The demand for Cyber & Privacy Insurance products has exploded in 2020 based on both natural market growth associated with ever-increasing threats to online systems and the COVID-19 impact that has accelerated the working from home trend, video communications and the need for other high-tech systems to support business and personal needs.
Ransomware, social engineering and other digital attacks have consistently grown as a threat to IT systems for several years. The coronavirus has added further strain as criminals try to exploit the most popular headlines to increase success rates. The FBI recently reported that the number of complaints about cyberattacks to its Cyber Division has risen to 4,000 or more daily. That represents a 400 percent increase from what the FBI was seeing pre-coronavirus. Interpol is also seeing an “alarming rate of cyberattacks aimed at major corporations, governments, and critical infrastructure.”
This migration to a more fully online environment (cloud services, remote desktops, video communications, etc.) happened virtually overnight for many businesses. So did the selling, and/or delivery, of products or services directly online. Given the speed at which these systems have been set up or redirected, many of the businesses making these investments weren’t able to conduct quality assurance, training and other efforts designed to mitigate cybercrime activities. Restaurants, for example, created online ordering platforms for takeout as a way to not just thrive but survive. Other retailers also shifted their entire selling platform to an online world.
Even school districts haven’t been spared the brunt of ransomware activity. Since 2016, there have been 855 cyber incidents publicly disclosed by U.S. schools and districts, according to data from the K–12 Cybersecurity Resource Center. A total of 348 were disclosed in 2019 alone, nearly three times the number in 2018. Comprehensive data for 2020 or since the pandemic isn’t out yet, but the stories of crimes are everywhere. A student was arrested for launching a cyberattack on Miami-Dade County Public Schools in early September 2020. That same month, Fairfax (Virginia) School District is believed to have been victimized by cyber criminals behind dozens of ransomware attacks in the U.S. Other examples seem endless. Simply put, this rush to adapt has opened up many vulnerabilities that organizations were not fully equipped to deal with.
Another risk factor that has grown since the pandemic is the increase in cross-device use within households. With one or two working parents and students of all ages now operating in a remote learning capacity, work-owned devices are more likely to experience some form of compromise or viruses as household members share laptops, tablets and phones. Software patching and running up-to-date anti-malware protection will become more important, as multiple users will increase the risk through a wider variety of websites visited, as well as additional email and other communication services being accessed through a single device. Employers forced to use contractors can also suffer increased risks because of added unsafe connection points.
Industry trends have increased demand
As the threat has risen, demand for Cyber & Privacy Insurance policies has drastically increased, which has kept specialists within this space busy. Many Cyber policyholders are first-time buyers who are just now realizing the benefits these policies provide, and the need for them. Our team has witnessed this influx in demand first-hand, and we’ve taken on the responsibility of hosting remote educational sessions and training on policies, options, trends and more, so that clients can make informed decisions.
Insurance brokers and agents are assessing carriers while proactively working with business owners to reduce risk, all while keeping an eye on their own bottom lines. That is causing them to simultaneously review gaps in their current base to determine the amount of capacity they should recommend to clients within their portfolio.
Premiums are also on the rise
More risks and higher demand have also driven premiums higher, and a tightening of the market began to more fully emerge in the second quarter of 2020. The trend was already heading in that direction given the number of losses that carriers have experienced in the last couple of years, mostly due to increasing claims, more specifically invoice manipulation, electronic funds transfer fraud, and ransomware attacks.
The primary means of communication for most businesses continues to be email, which covers sales, marketing, internal announcements, and accounting functions. For this reason, account access is heavily targeted by criminals, resulting in invoice manipulation and electronic funds transfer fraud. Ransomware is another item of concern for insurance carriers and a significant coverage need for policyholders.
The pandemic did not create this tight market, but it hasn’t helped either.
Our data is showing a 10 percent increase in Cyber Insurance premiums when compared against rates in 2019. This is based on a number of factors, including increased claims frequency and severity surrounding ransomware and business email compromise attacks; increased record counts within organizations; and an ever-tightening privacy environment across the U.S. at both the federal and state levels.
Creating internal policies can make businesses more insurable
Insurance carriers are also taking a closer look at their potential policyholders in an effort to evaluate the security protocols they have in place, from offsite or offline data backups and wire transfer verification to use of firewalls and multi-factor verification methods. Various state and federal laws require significant documentation from businesses detailing their cyber security policies. It is recommended that every business create a written information security plan at a minimum. This critical document will address three main concerns every business should have: protecting its intellectual property, complying with regulatory and state obligations, and demonstrating to clients and vendors that it takes the security of their data seriously.
The combination of coverage and enhanced resources available to clients has evolved significantly over the past several years, making Cyber Insurance a stronger investment for organizations of all sizes. Carriers are making educational, proactive resources available to their clients, such as automated scanning for vulnerabilities, risk management and compliance guidance, legal consulting and more. Some carriers have even established partnerships with cyber security firms to provide further assistance with the goal of reducing claims, thereby making these policies more valuable.
Similarly, professionals will likely spend more time in the months and years ahead conducting Cyber Insurance audits on behalf of policyholders to ensure that their coverage is adequate. The definitions of Cyber policies continue to evolve, and the coverage always needs to properly align to potential risks so that the policies remain timely and relevant.
The expectation is that the market for these policies will continue to grow. That is because organizational losses will likely mount as criminal activities continue to surge. Cyber & Privacy Insurance will continue to evolve with more hybrid structures being put in place to meet the needs of a changing business and threat landscape.
We don’t see the tightening of the market changing anytime soon, even after the direct impacts of COVID-19 wane. Yet, with demand on the rise, there will be both growth opportunities and added challenges for the foreseeable future.
Contributor(s): David Derigiotis, Senior Vice President, Professional Liability Practice Leader, Burns & Wilcox
This commentary is intended to provide a general overview of the issues contained herein and is not intended, nor should it be construed, to provide legal or regulatory advice or guidance. If you have questions or issues of a specific nature, you should consult with your own risk, legal, and compliance teams.