Kelly B. Castriotta, Esq., is a Managing Director, Global Cyber Underwriting Executive at Markel Corporation (NYSE: MKL). The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of Markel Corporation or any of its subsidiaries or holdings. The information provided in this article does not, and is not intended to, constitute legal advice; instead, all content within is for general informational and research purposes only.
With daily headlines flooding our inboxes re: all things cyber, sometimes it helps to reflect over the timeline of a year and analyze the major themes for cyber insurance over the course of 2021. I will go ahead and call this a ‘banner year’ for cyber insurance in terms of our community—carriers, brokers, incident response teams, MGAs, insuretech, and all other partners in this space—grappling simultaneously with two massive attack fronts, COVID-19 and ransomware, while still embracing a necessary and viable product.
To start, let me disclaim that my point of view on this is my own, clearly from my experience employed with big insurance. Please forgive the generalizations I have to make here as I am trying to synthesize a great deal of information.
1. “Systemic” attacks
There was no shortage of supply chain attacks this year. An EU study predicted that there would be more than 4x the number of such attacks in 2021 than in 2020. The jury is still out as to whether that prediction was entirely correct, but we have seen significantly publicized events this year, including the Kaseya ransomware attack. It is unclear whether any of these were “material” in terms of either being: 1) a capital event from the perspective of a carrier; or 2) a catastrophic event, as defined by any credible third-party source. (*Note that as of the date of this blogpost, the Log4shell flaw is now widely publicized, and we have yet to understand the loss potential of that zero-day exploit.) Despite a lack of significant loss magnitude from these types of events so far, the industry needs to learn from what has happened to date and better understand software dependencies and supply chain dependencies within their books of business as well as their own companies. Perhaps the way these events play out will also put additional pressure on tech/software companies, shaping their roles and responsibilities in keeping insureds cyber-secure, including changes in indemnification terms and changes in the practices of carriers seeking subrogation.
2. Ransomware, ransomware, ransomware
Are we sick of this yet? Yes. Are we done with this yet? Unfortunately, no. Ransomware continues to plague the globe, our insureds, and the headlines. It continues to drive underwriting decisions. There’s really too much to cover here, and I’ll try to address some more ransomware topics in separate subtopics. Some carriers are now stating that there is less ransomware activity than there was 6 months ago. Cyber loss ratios reached an all-time high in 2020, as reported in June 2021, and were largely attributable to ransomware losses. Since then, anecdotally at least, loss ratios seem to be improving, but it is hard to say whether this in fact has to do with an improved threat environment or with the tremendous rate increases that carriers are now seeing on their books. In fact, cyber vendors tell us there is no slowdown of incident response/remediation work and that ransomware threat actors’ methods continue to be innovative. Some reports suggest that ransomware went from 10% of all breaches to 20% of all breaches from 2020 to 2021.
One of the other debated issues here is whether businesses are further penalized by regulators and insurance companies for being victims of such attacks. This is an extremely complex debate. I see this as a multi-front approach. Certainly, businesses must come to realize the realities of the threat environment and be better at prevention, but more importantly, better at resiliency, especially since threat actors continue to evolve. But let’s face it, the ransomware-as-a-service (“raas”) model has been successful and relatively easy to perpetuate. We need more concerted prosecution of the threat actors as well as disruption—technological and monetary—to the raas model. We have started to see both high profile arrests as well as other types of disruption this year, but clearly, we have a long way to go.
3. More Ransomware
A debate as to whether ransoms should or should not be supported by insurance coverage continues. There continues to be a lot of misunderstanding in the public and private sectors as to how ransomware events are actually resolved and the role of (re)insurance. As an antidote to the way in which ransoms are funded, many different government agencies have been issuing guidance and proposed legislation. Clearly, something must be done to disrupt the ransomware epidemic, but disparate approaches have left us wondering whether this maze of guidance and regulation is the best, most efficient approach to disrupting the raas business.
What I think is a more successful path is one of partnership. We are foolish to believe that there is any single solution coming from the private or public sector. In a recent blogpost, General Paul Nakasone said:
“Cybersecurity is a team sport: the scope and scale of the problem are too large for any single organization to tackle alone. The private and public sectors, including state and local colleagues, must increasingly rely on and complement one another to combat these threats and improve collective defense.”
Many of us followed the activity this year regarding the delegated relationship space, including many rounds of successful financing for InsureTech companies. There is a generally recognized capacity crunch across the insurance and reinsurance industry for affirmative cyber offerings. What will it mean for cyber MGAs and insuretech as we approach 2022? We shall see where this market goes as we approach 1/1/2022 treaty renewals and beyond. Perhaps there will be more insuretech establishing captives.
I maintain that there is an important place for insuretech in the cyber insurance space, but we also need to see the evolution of its value proposition. The market is there knocking at our doors, and I wonder whether carriers are still seeking the access to distribution channels for cyber that they were seeking 12 months ago. At the same time, we have seen carriers invest in developing or adapting the very technological capabilities that insuretech purports set it apart. Personally, I would like to see bigger investments of that VC capital into technology and risk mitigation development rather than the slew of high-profile hires that we have seen in the past six months. On balance, hiring industry experts and placing them in meaningful leadership positions in these companies is mission critical.
Insuretech has an advantage from being smaller, scrappier, and more agile than big insurance and is therefore better positioned to collect and leverage data. But I fear that there may still be misalignment with how big insurance (and its perspective on CAT and capital allocation) ultimately views cyber risk. Here’s to working towards leveraging the capabilities of insuretech over the course of 2022!
