Cybersecurity continues to rank high on the list of concerns facing executives. The insurance industry has seen an influx in the number of claims over the last ten years with the largest spike during the pandemic. The increase in claims during that time, as well as the increasing sophistication of attacks, caused the cyber insurance market, as a whole, to become very unprofitable. Insurance companies quickly pivoted from needing little to no information in order to issue a cyber liability policy, to requiring lengthy, often confusing, applications in order to qualify for coverage. If coverage was available, many companies faced significant premium increases. The good news is that, with the increase level of security at an insured level, the cyber insurance industry has started to stabilize. While the number of attacks has declined from the peak we saw in 2020 -2021, cyber attacks are still very prevalent and can be devastating to a business if unprepared. It is important to remain focused on the evolving risk. Here are some of the trends we saw in 2023:
Industries Affected: According to both Chubb, one of the largest writers of Cybersecurity in the world, and Kroll, a leading cybersecurity firm, Professional Services remain the top industry to face cyber incidents. This is not surprising given the type of information processed and stored within these networks. Behind professional services, manufacturers, financial institutions, healthcare and technology sectors round out the top five industries affected.
Most Common Attacks- Email compromise tops the list for threat incidents in 2023 according to the same Kroll report. Threat actors will gain access to an email account and then use it to impersonate key personnel with the motive of defrauding the company’s employees, customers or business partners. These attacks continue to evolve with the improvements in technology like AI. Not only are threat actors using emails to impersonate others, but technology now exists to allow these attackers the capability to create realistic audio and or video to deceive others. This only amplifies the need for continuous employee training.
Evolution in Ransomware- Ransomware continues to be a common form of attack, but a new version called Ransomware Denial of Service (RDoS) has emerged. Traditional ransomware attacks would attempt to encrypt a company’s data rendering it inaccessible until ransom is paid. Fortunately, technology has improved and backups are able to more protected. RDoS instead, makes a service or network resource unusable until a ransom is paid. This is typically done through flooding the site with traffic until it is unusable. Similarly, some threat actors will threaten to release data to clients or customers until certain payment demands are met.
Coverage Restrictions– Each cyber policy is a contract with a unique set of conditions. A business must understand the limitations of the policy. We are starting to see more exclusions around failure to maintain security measures, catastrophic events that affect the key cloud servers, and vague War and Terrorism exclusions which could cause problems in the event of a claim arising out of a nation state attack. Insurance companies are challenged with actuarially planning for risk that is constantly changing.
Increase in Contractual Requirements- The surge in contractual demands for cyber insurance, coupled with heightened expectations for robust mitigation measures, underscores the escalating significance of cyber risk in the contemporary business landscape. Noteworthy among these requirements is the SEC’s recent implementation of cyber incident rules, signaling a broader acknowledgment and emphasis on the critical importance of maintaining a robust cyber security program.
Even with the vast improvements many companies made over the last five years, this risk is evolving quickly, and it should remain a key focus in your risk management program. We always recommend clients engage with qualified cyber security consultants to continually analyze opportunities to improve network security. Employee training will also be critical to limiting exposure. Finally, understand that not all cyber policies are created equal therefore, you should partner with a broker who understands your business and the market.