Lately it seems that each day brings a new cybersecurity attack or data breach, with yet another hacker locking a company’s computer system and threatening to publish sensitive data or permanently block access if the company does not pay a ransom.
Ransomware attacks have dramatically increased for two main reasons: First, since many recent data breaches have resulted in large payouts, cybercriminals are launching more attacks as effective money-making schemes. Furthering this issue, as insurance companies pay out cyber claims, extortion demands have risen steeply from five- to six- to seven-figure amounts. Second, companies in many industries have shifted to work-from-home setups because of the pandemic, but have not put sufficient corresponding cybersecurity measures in place. This has created more opportunities for malicious actors to hack into and exploit vulnerable systems.
As a result of the spike in ransomware attacks, companies worldwide are carefully examining their cybersecurity preparedness by both improving defenses and obtaining insurance policies specifically designed to protect against losses from cyberattacks. Whether a company is procuring a policy proactively to avoid losses from an extortion demand or evaluating options after suffering an attack, prospective policyholders should be aware of the common pitfalls and challenges they may face in the process of obtaining cyber insurance coverage.
Policyholder Preparedness During Underwriting
Policyholders must understand, negotiate and improve the terms of their cyber insurance policies before claims arise. With ransomware attacks becoming more frequent, insurers are more closely scrutinizing buyers’ cyberrisk management programs during the underwriting process. Insurers now expect prospective policyholders to have better controls in place to avoid and mitigate ransomware attacks. Specifically, underwriters are requiring more comprehensive submissions with extremely detailed information about a prospective policyholder’s security measures, personnel training, and overall knowledge of where and how data is maintained.
Before they will issue a cyber policy, many insurers are also requiring prospective insureds to supply a warranty letter along with a formal insurance application. Policyholders should note that the scope of those warranty letters can be extensive, so they should ensure these documents are carefully reviewed and negotiated before signing.
Accordingly, prospective policyholders must conduct detailed and comprehensive due diligence while applying to purchase a cyber policy. Policyholders should also try to provide as much information as possible during the application process. This will help guard against the risk of an insurer citing a lack of disclosure on the application and rescinding the policy once a claim is made.
In addition to more heavily scrutinizing buyers during the underwriting process, insurers are also adding restrictions to policy terms. There is significant variation in the coverage available under different cyber insurance policies. The good news is that many of these policies can be negotiated to include coverage enhancements, sometimes at no extra premium. However, to secure those enhancements and tailor coverage to fit their particular needs, policyholders must ask the right questions and make the right requests based on their risk profiles.
An insurer’s willingness to provide additional coverage and increased limits will depend on the number of records handled, the strength of the existing procedures to prevent security breaches, and the insured’s data breach claims history. Therefore, it is critically important for companies to make sure their IT professionals are well-prepared before introducing them to the insurer’s underwriting team. As the saying goes, you do not get a second chance to make a first impression.
Next, prospective policyholders must recognize that the current cyber insurance market is particularly challenging due to the dramatic increase in claims activities. Policyholders should expect to pay increased premiums on first-time and renewal cyber policies, and it is possible that an incumbent insurer may decline to renew a cyber policy altogether.
In May 2021, Marsh reported cyber insurance costs had increased by a third over the past year, which was tied to the proliferation of costly ransomware attacks on businesses. While these rate increases averaged 18% worldwide, Marsh saw a more decisive spike in the United States, where prices rose 35% during the first quarter of 2021—the highest annual increase for the product since 2015.
Another major concern is the addition of sublimits on specific coverages within cyber policies. Such sublimits are creating tension in the market because policyholders may not see the value in purchasing expensive policies that contain sublimits on common and costly losses.
Diligence on the front end during the underwriting process will minimize the likelihood of unexpected coverage gaps when a claim occurs. Companies pursuing dedicated cyber insurance policies should work with experienced coverage counsel and brokers to ensure that the policy purchased aligns with their risk exposure at the lowest possible cost.
Providing Notice After a Breach
You performed your due diligence, procured a cyber policy, and have now had a breach and must file a claim. At this point, one cannot overstate the importance of providing timely written notice of the claim. Cyber policies are commonly written on a “claims made” basis and any delay in providing notice of the claim may result in the complete forfeiture of coverage. Thus, the single most important action to take after a security breach occurs is to immediately notify the insurance company, even if the loss may not exceed any applicable self-insured retention.
Many cyber policies have significant self-insured retentions, and any costs incurred without the insurer’s knowledge of the claim or the insurer’s consent for vendors generally will not erode that retention. This makes it more difficult for the insured to meet the retention and begin collecting under the policy. It is worth noting, however, that some cyber policies have “approved vendors.” If the policyholder uses an approved vendor, the policy may not require immediate consent from the insurer in order to get the full value of the costs incurred, including eroding the retention.
In general, when timely notice and vendor approval are provided, cyber insurers appear to be covering claims. The main pressure point insureds are experiencing relates to what constitutes the “fix” for a cyber breach. Cyber insurers increasingly argue that the intent of the policies is to restore the insured back to its original position before the breach, from a cybersecurity perspective. However, policyholders argue that this is not a true fix because the company’s original position left it vulnerable to an attack in the first place. Thus, they argue, better security must be put in place to actually “remediate” the loss.
In addition, policyholders and insurers will often debate whether a system can even be put back into its original condition due to software and hardware obsolescence issues. Many insurers will account for this by including an endorsement that provides coverage for the “betterment” of security systems, but policyholders may have to be diligent during the policy placement stage and proactively ask for this endorsement to be added.
An Ever-Evolving Threat
Cyber insurance policies are crucial in the face of ever-increasing and evolving cyber threats and the shift to a work-from-home structure that has left some companies scrambling and exposed. These policies and corresponding claims can be difficult to navigate and should be closely reviewed, both during the underwriting/renewal process and the claims process, to ensure that any claims get paid for their maximum value.