The Zebra Newsroom

How insurance companies are handling ransomware threats


Cybersecurity incidents have seen a huge uptick in frequency and severity in the past few months – just within the first quarter of 2021, nearly 140 organizations across several industries reported experiencing a supply chain attack, a 42% increase from the same period last year. As the need for robust cyber insurance grows, here are some recent preventative measures companies, insurance carriers and the government are taking to protect their businesses and customers from cybercriminals.

Lately, ransomware attacks are being reported by all different types of businesses. The University of California-San Francisco agreed to pay cybercriminals $1.1 million last June after dealing with a data breach. In December 2020, software company SolarWinds was hacked, putting thousands of companies at risk simultaneously. In late April, the Washington, D.C. Metropolitan Police Department experienced a ransomware attack that leaked data from arrest records and internal memos. In addition, Allstate Identity Protection (AIP) reported that unemployment fraud in 2020 increased by more than 17,000% and expects cases to triple throughout 2021. Most recently, the Colonial Pipeline shut down for five days due to a ransomware attack, putting the product delivery supply chain on pause for one week and resulting in a $5 million ransom payment.

Growing need for cyber insurance

The attacks not only shed light on how crucial a role cybersecurity plays in all types of business operations; they also served as a wake-up call to insurers about the potential for cyber risk to accumulate around vital infrastructure or technology systems that affect larger numbers of connected organizations. Cyber insurer Coalition Inc. reported that risks of cyber claims have accelerated in light of the global pandemic, with increases in employees working remotely giving hackers more opportunity to gain access to computers and sensitive information.

While some companies, such as financial institutions, have invested heavily in cybersecurity, others have followed a pattern of ignoring or minimizing the need for safeguards to save on costs. First, cyber-insurance claim payouts on average can now exceed 70% of what is paid in premiums, prompting some insurers to drop this type of insurance altogether. Second, companies are hesitant to reveal breaches for fear of being hit with lawsuits if they disclose too soon. Third, some insurers require the completion of a supplemental application for ransomware coverage, with rates, terms and conditions determined by the company’s response to the application and reflected in the premium and coverage terms. Others are imposing sub-limits and/or coinsurance on ransomware coverage, potentially making it more difficult to obtain.

Insurance carriers hit by hackers in 2021

Insurance companies in particular have been an easy target for hackers. As carriers continue to develop digital advancements to enhance consumers’ experiences in insurance quoting and claims processing, they have been particularly vulnerable to cyber-attacks, according to Sontiq. Not only do carriers’ websites provide a sweet spot for hackers to collect customers’ NPI (nonpublic personal information), but agent-only websites have also been compromised through “credential-stuffing”. Here are some carriers that experienced a breach so far this year:

Taking appropriate preventative measures

On a federal level, President Biden recently signed an executive order in early May to improve information sharing about cyberattacks with the private sector and adopt better safety practices throughout the government, in addition to improving the government’s response to major cyberattacks. IT service providers with government contracts will be required to share information about cyber-incidents with the U.S. government within specific timelines and on sliding severity scales.

In May, the state of Maine took matters into its own hands and passed the Maine Insurance Data Security Act, requiring insurance carriers in the state to develop, implement and maintain a written information security program that aligns with the size and complexity of their business based on a risk assessment. Based on NAIC’s model data security law, this act will take effect on January 1, 2022, making Maine the 12th state to enact this type of legislation.

In addition to regulations made by the government, some cyber insurers have undertaken more rigorous underwriting standards requiring that companies have specific cybersecurity measures in place in order to obtain coverage. For example, New York’s Department of Financial Services (DFS) issued a cyber insurance risk framework of best practices for managing all types of cyber insurance, which calls for insurers to establish a formal cyber insurance risk strategy and recommends that cyber insurers manage and eventually eliminate “silent” risks.

According to Resilience Cyber Insurance Solutions, the best thing insurers can do is think about how their insureds address cyber hygiene, learn from previous losses, and advise clients on ways to improve. Rapidly informing regulators about possible breaches and the digital fingerprints hackers have left behind can be critical to identifying and preventing other intrusions. Limiting exposure and deploying robust analytics are also great ways to reduce the severity of cyberattacks. No one can predict when attacks will happen, and no perfect or complete solution exists, but being equipped with the right tools, maintaining transparency, and having a proactive and consistent approach to cyber risk management can take a company a long way in developing best practices.
