Cybersecurity and cyber insurance: The multimillion dollar ransomware industry and current state of play

By Edward Brennan: Executive Director, Head of Howden FI Retail; Neil Warlow: Associate Director – Legal, Technical and Claims, Howden Insurance Brokers

Published: 28 June 2021

Asset managers have historically considered themselves relatively insulated against cyber incidents compared to other finance sectors. They have no major public-facing network exposures, and an income stream that is somewhat shielded against interruptions. However, cyber security and ransomware are big news. Attacks are more frequent, more sophisticated and more severe, and the asset management space is certainly not immune. Recent reported examples include an attack on TCW and MetWest Funds in June 2020[1], and in Q4 2020 data from asset and wealth management companies was found on public data leak sites by the ransomware operators Sodinokibi and NetWalker[2].

With these recent attacks, attitudes now appear to be changing, with increased investment in cybersecurity and cyber insurance. That is not before time. In the ongoing game of chicken and egg, investment in cybersecurity in other sectors risked the asset management industry becoming ‘low hanging fruit’ for cyber criminals.

Attacks on major institutions indicate, though, that increased cyber security is not a complete answer to the issue. Cyber insurance offers a key complementary means of protection — but the cyber insurance market is heavily impacted by recent developments and in a state of significant flux. So what are the key developments, and what do policyholders need to know when they come to consider their exposures and policy renewals? We’ll seek to answer those questions below.

Ransomware: big news; even greater cost

Ransomware attacks are now frequently in the press — first coming to public attention with the NotPetya attack in 2017 and progressing through to recent examples such as the attack by the DarkSide group on the Colonial Pipeline in the United States. Publicly reported examples are, however, the tip of the iceberg and there are a number of factors at play that have driven this.

First, the frequency of attacks has increased as barriers to entry have reduced (in terms both of skills and of cost). Ransomware-as-a-Service (RaaS) is now a common business model, with a central developer providing specialist software development and operation, and charging fees for use by either third-party or affiliated groups who conduct the attacks themselves. Some of the most high-profile and sophisticated groups operate in this manner, using a closed list of associates – including for example the REvil/Sodinokibi group, whose attacks crippled Travelex in late 2019 and have more recently targeted Acer[3] and Pierre Fabre[4] with US$50 million and US$25 million demands respectively.

The nature of attacks also continues to develop. Traditional ransomware attacks involved only encryption of data, but from late 2019 there was a shift to include theft of files prior to encryption. That has now developed such that there are dedicated data leak sites for each ransomware operation. This, in turn, appears to be extending to attackers contacting journalists, emailing major customers directly, and now even reaching out to market traders and offering inside information (allowing investors to avoid losses when the attack becomes public)[5]. The theft of data and the threat of public shaming provide attackers with additional leverage even where the target is able to restore its systems. All of this increases the complexity and cost of response, both financially and in management time, as well as potential future related exposures.

Finally, ransomware attacks have not only grown in frequency, but have grown exponentially in cost and severity. The average ransomware payment rose from approximately US$100,000 in Q1 2020 to US$233,817 in Q3 2020[6], though it has fallen slightly since (driven, it is suggested, by increased unwillingness of victims to meet demands). That cost is, though, only part of the relevant loss. The average cost to rectify the impact (considering downtime, people time, device costs, ransom and other costs) has been calculated at US$732,520 for organisations that don’t pay the ransom, rising to US$1,448,458 for organisations that do pay[7] — indicative both of the ransom cost and of the more complex nature of those incidents.

How is the cyber insurance market responding?

The increased frequency and severity of cyber incidents generally, and of ransomware attacks in particular, has had a direct impact on the profitability of insurers’ books of business. Insurers are also concerned by a number of other factors — including increased exposures due to the rise of remote working; increasing regulatory risk globally; and attacks on software and managed security service providers which potentially impact thousands of companies (such as the recent SolarWinds and Microsoft Exchange hacks). Increasing loss ratios and the prospect of claims aggregation (multiple linked claims) are attracting more attention from senior executives and reinsurers. This is putting pressure on underwriters to raise rates and manage exposures and line sizes.

The industry has responded with upward pricing momentum, which started in 2020 but has increased considerably in the early months of 2021. Insurers are applying increasingly stringent underwriting guidelines, and/or have pulled back from writing certain classes of business or reduced their available limits of cover. This has resulted in significantly increased costs, with projected rate increases starting anywhere from 30% to 50% on average (even where the insured has not itself been the subject of an incident). This has impacted not just primary layers of cover, but also excess layers given the increase in claim values — the exposed ‘burn’ layer for large privacy risks, for example, has increased considerably.

Cover does of course remain available, and the benefits of that cover are considerable. However, insurers are able to be selective in their underwriting and pricing. It is therefore critical that, to mitigate the impact of the market, clients engage early and positively with their broker ahead of renewal, and ensure that adequate responses are provided to insurer questions where possible.

What is ‘silent cyber’ and what additional impact does that have?

Whilst individual client risks are increasing, insurance industry-wide changes also mean that specific cyber insurance policies are more important than ever for asset management firms.

This has been ultimately driven by the requirement from 1 January 2021 for the insurers known as ‘Lloyd’s syndicates’ to clarify their position on ‘silent cyber’ in professional indemnity (PI) policies. ‘Silent cyber’ is the term used for potential cyber exposures in traditional property or liability policies, where cyber coverage is neither explicitly excluded nor clearly included. This can result in ambiguous coverage, an increased risk of disputes, and cover that doesn’t match policyholder expectations.

Lloyd’s of London, insurers and regulators are concerned that underwriting and risk pricing may not accurately reflect the cyber risks for which cover is ‘silently’ provided. The Prudential Regulatory Authority (in January 2019[8]) and then Lloyd’s (in July 2019[9]) have required insurers to put in place action plans to reduce those ‘silent’ exposures, either by excluding them or by providing affirmative coverage.

The process is likely to be ongoing for some time. However, given the mandate and the short timeline, most Lloyd’s syndicates have initially moved to exclude rather than to affirm cover – and they have been followed by company insurers (given the PRA intervention). Some had already started to put this in place before the deadline, while others are only now responding or have not yet reacted.

The ultimate impact is that policyholders are likely to see cyber exclusions being discussed and potentially applied to their PI policies on renewal. Exclusions vary in scope, but even if narrowly framed the intent is to ensure that specific cyber insurance policies are now the core ‘home’ for cyber-related exposures — both first party costs and third party liabilities.

Accordingly, policyholders will need to carefully review their current policies alongside their broker and examine any exclusion proposed, to ensure that it is fully understood and not overly broad. They should also assess the extent to which they already have cover for cyber liabilities in place. Despite the difficult market discussed above, in many cases a standalone cyber policy will remain the best solution to ensure coverage and fill gaps resulting from a silent cyber exclusion.