For many organizations, it’s time to bite the bullet and start (or more likely, revisit) the conversation around the importance of cyber insurance. Questions may go a little like this: Do we need cyber insurance? What are examples of cyber insurance claims? What does cyber insurance not cover?
Even as cyber liability insurance has been established as a mainstay of the commercial insurance bundle, buyers still wonder exactly how it works. We’ll explore the traditional role cyber coverage plays in protecting your organization, as well as its newer evolution — and how the very definition of “cyber insurance” has changed. (Hello, proactive cybersecurity risk mitigation!).
A traditional, narrow definition of commercial cyber insurance goes something like this: a contract between an insurer and an organization that defines when and how much the insurer will pay the policyholder for costs stemming from a variety of cyber incidents, including cyberattacks such as data breaches, fraudulent funds transfers, and ransomware attacks that impact business operations.
If you want to think a little bigger picture, cyber insurance is risk transfer. Like any other kind of insurance, it is a transfer of risk from the policyholder to the insurer, up to a defined limit, in exchange for a fee (the premium paid by the policyholder). Cyber policies cover a variety of things that can happen via a policyholder’s IT system, like a fraudulent transfer of funds, or to a policyholder’s IT system, like damage that requires replacement of hardware. Those costs can be categorized as first party (direct losses accrued by the policyholder) or third party (losses that a third party — such as a policyholder’s customer — experienced as a result of the incident).
When buying insurance, whether it's your first time or your thousandth, two main considerations jumpstart the process: whether your organization needs dedicated cyber coverage at all, and, if so, how much coverage (and which coverages) it needs.
On the first question, consider general liability insurance, which wasn't written with cyber in mind. These policies typically contain no language that explicitly covers cybersecurity events, and where they address cyber at all, the coverage is limited. Without a dedicated cyber policy, your organization would largely bear the cost of a breach, a ransomware attack, or most other cyber incidents on its own.
If you decide the risk warrants the investment, the trickier question is how much coverage to buy. What level of coverage is adequate for your business, what is included in the policy, and what is sublimited or excluded all weigh on that decision.
We’ll be the first to admit that when it comes to cyber, the answers might not always feel so black and white. Technical terminology, fluctuating markets, and non-standard language can make it a challenging purchase. Working with seasoned brokers — people who really understand the market and cyber insurance trends — can make it less daunting, since they know exactly where to look for these coverage nuances.
With the looming reality of financial losses, reputational damage, and an increasingly all-encompassing digital landscape, getting the right coverage matters. According to the FBI's Internet Crime Report, losses from internet crime reported to the FBI reached $6.9 billion in 2021, up from $4.2 billion in 2020. Not exactly chump change. We can give you a general baseline of what to expect to help you get started, but the only way to know for certain is to read the policy language yourself.
Consider the big hitters: data breaches, business email compromise, ransomware, and social engineering. First-party coverage typically pays for ransom negotiation, digital forensics (to determine how the attacker got in and what was affected), restoration of systems and lost data, legal expenses (to assess breach-notification obligations and other legal liabilities), and business interruption (revenue lost while systems were down). In short, the costs your own organization incurs from a cyberattack or security breach.
When you handle client or consumer data, responsibility for protecting that data falls on you. Third-party liability covers costs that arise when your incident harms others and those clients or consumers seek to hold you at least partly responsible for the damages they incurred. This includes the cost of legal representation, settlements, regulatory fines and penalties (where they are insurable), and any court-ordered damages arising from the security incident.
We noted at the top that our first definition was the traditional one. As the market for cyber insurance developed, startup underwriters specializing in cyber policies and cybercrime coverage had room to think outside the box; with a new line of coverage, they weren't bound by tradition.
Now, several years into a boom in cyber insurance, the offerings available don’t start and stop at paying out cyber claims. It’s a new type of relationship between insurer and insured, where it’s not just about a risk transfer, but a proactive approach to cyber risk mitigation for an entire policy period.
How did this new definition come about? Briefly, cyber insurers first used new technology, such as external scanning of an applicant's internet-facing systems, to assess its security posture. They fed those findings into the underwriting process, and also used the data to explain to policyholders why they were (or weren't) offered particular coverage options or prices. Then, because responding to a cyber incident is complicated, insurers began acting as an expert guide or conduit, connecting policyholders with the right specialists (forensics, legal, negotiation) when a critical situation arose.
These earlier uses of technology and data bloomed into a fully-fledged product and service offering. Policyholders are proactively given access to data about their risk and cybersecurity mitigation advice to make them safer (and to make renewals easier).
Cyber insurance warrants far more engagement between policyholder and carrier than other lines of business, because the adversary is human and adaptive: as organizations improve their security posture and defenses, cyber criminals and other threat actors find new ways around them. Things move fast, so active outreach throughout the policy term is necessary. Whether it takes the form of vulnerability alerts, scans of the insured's public-facing web infrastructure, or a regularly updated platform tailored to the policyholder's cybersecurity needs, the relationship between carrier and policyholder has never mattered more in combating cyber attacks.
As everything went digital over the last decade (food delivery, taxi services, our entertainment), insurers felt pressure to follow suit; no one wants to be Blockbuster. But in the rush to put risk mitigation at our fingertips, one piece of the puzzle was easy to overlook: the expertise of insurance industry veterans. No line of business is as well positioned to be tech-savvy as cyber, but knowing what has worked in the past matters just as much. The secret sauce is knowing when to let smart insurance technology shine and where to let tradition continue.
At Corvus, the emphasis is on making the broker experience easier, not removing brokers from the picture altogether. Because the risk lives in the digital landscape, cyber has a natural advantage: there is a great deal of observable data in the wild that we can use to understand and price risk when underwriting cyber insurance. Once our data science experts have cleaned it up, those once-unstructured, novel, and unique sources of information drive our pricing models (allowing us to offer bindable quotes in minutes) and help us adjust our underwriting practices to stay nimble in the cyber insurance market.
At the end of the day, cyber is still rapidly evolving. Coverage wordings will change and new threats will unfold, but we can only keep getting better in our approach to mitigating and understanding cyber risk.
This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.