Cyber Insurance – the question has changed from ‘Should we’ to ‘Can we’
What is Cyber Insurance
Cyber insurance (or, more correctly, cyber-liability insurance) is an insurance policy that helps mitigate the consequences of a cyber incident. The mitigation is generally seen as a form of risk transfer, where the losses are transferred to the insurance company.
“It protects organizations from the cost of internet-based threats affecting IT infrastructure, information governance, and information policy, which often are not covered by commercial liability policies and traditional insurance products.” (Fortinet, 2022)
In recent years, the cyber insurance market has seen rapid expansion, with customers gaining access to high coverage, relatively low policy costs and a competitive market, but this has begun to change.
The cyber insurance market recorded growth of 33.5% in 2020 and 27.3% in 2021, and the cyber insurance industry is estimated to exceed $20bn by 2025 (Cyber Insurance - Thematic Research, 2021).
Do we need Cyber Insurance?
This is a difficult question, and the typical cybersecurity answer is: it depends.
In general, it is said that any organization that captures and processes sensitive data is vulnerable to cyber attacks and breaches and therefore should consider cyber insurance.
Originally, organizations would have assessed the need for insurance based on a Risk-Based Approach (RBA) and Cost-Benefit Analysis (CBA), but now insurance is nearly always a requirement in contracts and agreements. Forrester’s analysts predict that "a cyber policy will become a need-to-have rather than a nice-to-have." (Shey et al., 2021)
Can Cyber insurance replace cyber defence?
One issue now seen is that several organisations treat insurance as an easy replacement for mitigating the threats and vulnerabilities that may lead to a potential event or incident.
It is imperative to remember that insurance is not a substitute for security. There should be a balanced investment in people, processes and technology, with insurance used to reduce the residual risk that remains after best efforts have been made to mitigate events and attacks.
Rising Insurance Costs
The pandemic caused organizations to digitize their processes and adopt remote working practices overnight. This also presented an opportunity for cybercriminals to exploit global panic, with a surge in cyberattacks occurring in 2020. “This has made the need for cyber insurance apparent to businesses” (Cyber Insurance - Thematic Research, 2021).
Cyber insurance policies have seen a stark rise in prices compared to other premiums. A recent report from insurancejournal.com states that, globally, non-cyber insurance premiums moderated in Q1 of 2022, except for cyber, where prices rose by 11% in the first quarter of 2022, the 18th consecutive quarter of price rises (Insurance Journal, 2022).
There are several reasons for this. One is obviously the rise in cyberattacks, especially ransomware; smartwatch maker Garmin alone is said to have paid a multi-million-dollar ransom (Martin, 2020).
Another issue driving the rise in premiums is a lack of quantifiable data. This is especially true where organizations are seen to be hiding the amount, type and cost of the cyber incidents they suffer (which is one reason several countries and regulators are requiring mandatory reporting). There is also a lack of specialized underwriters and reinsurance coverage providers.
To curb losses, insurance companies have both increased their premiums and limited the circumstances in which they will pay out by adding further exclusions to their policies.
This rise in premiums is illustrated by a report from FitchRatings.com, which stated that a sharp rise in cyber loss ratios in 2020 prompted rising insurance costs and rapid premium growth in 2021, which then exceeded incurred losses, with cyber statutory direct written premiums rising to over 74% (fitchratings.com, 2022).
In their article entitled “The Cyber Insurance Roller Coaster”, the authors identify four possible shifts in the cyber insurance market, as follows (Shey et al., 2021):
· Cyber insurance capacity challenges increase. Here they say that “With shrinking capacity, we’ll reach a point where some organizations will not qualify for cyber insurance. They won’t be insurable through typical commercial channels and coverages.”
· Risk management maturity becomes the qualifier and the gauge. Here they say that insurance providers will acquire or use third-party organizations to monitor cybersecurity postures.
· Cyber insurance becomes the price of admission for the partner ecosystem. Here they say that insurance will become mandatory for all third-party relationships.
· Digital business DNA will test underwriting processes and underwriter skills. Here they stress that different businesses carry different risks (healthcare, financial data, etc.), which require additional knowledge of the company being insured.
Policy Exclusions
An exclusion is any event that an insurance policy will not cover. All standard policies typically have several exclusions (they simply do not cover everything). These policy exclusions enable insurance companies to strike a balance between fortuitous losses and claims (“Fortuitous means loss or damage that is not knowingly about to occur” (Law Insider.com, 2022)).
A typical example of an exclusion is a homeowner's insurance policy that does not include flood insurance, requiring homeowners to purchase additional cover for this exclusion.
Some common exclusions are described below:
· Illegal actions: Most insurance policies feature exclusions that void the insurance contract if the insured party has committed a criminal act.
· Intentional actions: The purpose of a policy is to protect against misfortune beyond the insurer's control. If you intentionally do something that leads to the loss, most policies will not pay for losses derived from such events.
· Poor security processes, human error: Where an attack has happened as a result of an organization having poor, ineffective or no security measures in place.
