Since the start of the war in Ukraine, the number of cyber incidents in the U.S. has increased, and underwriters will need to adapt, according to a panel of experts at the PLUS Cyber Symposium.
“There’s no doubt that attacks overall are up, whether they’re coming from individual groups or nation-states,” said Nick Graf, vice president of cyber risk control at CNA, during the event held earlier this month in New York City.
He pointed to conversations that he’s had with colleagues as an example.
“A colleague of mine that works at a large U.S.-based manufacturing company…just yesterday [Feb. 28], they experienced the most phishing attacks they’ve ever experienced from as long as they’ve been keeping records,” he said. “This has been a huge uptick starting about a week ago, and yesterday was the high point of that.”
Concerns about increased cyber incidents across borders have been raised since Russia launched a full-scale military invasion of Ukraine on Feb. 24. The Harvard Business Review reported that while Ukraine has been a target of Russian cyber attacks for years, incidents resulting from Russia’s recent invasion could quickly spread beyond Ukraine.
“The recommendation really is to double-check everything, batten down the hatches, start on the outside, look at your external perimeter, your web servers, your firewalls, things like that,” Graf said. “You need to be doing all the things you should have been doing—make sure MFA [multi-factor authentication] is in place, make sure your systems are patched, make sure you have conducted training with your employees and that they’re aware these attacks are out there.”
Manish Karir, vice president of data at CyberCube Analytics, said based on historical data analysis, organizations that tend to have data breaches are the ones that exhibit symptoms of mismanagement. As a result, underwriters are exercising more caution.
“The minimum acceptable standards have certainly been raised, and that would apply to everybody, even a Main Street shop,” said Patrick Thielen, senior vice president of cyber insurance at Chubb.
The challenge for these Main Street shops and small or medium-sized enterprises (SMEs) is that historically, they haven’t given much thought to cyber control, panelists said.
“They bought the coverage that they needed to, that they were contractually obligated to, but many times, it was not their focus,” Graf said. “Many of them are just struggling to survive; they’re focused on surviving, on acquiring customers and doing what their business takes. But obviously, we need more than that.”
He said expectations for small businesses differ from larger firms, but underwriters are still carefully scrutinizing even the smallest companies before granting cyber coverage.
“I’m not expecting them to have a chief information security officer or 15 people on staff and all of these expensive tools,” Graf said. “But there still are some basic things that they can be doing that will greatly reduce their risk. It’s never going to be zero, but we want to greatly reduce it to a point where we probably can offer them a limit of some reasonable amount.”
He said steps small businesses can take include implementing MFA, an authentication method that requires multiple verification factors, such as a password or a thumbprint, to gain access to a system or account; ensuring their websites are housed on secure platforms; and carefully vetting third-party vendors.
“Those choices that they’ve made even as a small business will make all the difference when it comes to risk assessment and what premiums they should be charged as well,” Graf said.
Thielen said that it’s important for businesses, large and small, to also consider their peripheral exposures.
“We have this conversation all the time, where we hear that [this asset] over there doesn’t matter for whatever reason, either because it has compensated controls layered on top of it or there are no critical operations tied to that asset,” he said. “But getting into the perimeter management around access vectors to your organization is becoming a more prominent focus for CSOs [chief security officers].”
Another big topic among underwriters this year, according to Graf, has been end-of-life systems: hardware that is in its final stages of existence and no longer has the needed support available.
“That has been probably one of the most frequent, painful conversations that we have had this year in talking to insureds,” he said. “There are a lot of insureds that have end-of-life systems that have been kicking around the network for years, sometimes coming up on a decade. The perspective that we’re taking is that it is difficult to get off these systems, but at some point, you have to rip off the Band-Aid because it’s not getting any better.”
Despite these challenges, he said the good news is that a change in awareness is occurring regarding the importance of cyber risk even among the smallest businesses.
“Five years ago, it was pretty common that most agents and their small customers would have had myths in mind about how they’re not a target. [They would say], ‘Because I’m a small company in Des Moines, nobody’s targeting me’ or, ‘I’ve outsourced my security responsibilities to some combination of vendors.’ You know, we’ve all heard those objections, right?” he said.
As ransomware has proliferated, cybersecurity awareness has also grown.
“In this day and age, anybody in this room without technical controls or technical know-how, if you are so inclined, can go buy an exploit kit on the dark web and go buy a list of vulnerable assets and focus on exploiting a particular vulnerability,” Graf said. “And the world’s woken up to that reality, right? So, I think small businesses and their agents are more receptive to these conversations now than they have been.”
Karir agreed, adding that because of the recent increase in cyber incidents, cyber insurance coverage is becoming a standard part of risk management for insureds. Additionally, underwriters are far more knowledgeable than they have been in the past.
“We’re finding that we have to do a much more diligent underwriting process, and we thought [insureds] would be thinking, ‘Well, who are these insurers? They are asking me all these questions,’ but really, we found that it was the opposite,” he said. “They’re saying, and I’m very often hearing, ‘Yeah, you’re asking the right questions. We should be doing those things. But we have limitations. We have limitations on resources and funding and priorities,’ but they are working with us and engaging with us. And I think they value getting the feedback.”
The ongoing challenge with cyber, Thielen said, is that while many other lines of insurance—property being one example—are limited to certain geographies or time frames, cyber threats tend to be more widespread and ubiquitous.
“I think that two constants that we’re going to see is No. 1, we’re always going to be playing catch-up with regard to how we underwrite and how we price the business,” he said. “And No. 2 is that the threat of systemic risk is fundamentally different for cyber than it is for practically all other lines of insurance.”
With this in mind, he said it will take collective action among the tech, government and insurance sectors to adjust to the threats and address these challenges.
“There is no one company, there’s not even one industry, that’s going to ever solve cyber risk because it’s always evolving,” he said. “Really, cyber underwriting has changed forever.”