
‘Significant change’ ahead for how industry handles cyber risk

This story first appeared in Advisen’s Cyber Front Page News.

By Erin Ayers, Advisen

Cyber insurance underwriters are still figuring out how best to underwrite the constantly changing risk, with insurers basically starting over while the industry contemplates sharing claims data to identify best practices, according to a panel of experts speaking at Reuters’ Future of Insurance USA event this week.

Ransomware and risk aggregation will prompt a “very significant change in the way the insurance industry handles cyber exposure,” predicted Brad Gow, global cyber product leader for Sompo International. He said insurers are returning to “square one” on risk controls, and the industry could add value by “settling on some established standards around insurability.”

“I can’t tell you where it’s going to end up,” Gow said of the cyber insurance industry, “but it’s not going to look like it has for the past five or 10 years.”

Meredith Schnur, U.S. and Canada cyber brokerage leader for Marsh, said she had been resisting the term “hard market,” but acknowledges the industry is there now.

“A hard market is when you cannot procure insurance. In certain industry classes and certain areas, we are there, whether it’s filling limits in a tower or just a one-layer limit program because they don’t have even the basic controls in place as of today and the underwriting community just doesn’t have the appetite to take on that risk,” she said.

Businesses want to implement the right security controls, but to do that, they need to know what works, Schnur added. Insurers should be sharing claims data to help identify the best options for success, she said.

“Cyber hygiene is the most important thing for these organizations and without this data to truly understand that ‘X’ control would alleviate or minimize cyber risk, we just can’t get to the next step,” Schnur said. “Once they’ve dealt with and gone through an event, they never want to go through it again. Unfortunately, it’s like being baptized by fire.”

The threat of ransomware became even more worrisome when cybercriminals’ business models shifted to data extortion. An October 2020 bulletin from the U.S. Treasury’s Office of Foreign Assets Control (OFAC) added a layer of complexity to ransomware events, with officials warning against paying sanctioned foreign threat actors. The insurance industry has spent significant time trying to understand the full scope of the guidance.

“We’ve repeatedly tried to get clarifications, but it’s a strict liability environment,” said Gow. Even organizations with “the best intentions” might face penalties under the OFAC guidance, but the FBI has “gone out of their way to treat ransomware victims like victims” rather than punishing entities that have paid ransoms.

The FBI officially discourages paying ransom, but has shown plenty of leeway and understanding amid the rash of ransomware since October 2020, according to Allyn Lynd, managing principal at Lodestone Security. The FBI possibly couldn’t enforce a ban on ransomware absent a change in federal laws.

“I’m not aware of anyone to date who has been penalized under the OFAC rules,” he said. “However, a lot of what they rely on to make that determination is whether the company really has a choice, how bad the situation is, and whether they’re cooperating with law enforcement.”

Lynd added, “[Attackers are] not going to come back and victimize an organization a second time. It’d be like going after somebody after their house was robbed and fining them for not having proper security on their doors.”

It’s still “open season” on paying ransom, though, Lynd said, with many businesses feeling reluctant to pay, but having no other option.

“That’s going to be a business decision they have to make,” he said.

Early in the ransomware epidemic, insurers saw companies knocked entirely offline by attacks, “absolutely panicked because they were literally dead in the water,” according to Gow, but operational resilience is improving.

“There are more companies fighting back, but it ultimately depends on how badly they’re compromised,” said Gow. Attackers don’t appear to be relenting anytime soon, having found a successful business model.

“They’re often described as criminal gangs, which gives the impression that if they weren’t perpetrating ransomware attacks, they’d be stealing hubcaps and breaking legs,” said Gow. “But that’s really not the case. What we’re seeing from an adversarial perspective is, we are fighting data scientists. These are very smart people who are interested in monetizing their access to networks.”

He added, “It’s like the Terminator. They’re just going to keep coming after you.”

Minimizing damage of attacks comes down to detecting attacks quickly and booting the bad guys out as soon as possible, according to Lynd.

“They’re going to get in. It’s a matter of keeping the dwell time as small as possible, the destruction they wreak as small as possible,” he said.

Organizations are “truly serious” about preventing ransomware and knowing how to respond if an attack does occur, Schnur said. The major disruption in the insurance market is reflective of insurers, brokers, and organizations all working together to figure out how to secure systems and underwrite effectively to keep the market sustainable.

“I think we’re gaining momentum and doing a lot better,” she said. “I think we’ll get there if we keep on the tracks we’re on right now.”

Editor Erin Ayers can be reached at [email protected]