4 March 2020 | Insurance

The hidden cyber protection gaps

When people think about the insurance protection gap, cyber may not be the first area that comes to mind. But Stephanie Snyder, senior vice president and commercial strategy leader of Cyber Solutions at Aon, says cyber risk has “many tentacles” that affect less obvious areas such as M&A and pension funds. With insurance premiums facing upward pressure, she argues that better clarification is required from both businesses and insurers in assessing the evolving risks of cyber.

Clear and present danger

There’s no question that cyber attacks are on the rise, with ransomware incidents regularly hitting the headlines. Ransomware encrypts data and can render a company's IT system inoperable until a ransom is paid, causing business interruption losses and potential reputational damage.

“We expect to see $20 billion in losses resulting from ransomware attacks by next year,” Snyder tells Intelligent Insurer. She says that hospitals and companies where technology access is integral, which covers most organisations these days, are especially vulnerable to ransomware attacks. In 2017, the UK National Health Service (NHS) was hit by the ‘WannaCry’ ransomware attack, which reportedly cost the NHS £20 million during the week of the attack and an additional £72 million in cleanup and IT upgrades, according to Aon’s 2019 Cyber Security risk report, published in February 2019. Snyder warns that small and medium-sized companies may not be sophisticated enough to prevent ransomware attacks.

In the second half of 2019 there was a significant spike in ransomware losses when the average loss jumped from $500,000 to well over $1 million, according to Willis Towers Watson’s (WTW) report, ‘Insurance Marketplace Realities 2020 - Cyber risk’, published in November 2019.

Ransomware response firm Coveware says the average ransomware demand in the third quarter of 2019 rose to $41,198, which is triple the average demand seen in the first quarter of 2019.

The WTW report notes that as ransomware attacks become increasingly effective, with larger sums demanded, the cyber insurance rates needed to cover the attacks are facing upward pressure. “Primary and excess cyber renewals are now averaging premium increases in the 5 to 10 percent range,” the report says.

But there is hope for narrowing the cyber protection gap. Snyder believes the competitive nature of the cyber insurance market could act as a counterbalance against increasing losses. “Losses will drive overall performance and pricing but cyber coverage is still profitable and we will continue to see market entrants. These new players should help maintain competitive pricing,” she says.

Increased transparency

The lack of clarity in relation to the cyber risks businesses are exposed to and the need for greater transparency on what certain policies cover is an ongoing issue in the insurance market and something that has received increasing attention from both the Bank of England and Lloyd’s of London.

In July 2019, Lloyd’s recognised the need for affirmative cyber policies and issued a mandate designed to bring clarity to technology exposure that is covered under non-cyber specific policies. Underwriters are now required to ensure that their property damage policies specifically affirm or exclude cyber cover.

However, Snyder says: “There is a distinct lack of clarity and misinformation about cyber insurance. Cyber risk has so many tentacles and because technology is so vital for companies, it can be hard for them to understand what their actual cyber risk exposure is.”

"Silent" cyber risk and non-affirmative cyber policies with an absence of clarity around cyber-security leave businesses exposed because they lack the specialist insurance to protect themselves, she says. Companies are still relying on non-affirmative traditional property and casualty insurance, she adds, and while some of these policies have extensions for cyber, they are not extensive enough.

Research from US-based broker Gallagher, published in February 2020, further highlights the protection gap. It shows that less than 18 percent of businesses in the UK have a standalone cyber insurance policy because many believe traditional insurance will cover them. Many business owners buy a policy directly from an insurer without the advice of a broker, leaving them potentially unaware of the risks their business may be exposed to.

The inconsistent language of different carriers' cyber insurance policies is of concern, but Aon is pushing for markets to provide clarity in their policy language, Snyder explains.

“The market is definitely moving away from non-affirmative cyber cover but I think a specialist cyber insurance broker is needed to accurately address these issues.”

Everything stops

Business interruption continues to be an area of concern for underwriters, according to the report from WTW, which highlights the cyber insurance gap in aviation, manufacturing and transportation as particularly exposed sectors with increased underwriting scrutiny.

“Cyber underwriters are working more closely than ever with their counterparts in other lines. Cyber and property underwriters in particular are combining forces as carriers continue to expand their coverage offerings in business interruption. Given the experience and understanding of how business interruption losses play out, it is a natural pairing that should help cyber underwriters understand what they face in claim scenarios,” the report says.

Threats to M&A

During M&A, a cyber breach could have a significant impact on a business from both a reputational and financial standpoint. It is therefore crucial to consider cyber risk before capital is released, according to Snyder.

Aon’s 2020 cyber security risk report, published February 2020, points to a number of material risks that cyber threats pose to investors’ capital during M&A. These include customer data or intellectual property actively being sold on the dark web; historic data breaches; regulatory noncompliance; and the vulnerability of networks linking a number of different systems.

“M&A is a very active environment in insurance right now, but deals move so quickly that the purchasing company may not have an in-depth understanding of the target company’s cyber posture. It could therefore unintentionally purchase vulnerabilities. This is why I believe it is crucial to incorporate specialist cyber due diligence as part of the M&A process,” says Snyder.

Allianz’s risk barometer 2020, published January 2020, warns that the acquiring firm could be liable for any damage from incidents which pre-date a merger. In 2018, the Marriott Hotel chain announced that one of its reservation systems had been compromised. The breach was traced to an intrusion in 2014 at Starwood, a hotel group it acquired in 2016.

Pensions under attack

Less appreciated areas at risk of cyber attack are retirement plans and pension funds, according to Snyder. “Organisations hold false confidence in the security of retirement plan data. What’s more, these retirement funds contain vast sums of money and in the US a third party custodian holds these funds, raising questions on who bears the risk,” she explains.

In June 2016, a US municipality retirement plan with $3.6 billion in assets reported that $2.6 million was taken in the form of unapproved loans from 58 accounts. Participants' personal information was used to set up web profiles that allowed loans to be taken, according to Aon’s cyber security risk report 2020.

State actors

Growing geopolitical tensions in the Middle East and Gulf region are leading to concerns that nation states may leverage cyber attacks to target intellectual property and cause widespread disruption.

“Growing tensions in the Middle East have led to international shipping being targeted by spoofing attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware campaigns. Sophisticated attack techniques and malware may also be filtering down to cyber criminals while nation state involvement is providing increased funding to hackers. Even where companies are not directly targeted, state-backed cyber-attacks can cause collateral damage. In 2017 the NotPetya malware attack primarily targeted Ukraine but quickly spread around the world,” according to the Allianz Risk Barometer 2020. But Snyder says that while we are starting to see more sophisticated actors and hacking groups, there has not been a seismic loss, yet.

Overall, the increasing threat of cyber attacks in all forms is creating a dynamic shift in how businesses and insurers assess their risk. And, given that cyber risk was voted as the top peril facing companies according to Allianz Risk Barometer 2020, it is not a threat that is being taken lightly. Snyder says that, because of the weight of cyber risk, a degree of corporate social responsibility is now attached to it.

“I believe we will continue to see a transitional market with slight hardening of excess rates. There now needs to be a lot more consideration from companies in terms of their overall cyber security posture as well as more specific cover offerings from insurers,” she concludes.
