyber-insurance-market/.

[7] Unit 42, “Ransomware Threat Report 2021,” available at https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf.

[8] Howden Group, “Cyber Insurance: A Hard Reset,” available at https://www.howdengroup.com/sites/g/files/mwfley566/files/inline-files/Howden%20Cyber%20Insurance%20-%20A%20Hard%20Reset%20report_1.pdf.

[9] Federal Insurance Office, U.S. Department of the Treasury,  “Annual Report on the Insurance Industry,” September 2021, available at https://home.treasury.gov/system/files/311/FIO-2021-Annual-Report-Insurance-Industry.pdf (hereinafter Annual Report).

[10] Annual Report, p. 74.

[11] Annual Report, p. 74.

[12] Annual Report, p. 74.

[13] Annual Report, p. 75.

[14] Annual Report, p. 75.

[15] Annual Report, p. 77.

[16] Annual Report, pgs. 78-79.

[17] Annual Report, p. 75.

[18] Statista, Estimated value of cyber insurance premiums written worldwide in 2018, 2020 and 2025(in billion U.S. dollars),Statista Research Department, available at https://www.statista.com/statistics/976526/global-cyber-insurance-market-size/#:~:text=Global%20cyber%20insurance%20market%20size%202018%2C%202020%20and%202025&text=This%20statistic%20shows%20the%20estimated,20%20billion%20U.S.%20dollars%20globally (last visited Jan. 21, 2021)

[19] Sasha Romanosky, Lillian Ablon, Andreas Kuehn, Therese Jones, Content analysis of cyber insurance policies: how do carriers price cyber risk?, Journal of Cybersecurity, Vol. 5, Issue 1, (2019), available at https://doi.org/10.1093/cybsec/tyz002.

[20] The National Association of Insurance Commissioners is “the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories.”  More information can be found at NAIC, www.naic.org (last visited Jan. 21, 2021).

[21] The American Risk and Insurance Association, Cyber Insurance Supply and Performance: An Analysis of the U.S. Cyber Insurance Market, available at https://www.aria.org/wp-content/uploads/2020/06/CyberInsuranceARIA2019.pdf (published Feb. 14, 2019).

[22] Aon Benfield, Insurance Risk Study - Growth, Profitability, and Opportunity, (2014), available at http://thoughtleadership.aonbenfield.com/documents/20140912_ab_analytics_insurance_risk_study.pdf.

[23] Cyberscout, https://cyberscout.com/en (last visited Jan. 21, 2021)

[24] Bethan Moorcraft, US insurance market not keeping up with cyber risk needs for small businesses, (Nov. 19, 2020), available at https://www.insurancebusinessmag.com/us/news/cyber/us-insurance-market-not-keeping-up-with-cyber-risk-needs-for-small-businesses-239608.aspx#:~:text=This%20was%20made%20abundantly%20clear,31%25%20had%20cyber%20insurance%20coverage.

[25] Insurance Information Institute and J.D. Power, 2019 Small-Business Cyber Insurance and Security Spotlight Survey SM, available at  https://www.iii.org/sites/default/files/docs/pdf/small_business_cyber_wp_102319.pdf (the “III/J.D. Power Study”).

[26] Id at p. 6, Figure 1.

[27] Id.

[28] General Accounting Office, “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market,” available at https://www.gao.gov/assets/720/714429.pdf.

[29] Id.

[30] Id.

[31] Business Insurance, International, “Cyber insurance, reinsurance market hardening to continue,” January 27, 2022, available at https://www.businessinsurance.com/article/20220127/STORY/912347503/Cyber-insurance,-reinsurance-market-hardening-to-continue?utm_campaign=BI20220127GlobalFocus&utm_medium=email&utm_source=ActiveCampaign&vgo_ee=C8qWfDhscemEWde2BTzh4w%3D%3D&utm_campaign=BI20220127GlobalFocus&utm_medium=email&utm_source=ActiveCampaign&vgo_ee=C8qWfDhscemEWde2BTzh4w%3D%3D.

[32] Available at https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02.

[33] Id.

[34] Id.

[35] Available at https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02.

[36] Available at https://www.bma.bm/pdfview/5242.

[37] Id.

[38] Jacob Ingerslev, Rough Notes, “Underwriting Requirements in the New Era of Cyberrisk,” May 28, 2021, available at  https://roughnotes.com/underwriting-requirements-new-era-cyber-risk/.

[39] Joe Uchill, SC Magazine, Ransomware, “As the cyber insurance bubble begins to burst, the market scrambles for a new approach,” November 23, 2021, available at https://www.scmagazine.com/feature/policy/as-the-cyber-insurance-bubble-begins-to-burst-the-market-scrambles-for-a-new-approach.

[40] Howden Group, “Cyber Insurance: A Hard Reset,” available at https://www.howdengroup.com/sites/g/files/mwfley566/files/inline-files/Howden%20Cyber%20Insurance%20-%20A%20Hard%20Reset%20report_1.pdf.

[41] Lori Widmer, Rough Notes, “Navigating a Hardening Cyber Insurance Market,” September 30, 2021, available at https://roughnotes.com/navigating-a-hardening-cyber-insurance-market/.

[42] L.S. Howard, Insurance Journal, “Re/Insurance Cyber Rates Could Double Before 2023, as Attacks Skyrocket: S&P,” September 30, 2021, available at https://www.insurancejournal.com/news/international/2021/09/30/634535.htm.

[43] Howden Group, “Cyber Insurance: A Hard Reset,” available at https://www.howdengroup.com/sites/g/files/mwfley566/files/inline-files/Howden%20Cyber%20Insurance%20-%20A%20Hard%20Reset%20report_1.pdf.

[44] Matt Sheehan, Reinsurance News, “Hardening cyber market shows no signs of slowing: Berenberg,” 25th January 2022, available at https://www.reinsurancene.ws/hardening-cyber-market-shows-no-signs-of-slowing-berenberg/.

[45] Lloyd's Market Association Bulletin, LMA19-031-PD, 13 November 2019, “Property and Marine Cyber Clauses,” available at https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA19-031-PD.aspx.

[46] Lloyd's Market Association Bulletin, LMA21-042-PD,  25 November 2021, “Cyber War and Cyber Operation Exclusion Clauses,” available at https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx.

[47] http://www.iua.co.uk/IUA_Member/Press/Press_Releases_2019/IUA_publishes_cyber_exclusion_clauses.aspx.