· Prior breaches: Insurance policies are only in force from the day purchased, and any events or attacks prior to that day are not covered (generally regardless of when they are or were discovered).
· Catastrophic exclusions: Hostile acts, acts of war and acts of God (natural disasters) are sometimes referred to as catastrophic exclusions, which protect the insurance company from paying out on low-probability, widespread, high-cost events.
Some cyber-attacks are now also considered hostile acts or acts of war
Insurance companies constantly review events along with claims, and any excluded event will prevent the insurance company from paying out on the policy.
A well-known example of this was in 2017, when the NotPetya ransomware infected millions of machines around the world and is estimated to have caused global losses of around $10 billion. The SBU in Ukraine blamed the Russian security services for NotPetya (Polityuk, 2017). This led to cases where insurance providers refused to pay out related claims. One example is Mondelez International, headquartered in Chicago: NotPetya infected the computer systems of Mondelez, disrupting the company’s email systems, file access and logistics for weeks. After the dust settled on the attack, Mondelez and Merck both filed insurance claims for damages.
Merck claimed $1.4 billion from Ace American Insurance Company and Mondelez claimed $100 million from Zurich American Insurance Company. Both companies had ‘all-risks’ property insurance, but both claims were rejected on the basis of a war exclusion clause. Both later filed suit against their insurers; in January 2022 Merck received a summary judgement, while the Mondelez claim of $100 million was still ongoing.
In his decision on the Merck case, New Jersey Superior Court Judge Thomas J. Walsh wrote, “Given the plain meaning of the language in the exclusion, the court unhesitatingly finds that the exclusion does not apply.” He also added, “Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks… Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.” (Townsend, 2022)
This ruling caused insurers to re-examine their wording, especially war exclusion clauses, to include cyber risks alongside physical risks. Some had even modified their wording prior to the final judgement in this case, as can be seen below from the LMA.
Lloyd's Market Association (LMA) adjusts exclusion clauses to include cyber war
The Lloyd's Market Association (LMA), a global marketplace for complex risk, updated its cyber war and cyber operation exclusion clauses in November 2021 to state that the policy shall "not cover any loss, damage, liability … directly or indirectly occasioned by, or happening through or in consequence of a war or a cyber operation" (Lloyds Market Association, 2021).
In Lloyd's Exclusion No. 1, War is defined as “the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection, and/or military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority, whether war be declared or not.” (Lloyds Market Association Bulletin, 2021)
Insurers now picking and choosing who they will insure!
To further decrease their losses, insurance companies are becoming more cautious about who they will insure. To do this, they request evidence of effective cyber defences before accepting any new clients. This is generally done via questionnaires, which can be up to 20 pages long and include detailed questions on what the client is doing to protect its network, training for employees, the existence of incident response plans, and even whether board members are educated in cyber security and data protection.
Cyber insurance questionnaires, a barrier to entry?
Some questionnaires simply include questions relating to the coverage required, details of previous incidents and a signed declaration (GFIAinsurance.org). Others include questions relating to the data collected (including the number of records stored and processed annually) as well as the existence of policies and specific security controls (CRC Group, n.d.).
These questionnaires are getting longer, with one identified as being 49 pages long. It covered the applicant's hiring processes and asked whether these include drug testing, criminal conviction checks and credit checks, amongst others (Risk, n.d.).
Obviously, these questionnaires must be answered honestly. Aviva states in its questionnaire that “The questions are designed to provide a view of the maturity and set-up of your IT and data security within your organisation. Your answers will assist our risk assessment and underwriting process in order to provide cyber insurance to you. Please ensure they are accurate, comprehensive and understandable, otherwise it could affect the extent of cover provided or invalidate your policy. We would suggest that someone within your organisation who is responsible for IT security should answer and sign the Questionnaire or support the person who is doing so and be a counter-signatory” (Aviva, 2021). Like others, they further explain that the questionnaire is not exhaustive and that “after evaluating your answers we might have additional questions.”
How to answer Cyber insurance questions
It is imperative that the questionnaires are answered as accurately and truthfully as possible. This requires an understanding of the policy, the security program and the related terms. To complete them, you will need to identify the people in your organization who deal with contracts (lawyers, managers), the technical experts who manage your infrastructure and security program, and the personnel responsible for organizational processes and procedures. This may require organizations to engage external consultants or consultancy firms to assist with the assessment and the completion of these questionnaires.
Setting the new standards
The cybersecurity policy questionnaires may seem excessive, but insurers are also trying to manage their own exposure to claims.
These questionnaires will undoubtedly set the new minimum cybersecurity expectations for being insured, which in turn (due to third-party contractual requirements) will set the new expectations for the industry. This can already be seen where insurance providers have refused to issue policies unless MFA has been implemented (Thales, 2022).
General Notes and Key Takeaways
Cyber risk is a major concern to all organizations regardless of size. Organizations need to assess and strengthen their cyber defences to manage risk via a combination of people, process, technology and insurance.
Steps to take to reduce cyber risk
1. Assess your posture: Carry out a security audit and identify vulnerabilities, threats and current controls.
2. Implement controls: Based on the threats and risk (probability and impact), implement controls to treat the risk.
3. Insure: After carrying out the first two steps, review policies and premiums to further reduce the residual risk to the business.
