Ransomware surge could see cyber become next Covid-related crisis

While Covid-linked business interruption (BI) claims dominated the headlines in 2020, cyber insurance claims could be the next crisis to unfold following concerns from commentators within the insurance market.  

According to Howden’s Cyber Insurance: A Hard Reset report, published in July 2021, the number of ransomware attacks have increased by 170% worldwide in quarter four of 2020, compared to quarter one in 2019.

This surge subsequently pushes up both the costs of and need for cyber cover - for example, Howden’s study further revealed that cyber insurance pricing has climbed 32% on average year-on-year, as of June 2021. 

Furthermore, the average cost of ransomware remediation globally has also increased, rising from $700,000 (£506,320.50) to $185m (£133m) in 2020. 

Inigo’s chief executive and co-founder Richard Watson told Insurance Times: “The big challenge for the insurance industry post-Covid is how [it responds] to risks that cannot be easily aggregated or controlled. 

“Cyber is a great example of ‘is that going to be the next Covid?’

”[Covid] has helped the industry understand that there are these large, unquantifiable risks that could happen. The trouble with the soft market is you get tempted to cover it. Our company is worth nothing if we don’t pay claims.” 

Insurance Times explores how the insurance industry can navigate emerging risks surrounding the cyber insurance market and what drivers have pushed up pricing. 

Shift to hybrid working  

A ransomware attack is a form of malware that encrypts a victim’s files - the cyber criminal then demands a ransom to restore access to the data.

Research published in July 2021 from SJL Insurance found that British businesses have suffered losses amounting to £223,516 on average from cyber attacks, with 17% of businesses experiencing more cyber attacks since employees began consistently working from home due to the pandemic.

Jacob Palmer, director of consulting at CyberCube, said: “We expect cyber to be the most important property and casualty news story of the coming years.

”This rise in both frequency and severity of cyber attacks has partially been enabled by the increase in home working.  

“Criminals are exposing gaps in many companies’ cyber security practices, with ransomware being a primary attack vector of choice.

”Cyber losses for 2020 have outstripped previous years, with many insurers experiencing over 100% loss ratios for their standalone cyber books. While some of the vulnerabilities have been patched, the move towards hybrid working could allow the door to remain open for some time.” 

Lindsey Nelson, cyber development leader at CFC Underwriting, disagreed, however. She feels that cyber cover will not need to be altered to accommodate a hybrid working model because there has always been the assumption of some remote working occurring, even pre-pandemic.

In terms of other drivers of cyber crime, broker Howden believes the reason for the spike in ransomware attacks is due to low-cost ransomware kits, or ransomware as a service (RaaS), combined with a new attack method that involves both data encryption and the publication of stolen data – this is known as double extortion. 

Business interruption

CyberCube, meanwhile, expects to see a rise in cyber-related BI. According to Palmer, this is because the increasing complexity of the digital supply chain exposes companies to many single point of failure (SPoF) vulnerabilities.  

For example, in May, infrastructure provider Fastly had an internet blackout which knocked out some of the world’s biggest websites, including Amazon, Reddit, the Guardian and the New York Times.

This was reportedly triggered by a bug in the firm’s code that had remained dormant until a single customer tried to update their settings.

“Although not expected to be a major cyber event, the Fastly downtime is a prime example,” Palmer said.

”Understanding the SPoFs a company is exposed to will be critical - both for companies to secure the digital infrastructure and for underwriting decision making.”   

While cyber policies have historically been centred around privacy and data breaches, Nelson explained that the uptick in ransomware over the last 12 months has led policyholders to increasingly seek cover for cyber-related business interruption rather than solely focusing on the reimbursement of extortion.

This is because BI and reputational harm following a ransomware attack tends to be more costly for firms.

For Nelson, the main differentiator between BI and cyber policies is the trigger - cyber cover is typically related to systems and digital assets, while BI is mainly based on physical perils causing a loss of profits. 

“Systems BI under a cyber policy carries both waiting and indemnity periods, similar to what would be observed under traditional property business interruption cover. However, [for] the latter, periods [can] range anywhere from 30 days to 12 months in the current market,” she continued.  

Systems BI in a cyber policy is often triggered by a downtime of systems caused by a cyber event, such as an employee error or systems failure. 

In recent years, cyber cover has broadened to include dependent or contingent business interruption – where clients’ cover extends to include downtime of third parties the client relies on to generate their own income, such as cloud computing providers.  

For Nelson, cyber-linked business interruption cover “should be viewed as vital” because policyholders are more likely to suffer this type of event compared to a physical loss, such as a fire. 

Policy evolution  

In addition, the severity of today’s ransomware losses has prompted a shift in cyber insurers’ responses, which has a knock-on effect on brokers, Nelson noted.

She said: “Brokers should absolutely be expecting cyber insurers to have in-house cyber claims capabilities rather than outsourcing this function to a third party partner.”

Plus, brokers should ”provide meaningful sanctions checks on behalf of policyholders”, creating an ”objective and transparent report” that can help insurers decide whether policies should ”respond on the reimbursement of extortion payments from a regulatory perspective”. 

As for policy wordings, Nelson added: “We’re seeing a wave of exclusions, warranties and conditions new to the market in the last year – some of which we haven’t seen in the market for years with respect to systemic risk exclusions, coinsurance provisions and systems maintenance conditions for policy response.” 

However, “what’s absolutely certain is that there is rarely uniformity across cyber policies”, Nelson conceded.

“It’s often what is beyond the words on the page that speak louder to the credibility of [the] cyber insurance market over the policy documents themselves.”