The cyber insurance market is currently undergoing the most significant transition since its inception as a line of business in the late 1990s. Over the past decade, demand for cyber insurance has grown steadily across all sectors, driven by a heightened awareness of cyber risk due to a continued uptick in cyber attacks and claims, wider adoption of technology and cloud resources, and new privacy regulations. In the past two years, ransomware attacks have had an adverse impact on the frequency and severity of cyber claims activity, resulting in the adoption of stricter underwriting standards and more discerning risk selection by insurance carriers.
Today, ransomware is the predominant cyber threat confronting businesses of all sizes and has emerged as a national security concern following high-profile attacks on critical infrastructure, including an oil pipeline, food processing and production facilities, and IT service providers. This has prompted the FBI and other government agencies, such as NIST and CISA, to issue best practices and recommendations for minimizing the impact of a ransomware attack on a company’s network. As a result, organizations that lack the security controls and processes considered crucial to mitigating ransomware loss may be unable to obtain cyber insurance at all, or may face severely restrictive coverage, terms and conditions.
Customers are taking note, as revealed in the 11th Annual Information Security and Cyber Risk Management Survey of corporate risk managers and insurance buyers released by Zurich North America and Advisen Ltd. They are concerned about the changing market and what it will mean for their renewal process. Risk managers are looking for coverage that protects their business at the right price, and they are also looking for solutions to mitigate their risk. With so many unknowns, they may find that the answers to business resilience are right in front of them in the form of risk mitigation.
Carriers are now scrutinizing the security posture of insureds more carefully, with a view toward adoption of certain critical security controls: regular and frequent backups, tested backup restoration procedures, multi-factor authentication and privileged access management, timely patching, and a robust incident response plan that includes ransomware-specific tabletop exercises. While a comprehensive, enterprise-wide strategy for IT and information security is ideal, the controls known to be most effective at mitigating the impact of a ransomware attack are now considered “table stakes” for receiving a cyber insurance policy without restrictions on coverage; such restrictions, including sublimits, coinsurance and exclusions, have gained traction in the current market environment.
Zurich’s Cyber Risk Engineering team has been a key resource in delivering risk insights to our underwriters, helping them make risk selection and pricing decisions based on an organization’s cyber maturity, as well as providing valuable consulting services to customers interested in improving their risk profile. As one of the first cyber insurance carriers with a dedicated in-house cyber risk engineering team to help underwriters and customers assess and improve an organization’s cyber posture, Zurich aims to advance our mutual goal of helping to avoid and reduce the impact of cyber claims and loss.
As we await possible action by Congress to enact federal cyber security legislation, cyber insurance carriers, Zurich included, are applying pressure on companies to implement stronger security practices as a condition of receiving insurance. This has the near-term effect of improving the cyber resilience of the thousands of companies that buy cyber insurance, and it raises awareness of the risk ransomware poses to an organization’s business and to the broader economy.