Operating in the world today without the internet is fairly impossible, as its reach extends to virtually all people, homes and businesses. Being connected also brings more unanticipated risks than ever before. Cyber risks like ransomware and email “phishing” are just a click away, and they’re not going away anytime soon — meaning cyber claims aren’t either.
To understand the cyber claims space in 2019 and beyond, common attacks by cybercriminals and how cyber policies factor into the bigger picture for companies, Claims reached out to experts from QBE North America, Travelers, HORNE Cyber and others to better understand what they are seeing in the market. Their answers were condensed for brevity and clarity.
Claims: What’s driving cyber claims in 2019, and what should we keep an eye on in 2020?
Eric Lidman, assistant vice president, professional & cyber liability, QBE North America: Email “phishing” (business email compromises or “BEC”) remains 2019’s top cybersecurity threat resulting in insurance claims. Looking toward 2020 (and beyond), phishing scams designed to provide hackers access to cloud-based Microsoft Office 365 accounts are increasing at an alarming rate, as cybercriminals recognize the wealth of corporate and client information they can harvest once such accounts are compromised. As long as email remains an essential business tool, phishing schemes will continue to evolve in 2020 and beyond, resulting in significant insurance claims.
Ransomware attacks follow close behind phishing as a substantial source of cyber claims (though the two are often linked). However, their overall number has decreased in 2019 as cybercriminals focus fewer attacks on larger businesses, which are more likely to pay ransoms than risk extended interruptions of crucial operations.
Ransomware attacks are increasingly targeting government entities that perform essential public functions, but are generally perceived by hackers to lag behind the private sector in terms of cybersecurity protection. For example, ransomware attacks on U.S.-based state and local governments continue to make headlines and result in significant insurance claims, with no end in sight. In September, over 20 Texas government entities were subject to a coordinated ransomware attack. Similarly, the City of Baltimore was subjected to a highly publicized ransomware incident in May 2019, which resulted in the loss of considerable data. Other such malware attacks in 2019 targeted small cities in Florida, Georgia and New York; school districts in Louisiana; the court system in Philadelphia; and countless similar entities across the U.S. (and around the globe). These government-focused ransomware incidents will continue to drive cyber claim activity through the remainder of 2019 and into 2020 (especially as national elections approach and voter databases and voting systems emerge as high-profile, time-sensitive targets).
In addition, the ripple effects of the EU’s General Data Protection Regulation (GDPR) are finally starting to reach cyber carriers, as subject companies begin responding to stricter breach disclosure requirements and regulatory inquiries. These claims will certainly see an uptick in 2020.
Examining 2019 cyber claims activity from an industry perspective, professional firms (phishing), financial services (increased use of poorly-protected third-party vendors), manufacturing (ransomware) and retail (point-of-sale malware) lead the pack, with the aforementioned public sector coming on strong.
Claims: What are common forms of attacks cybercriminals deploy?
Keith Novak, associate managing director with cyber risk practice of Kroll, a division of Duff & Phelps: The two most common attacks Kroll is investigating are ransomware and business email compromise. Ransomware attacks have been on the rise lately as [it’s] an easy way for an attacker who has compromised a computer system to extort payments by encrypting all its files and requesting a “ransom” payment (usually in bitcoin) for the key to recover the information. Business email compromises have been pretty steady as of late as attackers continue to use sophisticated phishing emails to lure unsuspecting employees to provide their credentials, granting the attacker access to an employee’s email account in an attempt to redirect wire transfer payments.
Claims: What’s covered under a general property policy versus a cyber policy, and when is the latter needed?
Jeff Dennis, head of privacy and data security practice at the law firm Newmeyer Dillion: While general property policies will cover claims for property damage, most carriers are specifically excluding cyber-related claims from property policies. As a result, standalone cyber liability insurance policies are now more important than ever before — due to the fact that most carriers will not cover a cyber incident under a property policy. Carriers are paying close attention to the concept of “silent cyber” coverage, and are specifically either including or excluding, cyber coverage from most policies. This was due in large part to an edict from Lloyd’s of London — which has trickled throughout the global insurance marketplace.
Claims: What steps can be taken to prevent cyber claims?
Tim Francis, enterprise cyber lead at Travelers: Companies of all sizes should educate their employees about cyber risks: what they are and how incidents can occur. Having the proper safeguards in place can help prevent an attack from happening. Beyond prevention, companies should be prepared in the event something does happen, including insurance policies to manage financial risks and a crisis communications plan for internal and external parties.
Claims: Attackers are constantly changing their methods and targets. What can agents, brokers and companies do to make sure they’re as prepared as possible?
Francis: For businesses, being proactive is key. Educating employees and putting proper risk management systems in place, including cyber insurance coverage, should be a high priority. Obviously, agents and brokers will want to discuss potential cyber threats with their customers, taking into account their customer’s industry and the various types of exposures that might be present.
Claims: What would you tell a small or mid-sized business that believes they’re not likely to be targeted due to their size? Why should they be most concerned about cyberthreats?
Tony Dolce, Chubb’s cyber leader for claims in North America: Small and medium-sized businesses are not immune to cyberattacks. In fact, this attitude is what makes small- and mid-size businesses prime targets for hackers: a lack of concern means business owners are less likely to implement necessary safeguards, which makes them easier targets.
The Chubb Cyber Index shows that 71% of all cyber events at small companies over the past two years were the result of external factors, versus just 32% for companies larger than $500 million in revenue. Small business’ security measures are often outdated or under prioritized, and therefore can allow cybercriminals to deploy attacks quickly, cheaply and anonymously — increasing both the likelihood that they will be targeted and that most attack attempts will be successful.
Chubb encourages small business owners to ask for help — especially when educating their employees, as it is among one of the most important elements to protect businesses from experiencing and bearing the financial weight of a cyber incident. In addition to employee training, small- and mid-size businesses should employ the following to protect against cyberattacks: adequate antivirus software, multi-factor authentication, password security and hygiene, monitoring of all network activity and updated operating systems.
As cyber threats continually evolve, cyber insurance — in connection with these other preventative measures — can play a key role in the awareness, preparedness, and resiliency of small and midsize businesses.
Claims: Do you have any figures on the cost of an average cyber claim?
Mike Skinner, partner in charge at HORNE Cyber: NetDiligence reported the 2018 average cost of a breach as $604,000. Of this amount, crisis services averaged over half that amount with legal defense and settlement making up the remainder.
Claims: How do you think 5G networks will impact cyber claims? Do you predict more or less cyber claims as a result?
Skinner: With more devices connected and exponentially faster speeds, 5G technology provides threat actors with an even larger attack surface than today. The same efficiencies that industries will gain through leveraging 5G will translate to attackers — faster and larger-scale attacks. I predict there will be more (and more expensive) cyber claims as a result of 5G.