Cyber Underwriting Changes: Is It Too Little, Too Late?

With primary rate changes approaching 50% and underwriting questions about network controls becoming more and more detailed, cyber insurers and reinsurers are reacting to an onslaught of ransomware attacks against policyholders and prospects.

But are the actions enough to keep ahead of the bad guys? Did they react too slowly?

Questions about the adequacy of underwriting actions came up more than once at industry conferences this year. At the Casualty Actuarial Society Seminar on Reinsurance, Brad Gow, global cyber product leader for Sompo International, revealed just how far ahead threat attackers have moved.

“During their reconnaissance phase, they began to rift through the financial files looking for cyber insurance information [to] identify how much in limits was potentially available,” he reported as he described an escalation in the frequency and severity of ransomware attacks that once focused on target companies with roughly $200 million and are now zeroing in on businesses with $1 billion or more in revenue. “We saw this happening. That changed the game. That sudden increase in severity along with the unchecked frequencies of these attacks really forced underwriting teams and carriers to respond,” he said.

Gow spoke after Alexander Podmore, assistant vice president and cyber underwriter for Swiss Re, serving as moderator of the CAS conference session, reviewed the history of cyber coverage from its beginnings in the late 1990s — when the coverage took the form of extensions on professional lines policies covering Internet security liability, online media liability and errors in data processing — to the standalone policies available today. He reviewed product developments in the 2000 and 2010 decades that saw third-party coverages expand to cover regulatory defense and fines and penalties related to violations of emerging data protection regulations and first-party coverages put in place, emphasizing service offerings for breach notifications and credit monitoring. Later additions to first-party coverages included business interruption and extortion as a consequence of ransomware, as well as costs of data restoration.

“How has the market responded to this ransomware epidemic that we’ve seen?” Podmore asked Gow in the wake of news about ransom attacks on CNA, Colonial Pipeline and JBS, a meat producer.

Slowly, Gow said.

For so long, cyber portfolios were generally profitable, he said, referring to experience throughout much of the history of the coverage from 1997 through 2018. “And you had underwriting teams, many of which had seen nothing but a soft market — and many, many of which were in simply market share mode looking to grow their cyber books as quickly as they could. Then ransomware snuck up on us,” he said, noting that Sompo International saw its first multimillion-dollar ransomware event in the second quarter of 2019.

“It certainly surprised us,” he said, noting the carriers saw an uptick in ransomware activity through the balance of that year and into the beginning of 2020. “We, like the rest of the market, having seen this as a consistently profitable line, took a wait-and-see attitude” as the activity picked up steam. “It was certainly a concern, and we certainly understood the implications, but nobody was making any moves. No one was restricting coverage or doing anything material other than possibly asking for single-digit rate increases for renewal business.”

According to Gow, the game changed midyear last year. “The bad guys began more and more to exfiltrate data along with doing the network encryption.” This meant that companies with the ability to restore their own networks from backups could still be threatened by the release of this stolen information. At the same time, threat actors also began going after the larger targets. “That sudden increase in severity along with the unchecked frequencies of these attacks really forced underwriting teams and carriers to respond,” he said.

Insurance market responses have included changes in risk selection, decreased line sizes, sublimits for ransomware claims and more, Gow and others reported.

“Municipalities and law firms have historically weak network security environments that can be exploited,” Gow said, speaking to the risk selection changes.

Speaking at a separate event, S&P Global Ratings 37th Annual Insurance Conference, Turab Hussain, chief risk and actuarial officer for PartnerRe, weighed in on the line size changes. “10 is the new 25,” he said. In other words, “Companies that have been historically putting out primaries [primary limits] of $25 million are now talking about $10 [million],” he reported. “Towers can still be built, [but] it’s going to require more carriers to build them. The layers are going to be smaller.”

At the CAS meeting, Gow said, “In many cases, $10 million limits come down to $5 [million].” If an insured is hit with ransomware, that often “ends up being a limits loss” for the insurer. “So, limits management is a key way for carriers to protect themselves,” he said.

Describing the progression of cyber insurance rate hikes, Gow said they began with slight increases toward the end of last year, moving up to approach double digits around the time of 1/1 renewals.

