Increased ransomware attacks have led to sometimes dramatic hikes in the cost of cyber insurance, according to brokers and policy holders alike, but some believe this “hard market” bolsters efforts by insurers to write policies that drive stronger security practices, while also revealing areas where resource-constrained entities can use help from government.
“The hard market, while difficult in the near term for clients, does create an opportunity to re-examine the focus of insurance and is it part of a risk management strategy,” said Thomas Finan, cyber growth leader with insurance broker Willis Towers Watson and a former senior cybersecurity strategist at the Department of Homeland Security. “Insurers want to know what your controls are, and that is very powerful.”
Stakeholders including purchasers of cyber insurance downplayed the idea of a brewing crisis but agreed that prices are rising, insurers are imposing tougher conditions, and companies that haven’t been carrying insurance may find the cost to be a barrier to entry at this moment.
Tamara Bruno, Partner, Pillsbury Winthrop Shaw Pittman LLP
A CyberScoop article posted Monday discussed a “crisis moment” around cyber insurance amid escalating premium prices attributed to the rapid growth in ransomware attacks.
“The cybersecurity insurance market is not in danger of collapse but this is an opportunity to rewrite the strategy,” said Michael Phillips of Resilience Insurance, who served on the Institute for Security and Technology’s Ransomware Task Force. “It is a challenging needle to thread and we are in a pivotal moment, but I am hopeful.”
Phillips called for “incremental changes” in public policy, citing three different types of ransomware victims: “resource-starved” entities including some in health care and local governments; some critical infrastructure operators and other companies that have “’under-invested” in security; and “the unlucky” that have been targeted with sophisticated attacks.
“I’m heartened to see new attention from the federal government” toward entities facing resource constraints, Phillips said, while adding that this is a “historic opportunity for insurers to identify appropriate security controls and appropriate levels of investment” by industry clients.
Phillips said it’s “a great misnomer that insurers haven’t coupled coverage with security consulting and requirements, and there’s a redoubling of those efforts. Historically the uptake was low, but now amid the uptick in ransomware attacks, companies are looking for the most comprehensive services including security services.”
He called for increased information sharing “to drive innovation” and pointed to growing partnerships between tech firms and insurers to help deploy cyber tools to small and midsized businesses.
Resilience CEO Vishaal Hariprasad participated in Wednesday’s cybersecurity summit at the White House, where his firm announced it will require policy holders to meet a threshold of cybersecurity best practice as a condition of receiving coverage.
“It is a challenging moment, we have seen the pendulum swing toward it getting harder” to obtain insurance, said Tamara Bruno, a partner in the Houston office of Pillsbury Winthrop Shaw Pittman LLP, who represents policy holders. “We’re seeing lower limits, higher premiums and it’s getting harder for entities that haven’t previously had cyber coverage to get it.”
Bruno said, “If you’ve been a cyber insurance holder, you’re in a better position though there are rate increases. Companies without cyber insurance are finding entrance into the market to be prohibitive.”
She said policies now contain additional “conditions” in areas ranging from security controls to “who has to authorize transactions” for coverage of intercepted transactions.
“There had been quite a loosening of cybersecurity checks before [the rapid escalation of ransomware attacks] where companies were given coverage with less examination of their practices. That’s tightening amid ransomware conditions,” Bruno said. “I expect to see more conditions and for insurers to look more closely at all entities.”
Pointing to smaller entities that may find the price of entry into the insurance market to be prohibitive, Bruno said such companies “need more information” including “guidance and guidelines” and “more transparent information on who to contact, how to get their systems back online and things like how do you pay ransoms in crypto.”
Finan agreed that insurers previously would “ask about security controls, but unless it was a dumpster fire, you would get coverage.”
“Ransomware has been a game-changer, it’s really difficult and it’s changed the way cyber insurance and brokerage is done,” Finan said. “But in a way that reflects a maturing market, not a crisis.”
He said, “The silver lining in a hard market is it forces insurers to underwrite differently and better, and demand controls. Companies that invest against risk will be an attractive market.”
Cyber insurance, Finan said, “needs to be seen as what you do after you’ve invested what you can to secure your systems. The hard market has forced carriers to require this. Insurers weren’t demanding the follow-through on controls, but cybersecurity has to be an ongoing process. There’s going to be a more dynamic relationship between the broker and a company’s CISO.”
Finan also noted that amid debates on whether carriers should pay out on ransomware demands, there are significant costs related to an attack that insurance will continue to cover even if ransomware payments eventually are prohibited. Response costs are more expensive than the actual payout to the criminals, he said.
Matthew McCabe, a former cyber insurance industry leader and now general counsel at “end-to-end” cybersecurity firm Kivu Consulting, said insurers are “very involved in due diligence” over clients’ cyber practices and are “scaling up their practice of assessing clients’ cyber maturity.”
“For over a decade, the cyber insurance industry has been very interested in learning about the cyber threat environment and improving its approach to clients on the issue,” McCabe said. “But when you have something like ransomware and sudden unaccounted-for losses, they’re looking even more closely. I think you have a robust cyber insurance market, there’s more thought capital and resources being out into it than ever before.”
McCabe dubbed it “’an era of challenge” rather than a moment of crisis.
“Insurers need to evolve and they’re doing that,” he said. “It’s a hard market and it’s being taken very seriously, but we will work through it.” – Charlie Mitchell (firstname.lastname@example.org)