It may sound blasphemous in an industry as data-dependent as this one, but experts have this advice for clients grappling with their cyber liabilities: maybe don’t collect certain information in the first place. Assess what you are collecting and what you are doing with it and, depending on who you are and who your clients are, consider encouraging stakeholders to get rid of some of it.
“How do you reduce that risk? Eliminate the data, right? It’s sometimes as simple as that,” said Carolyn Purwin Ryan, partner, data privacy and cybersecurity, at Mullen Coughlin LLC, during a recent AM Best panel discussion with experts from Munich Re and Mullen Coughlin entitled Loss Trends in Cyber Liability Insurance.
Rob Barlow, cyber underwriter at Munich Re in the United States, recommends taking stock of existing data, how long it is retained and whether cold storage is an option for any of it. “In the event that you have a threat actor in your system, you’re eliminating that risk by putting it separately,” Purwin Ryan agrees. “Take stock of what you have,” Barlow continues. “Figure out what you need, what you don't need and make all those changes now, because it'll be much more difficult later.”
The panel also discussed at length the prevalence and changing nature of threats, evolving liabilities, the shifting policy landscape and underwriters’ concerns in 2024.
“What companies need to understand is that this is going to continue. These things are just going to continue to escalate,” said Purwin Ryan.
Threat changes
Business email compromise attacks and ransomware are both increasing in severity, the panelists say, but they note that wire fraud is also rampant today: threat actors impersonating the CEO or CFO, in some cases with deepfakes, convince employees to transfer millions. Artificial intelligence (AI) tools make this easier by generating convincing communications, both emails and phone calls, that are difficult to detect and question.
“Historically we would be able to identify phishing emails pretty easily,” says Maria Long, vice president, cyber underwriter and risk management portfolio leader, Munich Re Specialty, global markets. “With ChatGPT you’re able to produce templates and really amp up the sophistication and also the spread of your phishing campaign.”
Ransomware threat actors today are increasingly not bothering to encrypt data at all, instead exfiltrating it slowly and without notice until it is too late. Although the industry saw a slight dip in ransomware in recent years, activity has since returned to previous high levels. Harassment campaigns against victims have also been taken to new levels in recent years, they say.
“Ransomware is the one that makes the news but wire transfer fraud, believe it or not, is one of the most rampant things that I’m seeing out there. We’re seeing a lot of companies get very duped, very quickly, using a lot of tactics including deepfake tactics,” Purwin Ryan says. “I’d also be remiss without saying ransomware. It is at the top of everybody’s mind.”
Finally, the panel also discussed the threat of technologies built by third parties – many of which have their own data collection efforts underway. “As a company, you’re responsible for the vendors that you’re choosing,” she points out.
Liability changes
Wrongful data collection is a growing concern for panelists too. “That can take many forms,” says Long. “Have your lawyers take a look at those contracts and see what the obligations are back to you,” Purwin Ryan adds, referring to when companies make use of third-party software and applications – many of which may be collecting a lot more data than companies realize.
As in other business lines, the panelists add that they are seeing more cyber litigation than ever: a race to the courthouse whenever class action lawyers learn of a breach, whether through the media or when it is disclosed to victims and regulators.
“We talk about where your data is going all the time. Plaintiff’s attorneys are out there; they are very cognizant. They’re asking about security measures,” Purwin Ryan says.
Shifting policy landscape
Against this backdrop, then, it is not surprising that insurers are constantly reworking policy language, coverages and exclusions, with the shifting landscape producing policies that can differ notably from year to year.
In discussing coverages, for example, ransomware and its associated fallout would almost certainly be covered under a cyber policy, but regulatory penalties for failing to safeguard information are generally excluded, apart from defence costs in some cases.
Wire transfer fraud, meanwhile, falls under a broader rubric of cybercrime, says Barlow. “What we’re finding is, because it was conducted through a computer, that there is an urge to try to push this onto a cyber policy,” he adds. “What many insurance carriers are doing for the crime portion of the policy, they’re sub-limiting that cover.” That said, he also adds that companies are still experiencing substantial losses from such events.
War remains a typical exclusion too. “I think I’m contractually obligated to mention the war exclusion,” he jokes. “Some other exclusions that buyer or insured should be aware of (include) the infrastructure exclusion – carriers generally want to exclude any claim arising out of a total or partial failure of utilities, internet satellite systems, telecommunications systems, etc.,” Barlow says. This includes systems failing for non-malicious reasons, as in the July 2024 CrowdStrike outage.
“Insurance carriers added system failure cover, which is essentially non-malicious cover, back in the soft days of the market in 2016, 2017,” Barlow says. “Carriers are now going to have to start to wrestle with whether or not we really intended to provide widespread system failure cover, or do we really only intend to cover widespread malicious acts? Then also with contingent business interruption,” he adds, “When a system goes down from a vendor that you rely on heavily, how much coverage should we be providing?”
Where a third-party professional services firm fails in its technology stewardship obligations, carriers are also beginning to ask whether such events should still be covered. “Was that ever intended to be covered by a cyber policy? I think we’re going to have to really start, as an industry, to go back and take a look at some of these broad coverage grants that existed in the soft market, that somehow skated through the hard market in 2020 and 2021, and really evaluate if that’s really wise to continue to provide going forward.”
Finally, he also mentions unlawful collection of data, saying carriers generally want to exclude this. “There are generally defense costs provided for that, but you want to know how broad that exclusion is.”
Underwriting concerns in 2024
When it comes to vendor management, the panelists say organizations need stakeholders dedicated to managing which vendors the organization works with and who has access to the company’s information, and need to confirm that someone actually owns those responsibilities.
Long also points out that it is necessary to ensure that vendors have their own adequate insurance coverage in place, along with adequate risk management programs that will protect the organization leveraging the vendor’s solutions.
Beyond this, in addition to how the organization is viewed outwardly and the overall solvency of its business, Long says underwriters today are looking at four areas: company controls, resiliency, governance and investment.
She says immutable backups (those which cannot be changed), stakeholders who question how much data is being collected in the first place and the sophistication of a company’s risk management program all come under the microscope in underwriting.
“We’re trying to understand what key controls are out there,” Long says. This includes basic controls such as firewalls and encryption of information, both at rest and in transit, and, especially for organizations managing a large number of records, underwriters will also look at endpoint security. “Are there appropriate controls that sit on each endpoint that a user is interacting with?” she asks.
Patching efforts across the organization will be examined and, in addition, she says it is important that controls are properly configured and regularly re-tuned.
“If you do buy these best-in-class controls to prevent something from happening, are you actually making sure that they’re tuned to the environment and configured correctly? If they’re not, they’re completely worthless,” she says.
Also under the topic of controls, she points out that underwriters will also be concerning themselves with the organization’s human risk. “We want to ensure that organizations are actually training their employees frequently around risks that actually make sense against the current environment. Right now, we should be training our employees to understand deepfakes and understanding the keys to social engineering.”
When it comes to resiliency, Long says underwriters will want to see backups that are immutable, tested and encrypted. “We’re looking to make sure that the organization can recover if something does happen,” she adds. “Do we have the appropriate backups and what is the health of those backups? Have you separated them from the environment? Are they encrypted? Are they immutable, meaning they cannot be changed? And are you testing them to see how long it takes you to recover?”
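The backup criteria Long lists (separated from the environment, integrity protected, restorable within a known time) translate into a routine drill a team can script. The following is an added example, not code from the panel, Munich Re or Mullen Coughlin: it archives constructed sample files, records a manifest of per-file SHA-256 digests protected by an HMAC whose key is assumed to be held out of band (so an attacker who owns production cannot re-sign a tampered manifest), then restores into scratch space, checks every file and compares recovery time against an assumed recovery-time objective. Immutability and encryption at rest are storage-layer properties and are not modelled here; the file names, key and 60-second target are all assumptions.

```python
"""Backup restore drill (added example, not from the panel).

Builds an archive of constructed sample files, signs an integrity
manifest with an HMAC key assumed to live outside production, then
restores into a scratch directory, verifies every file and times the
recovery against an RTO. Immutability and encryption at rest are left
to the storage layer and are not modelled here.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for production files.
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,alice\n2,bob\n",
    "config/app.yaml": b"retention_days: 30\n",
}

# Assumption: this key is held out of band (offline or in a separate
# account), so whoever controls the production environment cannot
# re-sign a manifest after tampering with the backup.
MANIFEST_KEY = b"example-offline-hmac-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(manifest_body: dict) -> str:
    body = json.dumps(manifest_body, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()


def create_backup(files: dict[str, bytes]) -> tuple[bytes, dict]:
    """Return (gzip tar archive, signed manifest) for the given files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    archive = buf.getvalue()
    body = {
        "files": {p: sha256(d) for p, d in files.items()},
        "archive_sha256": sha256(archive),
    }
    return archive, {**body, "hmac": _sign(body)}


def verify_manifest(manifest: dict) -> bool:
    """True only if the manifest carries a valid HMAC under the offline key."""
    body = {k: v for k, v in manifest.items() if k != "hmac"}
    return hmac.compare_digest(manifest.get("hmac", ""), _sign(body))


def restore_drill(archive: bytes, manifest: dict, rto_seconds: float) -> dict:
    """Verify manifest and archive, restore to scratch space, check, time it."""
    result = {"manifest_ok": False, "archive_ok": False,
              "files_ok": False, "seconds": 0.0, "within_rto": False}
    result["manifest_ok"] = verify_manifest(manifest)
    if not result["manifest_ok"]:
        return result  # an altered or unsigned manifest proves nothing
    result["archive_ok"] = sha256(archive) == manifest["archive_sha256"]
    if not result["archive_ok"]:
        return result  # archive changed since it was written
    start = time.perf_counter()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # The "data" filter (Python 3.12+, backported to 3.8.17/3.9.17/
            # 3.10.12/3.11.4) rejects path traversal and special files.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = {}
        for rel in manifest["files"]:
            p = Path(scratch) / rel
            restored[rel] = sha256(p.read_bytes()) if p.is_file() else None
    result["seconds"] = time.perf_counter() - start
    result["files_ok"] = restored == manifest["files"]
    result["within_rto"] = result["files_ok"] and result["seconds"] <= rto_seconds
    return result


if __name__ == "__main__":
    archive, manifest = create_backup(SAMPLE_FILES)
    print(json.dumps(restore_drill(archive, manifest, rto_seconds=60), indent=2))
```

Run on a schedule against a real backup, the drill answers the underwriter's questions directly: a failed HMAC or digest check means the copy cannot be trusted, a missing file means the backup is incomplete, and the measured time is the evidence for "how long it takes you to recover". The same manifest check should run before any restore during an actual incident, since a threat actor with access to the backup store may have replaced the archive.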
Governance considerations include whether or not a board and senior executives support cyber resiliency and recovery efforts, absent any immediate threat, and investment refers to whether or not the organization improves its controls from year to year. “We want to ensure that we don’t have a set it and forget it type of environment,” Long says. “Really have the right stakeholders in the game trying to understand what’s on the horizon so that you can prepare for it instead of waiting until it happens to you.”