“Now, I think we’re looking at closer to 30% to 50%,” he said, also noting that while some carriers tried to impose sublimits for ransomware events or coinsurance participations by insureds as a condition of coverage, “we don’t see that sticking.”

Rate Is Not the Only Answer

Annamaria Landaverde, senior vice president and cyber practice lead for the Reinsurance Division of Munich Re, US, confirmed Gow’s description of pricing trends. In early 2020, “we saw the single-digit rate increases and we were thinking, ‘Great, we’re getting some rate increase.’ But what we found was it was just not enough.

And as the year progressed, those rates astronomically changed by November and December and at a pace that no one was really expecting.”

“We probably ended 2020 somewhere in the 20% range. … Then we entered 2021. And the big question that everyone had on their minds was, ‘Did we get enough rate and is ransomware going to quiet down?’ And we saw all of a sudden this new type of event that could potentially lead to some systemic losses,” she said, referring to an early March attack in which hackers exploited vulnerabilities in Microsoft’s widely used Exchange business email software, and the hacking of U.S. software maker SolarWinds, which compromised nine federal agencies and hundreds of private sector companies late last year. “All of a sudden, we needed to underwrite to ransomware plus systemic events plus whatever is coming next. And the rate change that we’re seeing now is 30% plus,” she said, reporting, however, that there is some variation in that figure between primary writers and excess writers, in rates for SME vs. large risks, and also among those that write tech E&O vs. standalone cyber.

The rate levels are likely to continue to increase throughout 2021, she believes. “I can’t speak to next year yet, but I’ve been in this market for 17 years, and one thing I’ve learned is that sometimes this market has a short memory. So, I do think that eventually those rates will level off. We won’t see the 30% for years and years. … But once those rates flatten, underwriting actions [now] being taken [that] focus on the security controls of these organizations need to be front and center of that underwriting process,” she stressed. “That can’t go away.”

“Rate is not the answer — or not the only answer,” Gow agreed. “We have seen many cases where three weeks into a $23,000 premium account policy term, we get hit with a ransomware attack and see ourselves with a $2 million loss. An extra 10% or 15% of premium does not solve that problem. … It all comes down to controls and assisting our insureds to improve their network environments,” he said, opining that more rigorous underwriting is the most important change that cyber insurers have made.

“The industry has gotten very serious about underwriting to compensating controls, network security controls. That’s really the future. Two years ago, we were not asking detailed questions around the flavor of endpoint protection that’s being used or the degree to which RDP [remote desktop protocol] ports are being secured, technologies used for backup. Now we are.”

“That’s extremely necessary,” he added. “Given the importance of the coverage in this ransomware environment, I think that’s one area where the insurance industry can really add value in terms of driving baseline insurability or baseline standards for eligibility to purchase cyber insurance.”

At a separate session of the CAS Seminar on Reinsurance, Conan Ward, president and general manager of RibiQon Risk and Insurance Services/RubiQon Re, a managing general agency subsidiary of QOMPLX (an intelligent decision platform provider), also stressed the need for deeper underwriting to look inside client networks — and the need for risk management services.

Cyber insurance, Ward said, is “the most challenging line of business the industry has ever faced. The losses themselves are not fortuitous. There’s an intelligent agent involved who’s actively trying to breach a network that is designed by its nature to have open access, or otherwise be useless.”

Faced with the challenge, “the industry’s focus heretofore has really been on windows and doors, and we need to be looking more inside the networks of our clients — and really taking more of a joint risk management, insurance-driven approach [like] we’ve done for technical risks in the property sector,” he said, noting, for example, the risk-managed approach that insurers take when providing boiler and machinery coverage.

“I don’t agree that shortening our limits for ransomware is really the approach. Ransomware is a symptom to a broader problem. The broader problem is networks are fundamentally insecure, and if you don’t have detection technology inside that network, you’re going to continue to see some of the same issues that you see now,” Ward said.

Landaverde also drew parallels to the property market in describing needed cyber insurance underwriting changes, as well as positive trends of bundling pre-breach service offerings with insurance for clients to improve their cybersecurity postures.

“When you think about how a sprinkler system is mandatory in order to get homeowners insurance, then we, as a cyber market, need to determine if the minimum requirement for cyber insurance is closed RDPs? Is it multifactor authentication? What are those requirements?

