By Russ Banham
Risk Management magazine
Ransomware has a stranglehold on the insurance industry.
According to NCC Group, ransomware attacks increased 288% in the first half of 2021 alone. As these attacks surge around the world, the impact on the already-hardening cyber insurance market has been severe. Multiple insurers have stopped offering certain coverages, causing a constriction in insurance capacity. Remaining cyber insurance markets tightened their coverage terms and conditions, pulled back on the limits of protection, and raised deductibles and premiums.
“As ransomware attacks increased in 2020 and over the course of 2021, the frequency and financial severity of cyber claims reached a point where the line became unprofitable for some insurers,” explained John Farley, managing director of insurance broker Gallagher’s U.S. cyber practice. “The extortion demands were in the six- and seven-figure range and, in some cases, the business interruption costs were five to ten times higher than the cost of the ransom payments.”
As cyber policies come up for renewal, risk professionals have faced severe scrutiny from underwriters. In many cyber policies, ransomware coverage is cleaved from other coverages as a separate class of risk requiring coinsurance and a substantial sublimit. “A $10 million cyber insurance policy last season at renewal has a 50% sublimit this season, meaning only half the financial limit is available for a ransomware claim,” Farley said. “That’s in addition to having to share in the cost leading up to the limit.”
Besieged by rising losses and fearing that future claims will be more frequent and severe, cyber underwriters are seeking “any and all ways” to limit their exposure, he said, adding that aggregate insurance and reinsurance capacity “has shrunk to where a $5 million limit is the new $10 million limit.”
In a dual blow for insureds, these lower limits often come with far higher premiums. “Rate increases in the 100% to 200% range are not uncommon—if we can get a quote at all,” Farley said. “Underwriters are hyper-focused and there are plenty of non-renewals happening.” To release pressure on the rate, brokers will negotiate higher deductibles, but this just adds to the overall cost in the event of a loss.
Making a bad situation worse, insurers are also narrowing cyber insurance coverage terms and conditions. Many cyber policies include exclusionary language related to certain types of software and email platforms with known vulnerabilities. If the organization has not invested in remediating these weaknesses or has experienced a recent network intrusion, it conveys a clear message of substandard cybersecurity and related controls. That means that insurance may not be available at all without investments to buttress vulnerable IT systems against such an attack.
In some situations, even if the organization has the world’s most secure network infrastructure, a ransom payment will still be uninsured. Following guidance issued in October 2020 by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), cyber insurers have legal grounds to refuse to cover the cost of a paid ransom. “OFAC came out and said that companies are forbidden to pay a ransom to a sanctioned entity, such as individuals in a known terrorist organization or in certain countries like Iran and North Korea,” Farley explained. “If you pay the ransom, you’ve violated the law.”
By not paying the ransom in such situations, a lengthier business interruption is likely, as it will take the insured longer to remediate the impact of the attack. Yet, cyber insurers are often also insisting on separate sublimits for business interruption coverage, Farley said.
Increased Scrutiny, Increased Collaboration
In many companies, the level of risk presented by ransomware, coupled with increased scrutiny from insurance carriers, has prompted a change in strategy. “Ransomware has compelled risk management and cybersecurity to break down the traditional silos between these organizations,” said Michael Phillips, chief claims officer at Resilience, a provider of cyber insurance and security products.
These threats are simply too large to be handled by one department alone. “It is critical for a chief information security officer to partner with finance, internal audit and risk management, educating them continuously on the evolving threat landscape and security best practices,” said Michael Peters, vice president of information technology at RIMS, the risk management society.
The need for better collaboration has been especially apparent during the cyber insurance renewal process as risk professionals have had to work with their information security colleagues to answer detailed carrier questionnaires that require substantial time and effort. “Our risk manager used to send me a single page of questions to answer about our cybersecurity threats and protocols,” said George Finney, chief information security officer at Southern Methodist University. “This year, the amount of documentation I had to provide was in the hundreds of pages.”
According to Larry Glasser, director of risk management at air freight and cargo shipping services company Amerijet Holdings, uncertain market conditions made this year’s cyber insurance renewal especially arduous. “I spent multiple hours across many days with our information security manager and the IT department to get the submission completed on deadline,” he said. “I never had to do that before. It was easily the most painful cyber renewal I’ve endured.”
This year, the number of insurance application elements and the follow-up technical questions were overwhelming. “Considering I was trying to beef up our limits and obtain truly comprehensive coverages, I needed to send multiple questionnaires to the information security team’s experts on our systems and network,” he said.
