The average cost for a ransomware cyber claim is $229,000, according to the 2018 NetDiligence® Cyber Claims Study—and the number of cyber claims involving data breaches from ransomware has increased a whopping 9,000% since the study’s inception in 2011.
Last year’s analysis of over 1,200 cyber claims found that criminal activity in general continues to grow, making up 80% of claims for incidents that occurred in 2013-2017. Ransomware is now a top cause of cyber loss at 15% of claims, along with hackers (21%), malware and virus (11%), and lost or stolen devices (9%).
And the insurance industry is taking notice. Although coverage for ransomware—a type of cyberattack in which an adversary takes data hostage by encrypting files or servers until the victim pays a ransom—was not commonplace five years ago, “most carriers are covering social engineering and ransomware these days,” says Ted Richmond, director, Royal Group Services Limited, LLC cyber insurance program managers. “It’s not an add-on anymore—everybody’s getting it.”
And at significantly higher limits than in the past: “Even though ransomware makes up a significant portion of cyber claims, the dollar amount for those claims is not bankrupting carriers per se,” Richmond explains. “When you have a social engineering hit, it’s $50-100,000, sometimes $500,000. But a lot of these ransomware claims are coming in under $25,000.”
Broadening coverage is how most cyber carriers are choosing to claw for business in a market that’s getting more competitive every year. “Capacity in cyber is up, which means there’s a lot of pressure to drive rates down,” says Shawn Ram, head of insurance at Coalition. But rates can only get so low, he notes: “As a result of this increased capacity and, frankly, increased demand, what we’re seeing is coverage improving in cyber more than it has in the past.”
“Demand” refers to not only awareness of the importance of cyber coverage, but also an increased interest in quality protection. Brian Thornton, president of ProWriters, points out that since his company launched an underwriting platform that rates six cyber carriers side by side, providing an overview of limit, deductible, price and more, “what we’ve started to see is that at least 75% of the time, clients are going with one of the two broadest options regardless of price. We’re seeing much more of a focus on coverage.”
In addition to ransomware, coverage for social engineering has gained traction in recent years, with carriers not only offering higher limits but also “extending coverage to things like client funds or funds in your care, custody and control, whereas in the past it only applied to your own funds,” Thornton explains, “or even things outside of money.”
For example, “what about a scenario where someone’s tricked into shipping a bunch of servers of a tremendous value to a client, and it turns out they didn’t go to the client?” Thornton points out. “That’s not necessarily money or securities, but we’re seeing criminals get trickier, and carriers are adapting to start to cover some of those risks.”
Over the past two years in particular, Thornton has seen cyber coverage evolve to include elements like not only ransomware and social engineering, but even bodily injury, property damage, dependent business interruption, and systems failure, “which are not the focus of the entire policy, but certainly relevant value-adds carriers are throwing in.”
Dependent business interruption, also known as contingent business interruption, would apply in a situation where something happens to a third-party business that renders it unable to provide a service which the insured relies on for business operations.
“That’s becoming a more common coverage,” says Richmond, who also points to extended business interruption as an up-and-coming cyber coverage to watch. In that scenario, “you’ve had a breach, you had a business interruption claim, you’ve now recovered from that and you’re back in business, but customers may not be coming back because of reputational damage.”
Similarly, Ram says there’s a growing trend around systems failure coverage. “If you’re using a cloud provider to provide services associated with managing logistics and supply chain, contingent business interruption coverage would provide coverage for when that cloud provider goes down due to security failure and you lose revenue because of it,” he explains. “But what happens if the cloud provider decides to proactively turn down their services? They didn’t have a security failure—they actually made the decision to shut down their services, or they accidentally shut down their service. That coverage is going to be a lot more prominent going forward than it has been in the past.”
Finally, because of privacy regulations like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018, Ram predicts “a dramatic shift is about to happen,” since the GDPR allows EU regulators to issue a fine or penalty that does not stem from a security breach.
“Many cyber policies have always covered regulatory fines or penalties, but one nuance that’s occurring is that someone could simply not comply with GDPR and receive a fine or penalty,” Ram cautions. “The trigger for most cyber-related events is the security failure—you’ve had a breach. Coverages to facilitate this concept of ‘failure to comply’ are starting to expand in the marketplace.”
Jacquelyn Connelly is former IA senior editor.