“We need to analyze the data that we’re getting in order to be able to determine what those requirements will be going forward,” she said.

Now We’re Getting Data. What Do We Do With It?

“We were getting to a point in this market where there was almost zero-question underwriting for pretty sizable risks,” said Landaverde. “That type of underwriting needs to go away,” she said, also stressing the point that as insurers start probing deeper and asking question about RDP ports and about whether insureds have MFA across the breadth of their organizations, they need to do something with it. “Let’s take the answers to those questions and tie them to the outcome for each of those individual risks. Were they able to respond to a breach or avoid a breach altogether? Let’s try to find those connections.”

The fact that the cyber insurance market “doesn’t have enough data” to support actuarial pricing has been a frequent lament over the short history of the line — and the newness of the product was one contributing factor, according to Norman Niami, vice president and actuary for the APCIA. In addition, claims trends continually shift in terms of the types of targets being attacked and attack types. “It’s literally changing almost every week or every month,” he said, going on to list other data challenges.

“Standardization of the data is also a challenge” because of policy variations, especially for larger risks, he continued, adding that carrier-specific data is often inadequate. “As of a couple of years ago, a handful of claims would literally drive the whole experience for a company. You might have thousands of claims, but literally a handful of them drive the whole claims experience.” In addition, he noted that some of the larger targets that grab headlines are not insured, making their data unavailable to insurers.

Niami went on to talk about differences of opinion relating to the appropriate exposure basis for cyber coverage. He noted that some say it should vary by industry and the various components of coverage should have different exposure bases ranging from number of end points, number of employees, number of devices and number of customers, while other carriers use revenue across the board or policy limits.

More positive trends moving in the direction of price adequacy have been the development of cyber catastrophe modeling and discussions of public and private working groups to pool anonymized incident data from various stakeholders to feed into models, he said. And such discussions may be on a faster track now, with the most recent ransomware attacks in the U.S. drawing the attention of government officials. “The government has started framing the issues as a matter of national and global security,” Niami said, suggesting that the result could be opening access to more data.

Picking up on the theme of government attention, Gow said: “It’s kind of humorous to see legislators in Washington holding companies to task for actually paying ransom. [And] it’s infuriating that we’ve got these criminal gangs operating outside of the reach of our law enforcement, and with the tacit approval of the leaders in the nations in which they reside, including Russia. … I hear talk of a whole-of-government approach and public-private partnerships. … The right noises are being made, but we’ll have to see what ultimately comes of it,” he said.

Niami suggested a government role in forcing upgrades in the technology infrastructure forward. “The technology is not up to snuff, especially for industrial manufacturing. [And] until the security nature and the infrastructure can improve significantly, it is hard to imagine this is going to turn into a totally different ball game within a few months,” he said. “Why do robbers rob a bank? Because that’s where the money is.

“In terms of cloud and not very sophisticated security measures, this is where the money is.”

Landaverde picked up on that idea, adding her view that going after the robbers in cyberspace might be a fruitless effort. “These hackers are criminals, right? Before there was ransomware, there were denial-of-service attacks. There were data breaches. There were other methods of these criminal hackers monetizing these cyber attacks.

“So, today’s trend is ransomware. If we do something to penalize or make examples of some of these hackers and ransomware goes away, then they’ll be off to the next way to monetize electronic crime.”

She continued: “There needs to be a better way, a different way. Maybe it’s looking at the cryptocurrency exchanges.

“I don’t know if going after these individuals is going to help because there are more individuals behind them, and behind them and behind them. [Perhaps] looking at the payment infrastructure and how these individuals are able to do what they do and monetize that is going to ultimately make a difference.”

Later Gow returned to discuss the criminal actors. “It’s not these thugs with leather jackets who would be stealing hubcaps or breaking kneecaps if the internet weren’t around. These are data scientists. These are very, very intelligent individuals who are very methodically exploiting weaknesses in corporate computer networks to extract money. It’s a business, and once something changes — for example, companies [start] doing a better job of restoring from backups — they’ll begin to exfiltrate data and continue to refine their methodology for extracting this money.”

“You’ve got a dynamic where there’s a very intelligent set of adversaries on one side. And then on our side, we’ve got computer networks that continue to get more and more and more complex.”