It’s become almost a cliche to say it, but the fact remains: cyber risks change rapidly. New vulnerabilities emerge, new attack types come into fashion, and IT systems constantly grow and mutate within organizations.
This makes it a distinct challenge for everyone in insurance, from brokers to underwriters to reinsurers, to figure out the best approach to analyzing, mitigating, and insuring cyber risk. The best we can do is recognize trends as they develop, and work to predict and prepare for what’s to come -- that’s why we gathered some thoughts from insurance and cybersecurity veterans, from Corvus and elsewhere, and shared where they see trends moving in cyber in 2020.
Prediction #1: Ransomware Will Menace More Industries and Smaller Organizations
Could we start the list with any other topic? Ransomware ruled the headlines in cybersecurity in 2019. To many in insurance, it felt like the sudden onset of an attacking style that, while not new, had never been so prevalent. In 2020, there are no signs of the threat being reined in.
John Farley, Managing Director of the Cyber Liability practice at Gallagher, sees the lay of the land this way:
“In 2019 we saw cyber criminals use ransomware to expand their attack surface to a wide range of industries. Ransomware attacks impacted hospitals who could not efficiently treat patients, municipalities were unable to provide important public services, manufacturers halted production and schools closed their doors. Ransom payments reached multi-six figure amounts which was unthinkable just a few years ago. This has proven to be a lucrative business for hackers, and for that reason I expect it to persist in 2020.”
Security expert and Co-Founder of SideChannelSec, Brian Haugli, adds that he foresees an expansion of ransomware attacks “specifically into companies and organizations lower in the supply chains.” He advises brokers working in cyber liability to:
“Keep an eye on more local governments, smaller healthcare providers, such as dentists, doctors, nursing homes, and other professional practices -- these all have less mature security and high reliance on their data being available, which makes them prime targets for hackers to push ransomware and expect a payout.”
With an increase in activity, expect organizations to ramp up efforts to mitigate the impact of ransomware. Mike Karbassi, Corvus Head of Cyber Underwriting, says he expects organizations to establish processes to “more frequently back up sensitive data stored on their servers, create network redundancy, and regularly patch out-of-date software.” He also believes:
“We’ll continue to see the uptake of cyber liability policies, particularly as existing policyholders look for more sophisticated coverage that ensures the best defense for ransomware. Organizations will seek more comprehensive cyber insurance policies that indemnify the organization for first party losses and third party claims stemming from a cyber extortion threat.”
Prediction #2: Carriers (and Brokers) Will Finally Be Forced to Reckon With “Silent Cyber”
2019 was the year that the rubber met the road in the response to “Silent Cyber” risk, the name given to the lack of clarity around coverage for cyber-related losses in policies like Property or General Liability. Largely thanks to pressure from the Prudential Regulation Authority, insurers including Allianz, IG, and Lloyd’s of London announced new initiatives to segregate Cyber Risk from unintentional inclusion in Property and Cargo policies, effective on the first of January, 2020. With some exceptions, that means cyber is excluded from coverage in those policies. Phil Edmundson, our Founder and CEO at Corvus, notes that “Brokers are pushing back, negotiating exceptions to the exclusions and the battle is expected to continue on into the new year.”
Reinsurers of Cyber Risk, in the meantime, remain focused on the aggregation of risk. This anxiety is particularly pronounced around Business Interruption and Contingent Business Interruption coverage on Cyber Insurance policies. This coverage remains available, often to full policy limits, from several larger Cyber insurers including Corvus.
“Market response to this anxiety will depend mostly upon the next headline. One or two major Business Interruption losses will lead to action from major insurers in the form of higher premium, more detailed underwriting, and a return to sublimits by insurers that are unable to evaluate Cyber Risk digitally.”
John Farley of Gallagher says that, given the new requirements for clarity imposed on Lloyd’s underwriters through 2020 and 2021, he “expects U.S. regulators and the markets they oversee to follow Europe’s lead into 2020 as well.”
Expect to see more cyber exclusions, and expect the debates about coverage to continue.
Prediction #3: CCPA Is Just the Start: Privacy Regulations Will Expand and Gain Political Momentum in the U.S.
John Farley of Gallagher says that his team will “continue to watch data privacy regulation” in 2020 and that the CCPA “may pose challenges to companies that fall victim to hackers.”
As John explains:
“[CCPA] allows affected individuals to pursue a private right of action against organizations without having to prove harm occurred. I see that as a game changer, and it could sway the advantage to the plaintiff’s bar as these matters are litigated. CCPA paves the way for plaintiffs to collect statutory damages of $100 to $750 per affected individual, which could lead to a material impact to bottom line figures when data breach claims affect a significant number of people.”
And Californians aren’t the only ones who may be on the receiving end of privacy law. Stu Panensky, a Partner at FisherBroyles LLP and litigator focused on cyber risk, says he believes:
“The CCPA is a harbinger of the way a lot of laws are going to start to be passed in other states...to the extent that you self analyze and say ‘well I don’t meet those fundamental thresholds or I don’t really do business in California or with California consumers,’ I would still be mindful of the spirit of the CCPA.”
John Farley agrees, saying that “other states will likely follow California with similar regulation, which will compound compliance requirements and the potential for increased litigation and settlements.”