5. Contract Terms
Although cyber coverage terms had stabilized a bit from 2017 through 2019, we are at another inflection point. From AIG’s coinsurance wording for ransomware to Chubb’s recent Widespread Event coverage to Lloyd’s recent war exclusion revisions, cyber coverage is certainly evolving. It’s no surprise that we have to adapt as the threat environment changes. I’m excited to see where this goes as many carriers begin to think about how to curtail the impact of ransomware and systemic events on their books. So far, there’s been little progress on conceptualizing what would constitute a systemic and/or catastrophic event on paper, for insurers and reinsurers. The most recent efforts could be a good step in the right direction in terms of clarifying carriers’ intent and being able to provide more capacity (or controlled capacity) for all types of cyber events.
Finally, although ‘silent cyber’ has also taken a back seat to ransomware headlines this year, the industry and the courts continue to address non-affirmative cyber risk on their policies. The Bermuda Monetary Authority also weighed in on this topic this year. We will likely continue to see the involvement of regulators in this space and more progress being made as to understanding and clarifying carriers’ positions on silent cyber, especially as the topic dovetails with the concern in subtopic #1, Systemic Cyber Events.
6. Data Privacy
CCPA and GDPR headlines were upstaged by ransomware this year. Let’s not forget about this, please. Although this area has been quiet, we have seen significant GDPR fines this year, including those against Google, WhatsApp, and Amazon. Fines like these tend to have longer tails than the losses associated with ransomware attacks. Perhaps this is one explanation why there has not been as much focus.
We are continuing to watch more concentrated efforts for federal legislation as to data privacy, while the states continue to advance their own bills (or modify existing laws such as the CCPA). Senator Catherine Cortez Masto (D-NV) reintroduced the Digital Accountability and Transparency to Advance Privacy Act, SB 3065 (‘DATA Privacy Act’). Senators Rubio (R-FL) and Warnock (D-GA) have also announced that they have introduced the Protecting Sensitive Personal Data Act, S 3130. We shall see which bills, if any, gain traction.
Moreover, the evolution of the Illinois Biometric Information Privacy Act (and similar legislation) continues to be a hot topic: how to comply? Under which coverage products is it covered? Is this a state or federal litigated issue—or both? We will continue to see this ironed out in the aftermath of Twin City Fire Ins. Co. v. Vonachen Servs., 20-cv-1150-JES-JEH (C.D. Ill. Oct. 19, 2021), and the (approximately) twenty-seven other states that have BIPA-modeled legislation pending as of June 2021.
7. Cloud Exposure
In March, Allianz and Munich Re announced a unique offering for managing outage exposure for Google Cloud. Cowbell announced a similar offering regarding AWS this year. Subsequently, both Google and AWS had noteworthy outages this year. Is this the potential future of the cyber product? An entirely different product? Certainly something to watch over the next year, especially as cloud dependency has skyrocketed over the course of the COVID-19 pandemic.
8. Colonial Pipeline
I wanted to point to the Colonial Pipeline ransomware event because it brings together so many of the themes we are looking at this year: ransomware, silent cyber, the delicate state of the U.S.’s critical infrastructure, government intervention, cryptocurrency’s role in ransomware, etc. A real-time unfolding is nicely set forth here, but the Monday morning quarterback view is also good. Here, we have the CEO of the pipeline giving a heartfelt explanation of why he thought the ransomware payment had to be made. This is what we need to listen to when we think about how complex a ransomware event is, from an incident response perspective but also from a corporate point of view. We can contain an event with the help of our tech partners, but at the end of the day, there are business decisions to be made. And that is why underwriters continue to underwrite to corporate culture in the cyber space.
This event also demonstrates to the public that the cyber insurance industry can help our insureds, our nation, and our world in times of crisis. A lot of good came out of this attack—further exploration of, and action on, recovering part of that ransom payment; a whole lot of awareness about the pervasive threat of cyber attacks upon our businesses and infrastructure; as well as an Executive Order on National Cybersecurity and new cybersecurity requirements for critical pipeline owners and operators from the Department of Homeland Security.
9. Where are we going with this product?
It is clear that ransomware is an existential threat to many global businesses, including those insurance companies that provide cyber insurance, but is it also an existential threat to the cyber product? An emphatic “no” from me, as we continue to adapt to the marketplace and recover from the deterioration of margin we saw in 2020. Cyber underwriting has become more vigilant than ever, requiring MFA and more penetrating underwriting than in the past, with many carriers requiring validation of self-reported answers through risk assessment tools. We have heard from brokers and risk managers alike that compelling insureds to improve their cyber hygiene and resiliency plans is making these companies more ransomware-ready. This is exactly what we need — a ramp-up of our own defenses and creative solutions for bringing risk mitigation to the insured. Combined with ongoing efforts to address systemic event exposures, this means we are headed in the right direction.
Yet, what will the future bring? We are seeing the prolific adoption of artificial intelligence throughout various industries. Although this is typically seen as a value-add, adoption of AI can also have negative implications for cybersecurity. We also have the threat/opportunity of Q-day, which may prove to be a leap into better cybersecurity for the haves and a detriment to the cybersecurity of the have-nots.
10. Cyber Community
If I may take a moment to be sentimental, I’d like to thank the cyber community for helping each other get through the year. There was no doubt a lot of talent moving around the cyber industry this year. Congratulations to all who achieved better opportunities for themselves and to all who continue to seek better opportunities for themselves. Keep going—YOU are creating the future of this product, and this product is the future of our industry.
Conferences were back in swing for the cyber community, and I was fortunate enough to see friends and colleagues at NetD in Philadelphia and Santa Monica and at PLUS in Dallas. We also saw a lot of effort from the cyber community for virtual engagement. Overall, people are working really hard to get this right and are willing to have many conversations, late night meetings, and scoping calls to protect our insureds and our businesses from cyber threats.
Proud to be a part of this community and thank you for your contributions.
Happy Holidays, all!