October is Cyber Awareness Month, which offers a great opportunity to reach out to your clients and prospects to discuss risk profiles and cyber coverage. The following interview with Steve Ventre, Senior Vice President, Management Liability & Surety, at The Cincinnati Insurance Company, offers some talking points you can share. The trends and insights shared by Steve are helpful in understanding the nuances of cyber insurance and will enable you to better communicate the benefits and limitations with your target audience.
We asked Steve to provide some feedback on the trends seen from claims experience over the last year, to share some of the challenges within the industry stemming from lack of standardization, aggregation of risk and 'silent cyber.'
What are recent cyber claims trends?
Today, a leading cause of claims involves ransomware. Ransomware is malicious software (aka malware) that denies access to critical data by encrypting it until a ransom is paid. Ransomware is commonly introduced through phishing emails. System recovery - if possible, depending upon the quality and availability of back-ups - can be an arduous process that may not be successful. As a result, some victims do pay to recover their files. To minimize detection, the ransom demand is often in cryptocurrency. Even if the ransom is paid, there is no guarantee that system recovery will be successful.
The frequency of ransomware claims has accelerated for multiple reasons:
- Criminals have become more adept at introducing ransomware.
- It can be a successful endeavor for the criminal, encouraging further attacks.
- Cyber risk insurance has rapidly become more accepted in the market. Not only are larger accounts purchasing cyber coverage, but now small-to-middle market accounts are as well. Businesses in the small/middle market segment may have less sophisticated controls in place and may be more susceptible to ransomware.
The rise in the number of ransomware claims is only part of the story, though. Ransomware demands, while generally modest for small businesses and individuals, have been increasing. Additionally, the ransomware attacks have become increasingly focused on larger businesses in the hope of securing even higher ransoms. Of late, local governmental entities and schools have been the victims of organized ransomware attacks. Because of this, the U.S. Senate recently introduced legislation authorizing the Department of Homeland Security to assist entities – both public and private – with risk management advice and incident response plans. Learn more at the Department of Homeland Security site.
Ransomware is a legitimate threat – and that threat is not going away. Here are some practical steps for anyone to help mitigate the threat of ransomware:
- Update software with the latest patches. Older applications are more vulnerable.
- Maintain your security software (e.g., firewalls and anti-malware software).
- Use training material and resources to help staff identify likely phishing attacks.
- Use multi-factor authentication and virtual private networks for remote access to your network.
- Regularly (daily or weekly) back up important files and data securely and separately from your own operating systems.
What are cyber challenges facing insurance agents?
The rise in the acceptance of cyber insurance by businesses is encouraging. What was an often-quoted, but not written, coverage has transitioned to a line of business regularly opted for by policyholders. Cyber is the first true new revenue-creating line of business since the emergence of Employment Practices Liability 25 years ago, but cyber is not without challenges. Perhaps the biggest challenge facing agents is that product standardization has not occurred, leading to inconsistency between carriers. This can make the analysis of options on behalf of their clients difficult.
As an analogy, recall when EPL was a newer line of business in the early-to-mid 1990s. Coverages, underwriting and pricing approaches varied widely between insurers, and product updates were frequent, putting agents in the difficult position of discerning the most appropriate EPL carrier for their client. It wasn't until around 2000, when the EPL market began to achieve broader standardization, that agents could expect relative consistency between most insurers.
Fast forward to today's cyber environment. Agents are in a similar predicament with coverage, underwriting and pricing inconsistency coupled with frequent product updates. While it took a few years for the EPL environment to accomplish standardization, the runway for cyber consistency appears to be longer. Today's cyber environment is rapidly evolving not just from a regulatory and legal standpoint, but also from a technology standpoint. It may be a few more years before there is wide industry uniformity.
The take-away for agents is to familiarize themselves with carrier offerings and to pursue continuing education for this ever-evolving risk.
Can you define cyber aggregation risk and how it impacts both the insurer and insured?
In the cyber environment, aggregation risk exists because of the inter-related, systemic exposure technology presents, involving a large number of businesses or individuals impacted by the same cyber event (i.e., they share a common point of failure). Think about a malicious and sustained outage at a leading cloud service, operating system or email service provider. An event of this magnitude can create disruption and financial loss on a wide scale. In terms of natural disasters, it's akin to a hurricane hitting all 50 states.
As illustrations, there were two larger-scale 2017 events: NotPetya and WannaCry. These malware attacks spread worldwide. Both inflicted significant economic losses; however, not many businesses had cyber risk insurance, mitigating the loss for our industry. That factor is decreasing in impact as more businesses secure cyber risk insurance.
The systemic catastrophic exposure is certainly recognized. The key, however, is assessing the scope of the potential event. To that end, the industry is now assertively attempting to quantify aggregation cyber exposure through the use of models. Models have long been used for natural disaster aggregation assessment and, following the events of September 11th, terrorism models were developed to address a man-made event – much like an event we could face with cyber.
While modeling is an established practice in the industry for natural catastrophes – and there are some parallels – there are some key challenges related to cyber:
- Property catastrophe models have been used for more than three decades. Cyber models are in their infancy.
- Property models have many historical events to reference in developing predictive outcomes. That's not the case for cyber models.
- Property cat models operate within defined geographical boundaries. This increases the reliability of projections. Cyber events can be worldwide.
- The digital economy is in a constant state of evolution, meaning the scenarios triggering events are constantly changing.
- As with terrorism, cyber is a man-made peril. Individuals are striving to inflict adverse consequences in what may be a completely unique scenario. Past experience may not be indicative of the future.
Cyber presents both opportunity and uncertainty to the industry. The challenge ahead is not merely responding to the individual policyholder event, but more critically, the likelihood of a widespread event.
Can you address affirmative v. non-affirmative cyber and what it means for the industry?
These two terms can be confusing. As a brief primer:
Affirmative cyber – those cyber-related coverages (e.g., data breach, cyber extortion and computer attack) that are specifically underwritten, priced for and purchased by a policyholder in a dedicated cyber insurance policy.
Non-affirmative cyber – also commonly known as "silent cyber." This refers to the exposures created by cyber perils that may unintentionally trigger coverage in traditional property or casualty coverages. Potential examples include:
- Property, general liability and workers' compensation – a cyberattack on a network-controlled system causes a manufacturer's furnace to explode. This results in damage to the manufacturer's property and neighboring properties and causes bodily injury to employees and other third parties.
- Professional liability – an attorney's office incurs a data breach of sensitive client information. Failure to adequately protect a client's data may be considered a malpractice event, if not otherwise excluded.
Non-affirmative cyber has created uncertainty in the industry and can further compound the traditional accumulation and aggregation exposures presented by affirmative cyber exposures.
Carriers are identifying possible non-affirmative cyber scenarios across the spectrum of coverages and, along with modeling affirmative cyber, are attempting to model the impact of non-affirmative cyber exposures.
The industry is now facing a decision point of sorts regarding non-affirmative cyber with the objective of delineating specifically what is intended to be covered and what is not. There may be broad strokes taken or potential outcomes may vary depending upon the specific coverage feature. Possible changes include:
- Excluding non-affirmative cyber coverage entirely from traditional P&C lines making affirmative cyber the single source for coverage.
- Maintaining non-affirmative cyber, but separately underwriting and charging for the exposure.
- Maintaining non-affirmative cyber, but subjecting it to sublimits.
By proactively recognizing the possible consequences of non-affirmative cyber and responding in a responsible fashion, the industry will be better positioned to provide a stable cyber-related market.