It’s no question the cyber crime landscape is constantly evolving, keeping large and small businesses on their toes. But another industry is rapidly changing, and if businesses don’t keep up, they risk being caught off guard, experts say. That industry is cyber insurance.
Executive Summary
While the strategies of cyber threat actors may shift in 2022, cyber experts interviewed by CM Deputy Editor Elizabeth Blosfield don’t see the threat landscape getting better any time soon. Here, they speculate on trends including more attacks on business-to-business services providers and more data manipulation rather than data theft. In addition, they note that more rigorous reviews of customers’ cybersecurity postures are already having a positive impact on the businesses they insure.
“Now is the time to take comprehensive action and ensure that your company isn’t caught off guard either by a cyber criminal or the insurance renewal process,” said William Shortt, director of cyber diligence and head of M&A cyber strategy at Aon M&A and Transaction Solutions, delivering advice to insurance buyers.
This is because to keep up with the changing threat landscape, insurers are working hard to raise the stakes on cybersecurity, Shortt said. This means it’s imperative that companies implement core security controls before approaching the insurance market, he added.
“Where insurers may in years past have asked limited questions, they’re now digging into all areas of your security program,” he said.
Much of this has been due to the proliferation of ransomware attacks. Carrier Management previously reported on some of the biggest attacks of last year, which included a July ransomware attack in which the Florida information technology firm Kaseya saw its management system hacked. REvil, a Russia-linked cybercrime syndicate, took credit for the breach.
In June, REvil also extorted an $11 million ransom out of meatpacker JBS after compromising its supply chain. Earlier in May, an intrusion by another Russia-linked group at U.S. fuel transporter Colonial Pipeline led to the shutdown of 5,500 miles of critical infrastructure, causing panic buying and gas shortages all along the East Coast.
“While ransomware has gained traction over the years, it jumped to the forefront of the news [in 2021] with high-profile attacks that had impacts on the day-to-day lives of millions of people,” said Jason Rebholz, chief information security officer at InsurTech Corvus Insurance.
A Shift in Strategy
The severity of these events is only expected to increase in 2022, said Shawn Ram, CEO of cyber insurance and security provider Coalition.
“As organizations increase their reliance on cloud software and IT service providers, they open themselves up to increased risk—a risk they struggle to control,” he said.
Darren Thomson, head of cybersecurity strategy at cyber risk analytics platform CyberCube, agreed. “There is no data to suggest that frequency or scale will decrease,” he said. “The combination of the targeting of common SPoFs (single points of failure), supply chains, the increased maturity of threat actors and the use of new technology such as machine learning will increase both of these factors in 2022.”
Marc Voses, partner at London-based global law firm Clyde & Co., said that while he believes the attack landscape for smaller, direct-to-consumer businesses will decrease, business-to-business service providers will face an uptick in attacks as cyber criminals aim to target multiple victims at once, leading to higher payouts.
“The reason for this is because attacking a business that services other businesses—think cloud service provider—would likely bring more stakeholders to the negotiating table, resulting in a higher likelihood of payment and a higher payment amount overall because of the number of businesses affected,” he said.
The ongoing COVID-19 pandemic hasn’t helped this trend, either, providing further opportunities for threat actors to disrupt businesses, said Kevin Hall, director and head of cybersecurity consulting for mergers & acquisitions clients in the EMEA region at Aon Transaction Solutions.
“Crisis situations provide the perfect avenue for threat actors as people are more likely to make poor decisions, like falling for phishing emails, due to fear and stress,” he said.
Rebholz agreed, adding that widespread crackdowns on cyber attackers’ current strategies will likely lead to yet another shift in the threat environment.
“Attackers are nimble—and although they’ve had a ‘playbook’ over the past couple years…we expect things to shift,” he said in a Corvus press release. “We have already seen the opening moves from threat actors.”
He said this shift is expected to come in the form of extortion-based attacks, such as data theft or account lockouts, which don’t require the encryption of data. Thomson said, however, that he expects to see cyber criminals move away from data theft this year toward data manipulation instead. This type of attack can be particularly challenging, he said, as traditional methods of malware detection may not be effective.
“The manipulation of data may not show up as business interruption right away since systems may appear to function normally with the business running on corrupted data,” he said. “From an insurance perspective, this will be particularly challenging due to the unclear implications and impacts that an attack like this would create.”
Too Big a Risk?
As shifts in attack methods point to the need for new tactics to mitigate threats, experts said, a shift is also happening within the cyber insurance space itself.
