The ongoing ransomware outbreak has led to frequent and significant security incidents at organizations across the globe, such as the recent DarkSide attack that disrupted a major fuel pipeline — one that transports almost half of all fuel consumed on the East Coast of the United States. As if such incidents were not enough of a problem, recent notifications related to third-party software vulnerabilities including SUNBURST and Microsoft Exchange Server exploits have put pressure on cybersecurity defenses, even for some of the most sophisticated companies in the world. Now more than ever, cyber insurance is being leveraged to financially support breach response services, business interruption and recovery efforts due to these attacks.
For those that have followed the evolution of the cyber insurance industry, a long run of profitability over nearly 20 years led to a highly competitive environment. As a consequence, stringent underwriting evaluations that would encourage stronger controls to create a better risk profile were not embraced by all insureds. Unfortunately, macroeconomics prevailed, and competitive pressures required cyber insurance carriers to offer increasingly broader and lower-cost cyber insurance. Simultaneously, the insurance carriers were unable to demand or even significantly influence the most impactful IT hygiene practices and more advanced solutions, although it was always a top priority of underwriting to promote better hygiene every year.
Then came 2019, a year that experienced a rise in ransomware frequency and a spike in multi-million dollar ransom demands and payments. The insurance loss ratio (the ratio of claims paid by an insurer to premiums earned, usually for a one-year period) was heading in a direction that was cause for concern for the insurers. This made the industry take notice and begin to more strongly encourage the IT changes they had been seeking to influence.
The Shift in Profitability Ratio Introduced a New Era in Cyber Insurance
In 2020, COVID-19 and the subsequent work-from-home movement transformed the dynamic. Workers were forced to connect remotely, and organizations found themselves unprepared for the surge in the number of attacks, which was already on the rise. At the same time, the cyber insurance industry was heading down the road of unprofitability, and the proverbial dam was about to burst. Changes were needed, but they were happening more slowly than the frequency and severity of ransomware attacks. In response, the new year brought significant changes and some of the largest cyber insurance carriers in the world have now started to substantially reduce insurance limits, quote sublimits for ransomware events and offer co-insurance as an additional policy amendment. We have observed increases in premiums in excess of 20% on the low end, with public reports indicating much greater increases in recent months and extremes exceeding 100%. In some instances, premium increases are not enough to accept risk, and it is not uncommon for an incumbent cyber insurer to decline to offer renewal terms based upon an unacceptable risk profile. Some insurance carriers have been put into this situation because they often have a blurry and incomplete view of an organization’s incident response plans, backups, multifactor authentication, endpoint detection and response capabilities, privileged access management solutions and testing activities. Previously, many underwriting strategies were to offer broad and generous terms and conditions to gain enough premium volume across a portfolio to sustainably offset losses. But the risks are proving too systemic for this approach to succeed.However, the tide is changing. Insureds are now being underwritten by insurance companies more closely and with extensive analysis. Underwriters are requiring greater transparency into security programs to gain a better view of the true exposure, and increasing their emphasis on proactive measures that insureds must take to better protect their business from cyberattacks. As recently stated by Dan Trueman, Head of Cyber at Axis Insurance, “The cyber liability market has reached an inflection point. The competing pressures of rising demand, growing losses (including last year’s spate of ransomware attacks) and the increased sophistication of threat actors have coalesced to pose a market-defining challenge for cyber insurers, brokers and policyholders.”
Cyber Insurance Is Crucial but Not a Substitute for IT Security and Hygiene
The solution is not to perfectly understand the insureds or the complex undercurrents of the cyber risk landscape — that’s an impossible bar to reach. But simply removing the bad risk from insurers’ portfolios would go a long way to a healthier ecosystem. Moral hazard in this line of business is a persistent challenge, and too many companies treat insurance as a substitute for diligent IT security and hygiene. But the industry has arrived at a point where there may be an opportunity to steer and incentivize clients toward stronger, more proactive security postures and more transparent discussions with their brokers and insurers.Here are some suggestions for areas on which to focus:
- Expand the interview process. Basic questionnaires and a two-hour interview are clearly insufficient. More rigorous information gathering is required, particularly because the most significant security measures and sources of risk vary widely from customer to customer. Healthcare and environmental liability policies already require a more proactive and transparent approach, where “all cards need to be laid on the table” before being entitled for insurance. That precedent needs to expand to cyber coverage.
- Require security and risk teams to participate. Many insureds have a communication gap between risk managers/finance that purchase insurance and the security managers whose work reduces that risk exposure. According to Duane Folkard, Executive Director – Head of Retail, Cyber and Commercial E&O at Aon, the “disconnect can make translating the importance of cyber risk transfer internally more difficult.” Purchasing insurance should require alignment between — or at least participation from — the CISO, IT, legal counsel, cyber risk manager and the C-suite.
- Emphasize security, not compliance. Assessments should focus on the quality and combined effects of an organization’s security measures, not on checking a box. The existence of an incident response plan means little unless the responders are familiar with it and can execute it. The presence of a firewall means little unless the rules it enforces meaningfully reduce the likelihood or impact of an attack. Properly understanding an organization’s security means considering all of the layers of its defense-in-depth posture, how they work together and where gaps exist.
- Take a broad view. No single control or combination of controls guarantees security. But there are basic practices that, if absent, are likely to raise an organization’s risk profile. At a minimum, it’s worth evaluating the following:
- Asset and configuration management
- Identity and access management, including privileged access management
- Business continuity and recovery plans
- Third-party risk management
- Network and cloud security controls
- Endpoint security controls
- Vulnerability management
- Detection and monitoring
- Technical and enterprise-level response
Additional Resources
- Learn about the pre-breach, breach and post-breach services offered by CrowdStrike.
- Read about some of the practices that the CrowdStrike Services team recommends most frequently in this blog, Ransomware Preparedness: A Call to Action.
- Download the CrowdStrike 2020 Cyber Front Lines Report for more information about the staggering rise in the volume and velocity of ransomware attacks in 2020.
- Learn about the protection offered by the CrowdStrike Falcon® platform by visiting the product webpage.