The cyber insurance industry is coming off a 2020 that was likely the toughest in its brief existence, as ransomware costs almost doubled to $20 billion from the $11.5 billion recorded in 2019.1
Despite adverse claims and a hardening rate environment, the National Association of Insurance Commissioners projects that the cyber insurance industry will grow to more than $20 billion in direct written premiums by 2025 from $3.15 billion in 2019.2 As both premiums and claims are increasing sharply, it's probably no surprise that the New York Department of Financial Services (NYDFS) issued Insurance Circular No. 2 (2021) dated February 4, 2021, guidance for insurers about cyber risk, recommending insurers adopt its Cyber Insurance Risk Framework.
The NYDFS guidance recommends several steps insurers can take to manage cyber risk more effectively, including actively identifying and managing so-called “silent cyber” exposure on non-cyber policies, more rigorously measuring both systemic and attritional risk, and promoting better cybersecurity among insureds. The NYDFS best practices framework is the first of its kind among insurance regulators in the United States.
Actively identify and manage silent cyber exposure on non-cyber policies
It is commonly known that cyber exposure is not limited to cyber insurance policies. Digital networks influence virtually every facet of our lives. But those networks can also expose us—our processes, organizations, and devices—to digital disruption. This has given rise to silent cyber exposures—the ability for high-tech, network-driven attacks to cause losses on traditional property/casualty policies that do not expressly address cyber losses.
Accordingly, the NYDFS framework recommends insurers root out silent cyber exposure, making efforts to understand where the exposure lies in their portfolio and specifically excluding or affirming cyber coverage as necessary. By seeking out and affirming or excluding cyber coverage, insurers can increase pricing accuracy, reduce risk volatility, and address stacking of limits.
The NYDFS recommendation follows similar efforts to eliminate silent cyber exposure at Lloyd's of London, requiring that all property and casualty policies “must be clear on whether coverage is provided for losses cause by a cyber event.”
More rigorously measure both systemic and attritional cyber risk
It was inevitable that as the cyber insurance industry matured it would need to contend with systemic cyber events. In 2017, WannaCry and NotPetya, two notable malware variants—one an actual piece of ransomware and the other a malevolent piece of software that destroyed data while pretending to be ransomware—both managed to achieve global impact in mere minutes.3
NotPetya alone caused more than $10 billion in damage,4 and only $3 billion of that was insured.5 About 90 percent of the insured damages were claimed on property policies due to silent cyber exposure.6 WannaCry and NotPetya are examples of systemic, or large-scale, attacks. But 2020 showed the potential for significant non-systemic, or attritional, cyber loss, costing businesses an estimated $20 billion from smaller, targeted attacks.7 Both varieties of losses, systemic and attritional, demand that insurers redouble their efforts to understand and underwrite cyber risks more effectively. This can involve bringing greater cyber security expertise in-house at insurers and movement towards a more consistent, universal framework for understanding cyber risk—one that’s more attuned to risk drivers than reactive to the news cycle.
Promote better cybersecurity among their insureds
The cyber insurance industry has seen several creative efforts to promote cybersecurity among insureds, though unfortunately, none have seen ubiquitous adoption. These efforts have been further hampered by the very soft nature of the cyber insurance market, with premiums driven down by competition much faster than they've driven up a sophisticated understanding of cyber risk. This can leave insurers struggling to promote better security hygiene among insureds, who often find that implementing security controls can cost significantly more than purchasing insurance.
While the NYDFS guidance “recommends against making ransom payments,” the industry isn't without recourse, depending on individual insurer appetite. Insurers can look to take action on ransomware payments by providing corresponding coverage. Alternatively, other insurers may take steps to minimize exposure to ransomware, including via reduced sublimits, increased retentions, coinsurance or expressly eliminating coverage.
Cyber risk ultimately remains relatively new
The constant demands of new technologies, new frameworks, and new regulations can render knowledge obsolete quickly. This rapid change of pace has made cyber risk especially challenging for insurers to grasp. There is still a lot of new ground to be broken in figuring out the best way to quantify and understand cyber risk. And it's only through an expanded partnership between the insurance and security industries, greater expertise, information sharing, experience, and time that it will be possible.
In the meantime, Verisk can help speed insurers along their cybersecurity journey. From cyber underwriting tools to quickly assess a company's perimeter security, to an industry-wide cyber data exchange and cyber risk modeling, we can help. To learn more about cyber risks, sign up for Verisk's upcoming Cyber Monday Series! These four one-hour webinars will take place every other Monday starting April 26, 2021.
To learn more, please email Michael Rastigue at mrastigue@verisk.com. Michael is Senior Manager for North America for Verisk Cyber Solutions.
- “2020 Ransomware Statistics, Data, & Trends,” PurpleSec, https://purplesec.us/resources/cyber-security-statistics/ransomware/, accessed February 26, 2021.
- Matthews, Denise, “Report on the Cybersecurity Insurance and Identity Theft Coverage Supplement,” National Association of Insurance Commissioners, December 4, 2020, accessed February 26, 2020.
- Greenberg, Andy, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/, accessed February 26, 2021.
- Greenberg, Andy, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/, accessed February 26, 2021.
- Bateman, Jon, “War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions,” Carnegie Endowment for International Peace, October 5, 2020, https://carnegieendowment.org/2020/10/05/war-terrorism-and-catastrophe-in-cyber-insurance-understanding-and-reforming-exclusions-pub-82819, accessed February 26, 2021.
- Bateman, Jon, “War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions,” Carnegie Endowment for International Peace, October 5, 2020, https://carnegieendowment.org/2020/10/05/war-terrorism-and-catastrophe-in-cyber-insurance-understanding-and-reforming-exclusions-pub-82819, accessed February 26, 2021.
- Bateman, Jon, “War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions,” Carnegie Endowment for International Peace, October 5, 2020, https://carnegieendowment.org/2020/10/05/war-terrorism-and-catastrophe-in-cyber-insurance-understanding-and-reforming-exclusions-pub-82819, accessed February 26, 2021.