Cyber Insurance: Navigating A Tough New World In the Age of Ransomware

This week, REvil ransomware operators exploited a bug in Kaseya VSA software and then requested a lump sum of $50 million for a universal decryption key for all victims of the Kaseya attack. To put that in context, last year, all ransomware extortion payments were calculated at $350 million in cryptocurrency. Insurance carriers are paying those claims, but the increased cost and frequency/timeline to pay is outside the scope of traditional insurance.

No market segment or industry group has been spared by ransomware. In this threat environment, two things are certain: organizations need better security stacks/fewer bugs, and they need to transfer risk via cyber insurance. Unfortunately, a lot of companies viewed this as an “either/or” proposition and that has driven losses and dramatic change in the way that insurers price cyber risk.

Marsh Insurance reported a 35% increase in cyber insurance premiums last month, the largest in 5 years. Unsustainable loss ratios have led to higher premiums for less coverage and higher retentions (deductibles). Many companies will not qualify for renewal if their tech stack is not up to par. Brokers report all markets are requiring higher technical standards and many now require EDR. Companies that don’t present well will not qualify for coverage.

For those that are new to this area, Cyber insurance is a two-tiered market. You need a broker to purchase the coverage from a carrier (AXA, Chubb, etc.). The carriers use Reinsurance to share the losses, and now the reinsurers are tightening their guidelines under their ‘treaties’ with carriers and reducing capacity.

Brokers must navigate the risk management issues with each client as they attempt to secure coverage. It’s a lengthy process and ‘real-time’ network security reports are difficult to obtain. Most company-specific cyber analysis reports are from the outside of the network, looking in. While this data is useful, it doesn’t tell you what evil may be hiding on systems inside the company.

What should companies expect during the new underwriting process? We spoke with several Cyber insurance brokers to determine how companies can qualify for cyber insurance given the stringent new guidelines.

Our panel of experts include:

  • Chris Keegan, Sr. Managing Director of Beecher Carlson
  • Anthony Dagostino, EVP at Lockton Companies
  • David Lewison, EVP of AmWINS Insurance
  • Jesus Gonzalez, Cyber Chief of Staff, Aon Insurance

Are your clients able to keep their Cyber policy coverage intact? How has coverage and policies changed?

David: The main reaction to the ransomware pandemic is to cut limits. A small handful of insurers are pushing coinsurance for all ransomware related expenses. The rates are unpredictable at the moment. The underwriters don’t want to lose good risks – at least those they think are good. Retentions are rising. Brokers would rather sell higher premiums than restrict coverage. The last thing we want is to see premiums paid, but losses not covered. Many markets are making their ransomware applications mandatory. Any answers that they don’t like and they won’t quote or stay on a renewal. They used to just charge more if a risk didn’t look as locked up. Now they walk. It’s made it tougher to find a home for the companies that are behind on their security posture.

Anthony: Many are in-line but some high, much higher, and some lower. It depends on the industry, loss history and controls in place. Capacity is getting a bit more strict and large clients are seeing a push to higher retentions in some cases.

Chris: As we started the first quarter of 2021, we were aware the frequency and severity of ransomware claims would require cyber insurance markets to make major adjustments to their books. Directionally this meant reducing limits, increasing premiums by 30% to 40%, and in some cases, reducing their exposure to ransomware through sub-limits and coinsurance.

All relatively manageable, but as we come towards the end of Q2, the landscape has changed dramatically with increases for large clients in the 40% to 50% range and some smaller clients seeing increases of over 100%. Markets have contacted us that they are pulling out of the cyber insurance market entirely. Furthermore, insurance carriers are informing us they have a limit to how much business they can write. In other words, once they’ve reached a total number of exposed limits, they are done for the year. BCS, who support us on a number of large accounts that renew in Q4, contacted us to say they have only half the limits available and to reserve those limits now; and as for the large leading markets, namely AIG, Chubb and Axis, be prepared to have limits reduced by half.

Whether we continue to see carriers leaving the market or not, one thing is for sure, the underwriting process is much more intense and we need to be prepared to help assess our clients risk, determine where our clients are in their cybersecurity maturity lifecycle, and assist in creating a plan forward towards a comprehensive solution.

Jesus: On January 1, 2021 many reinsurance treaties renewed albeit at a significantly higher cost due to loss ratios and coupled with more stringent underwriting requirements. The term ‘hardening’ insurance market took on new meaning for network security and privacy liability (cyber) space due to recent events including SolarWinds and MSFT exchange server vulnerabilities. In terms of coverage changes, a handful of insurers are injecting coinsurance as part of the cyber extortion (ransomware) insuring agreement. This has not previously been seen in the cyber insurance space.

