GAO Says Insurers Limit Coverage in High Risk Areas

When insurance companies first started writing cyber risk insurance, it was unbelievably profitable. They were writing many policies and not processing many claims, so they were very happy.

Over the last few years customers discovered that it did not make any sense to buy insurance and not make a claim when a bad event happened. That started making insurance companies nervous. Events like SolarWinds only make things worse.

Last fall, as part of the National Defense Authorization Act, the GAO was chartered to survey the cyber insurance landscape.

The GAO interviewed folks at the Treasury, industry trade associations, a large cyber insurance provider and others to understand the landscape and come up with some suggestions on what to do.

The first thing the GAO discovered is that the number of people who decided to be “self-insured” has gone down a lot. Their report says that the percentage of insurance clients opting for cyber coverage rose from 26% in 2016 to 47% in 2020. No one likes writing a check for a million dollars out of their own checkbook. That is good because it increases the risk pool.

But cyber is different from many other coverages. It is not local. If there is a fire in one city, it does not cause claims in another. But with cyber, attacks are not geographically constrained.

With an increase in claims, insurers responded.

For example, they reduced coverage limits for healthcare and education, two sectors that had finally decided that insurance was not optional. The healthcare sector saw one of the largest increases in demand between 2016 and 2020.

Recently, underwriting capacity has contracted, especially in high risk sectors such as healthcare, education and public entities. Brokers say this is due to the fact that insurers are worried that these sectors are not prepared to repel attacks. As a result, they are declining to write coverage or charging higher premiums.

In fact, the GAO says, underwriters are increasing scrutiny everywhere and for some that could mean that cyber risk coverage may become unaffordable. When underwriters review a company’s cyber risk program, they may decide that it is not strong enough and the risk of providing coverage is too high.

Policies are also becoming more clear about what is covered or, more importantly, what is not covered. That means that customers need to read those policies way more carefully than they have in the past. Insurance underwriters are unlikely to say “although we covered ‘x’ last year, we are not going to cover ‘x’ this year”. It is more like “see if you can figure out what we removed from the policy this time”. And, oh yeah, your premium is going up.

Part of this is due to the insurance underwriters’ inability to predict risk. When it comes to, say, fire insurance, underwriters have a couple hundred years of data to use to predict with and, if anything, buildings are becoming safer. When it comes to cyber, realistically, underwriters have 5-10 years worth of relevant data and the risk factor is anything but safer.

Another factor is the new rule by Treasury that paying ransoms could land you a 20 year all-expenses-paid vacation in a federal “crossbar hotel”. Insurance companies tend to pay the ransom as the least expensive way to fix their problem. If they can’t do that, costs – and risk – go up.

The industry says that they need more incident data. The bad news is that more data will likely show more previously unreported events, making underwriters even more nervous.

What does that mean to you and me? It means that it may be harder to find coverage, the underwriting process may be more invasive, the premiums may be higher and the coverage may be more restrictive. Plan for it.

Finally, if your broker is not an expert in cyber coverage, you may not get the best advice. A broker who writes a couple of policies every now and then is not going to spend the time to learn enough to give you the best advice.

Credit: Health IT Security

Cyber Insurance Demand Heats Up

Insurance brokers and industry attorneys say that cyber insurance is heating up.

They are seeing both an uptick in CLAIMS and an uptick in INQUIRIES, likely as a result of an uptick in attacks.

Actually, the uptick in attacks is more like a flood since Covid-19 came around. Note that many of them won’t be detected until business as usual resumes – whenever that is.

The issue is that the move to work at home has increased the attack surface, for a lot of reasons, including the fact that companies did not have the time to plan for it.

At least some of you have cyber policies, so here are some questions to be asking. For those of you buying, this is a great time to ask questions.

First of all, do you have the right coverages? We have seen many policies that do not include ransomware coverage. Kind of a problem these days.

Insurance broker Marsh says that they are not seeing Covid-19 exclusions (or more generally pandemic exclusions) – yet.

But they are seeing carriers asking more questions – for example about disaster recovery and business continuity – things that would be very important to have during a ransomware attack and which, if not in place, will definitely cost the carrier a lot of money to spin up in real time.

Aon says they are seeing more scrutiny during underwriting. The carriers are asking about whether prospects have adequate security measures in place for remote working.

Then there is that wonderful catchall – do you maintain reasonable security measures? That is something that your lawyer and your insurance company’s team of lawyers can argue about for a long (expensive) time.

Zurich insurance says that businesses that are dealing with the pandemic should focus on risk mitigation and conduct cyber risk assessments to identify their specific risks.

Then there are basic questions like the definition of a computer network. Is your employee, using his or her personally owned computer, running on his or her personally owned WiFi connection, considered part of your computer network? What about personally owned hardware? Is it covered?

Whether the carrier wins that argument or not, they may try to wear you down.

And you need to understand what coverage you have when it comes to breach response costs. There may be sub-limits and restrictions and those costs may be deducted from the total coverage available.

Will there be coverage if your employee’s home WiFi was compromised years ago, the employee did nothing to secure it or detect the breach, and you get hit with a CCPA breach lawsuit, potentially running into the millions, for data leaking out that way?

These are all risks that you need to understand, and before a breach is a really good time to do that.

Credit: Law360

Is Cyber Risk Insurance a Cure?

Let me cut to the chase – the answer is no. It is a way to help pay for the damage, but that is about all.

In the article referenced below, the author thoughtfully explains the role of cyber risk insurance – a post-fail risk offset.

The key word there is fail.

Failing in the sense of failing to avoid the breach in the first place.

The aftereffects of most breaches are damage control and lawsuits that go on for years. Some percentage of companies – a small percentage – go out of business after a breach. Usually there are scapegoats – someone or some people have to be fired.

While cyber risk insurance can help cover the costs of ongoing litigation, it won’t pay for the fact that executives are distracted for years. Depending on the cost of the litigation, it might not even pay for all of the costs of litigation. It won’t pay for you to find a new job and it won’t make customers come back to your brand.

Cyber risk insurance is an important tool but just a tool. Like every other tool, it is important that it is the right tool. While you can probably bang in a nail with a screwdriver, the results are likely to be sub-optimal.

And, since cyber risk insurance is typically not regulated, it is important that you get a hammer if you need a hammer. Nothing is worse than making an insurance claim and having the insurance company tell you that it is not covered. In the case of cyber risk insurance this happens more often than with some other forms of insurance. This doesn’t mean that cyber risk insurance is useless; it just means that you need to buy from someone who is an expert in the area when you are buying coverage.

My first question for an insurance broker you are considering using to buy cyber risk insurance is: how many cyber risk policies did you write in, say, the last 3 months, and what is the total dollar coverage of those policies? Insurance sales people are commissioned. If cyber risk insurance represents a small part of their paycheck, you can figure out the rest. If cyber risk is not their primary focus, they are unlikely to take the time to become experts in the area. It is a bit of a wild west. You are pretty much on your own.

All that being said, it is much better to have the coverage in the unfortunate situation that you need it – it is just not a replacement for doing things right.

Most of the time, cyber crime is an opportunistic crime. Believe it or not, Equifax was not specifically targeted. But because they had a horrible cybersecurity program, they have spent over a billion dollars recovering from it.

I don’t think they had a billion plus dollars in insurance coverage, so insurance will not make them whole and it is unlikely to make you whole. It will reduce the pain, but that is not the same thing.

So what should you do?

#1 – implement a great cybersecurity and privacy program.

#2 – get some cyber risk insurance because stuff happens.

But do it in that order.

Source: Dark Reading