The firm’s cyber development leader believes ‘the last option we want is to remove extortion coverage’, but that applying sub-limits could be a viable route forward

The “common headline” that extortion insurance incentivises criminals to commit ransomware cyber crime is “misguided” and “distracts from the wider issues”, according to CFC Underwriting’s cyber development leader Lindsey Nelson.

Speaking as part of a panel discussion at the MGA’s virtual Cyber Summit event last month, Nelson argued that the perception that “extortion cover being available [incentivises] the criminals” is “quite misguided when we actually think about the fact that businesses around the world, only 15% of them are buying a cyber insurance policy”.

In fact, “the last option we want is to remove extortion coverage”, she said.

“What we could consider is sub-limits on that coverage, which then works in the client’s best interest to allow their policy limit to be available for what ultimately ends up being the more expensive part of the ransomware claim, so things like forensics and system damage costs and recreation and the business downtime,” Nelson continued.

“Providing the full limit on extortion actually erodes coverage available that clients will need and certainly when you balance it with the net profit of what a company is actually able to pay, we want to make sure that conversation is a little bit more balanced with clients.”

In terms of “what actually is fuelling cyber crime”, Nelson listed companies with “weak security controls that provide criminals with the path of least resistance to their systems”, “strict privacy laws that exist in various territories around the world where insureds are more likely to pay a ransom to avoid strict penalties and fines” and “crypto exchanges that allow criminals to monetise crime” as more likely drivers of ransomware attacks.

In her mind, however, “there’s a lot the cyber insurance industry can do proactively to help stop” these common factors behind cyber crime. She added that the insurance sector is “certainly not the cause of it - they’re helping fight crime rather than fuel it”.

“It really is everybody’s role to play a part here and within the insurance community specifically, there is a responsibility on us as insurers as well,” she said.

Speaking directly to the online audience of brokers, Nelson added: “It feels like a good call for action for some of our broker partners as well to help us at CFC and help the cyber insurance market change the conversation with clients that we’re having right now.”

For example, last month’s ransomware attack on US fuel pipeline network Colonial Pipeline was simply one of many that CFC saw, noted the firm’s head of cyber James Burns – he said incidents like this occur daily.

The visibility and scrutiny this specific attack garnered, however, are good for the insurance sector because they bring much-needed attention to the importance of cyber security, Burns continued.

Peak penetration

In terms of where conversations with clients are already having a positive impact regarding cyber security, Nelson pointed to cyber insurance penetration within the SME market – she said this is now at “its peak point” thanks to insurance firms explaining to clients what a cyber insurance policy specifically does compared with other kinds of cover.

Additional ways to improve the uptake of cyber insurance for this demographic include “providing examples of how they benchmark against their peer group. What companies like them are experiencing in terms of cyber attacks. Putting things like case studies around that has helped massively,” Nelson explained.

Another strategy is to explain “cyber as a concept”.

“Today, what we see cyber insurance as is a proactive, service-driven policy,” Nelson explained.

“It provides you with a set of tools to help you become a better business from a security perspective. It gives you a team of security experts should the worst go wrong, as most small businesses can’t afford that, and really it works for you from the very first day that you bind a policy.

“That is what small businesses are buying for today and I think changing the conversation that way has helped massively with market adoption.”

On the flip side, “what doesn’t work well is the blanket one-size-fits-all solution of let’s talk about privacy liability, let’s sell it as a third-party policy, let’s take a FTSE company and try and relate that to a small business and hope they understand the merit to their business”, Nelson added.

Tom Bennett, team leader, cyber threat analysis at CFC Underwriting, also participated in the panel discussion. His top cyber security tips included using multifactor authentication, having robust patching and disabling macros on emails, which can help prevent phishing attacks.