“In 2022, we will see many companies unable to secure a cyber insurance policy due to deficient security controls,” Shortt said.
Brian Alva, vice president of cyber underwriting at Corvus, said for insurers, 2022 will be about analyzing the impact of better security controls and providing policyholders with tools to improve their security posture as cyber insurance remains an essential part of an organization’s security and business strategy.
“What we’re seeing now is an important shift in how insurance deals with cybersecurity,” he said.
This move goes beyond ensuring proper security controls are in place before granting coverage, however. For some carriers, cyber is beginning to be seen as too big of a risk to insure altogether, leading to additional coverage challenges, said Shawn Ram, head of insurance at cyber insurance and security provider Coalition.
“The challenge will be mostly for larger companies that will struggle to find adequate coverage,” he said.
Reuters reported that insurers have halved the amount of cyber cover they provide to customers after the pandemic and work-from-home drove a surge in ransomware attacks.
Industry sources told Reuters on condition of anonymity in November that Lloyd’s of London, which has around a fifth of the global cyber market, has discouraged its 100-odd syndicate members from taking on cyber business in 2022. A Lloyd’s spokesperson in an email to Carrier Management referred to Lloyd’s December 2021 message to the market, in which Chief of Markets Patrick Tiernan said the insurer expects the cyber class to grow by around 30 percent in 2022 and is “categorically not closed to new cyber business.” However, he added that to protect this growth against the potential of high systemic losses, the insurer is taking “a strong differentiated approach in this class of business.”
“This approach is based on each syndicate’s end-to-end expertise in the cyber class and their past performance,” Tiernan said in Lloyd’s message to the market. “In regards to new entrants, capacity has principally been granted for those looking to follow established, profitable incumbents.”
Some carriers are seemingly finding cyber more difficult to underwrite as the market grows riskier. U.S. insurer AIG said in August it was cutting cyber limits, and Hiscox Ltd. said in a statement that it is “refining” its appetite for the business and focusing on smaller U.S. customers.
While Justin Herring, executive deputy superintendent at the New York State Department of Financial Services (DFS), told Insurance Journal in an August webinar that DFS sees cyber as “the biggest risk for the financial services industry at large,” it’s not necessarily an insurmountable problem for insurers, especially the big players in the industry.
“But it is a challenging problem because this is an area where change happens rapidly,” he said.
Raising the Bar
Many of these changes for the cyber insurance industry are coming to light within the underwriting process.
“[Corvus] expects that underwriters will continue to evolve their approach as security knowledge becomes more infused in the underwriting process,” Rebholz said. “There will be a large emphasis on educating underwriters on various security controls, why they are effective, and the impacts not having those controls can have on the frequency and severity of security incidents.”
Lauren Winchester, vice president of risk and response at Corvus, said in a company press release that in 2022, it will become increasingly necessary for policyholders and their insurance providers to work even more closely to identify new areas of vulnerability and cyber threats as they arise.
“Insurance providers that wish to truly combat risk and mitigate the destructive impact of cyber attacks will lean into tech-enabled policyholder engagement, helping policyholders recognize gaps in their existing cybersecurity controls and quickly identify new threats and how to mitigate them,” she said.
Insurers already doing this are seeing the fruits of their labor, experts said.
“Over the past year, the market has required better basic security controls of policyholders, and it is having a positive impact,” Alva said.
Indeed, Rebholz said Corvus policyholders routinely express concerns over where to focus their security efforts.
“Taking that first step is the hardest for businesses as they are unsure where to place their foot,” he said. “This highlights the positive impact that cyber insurance carriers can have on raising the bar of security.”
This is because with technologies like multifactor authentication becoming a barrier to entry for securing a cyber policy, more organizations are investing in the technology—something they may have been putting off for years, he added.
Mike Karbassi, chief underwriting officer at Corvus, added that all of this has led to heightened attention on the cyber insurance industry and how it can step in to mitigate attacks.
“This past year, it’s been really enlightening to see attention on cyber insurance, from as high up as the White House, commending cyber insurers for raising the bar in security,” he said in a Corvus press release. “That’s because of our role in helping to bring basic security requirements—which security professionals begged for, for years—up to the level of attention they deserve.”
Ram said as digital risk is constantly changing, it will require even more innovation from insurers to adequately protect businesses from all types of threats. After all, he said, “cyber insurance is not designed as a one-size-fits-all.”
“In 2022, we need to continue to collectively raise the bar to ensure policyholders are in the best position possible, to keep themselves secure and keep the cyber insurance space viable,” he said.