As far as capacity is concerned, we are seeing a vast range of behaviors; from many insurance market partners reducing their limits on any particular risk to non-renewing terms and conditions even for risks that have no claims history and better than average cyber controls. As far as business interruption coverage is concerned, many are pulling back on contingent business interruption (BI) coverage extended to cover an insured’s loss of income due to a vendors’ cyber event. Ensuring that the client has a strong vendor due diligence program in place is key to maintaining this coverage.

How does the Broker help the client maintain/secure coverage? Are you utilizing network scans or similar to meet with carrier underwriting requirements?

David: We don’t have any scan technology of our own so we rely on the offerings of the insuretech’s and carriers that have been doing that. One thing I’ve been watching is what scan is being used. A few insurtech’s have built their own scan while many other insurers are outsourcing, often to the same one or two vendors. If they all use the same vendor, do they get a competitive edge? If they don’t scan, are they going to be victims of bad risk selection? What if the scan is looking at the wrong things? I believe scans are good for assessing a portfolio of risks for the carriers.

Another interesting thing is who gets to see the scan. The insuretech’s share the scan data so clients can work on their weaknesses. Other carriers use the scan as part of risk selection, but don’t share it. The best way we have to maintain coverage is to be in tune with the huge range of insurers and their appetites. With 100+ insurers and fluctuating appetites, it’s very challenging to find the perfect carrier partner for every unique risk. We get there by collaborating and sharing what we are seeing across industry groups, revenue sizes, insurer appetites, loss trends, etc.

Anthony: We’ve really shifted over the past 12 months or so to more cyber risk management in addition to just the placement of the policy. We utilize risk quantification tools and network scans in some cases to preempt the underwriting response.

Chris: We are utilizing external network scans (Binary Edge) to allow our clients to see what the underwriters are seeing. For us, its advising where the most critical issues are from, combined with the underwriter’s perspective in helping our clients develop a narrative for those areas where there are weaknesses and helping them to express where they’re strong.

Will your larger enterprise accounts be able to keep their coverage at current levels or will the renewal costs be prohibitive or cause a reduction in coverage?

David: We are definitely seeing cases where the insurers are reducing their limits on larger risks and there aren’t enough insurers jumping in to fill those gaps. We’ve had some challenging placements higher up on towers as insurers have reduced limits and dropped lower where the premiums are higher. Higher retentions are one way for the client to share in the risk and find more interested insurers. Accepting a level of coinsurance for ransomware is another.

Anthony: It depends on the client, the program, and their approach to risk. Some have bought more limit in the environment given the exposures while others manage to budgets and explore higher self insured retentions, loss corridors, and increased captive use.

Chris: This is a work in progress at the moment. The capacity available is shrinking so towers are reducing. We are often working to replace gaps with Co-insurance from the clients captive. Decisions on risk transfer versus self-insurance are being made on a case by case basis looking at cost benefit. Going forward we think the market will find some level of equilibrium so we find many of our clients continuing to purchase the cover rather than self-insure where they can in the hope that they will be able to hold onto their programs through this period to a point where the market normalizes.

Jesus: Larger enterprise accounts, those defined by annual revenues of $2B or greater, can expect a 10-fold effort to renew their program and should allocate a sufficient amount of time by aligning internal resources including CISO, legal, compliance, and procurement to successfully address all insurance market inquiries surrounding their E&O/Cyber program. Cyber insurance markets are now requiring baseline application, supplementals (including ransomware), and a formal underwriting meeting to address any/all questions surrounding their cybersecurity hygiene. We are advising clients to start four to six months in advance of their renewal date.

Even if the large enterprise entity addresses all required underwriting information, we are still seeing renewal costs surge. All sensitivity analysis that were previously provided for budgeting purposes to clients have been completely blown, due to primary programs experiencing greater than 50% YoY premium increases in the second quarter for expiring terms and conditions on various risk profiles. As a broker, we have to provide the client options including raising the self-insured retention level, a reduction in total capacity, or removing some insuring agreements. We are seeing a significant increase in the use of captives to address capacity shortfalls or to maintain a reasonable pricing structure from the more sophisticated risk managers.

What is your best guidance for companies seeking new policies or renewals in this environment?

David: As is always the case in insurance, any uncertainty leads to higher prices and fewer options. Come prepared to be transparent with underwriters. They are being selective on risks and want to be sure they are getting good risks. If you hide details, they’ll just take a pass.

