While the threat of ransomware has been around for a while, new, more potent strains of this attack vector have emerged. From the May 2017 WannaCry dragnet, which held computer systems for ransom in more than 150 countries – all executed at blinding speed over a weekend – to the NotPetya attack on June 27, 2017, which wreaked havoc on many large companies, including the Danish shipping giant Maersk, which incurred an eye-watering $250 to $300 million in costs, to the more recent ransomware attack on the city of Atlanta, which brought critical services in the city to a standstill, it is clear that attacks have grown more complex and motivations broader. Indeed, the newest cyber monster to hit the scene is the aptly named LockerGoga, which has crippled industrial systems. While the origination and economic demands of each of these attacks may differ, they all invariably point to the growing cyber insurance market as a possible line of financial defense and remediation. Trust in that market, however, is under strain due to high-profile claim denials.
Herein, the fact that insurance is little more than a promissory statement outlining coverage, exclusions and conditions is being laid bare, straining trust in a financial instrument that is accustomed to operating in black-and-white, binary claims scenarios. Cyber threats, by their very nature, are not only amorphous but also extra-territorial, and they often lie dormant in a company’s systems for years undetected. Indeed, the average computer exploit goes undetected for 206 days, often creating a veritable back door into company secrets or, worse yet, state secrets. This complex and hard-to-track risk landscape is prompting national security officials and public policy leaders to call for a complete overhaul of third-party and supply chain operating standards when it comes to cyber threats.
Against this backdrop, the Pentagon promises to roll out new operating parameters for government contractors and their first- and second-tier supply chain partners, for whom access not only to systems but to critical data is a requisite of their work. A one-size-fits-all approach to standards is one thing; over time it can drive improvements in cyber hygiene, notwithstanding the risk that self-reporting on adherence creates. The backstop for these approaches is the cyber insurance market, which can help companies shore up their financial war chest (or make up for the lack of one) against cyber threats, compliance costs, and remediation, tapping a veritable digital fire brigade that many of the insurers have on call; cracks beginning to emerge in that market therefore matter. This class of insurance is the fastest growing, with year-over-year growth rates of 33.8% projected between 2019 and 2024. Yet in an industry that has taken many profit hits due to headwinds in the market and a volley of catastrophic losses, potentially risky bets on cyber insurance, especially for bundled policies, may prove in hindsight to be a foolhardy exercise. This is especially true given the hidden or systemic nature of cyber risk, for which many insurers are tacitly on the hook.
Large systemic claims courtesy of this new breed of sophisticated cyber-attacks are demonstrating the relative immaturity of the cyber insurance market, as well as the growing likelihood of catastrophic losses, which have been underfunded due to overly optimistic actuarial models, along with low penetration in key market segments. That WannaCry only yielded a pittance in ransom monies, netting approximately $300 per attack and total global losses of $100 million in bitcoin, does not mean the threat was not a potentially cataclysmic near-miss, hitting all the insurers in the 150-country dragnet at once with the same type of claim. Herein, the “devil’s in the details” nature of insurance policy language has come to the forefront, as Mondelez, the Swiss-based firm and owner of the Oreo cookies brand, takes on Zurich over its $100 million denial of a cyber claim arising from NotPetya. While the case is playing out, the defense argument largely hinges on the contention that NotPetya, suspected to have emanated from Russia, was in fact a war risk, triggering policy exclusions against force majeure claims.
Similarly, DLA Piper, one of the world’s largest law firms, is fighting a similar claim denial in the UK over the very same ransomware event as in the Zurich case, this time embroiling Lloyd’s insurer Hiscox. Insurers generally take pride in their claims performance, especially for comparatively new classes of insurance, as this is a way of creating market proof that coverage works. While these types of cases are complicated, especially as cyber insurance cannot be viewed in isolation from other insurance policies in force or from the contributory causes of an event, these examples are giving the industry pause while raising questions among insurance buyers about the efficacy of these programs. At the core, other than balance sheet prowess, insurance companies writing cyber risk aim to gain marginal differentiation at the policy language level and on what constitutes a covered peril. With ransomware, whose origins, motives and latency are difficult if not impossible to forensically trace back to their source, a force majeure or war risk exclusion could theoretically remain an industry ambiguity, eroding confidence in the sector and the insurance class writ large.
Additionally, when the systemic nature of this risk and the aggregation issues facing insurers exposed on multiple fronts to cyber risk are compounded with the impact on smaller firms’ survival rates after a cyber-attack, a black swan scenario starts taking shape. A recent Lloyd’s study looked at this very scenario, examining the economic impacts of a large-scale cyber-attack taking down a cloud service provider. Its findings demonstrated that a cyber incident that takes a top-three cloud provider offline in the U.S. for 3-6 days would result in estimated economic losses of between $6.9 and $14.7 billion and industry insured losses of between $1.5 and $2.8 billion. When further examining the effect on smaller companies, which may be more likely to use cloud providers to avoid expensive infrastructure costs but are also more reluctant to take up cyber insurance, the repercussions and loss of confidence from these types of exclusionary language become more problematic. Cybercriminals are known to prey on small to midsize firms as easy targets, and according to the National Cyber Security Alliance, 60% of small and midsized businesses that suffer a cyber-attack go out of business within 6 months. With approximately 26 million small and midsize businesses in the U.S., the economic impact of a mass cyber-attack and the corresponding insurance impacts would be far worse than the financial crisis of 2008, in which a total of 800,000 businesses closed their doors over a prolonged period. Together these firms create a massive potential attack surface, and many of the providers they rely on, such as payroll providers like ADP, may very well be systemic firms hiding in plain sight.
For these reasons, we have long advocated for a backstop, akin to the FDIC, against potentially catastrophic cyber events, as well as harmonization particularly among small to mid-sized enterprises, the weakest links in an economy or a supply chain. The erosion of confidence in any one bank erodes confidence in banking. It would stand to reason, then, that the emergence of high-profile, high-dollar cyber claim denials potentially imperils confidence in this aspect of the insurance industry. While cyber insurance is fast growing, the adoption of stand-alone cyber insurance, which would respond to a covered claim on a first-dollar basis, remains low at 16% in the U.S. The remainder of the market, comprised of “Frankenstein” or hybrid policies that bundle some nominal form of cyber protection, low dollar amounts, and circumscribed coverage, adds to market confusion, particularly among customers that do not hold personally identifiable information (PII) records.
To the firm that treats cyber threats as merely a privacy- and compliance-driven risk, the business continuity lessons courtesy of this damaging new breed of ransomware attacks, which have moved down market to so-called “soft targets”, should serve as a wake-up call. Cyber risk is first and foremost a business continuity issue, for which the speed of response, the scope of coverage and prevention are the best cures. If cyber insurers want to continue enjoying market confidence for this class of insurance, they would be well advised to form a consensus on what constitutes a covered claim and to ensure their customers, brokers, and agents know precisely what they are trading in.