Prior to and during the insurance procurement process it is imperative that you:
· Identify threats, vulnerabilities and the overall risk, and mitigate these risks through security controls.
· Identify what existing cyber security defences you have (remember that cyber insurance is not ‘the treatment’; it is one form of treatment amongst others, ideally used to transfer the remaining residual risk).
· Understand the potential impacts of these security incidents, including regulatory sanctions.
· Acquire the necessary skills or personnel to assess and understand the policies and to identify all exclusions and inclusions.
· Identify what cyber security services are included in the policy (post-incident support, digital forensics, incident response services, etc.).
· Identify the requirements for claims (time periods) and renewals.
References
Aviva. (2021). Aviva Cyber Risk assessment questionnaire. Avivab2b.Co.Uk. https://connect.avivab2b.co.uk/brokerPublicProductDocuments/BCOCR14999?productCode=CYB
CRC Group. (n.d.). Cyber Liability Indication Questionnaire. CRC Group. Retrieved May 30, 2022, from https://www.crcgroup.com/Portals/0/Images/SectionDocuments/Cyber Short form-Indications.pdf
Cyber Insurance - Thematic Research. (2021). Globaldata.Com. https://hot-topics.globaldata.com/reports/cyber-insurance-thematic-research/
fitchratings.com. (2022). US Cyber Insurance Sees Rapid Premium Growth, Declining Loss Ratios. Fitchratings.Com. https://www.fitchratings.com/research/insurance/us-cyber-insurance-sees-rapid-premium-growth-declining-loss-ratios-13-04-2022
Fortinet. (2022). What Is Cyber Insurance? Policies, Services, and Coverage. https://www.fortinet.com/resources/cyberglossary/cyber-insurance
GFIAinsurance.org. (n.d.). OECD QUESTIONNAIRE ON CYBER RISK INSURANCE TO THE PRIVATE SECTOR. https://gfiainsurance.org/mediaitem/3a6fadc9-8703-4d7d-b6ad-b4acf7868d99/GFIA-16-11 Response to OECD Cyber Insurance Questionaire.pdf
Insurance Journal. (2022). Global Insurance Rates Continue to Moderate in Q1, Except Cyber. Insurancejournal.Com. https://amp.insurancejournal.com/magazines/mag-features/2022/05/16/667457.htm
Law Insider.com. (2022). Fortuitous definition. Lawinsider.Com. https://www.lawinsider.com/dictionary/fortuitous
Lloyds Market Association. (2021). Cyber war and cyber operations exclusion clauses. Lmalloyds.Com. https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx
Lloyds Market Association Bulletin. (2021). LMA5564 - War, Cyber War and Cyber Operation Exclusion No. 1. Lmalloyds.Com.
Polityuk, P. (2017). Ukraine points finger at Russian security services in recent cyber attack. Reuters. https://www.reuters.com/article/us-cyber-attack-ukraine-idUSKBN19M39P
Risk, C. (n.d.). Cyber Liability Questionnaire Cyber Risk Assessment. https://www.rapidfiretools.com/reports/Cyber_Liability_Questionnaire.pdf
Shey, H., Valente, A., & Carney, E. (2021). The Cyber Insurance Roller Coaster: As Demand Speeds Up, Some Insurers Disembark. Effects Across Providers And Their Customers. Forrester.Com. https://www.forrester.com/blogs/the-cyber-insurance-roller-coaster-as-demand-speeds-up-some-insurers-disembark/
Thales. (2022). Multi-Factor Authentication (MFA) for Cyber Insurance. Thalesgroup.Com. https://cpl.thalesgroup.com/access-management/cyber-insurance-mfa-requirement
Townsend, K. (2022). Court Awards Merck $1.4B Insurance Claim Over NotPetya Cyberattack. Securityweek.Com. https://www.securityweek.com/court-awards-merck-14b-insurance-claim-over-notpetya-cyberattack
Martin, A. (2020). Garmin 'paid multi-million dollar ransom to criminals using Arete IR', say sources. news.sky.com. https://news.sky.com/story/garmin-paid-multi-million-dollar-ransom-to-criminals-using-arete-ir-say-sources-12041468
Headline image retrieved from https://pixabay.com/illustrations/analytics-information-innovation-3088958/
Strategic l Director l Global l Brand I Sustainability l Wellbeing I Diversity I Equality I Inclusion I All opinions expressed represent a personal view
2 years: BSI Digital trust
Business Development Leader | Driving Growth and Revenue
2 years: Interesting read, Tom. Thank you for sharing!
Master of Science in Computing in Cybersecurity | Senior Technical Analyst (ICT) | Commission for Regulation of Utilities (CRU)
2 years: Brilliant read Tom, plenty of factors that many would not have considered relevant.
Enabling Business Excellence through Compliance and Risk Management | Co-Founder at 3Be & BuaNua | Principal Advisor at The Compliance Team
2 years: Highly valuable article Tom Brett, thanks for sharing!