Just to answer one question, Amerijet’s information security manager had to conduct a penetration test of the entire company’s IT systems. “If the test unearthed an issue, she had to provide a written explanation as to why this was the case and what was being done about it,” Glasser said. “I had to change the renewal dates of some of our other insurance policies just to concentrate on the cyber renewal—that’s how much time and effort it absorbed. Ultimately, we ended up changing insurers.”
At Pega, a provider of business process outsourcing products, the cyber insurance renewal process was so daunting that the company put CISO Carlos Fuentes in charge. Previously, Fuentes served on the boards of three multinational insurance companies and was the senior technology officer at AIG. “I had a good knowledge of the insurance policy renewal process, but I never expected it to be as long and as difficult as it turned out to be,” he said.
The company formed an informal team composed of Fuentes and leaders of the firm’s finance, internal audit and corporate risk management functions, and tasked the team with responding to and negotiating with the insurance markets. When the team met with Pega’s insurance broker to discuss the upcoming policy renewal, Fuentes said, “We were told right away that it would be much harder for us to get cyber insurance because of record claims activity across all industries.” He added, “We were also told it would be more expensive, with rates and deductibles both going up. We assumed a worst-case scenario.”
The team was prepared to answer inquiries from underwriters about Pega’s cybersecurity preparedness. “We pointed to all these wonderful certifications we have earned, the independent bodies that verify our security, and the third-party network penetration tests and purple team tests we routinely perform,” Fuentes said. In purple team exercises, a red team of attackers and a blue team of defenders work together in a simulated attack on the organization to ultimately improve threat detection and response. This approach is a bit more sophisticated than standard penetration tests or threat assessments, which are already more than many companies typically perform regularly. “These were not easy conversations; they were painful,” he said. “But I understood the need on the part of the insurers. They were serious about the potential risk of a ransomware event.”
Ultimately, Fuentes was happy with the outcome. “I attribute what we were able to negotiate to our multi-pronged effort,” he said. “We had presented a unified front to the insurers, convincing them the company not only was aware of ransomware risks and was adequately mitigating them, but we are also prepared for what might come next, thanks to our third-party penetration tests and vulnerability scans.”
He added, “We tied our story together in a compelling narrative.”
Such narratives are crucial as cyber insurers want every possible risk to be detailed, in addition to the specific actions underway to mitigate exposures. To provide these details in full, risk managers must partner with peers across the organization.
“The insurers want full transparency, which is completely understandable in light of the ransomware risk,” Finney said. “To do that requires a very close working relationship between information security and the risk management function. We have this close collaboration, trusting one another to give insurers what they need to know.”
Given ransomware attackers’ increasing ingenuity, companies should expect next year’s policy renewal season to be just as difficult as this year’s. “Every time information security makes a move on the defense side, the attackers revise their approaches,” said Sam Rehman, CISO at software engineering firm EPAM Systems. “We have to be in a constant state of fluidity.”
He looks at it as a never-ending game of cat and mouse. “Really the only sensible approach is for cyberrisk management to be an enterprise function involving the CISO, the active cyber defense team, the incident response team, and risk management,” he said. “If something comes up that alters a company’s risk profile, everyone simultaneously needs to know about it immediately.”
According to Max Solonski, chief security officer at BlackLine, this approach will require a shift in thinking. “Risk management historically treated IT security as this technical thing with its own specific risks, controls and insurance needs,” he said. “But with the massive brand damage that a ransomware attack can cause, there is this high-level realization that this is truly an enterprise risk management issue. Given the crucial role played by cyber insurance, risk managers need to connect with their peers in information security, internal audit and finance.”
These collaborations can pay off for all parties involved. Risk professionals are provided with greater insight into the organization’s cyber threat landscape and the sophisticated tactics deployed to defend the enterprise, such as third-party penetration testing and purple teaming, while leaders in information security, internal audit and finance gain a better understanding of the nuances of cyber insurance and the resources available to them through a policy—or limited by policy terms and market conditions. This partnership may also help clarify the obligations or procedures IT must follow to ensure losses are covered in the event of an incident.
If a risk manager notes something as a potential concern in the insurance renewals, Solonski said it helps his information security team prioritize their work, adjust their controls or security risk management methodology, and efficiently allocate resources and investments to better align security initiatives with enterprise risk management needs. “It’s a dialogue,” he added, “one that is needed and will continue.”
Russ Banham is a veteran business journalist and author based in Los Angeles.