Ohio-based State Auto Property & Casualty Insurance denied National Ink & Stitch's claim for replacing its computer system following a ransomware attack in 2016.
Last week, U.S. District Court of Maryland Judge Stephanie Gallagher ruled (read the full filing below) in the embroidery and screen printing company's favor, even though its policy wasn't specific to cybersecurity.
National Ink & Stitch's policy covered electronic media and records, including software and electronic data processing. The company paid the ransom, but its systems lost "efficiency" and "ran slower," according to court documents.
The ruling in favor of National Ink & Stitch does not set a precedent for other cyber victims relying on traditional insurance policies. Ambiguity is a weak point of insurance. Traditional policies, such as property and general liability, fail to keep pace with emerging cyber risks.
Businesses relying on traditional policies for cyber coverage face disappointment. Cyber insurance policies are mission-critical to protecting the business bottom line as tension increases in the information security landscape.
Businesses relying on traditional insurance policies will have to fight for coverage they would otherwise be guaranteed under a cyber policy.
Cyber-specific policies "have continued to step up and cover cyber perils that the rest of the insurance marketplace has been reluctant to," Bob Parisi, U.S. cyber product leader at Marsh, told CIO Dive.
As cybersecurity risks mount, cyber insurance premiums are increasing too.
Cyber premiums can increase between 5% and 25%, reports Reuters. However, the industry expects steady price increases to flatten out. In Q4 2019, the average premium increased 3%, said Parisi.
While cost containment is a consideration for insurers, they have yet to scale back coverage, according to Reuters.
"I think insurance has been historically viewed as an easy button for most organizations. But as time passes and claims histories and circumstances are better understood and analyzed, we should naturally expect cyber insurers to evolve policies to optimize for their business," Chris Kennedy, CISO of AttackIQ, told CIO Dive.
Ransomware's place in insurance
Even though National Ink & Stitch enlisted the help of a security vendor following the incident, its systems remain vulnerable. The company claimed that its systems likely still had "dormant remnants" of the ransomware and could be "re-infect[ed]," according to the court document.
Insurers want clients to be proactive in cybersecurity. "Companies should now focus on resilience — being able to function and work through the perils they face on a daily basis," said Parisi. "That requires more than just more technology — it requires an awareness and understanding of the risk and nuanced approach to managing the risk, of which insurance is a part."
Ideally, insurance should be a second thought to cybersecurity and not the sole safety net of an organization. Insurers could view defensive technologies, such as breach and attack simulation, as a reason to reduce premiums, said Kennedy. But insurance policies shouldn't be viewed as "an easy button" in lieu of security.
Security organizations have to be prepared to answer questions for insurers:
- Where is the greatest risk?
- What protective services are in place?
- What does response look like in light of an event?
- How will the business and insurer collaborate during recovery?
In reaction to potential losses, insurers are revamping how they underwrite policies, which could make them less forgiving in terms of a client's security hygiene, said Kennedy. "If, through cost modeling, cyber insurers can drive the company to improve security, the probability of claim goes way down."
With cyber insurance policies on hand, businesses are more willing to pay their ransom and get back to business.
"Ransomware attacks are moving from smash and grab to targeted," said Kennedy. With that in mind, while insurers have "carried some of this burden historically, I suspect that insurers are now looking for ways to limit this claim cost."
For context, it costs about $8 million and takes 287 days to recover from a ransomware attack across industries, according to Emsisoft.
Even though ransomware is a growing and threatening trend, "I don't think insurers forecast the growing success of ransomware," said Kennedy. "I think cyber insurance is historically a bit of a windfall product that is evolving into more of a loss leader based on breach trends."
Limits of traditional policies
Target's 2013 data breach cost $292 million. About $90 million was offset by its cyber insurance.
Without a cyber-specific policy, other victims of cyberattacks might have to fight for their payout.
Mondelez is still fighting its insurance provider Zurich on recovery costs following NotPetya-related damages in 2017. Like National Ink & Stitch, Mondelez didn't have a cyber-specific policy. Zurich maintains that the cyber terrorism clause of its property policy excludes losses incurred from cyberattacks.
Insurers have to clearly articulate what is an insurable event, such as whether "ransomware derived from state-sponsored actors is considered an act of war," said Kennedy.
Cases such as Mondelez and National Ink & Stitch will encourage businesses to reevaluate existing policies. Only 16% of organizations say cyber insurance meets all of their needs, according to data from Marsh and Microsoft. Nearly one-third of organizations don't know.
"No client that Marsh works with views cyber insurance as an alternative to solid policies and protocols to address cyber risk," said Parisi. "We have seen a movement amongst traditional insurers to remove non-affirmative, aka silent, cyber risk from their insurance products."
Traditional coverage and insurers are distancing themselves from "providing coverage for cyber risk that can't be linked to physical perils," Parisi said.