These days, many organizations are choosing to carry cyber insurance coverage as part of their defense arsenal against cyber threat. But with the explosion in ransomware attacks and an evolving regulatory environment, the cyber insurance landscape is changing fast. It’s a good time to look at what’s happening in the marketplace, and how it could affect your coverage today and tomorrow.
Premiums on the Rise
It’s not news that ransomware and other cyber attacks are on the rise. Consequently, both the frequency and severity of cyber insurance claims are climbing. The growing sophistication of hackers, the relative ease of acquiring hacking tools on the dark web, and the larger attack surface created by people working from home during the COVID-19 pandemic have conspired to create ever more serious threats to business. And the costs of cyber incidents are broadening as well as rising – more and more attacks combine data exfiltration with ransomware, so regulatory penalties and customer restitution are additional expenses on top of downtime, expert retainers, and any payments made to unlock systems.
These increased costs are being reflected in the premiums charged for cyber insurance coverage. Reuters quoted Robert Parisi, U.S. cyber product leader at Marsh & McLennan Companies Inc., as observing that cyber insurance premiums started rising by a “dramatic” 5% to 25% in late 2019 – before the pandemic hit. A report from Canadian Underwriter indicates that loss ratios (claims losses and expenses divided by premiums) in the cyber space rocketed to an unsustainable 498.9% in 2020 Q2. Premiums are sure to continue to climb in 2020, while insurers are reassessing coverage in a variety of ways:
+ Dramatic increase in deductibles, or introduction of “co-pay” arrangements with the insured covering 20-30% of an incident expense.
+ Separation of ransomware from other types of cyber attack for the purpose of targeted insurance premiums or special policy exclusions.
+ More intense underwriting and coverage qualifications, including proven data backup/recovery procedures, to reduce the likelihood of having to pay ransoms.
+ Declining to renew policies, or even exiting the market altogether.
It’s important for anyone holding or considering cyber insurance to have discussions with their brokers and insurers to evaluate the continuing affordability – or indeed, availability – of cyber insurance coverage.
Further complicating the insurance coverage discussion is the current regulatory landscape. In Canada and the United States, anti-money laundering laws prohibit payments to designated organized crime groups, terrorist organizations, and rogue nations; therefore, paying a ransom may per se be a criminal act (in addition to supporting and encouraging criminal elements).
This month, the U.S. Treasury Department issued ransomware advisories highlighting the “implications for persons involved in facilitating ransomware payments”. The specific ransomware advisories were issued by the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC). The OFAC bulletin emphasizes the importance of conducting due diligence to confirm that the recipient of any paid ransom is not on OFAC’s list of sanctioned organizations. Since cyber criminals are unlikely to identify themselves readily, this may not be a simple matter. The company under attack, or the agents negotiating the ransom on its behalf, are encouraged to coordinate with OFAC in order to avoid making a bad situation worse.
Broadly, Canada’s anti-money laundering and terrorist financing laws are codified in two statutes: the Criminal Code and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). The statutes impose restrictions on knowingly dealing with terrorist organizations and any other designated parties. And changes are coming that will affect companies that handle transactions in bitcoins or other virtual currencies – the same financial instruments favoured by ransomware attackers. Some changes to the virtual currency handling definitions used by the Financial Transactions and Reports Analysis Centre (FINTRAC) took effect June 1, with further rule changes coming into force June 1, 2021. The changes will place even more of an onus on companies to take great care before considering ransom payments.
Long story short: even if your cyber insurance coverage includes ransom payment relief, it may not be legally enforceable depending on who is extorting money from you.
Given the changing landscape and potential pitfalls, it’s essential to understand the potential limitations on ransomware payments beforehand, and assess your cyber insurance policies and strategies in advance. While it isn’t a “technical” exercise, managing ransomware demands must be a key part of your organization’s incident response planning and testing processes.
Experts speculate that even directors and officers (D&O) insurance may be affected: as loss ratios for coverage of corporate leadership have climbed, premiums for that coverage are expected to rise as well. While some D&O policies are introducing specific exclusions for cyber incidents, note that most D&O policies already carry exclusions for terrorist acts: an insurer may choose to consider a cyber attack an act of terrorism, and attempt to take an off-coverage position.
Prevention is the Best Medicine
You don’t drive recklessly just because you have car insurance. You have smoke detectors and you lock your doors, no matter what kind of property insurance you have. Similarly, it’s essential to be “cyber smart” with or without cyber insurance coverage in place.
ISA Cybersecurity can help with a wide range of cybersecurity offerings, running the gamut from risk assessment and cyber awareness training to hosted/managed cybersecurity services and top-flight incident preparedness planning. Contact us to discuss your concerns about cybersecurity and the potential limitations of your cyber insurance coverage.
With nearly three decades in the cybersecurity field, we’re well-equipped to share our real-world experience and advice to help you manage risk and defend against the constant danger of cyber attack.