Author: John Doernberg
The sustained surge in ransomware attacks has hit the cyber insurance market hard.
The surge started a couple of years ago and has accelerated since early 2020, producing claims under cyber insurance policies that are both more frequent and more severe. Ransom payments toward the end of 2020 averaged in the hundreds of thousands of dollars, with some in the millions.
Beyond the cost of the extortion payment itself (when one is paid), ransomware typically triggers many other losses and expenses that can be covered by cyber or cyber/E&O policies. These include breaches of personal information, business interruption and extra expense, data recovery, regulatory investigations, fines and penalties, and (in cyber/E&O policies) liabilities for the failure of products or services. Such costs are often several times greater than any ransom payment.
Cyber insurers respond to the marketplace reshaped by ransomware
Cyber insurers are scrambling to stanch their losses. They have increased their premiums for both new business and their own renewals, often in the range of 15-50% or more. In many cases they have imposed coverage limitations, including sublimits on certain key coverages and even outright exclusions, for insureds exposed to specific high-profile incidents such as those involving SolarWinds, Microsoft Exchange Server and Accellion.
Insurers have also adapted their underwriting practices to keep up with the exposure landscape changed by the explosion in ransomware. They have examined their ransomware claims, seeking to identify the weaknesses most commonly exploited in successful attacks. Their findings have driven them to ask more probing questions during the underwriting process and to raise their thresholds for what they consider to be satisfactory responses.
As a result, organizations buying cyber insurance programs in the last few months have had to answer more extensive and probing questions from underwriters. The premiums quoted and the quality of the coverage terms offered are now far more sensitive to underwriters' higher thresholds for satisfactory answers.
Many cyber insurers now require insureds to complete special ransomware supplemental applications as a condition of coverage, or even of offering terms. Some cyber underwriters mandate use of their own applications (there are more than a dozen currently in use) for renewals, although most will accept competitors' applications to quote what would be new business to them; some of those will still require submission of their own applications prior to binding. Underwriters are also asking additional questions beyond the applications themselves during the underwriting process.
Ransomware concerns and best practices for addressing them
Insurers are looking for security controls that they consider effective at preventing, detecting and remediating malicious activity at the various stages of the ransomware lifecycle. While cyber insurers ask a wide range of questions in their applications, certain central themes have emerged that point to their principal ransomware concerns and the security controls they believe best address them. Below are some of those concerns, with what appear to be the most frequently mentioned controls italicized.