Anthony: Know the marketplace, know the key controls needed to get the best coverage, and work with your broker. If renewing coverage, start the process very early.

Chris: Start preparing your submission for the insurance well in advance. For large companies that may mean six months or more in advance of the renewal. Critically review key controls for ransomware attacks and prepare your ID security team to be able to talk to those controls and provide a well-crafted presentation to the underwriting community.

Jesus: For new placements, our advice is that you work with an experienced broker to ensure that your company is prepared for the barrage of underwriting questions that will come across various domains including but not limited to:

  • Operational IT
    • Security Organization
    • Software/Network Connectivity (MFA in place across the firm)
    • Access Management (limited Domain Admin accounts)
  • Security Controls/Procedures
    • Intrusion Testing, Detection and Prevention (think endpoint protection, firewalls, etc.)
    • Policies & Procedures (documented and tested)
    • Hosting of Information + Encryption (DLPs)
  • Business Continuity & Incident Response Planning (documented, tested, updated)
  • Vendor Management (think SolarWinds)

For renewals, our recommendation is to start early. The risk manager should query the firm and gather as much intelligence in preparation for the renewal cycle from internal stakeholders to ensure the company’s risk profile has not changed significantly from the previous year, including a new acquisition/divestiture, new vendor partner providing key services (new MSSP perhaps), or new contract requirements stipulated a certain level of coverage and/or limits.

With an updated risk profile in hand, the risk manager should reach out to the broker to query all existing insurance partners for their concerns, appetite, and upcoming requirements but most importantly for their continued support of the risk transfer solution. Finally, the risk manager should confirm that the risk transfer program is in alignment with the corporate strategy especially since this ‘hardening’ market will impact budgeting.

What are your clients saying about the ransomware threat? Do they believe they are sufficiently protected? Do they expect insurance will cover their losses?

David: As a wholesaler, we don’t often get to talk to the clients. I know the clients are concerned about ransomware based upon the increase in first time buyers across the SME and middle market space. We’re not seeing companies dropping coverage, which they would do if they didn’t see value in the policy.

Anthony: It’s the biggest concern because it’s so real and in the news hitting all industries. Education and transparency is critical so they understand what’s covered, what isn’t, and how coverage may have changed upon renewal.

Chris: The more we are seeing ransomware events the more that our clients are becoming concerned about the threat. There are still companies out there who think that they are not likely to be a target even though some have controls that are less than they should be in this environment. They do believe that the insurance coverage will help them respond to ransomware attacks and cover their losses . The history has been very good in insurance markets making payments for ransomware.

Which industry groups are most concerned with the latest iteration of double ransom with data exfiltration? Do they expect the threat actor to delete data if ransom demands are met?

David: I would think any industry that holds a lot of PII and PHI or confidential corporate information would be the most concerned. Does anyone fully trust a threat actor?

Chris: Most companies are only now becoming aware of the double ransom and triple ransom in some instances where the threat actors are reaching out to the people whose personal information has been released and seeking extortion money from them. It seems that all groups of companies are concerned. Those companies without a large database of third party personal information are still concerned for their employee information.

What are Board Directors saying to management about steps they should take…most expedient way to get back online or follow the FBI guidance?

Chris: Almost all of the companies that we deal with are most concerned about the direct business impact and are taking whatever steps they deem necessary to most efficiently get their businesses back up. They are concerned about the OFAC and regulatory issues but are most concerned about their employees, clients and reputation.

Could the Federal Govt outlaw paying of Ransom demands in such a way as to not harm the victims further?

David: I’m concerned about this. The business interruption risk is already much larger than the ransom, otherwise why would anyone pay the ransom? If a company can’t pay the ransom, what’s the alternative? If the Govt wants to help, they need to counterattack or regulate cryptocurrencies. Without anonymous payments, the bad guys could get tracked down faster.

Chris: I don’t think so.

How does the recent Executive Order impact your clients? Are municipal governments able to secure coverage at reasonable rates?

David: We are already reeling from the majority of insurers getting out of municipal risks. By majority I’m talking about 95%+ of the market has left. I’d like to see the insuretech’s that purport to offer valuable risk management services come in and risk manage this class of business and insure them.

Chris: So far we have not seen any impact from the executive order. Municipalities is one class that is very difficult to find coverage for in the current market.

We would like to thank our expert panel for sharing their views. SentinelOne works closely with insurance carriers and brokers, to develop and deliver risk mitigation solutions. We believe the ransomware problem can be defeated and as our broker colleagues have stated, all solutions require a coordinated approach. If you would like to learn more about the SentinelOne insurance partners, contact us here.