Cybersecurity incidents have seen a huge uptick in frequency and severity in the past few months – just within the first quarter of 2021, nearly 140 organizations across several industries reported experiencing a supply chain attack, a 42% increase from the same period last year. As the need for robust cyber insurance grows, here are some recent preventative measures companies, insurance carriers and the government are taking to protect their businesses and customers from cybercriminals.
Lately, ransomware attacks are being reported by businesses of all types. The University of California, San Francisco paid cybercriminals $1.1 million last June after a data breach. In December 2020, software company SolarWinds was hacked, putting thousands of companies at risk simultaneously. In late April, the Washington, D.C., Metropolitan Police Department suffered a ransomware attack that leaked arrest records and internal memos. In addition, Allstate Identity Protection (AIP) reported that unemployment fraud increased by more than 17,000% in 2020 and expects cases to triple throughout 2021. Most recently, the Colonial Pipeline shut down for five days because of a ransomware attack, pausing its product delivery supply chain for one week and resulting in a $5 million ransom payment.
Growing need for cyber insurance
The attacks not only shed light on the crucial role cybersecurity plays in every type of business operation; they also served as a wake-up call to insurers about the potential for cyber risk to accumulate around vital infrastructure or technology systems that affect large numbers of connected organizations. Cyber insurer Coalition Inc. reported that the risk of cyber claims has accelerated in light of the global pandemic, with more employees working remotely giving hackers more opportunities to gain access to computers and sensitive information.
While some companies — such as financial institutions — have invested heavily in cybersecurity, others have followed a pattern of ignoring or minimizing the need for safeguards to save on costs. First, cyber-insurance claim payouts can now exceed 70% of premiums paid on average, prompting some insurers to drop this type of coverage altogether. Second, companies are hesitant to reveal breaches for fear of being hit with lawsuits if they disclose too soon. Third, some insurers require a supplemental application for ransomware coverage, with rates, terms and conditions determined by the company’s answers and reflected in the premium and coverage terms. Others are imposing sub-limits and/or coinsurance on ransomware coverage, potentially making it more difficult to obtain.
Insurance carriers hit by hackers in 2021
Insurance companies in particular have been an easy target for hackers. As carriers continue to develop digital advancements to enhance consumers’ experiences in insurance quoting and claims processing, they have become particularly vulnerable to cyber-attacks, according to Sontiq. Not only do carriers’ websites provide a sweet spot for hackers to collect customers’ non-public personal information (NPI), but agent-only websites have also been compromised through “credential stuffing”. Here are some carriers that have experienced a breach so far this year:
- CNA Financial Corp reported that it paid a $40 million ransom after a cyber attack in March but did not report any impact on stored policyholder data, underwriting systems or records.
- Farmers Insurance experienced a data breach between January and February, tied to its online auto insurance quoting system.
- National General reported a possible data breach tied to its quoting system between last August and February of this year.
- Metromile disclosed in February a security breach caused by a bug in its application process that allowed the hacker to obtain driver’s license numbers.
- Geico reported a security breach that allowed fraudsters to access approximately 132,000 customers’ driver’s license numbers from its online sales platform and apply for unemployment benefits between January and March.
- Lemonade allegedly had a bug that allowed anyone to inadvertently access personally identifiable data from customers’ accounts.
Taking appropriate preventative measures
On the federal level, President Biden signed an executive order in early May to improve information sharing about cyberattacks with the private sector, adopt better security practices throughout the government and improve the government’s response to major cyber attacks. IT service providers with government contracts will be required to share information about cyber incidents with the U.S. government within specific timelines on a sliding severity scale.
In May, the state of Maine took matters into its own hands and passed the Maine Insurance Data Security Act, requiring insurance carriers in the state to develop, implement and maintain a written information security program appropriate to the size and complexity of their business, based on a risk assessment. Based on the NAIC’s model data security law, the act takes effect on January 1, 2022, making Maine the 12th state to enact this type of legislation.
In addition to government regulation, some cyber insurers have adopted more rigorous underwriting standards, requiring companies to have specific cybersecurity measures in place in order to obtain coverage. For example, New York’s Department of Financial Services (DFS) issued a cyber insurance risk framework of best practices for managing all types of cyber insurance risk, which calls for insurers to establish a formal cyber insurance risk strategy and recommends that cyber insurers manage and eventually eliminate “silent” cyber risk.
According to Resilience Cyber Insurance Solutions, the best thing insurers can do is think about how their insureds address cyber hygiene, learn from previous losses and advise clients on ways to improve. Rapidly informing regulators about possible breaches and the digital fingerprints hackers have left behind can be critical to identifying and preventing other intrusions. Limiting exposure and deploying robust analytics are also effective ways to contain the severity of cyber attacks. No one can predict when attacks will happen, and no perfect or complete solution exists, but being equipped with the right tools, maintaining transparency and taking a proactive and consistent approach to cyber risk management can take a company a long way toward developing best practices.