Authored by John Coletti – Chief Underwriting Officer, Cyber & Technology, AXA XL and Jeremy Gittler – Practice Leader and Head of Cyber Claims, Americas, AXA XL
Hackers and cyber thieves are growing in number and in the sophistication of their attacks. Attacks that do not require hackers to directly breach systems – fileless attacks – are ten times more likely to succeed than file-based attacks. These fileless attacks, also known as zero-footprint, macro, or non-malware attacks use legitimate applications or even the operating system. These types of attacks don't install new software on a user's computer, so antivirus tools are more likely to miss them.
Cyber thieves are setting their sights higher, as well, shutting down systems and demanding expensive ransoms.
In 2017, the insurance world saw the significant threat of ransomware in the forms of Petya, NotPetya, and WannaCry malware attacks that infected computer systems in over 150 countries and ground operations to a halt across numerous industries, including universities, hospitals, shipping companies, and governments.
While the exact losses associated with these events may never be known, estimates for the NotPetya attack stand at $10 billion; the total from the WannaCry attack, $4 billion. Some estimates have the Petya attack costing 10 times that of WannaCry.
Even with such high-profile cyberattacks, the market for cyber insurance is still flush with availability. With more demand for cyber coverage coming from buyers and relatively few major cyber loss events, the number of carriers offering cyber coverage has grown significantly; there are 170 carriers writing cyber liability, with 30 new market entrants this year and 26 new entrants in 2016. As a result, pricing has remained low and capacity is plentiful.
2018: Risks up close
The abundance of coverage does not indicate a lack of risks, instead, quite the opposite. 2018 brought these changes to the cyber market:
Increased Ransomware Attacks
While last year's major ransomware attacks did not impact the US market significantly in terms of their severity, the increase in the frequency of these attacks is cause for concern. Today, most cyber breaches are ransomware attacks. The reason: the ransoms have gone up exponentially. When ransomware attacks first appeared, most ransom demands were low enough to avoid a police investigation: typically, $300. However, in 2018 the industry saw ransom demands increase to an average of $30,000 to $50,000. In one case, cyber thieves demanded a $500,000 ransom.
More Sophisticated Thieves
Social engineering hit its stride in 2018. Hackers turned their attentions away from hacking into systems to using reconnaissance on individuals within a company to breach security measures for financial gain. By convincing employees or IT departments that a system access request is coming from the CEO who is traveling in another country, hackers were able to gain easy entry and carry out their plans.
A New Regulatory Environment
As ransomware attacks increase, so will the risks of exposing customer and company data. The General Data Protection Regulation (GDPR) took effect in May 2018, putting pressure on companies across the globe to protect the data of EU citizens. As domestic companies looked to cover their exposure, the states began to enact their own privacy regulations. The California Consumer Privacy Act of 2018 (CCPA) gives consumers comprehensive control over their personal data and puts additional pressure on companies to ensure that personal information is protected.
The Evolving Buyer Influence
Along with the risks, other changes within the cyber market are impacting capacity and coverage options.
Buyers in charge
With so much coverage availability, buyers are in the driver's seat, a fact that is evidenced by the demands buyers are placing on cyber insurers. Buyers are turning to carriers for comprehensive pre-breach and post-breach cyber risk management services, and carriers are responding, either directly or by offering these services through third parties. Some of these services include network vulnerability scanning, penetration testing both internally and externally of the network, assistance with business continuity planning, GDPR readiness and more.
Expanded coverage
Another change among buyers: more inclusive coverage. From endorsements to expanded coverage language, carriers are amending policies to meet many more pain points for their buyers. Several endorsements have begun to appear, covering things like: system failures, social engineering losses, consequential reputational loss, and hardware loss. Likewise, some endorsements give buyers the choice of electing which policy will handle their claim in the case of a business interruption loss where there may be overlapping coverage with their property policy and/or a social engineering loss in which their crime policy may respond.
More claims pressure
More demanding buyers are also beginning to test policy parameters at claim time. Even indirectly related cyber events are being filed as cyber damages. Carriers are looking to bring clarity to coverage terms. As coverage is becoming even broader, how claims under these new insuring agreements will be treated is unprecedented.
More InsurTech
2018 may be remembered as the year InsurTech took root. For cyber insurance, InsurTech has delivered a better customer experience from purchasing to servicing due to efficiency in the underwriting process and policy delivery. It has also enabled carriers to get new products and enhancements to market faster. As the number of insurtech delivered cyber policies increase, Carriers will be looking for more data analytics to better improve and understand this process.
Predictions for 2019
As 2019 begins, we expect to see buyers continue to put pressure on their carriers to deliver more comprehensive coverage options and services. Buyers will continue to turn to their carriers for risk management services. For now, we predict the market to remain stable with policy language evolving and buyers continuing to influence changes to policy language and endorsement offerings.
As discussed above, the industry will also see a continuation of coverage expansion and claims for events not typically thought to fall under the cyber liability umbrella. Most relevant, will be the crime and property policies. The question to answer: under what policy is the risk insurable?
To answer that question, carriers will be looking to clarify policy language. Buyers should work with their brokers on addressing other insurance clauses to avoid ambiguity when a claim or incident arises.
In some ways, data and analytics may help bring that clarity. We predict the use of data and analytics to write cyber coverage will increase in 2019. As carriers look for ways to mitigate the impact of an aggregate event that could affect multiple policies, they will be relying on more outside data and analytics to drive more efficient and ultimately, more profitable underwriting efforts. The traditional method of using standard questions to underwrite cyber risk will eventually be replaced by data-driven underwriting and risk engineering that can speed underwriting decisions on a case-by-case basis, providing more accurate policy coverage.
The use of data and analytics may also influence the ability of carriers to succeed in the cyber market, with more accurate underwriting capabilities being a potential differentiator among robust competition. Another differentiator: experience. As new carriers enter the market, buyers should be looking for carriers that have built a solid claims history and have a clear understanding of the cyber landscape.
The steady market we are experiencing now could shift in the aftermath of a major event. Catastrophic claims in cyber liability are inevitable as breaches and ransom events continue to evolve. Companies should work with their carriers to understand their unique risks and put sound risk management and cyber coverage in place to decrease their exposures.
