Ransomware demand ‘is 20 times more than what we saw in 2018’, says MGA’s head of cyber

BrokerFest 2021: Changes in the cyber insurance market, which is going through a period of sustained hardening, need to be fully understood by brokers in order to be communicated to clients effectively, according to James Burns, head of cyber at CFC Underwriting.

Burns was speaking as part of the cyber conference stream at Insurance Times’ BrokerFest 2021 event on Monday 11 October.

Prior to the cyber market’s recent hardening, Burns said CFC Underwriting had seen a rapid adoption of cyber insurance in the UK SME market over the last few years - this type of cover “has been outpacing all of our territories”, he noted.

However, just as SMEs were recognising the value of protecting intangible assets, the cyber market embarked on a sustained period of hardening, cutting short this trajectory.

“We need to be aware of how fragile the fledgling cyber market is in the UK,” Burns said, as this will subsequently help insurers underwrite cyber cover in the long term as well as make sure it remains accessible for small businesses.

Shining a light on systemic risk

The Covid-19 pandemic shone a massive light on the challenges of systemic risk, Burns continued.

“The pandemic really crystallised the perception of how bad systemic risk can really be. Systemic risk is at the forefront of everyone’s mind. This perception is having an impact on capacity,” he added.

Over the last 12 months, CFC has witnessed a big uptick in the number of systemic cyber events - this suggests they are becoming a bigger issue.

Burns continued: “We saw six cyber systemic events over the last 12 months, which together gave rise to 300 claims notifications over and above the normal attritional level of SME cyber claims we were getting in our portfolio.”

For example, the University of Cumbria’s software provider Blackbaud was hit by a ransomware attack in 2020. The data breach saw cyber criminals access sensitive information about both students and staff, such as dates of birth and addresses.

US non-profit organisation the Identity Theft Resource Centre recorded 12,813,995 victims from Blackbaud’s data breach.

“It demonstrates how quickly systemic risk can accumulate in a cyber portfolio. It’s a classic example of a single software provider with access to all of its clients’ data leading to breaches in multiple countries,” Burns said.

He also noted the Microsoft Exchange incident last year, which saw 100,000 Windows credentials being leaked due to a vulnerability in its Autodiscover protocol. As a result, Microsoft applied a temporary fix to mitigate the issue and will be permanently disabling its basic authentication in Exchange Online on 1 October 2022.

A further example is US-based Kaseya, an IT management software firm that was hit by a supply chain ransomware attack in July 2021. The attack was conducted by Russian hacking company REvil, which released a malicious patch on to Kaseya’s server and subsequently demanded $70m (£50m) in ransom.

“This caused an immediate impact around the world - no one had seen a ransomware attack executed in this manner,” Burns said.

He stressed the importance of having back-ups in place at an organisation, as well as investing in a good business interruption (BI) policy.

For insurers, the main concern is getting back-up systems up and running and questioning whether the hacker will release the data that is being held, Burns added.

Ransomware frequency rising

Kaseya is unfortunately just one example of a recent ransomware attack, as this type of cyber crime continues to escalate.

“The demand we are seeing today is 20 times more than what we saw in 2018,” Burns said. “The reason for that is that attackers are getting smarter, demanding multiple victims [pay] relatively small amounts at the same time.”

As a result of this tactic, the cost of ransomware attacks for an insurer has gone up by a factor of 10, Burns calculated.

“This has very quickly put cyber insurers into loss-making territory. What’s interesting about ransomware is that it has become more about frequency. Ransomware as in the number of claims [has] remained relatively stable - what’s gone up is the frequency of large losses,” he said.

This risk of evolving and bigger attacks is having an impact on pricing and driving the hard market because insurers are not sure what to expect, Burns noted.