It may come as a surprise that cyber liability insurance has only been in existence since the late ‘90s. In those days, policies were taken out to cover errors in data processing or online media.
Nowadays, those problems may seem quaint compared to what most companies have endured in the last 10 years. Large-scale security breaches and the evolving sophistication of external hacks have exposed how vulnerable online and interconnected data has become. As a result, cyber-insurers are redrawing their underwriting requirements to meet some of the current challenges.
The Unknowable Threat of Ransomware
The evolution was spurred by three major developments in the past decade. The first was the onset of major data breaches in 2014 and 2015. The second is happening as we speak: the epidemic of ransomware attacks that began in 2019. Finally, companies are working more closely together by sharing sensitive data, which increases the risk for all of them.
Ransomware presents a host of problems that nearly dwarf the impact of data breaches. Losses from ransomware have more than doubled in the past three years; Fitch Ratings reported cyber-loss ratios in 2020 hit 73%, up from 34% in 2018.
Another problem is ransomware’s unprecedented ubiquity. Attacks are not industry- or size-specific, making it nearly impossible to predict how frequent and how severe the resulting losses will be. This has made risk evaluation extremely difficult.
In response, cyber insurers have updated their question sets to gather more qualitative information than a typical “yes/no” questionnaire can supply.
Assessment Tools Come to the Foreground
Cyber risk assessment tools are not new to cyber insurance companies or their clients. But they’ve never been more prevalent than in the last three years, especially applications that evaluate cybersecurity via a rating system.
In the past, rating applications were mostly score-based, assigning a policyholder’s systems a numeric value on a scale to gauge their risk exposure. That practice has evolved into a more precise evaluation of specific, known vulnerabilities, which underwriters use to build policies (or, potentially, to decline coverage). This data is fed through algorithms to produce ratings and risk probabilities.
Underwriters have two primary areas of concern that modern risk assessment tools address. The first is open or unused ports: they give outsiders an easy way onto a network and are considered especially vulnerable.
Common vulnerabilities and exposures (CVEs) also cause shudders among underwriters. These are publicly disclosed software vulnerabilities, recorded in a public database maintained by the MITRE Corporation. Ransomware activity has been linked to CVEs in the past, some of it occurring well before the affected companies disclosed the vulnerability.
Information Gathering on Applications
Cyber-insurers are ramping up their application forms to account for new ransomware issues. Most of the new information they gather comes in the form of supplemental forms addressing prevention and recovery, which new applicants must fill out.
These improved applications consider security measures from a must-have or nice-to-have perspective. The must-haves often include mandatory practices like backup, multi-factor authentication, controls for Remote Desktop Protocol, and removal of obsolete operating systems.
Supplemental questions help underwriters understand details of security domains that automated network scans cannot detect, such as recovery procedures and administrative security controls.
Guarding Against Systemic Risk
Even with the risk mitigation standards underwriters now impose, the recent hacks on Microsoft servers and the ongoing threats against SolarWinds have shown the obstacles to protecting against systemic risks. Some underwriters may be unable to identify these exposures, even with updated applications and risk assessment tools.
Part of the issue is the 12-month insurance cycle common to most kinds of insurance policies. Some insurers can’t react promptly to systemic events since they’re held back by annual renewal dates arising after the threat has manifested.
Benefits of Controlling Cyber Risk
Risk control has been a hallmark of standard insurance for decades, but only recently has it gained any prevalence in cyber insurance. Clients are still largely unaware of the importance of risk mitigation, treating it as an optional obligation that follows the necessary step of securing a policy.
This perception is slowly beginning to change, however, as more clients become aware of the benefits of cyber-risk management. It’s the best way to detect and rate system vulnerabilities, speed up remediation, and make employees aware of cyber risk through education and training sessions.