In our Q1 2021 whitepaper entitled “The Evolution of the Cyber Insurance Market: Welcome to the Teenage Years” we discussed the similarities between navigating the cyber marketplace and parenting a teenager. This comparison struck a chord with many in the insurance community, as the response from the media, carriers, and our retail agency partners has been overwhelming. The search for identity, the irrational behavior, the increasing costs, the need for boundaries – the parallels are definitely there, and these continue even more so as we enter the third quarter.
There are many words to describe the state of the market at this point, many of which contain four letters and special ch@r@c+er$ to make them suitable for print, but we are also witnessing a maturation process that is needed to ensure the long-term viability of cyber insurance coverage offerings. Changes in underwriting requirements are coming very, very quickly.
MFA or the Highway
If there is one acronym that agents and brokers selling cyber insurance need to familiarize themselves with right now, it is MFA. I like how the National Institute of Standards and Technology (NIST) explains MFA in simple terms: “MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.”
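As an added illustration of the NIST rule quoted above (example code written for this update, not from the whitepaper or from NIST): a login check that refuses to treat two "something you know" factors as MFA, and implements the "something you have" factor as an RFC 6238 time-based one-time password. The factor-type names, the `login()` helper and the sample password are this example's own; the secret is the RFC's published test key, so the one-time codes it produces are the RFC's reference values.

```python
import hashlib
import hmac
import struct
import time

# NIST's three credential categories. The factor-type names on the left are
# this example's own labels, not a standard's.
CATEGORY = {
    "password": "know", "pin": "know",
    "totp": "have", "smart_card": "have",
    "fingerprint": "are",
}

# RFC 4226 / RFC 6238 reference test secret (published in the RFCs).
RFC_TEST_SECRET = b"12345678901234567890"


def is_multi_factor(factor_types):
    """True only if the presented factors span at least two NIST categories."""
    return len({CATEGORY[f] for f in factor_types}) >= 2


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1) over a 30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, counter=None, window: int = 1) -> bool:
    """Accept the code for the current step and one step either side (clock drift)."""
    if counter is None:
        counter = int(time.time()) // 30
    return any(hmac.compare_digest(totp(secret, counter + d), code)
               for d in range(-window, window + 1))


def login(presented, stored_password, totp_secret, counter=None):
    """presented: {factor_type: value}. Returns (accepted, reason).

    Rejects before checking any value if the factors are all from one category,
    which is exactly the "two passwords are not MFA" case in the NIST text.
    (A real system stores a salted password hash, not the password itself.)"""
    if not is_multi_factor(presented):
        return False, "factors do not span two categories"
    checks = {
        "password": lambda v: hmac.compare_digest(v, stored_password),
        "totp": lambda v: verify_totp(totp_secret, v, counter),
    }
    for ftype, value in presented.items():
        check = checks.get(ftype)
        if check is None or not check(value):
            return False, f"{ftype} check failed"
    return True, "ok"
```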
As of this writing, nearly all insurers are now requiring, or will soon be requiring, MFA to be in place for remote access to all sensitive information in order to qualify for a cyber insurance policy – new or renewal. This includes the carriers on the RPSSmallBusiness.com portal.
While this represents a change in requirements from insurers, and could mean an additional burden of process and cost for thousands of insureds, the path to implementing MFA is not as complicated, or as expensive, as many would think. In fact, in many cases the software platforms already in use by insureds have an MFA component available at no cost. For those that do not, it is possible to implement MFA for as little as $3.00 per employee per month. To put this into context, the average SME insured could drastically improve its ability to thwart ransomware attacks by implementing MFA for less than the cost of the deductible on its cyber insurance policy. For a business with 10 employees, this translates to $360 per year. They spend more than this on coffee.
While no single IT security process, patch or software product is a silver bullet for preventing 100% of cyberattacks, insurers have identified MFA as being among the most effective risk management tools for preventing ransomware attacks. Research from both Microsoft and Google suggests that MFA can block over 99% of account compromise attacks. Hence the requirement from virtually every insurer. Insurers that do not require MFA are instead utilizing scanning technologies and in-depth underwriting to determine whether insureds have compensating controls in place that make them insurable in today’s environment. They are also looking for additional foundations of cyber hygiene, such as Endpoint Detection and Response (EDR), solid backup procedures that segregate or “air gap” backups of critical and sensitive data from the primary network (e.g. in the cloud), and regular employee training that includes phishing simulations.
The challenge: reports suggest that only 57% of global businesses are using MFA today. The bottom line is that in order to make cyber insurance available, insurers need to know their insureds are taking deliberate, meaningful steps to protect their systems. MFA is now to cyber insurance what sprinkler systems are to commercial property insurance: a must-have.
Carriers’ Changing Appetites
Public Entity and Education are still among the most difficult classes for cyber coverage placement. If MFA is not in place, these renewals are generally not finding coverage.
A good example of how the market is playing out for public entities: a large county was set to renew its $125M cyber tower on 7/1/21. The renewal process began approximately 5 months prior to July. After an extensive marketing effort involving more than 50 carriers (the county was too large for many markets to even approach), the insured was able to obtain $10M in limits. The pricing on that $10M program was nearing what it had previously paid for $125M in coverage in the prior term. And this was a county with excellent loss control procedures in place.
The well-documented increase in the frequency and severity of ransomware attacks is also leading to significant pull-backs on dependent business interruption coverage. Our customers’ suppliers cannot themselves be underwritten, so carriers that once offered full policy limits with no questions asked are now diving deeper – both with respect to dependent providers of IT services and with respect to dependent providers representing other parts of the supply chain.
We noticed a marked change after the May 2021 Colonial Pipeline attack. Underwriters want to gain a better understanding of an insured’s exposure to single-source supply chain providers. This insurer trepidation was further exacerbated by the Kaseya ransomware attack that took place in the first week of July. This mode of attack is of particular concern because the attackers were able to use a managed service provider as a means of delivering ransomware to its customers, rather than that provider protecting them.
The ripple effect is not yet known as of this writing, but the markets are watching closely and it has created a decidedly different tone in conversations with underwriters. Supplemental applications dedicated to this aggregate risk exposure are now being distributed on renewals and it is not uncommon to see dependent BI excluded or significantly sub-limited when the exposure is deemed to be too great. Given recent events, this will only increase.
Cyber Capacity Concerns
Perhaps the most concerning trend we are seeing is significant restriction of available capacity. Cyber insurers are implementing aggressive de-risking strategies in an effort to reduce their exposure to catastrophic loss. $10M primary layers are becoming scarce. Instead, towers are more frequently built in $5M (or smaller) layers, with quota sharing and other means of spreading risk becoming commonplace. At Lloyd’s specifically, which has long been a pioneer in the cyber insurance space, markets that take significant rate on their books run the risk of surpassing their maximum allowable written premium thresholds.
As a result, the underwriting process becomes more onerous, and the urgency for carriers to write new business has waned significantly. They don’t need new business, they simply need the right business, and premiums are growing just fine on their own. In the first week of July, announcements from several cyber markets contained urgent notices: sub-limits or exclusions for Cyber Extortion (ransomware), lower ceilings on insured revenue size, major capacity restrictions, an inability to continue writing new business, and even the pulling of existing quotes and binders. It is a new day in the cyber insurance world, and while the changes are fast and punitive, they are necessary. The loss performance in this sector needs to improve in order for this capacity crisis to self-correct. It is no longer a buyer’s game.
The old argument of “How can our premium increase 70% when we’ve had seven years of loss-free performance?” doesn’t hold water any longer. Why? Because ransomware moved the goal posts.
The original cyber policies were modeled to address the risk of data breach – the unauthorized release of confidential information. When the prize moved from monetizing that data on the dark web to extorting companies by restricting access to their systems, everything changed. So, unlike many long-standing insurance policy types such as property, general liability and commercial auto, whose fundamental risk factors rarely change, cyber is a different beast. It is changing constantly, and as a relatively young product, its maturation process is occurring before our eyes at light speed.
It was recently announced that seven cyber insurers have joined forces to create CyberAcuView, a company whose mission will be “to pool their data and expertise and take collective efforts to enhance cyber risk mitigation efforts across the insurance industry” [1]. AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance and Travelers will collaborate to “compile and analyze cyber-related data to enhance value and service to policyholders and help insurers sustain a competitive market for cyber insurance.”
Because the offense-focused nature of cyber risk is ever-evolving, the defense needs to utilize every tool at its disposal to keep up. Collaboration such as this, whether in the insurer community, the IT industry, the legal community or government, will be necessary, and we see these as very positive developments. Information sharing will be key, and businesses should benefit greatly from these discussions.
Another interesting development on the horizon will be the increased integration of specific cyber defense software as a requirement to qualify for insurance. This goes beyond simply requiring MFA and looks more like this: “Download our cyber software suite if you want coverage from us.”
Many of the insurtechs that have entered the market in the last five years have done great things to move the ball forward with respect to cyber intelligence and more sophisticated underwriting. This development will take things to the next level – moving beyond underwriting questions and scans into fully integrated software and insurance bundles. This has the potential to bring both great promise and great risk if not done correctly. From a loss ratio perspective, having a 24/7 read on clients’ network defenses sounds good, as these insurers will know exactly who is better protected and who is not. However, what happens when a claim occurs, and the attack came in via the one endpoint that was not protected? Time will tell how questions like this are answered, but the general consensus is this: in order to thwart attackers who are increasingly using A.I. to execute their crimes, real-time A.I.-driven defenses will have to be in place, and the insurance community needs to be closer to the action.
If you take away only one thing from this update, understand this: the next cyber insurance renewal, for your next client, won’t be anything like last year’s. Your client will need MFA in place for remote access to their systems. These are the new table stakes. And MFA is only the start. It will be an interesting, yet difficult, journey over the next year. I can think of no better team in the business to help guide you along the way than RPS.