Across industry lines, cyberattacks have surged in both cost and frequency, resulting in a rise in cyber liability claims and subsequent underwriting losses.
Although the last few years have seen increased competition among cyber insurance carriers, higher capacity and expanded coverage terms, rapidly evolving cyber threats have led to a hardening market. In fact, according to recent research from IBM and the Ponemon Institute, the average cost of a data breach in the United States jumped to $8.19 million in 2020—representing an increase of 5.3% since 2019. Driving factors contributing to this hardening market include remote work exposures as a result of the ongoing COVID-19 pandemic, elevated ransomware concerns, regulatory ramifications surrounding data privacy and fallout from the SolarWinds hack.
In light of these market conditions, we predict that most policyholders will experience higher cyber liability insurance rates in 2021. Besides increased premium costs, insureds may also encounter coverage restrictions or exclusions for losses stemming from specific types of cyber incidents (e.g., ransomware attacks), while still having more generous coverage terms for other exposures. Policyholders who operate in industries with more pronounced cyber exposures (e.g., education, technology, health care, finance, retail and hospitality) or generate higher revenue levels may experience more severe rate increases.
2021 Price Prediction for Cyber Liability:
- Overall: +10% to +30%
Trends to Watch:
- Push for standalone policies—While many businesses have sought to secure protection from cyber exposures within their traditional property and liability policies throughout the past decade, standalone cyber liability policies have become an increasingly important purchase for establishments across industry lines. In the midst of growing cyber risks and a surge in both the cost and frequency of cyberattacks, most standard property and liability policies have begun implementing exclusions for cyber exposures to avoid unexpected underwriting losses—leaving businesses without a standalone cyber liability policy unprotected. As such, it’s critical for organizations to have a clear understanding of the extent of coverage that their traditional policies provide for cyber-related losses, as well as seriously consider securing a standalone cyber liability policy to avoid potential insurance gaps.
- Remote work exposures—The COVID-19 pandemic forced many organizations to make the transition to remote operations, with a significant number of employees working from home for the first time. Unfortunately, these telework arrangements led to a rise in cyberattacks, as many cybercriminals have targeted remote employees in various phishing and hacking incidents. This is the result of many employees’ home networks and software lacking the same level of security as that of their workplace.
- Ransomware concerns—Ransomware is a type of malicious software that cybercriminals use to compromise a device (or multiple devices) and demand a large payment be made before restoring the technology—as well as any data stored on it—for the victim. A ransomware attack is one of the most expensive and disruptive forms of cyberattack for organizations to deal with, with the average loss from such an attack exceeding $1 million. What’s worse, the number of ransomware attacks has practically exploded in the past few years. In response, some cyber liability insurance carriers have implemented revised coverage conditions related to ransomware incidents.
- Regulatory ramifications—As workplace technology and its associated cyber threats continue to evolve, so have data privacy regulations across the globe. A multitude of both international and domestic jurisdictions have recently debuted new data protection laws aimed at increasing responsibilities and compliance considerations for organizations that handle sensitive data (e.g., employees’ contact information or customers’ credit card numbers). Examples of such laws include the European Union’s General Data Protection Regulation and California’s Consumer Privacy Act. Looking ahead, more and more states are expected to pass similar legislation—increasing employers’ regulatory exposures in the realm of data protection.
- Fallout from SolarWinds—In late 2020, the U.S. government revealed that hackers, presumably Russian, had orchestrated a supply chain cyberattack earlier in the year in an effort to compromise several federal agencies and organizations. The hackers initially infiltrated the technology company SolarWinds’ network monitoring platform via malware before using that platform to gain access to sensitive data and emails from a range of U.S. government departments and private organizations. The attack—which has been called one of the largest and most sophisticated breaches the world has ever seen—is estimated to have impacted over 18,000 of SolarWinds’ customers and incurred as much as $90 million in total losses. The fallout from this large-scale attack has motivated many businesses to take a closer look at potential security risks stemming from their supply chains and make necessary adjustments to ensure cyber resiliency. Looking ahead, underwriting guidelines are expected to become more stringent in regard to supply chain exposures.
Tips for Insurance Buyers:
- Work with your insurance professionals to understand the different types of cyber coverage available and secure a policy that’s unique to your needs. Carefully determine whether your organization should purchase standalone cyber liability coverage.
- Take advantage of loss control services offered by insurance carriers to help strengthen your cybersecurity measures.
- Provide remote employees with adequate resources, support and software to avoid cybersecurity concerns amid work-from-home arrangements.
- Focus on employee training to prevent cybercrime from affecting your operations. Employees should be aware of the latest cyber threats and ways to prevent them from occurring. After all, human errors are a factor in over 60% of all cyber incidents.
- Keep your organizational devices secure by utilizing a virtual private network, installing antivirus software, implementing a firewall, restricting employees’ administrative controls and encrypting all sensitive data.
- Routinely update workplace software to ensure its effectiveness. Keep employees on a strict software update schedule and consider using a patch management system to assist with updates.
- Establish an effective, documented cyber incident response plan aimed at remaining operational and minimizing damages in the event of a data breach or cyberattack. Test this plan regularly by running through various scenarios with staff. Make updates to the plan as needed.
- Consult your insurance professionals and legal counsel to determine your organization’s regulatory exposures in regard to applicable data protection laws. Make compliance adjustments as needed.
- Develop workplace policies that prioritize cybersecurity—including an internet usage policy, a remote work policy, a bring your own device policy and a data breach response policy.
- Be sure to consider potential supply chain exposures when establishing your organization’s cybersecurity policies and protocols.
Content copyright Zywave 2021