Have you heard the term "COVID year"? It's the perception that one year lived during the COVID-19 pandemic feels like three years of life under more normal circumstances. The inconveniences introduced into our daily routines, the sense of loss, worries about exposure, over-consumption of news on the topic and general mental fatigue all lead to the feeling that we have lived through six years in the last two.

That's kind of what the last quarter felt like in the cyber insurance marketplace.

This market remains in a state of perpetual motion. You know things are chaotic when we can condense what would previously have been nearly a year of developments into a quarterly update. But such is the state of play in January of 2022.

Because so much transpired in the last three months, it's helpful to break down this update into four sections: Risk Environment, Carrier Developments, Regulatory Landscape and WIIFMC ("What's In it for My Clients").

Risk Environment

Q4 of 2021 showed no signs of slowdown in data breach, system failure or ransomware events. On the heels of the year's earlier widely reported events affecting the fuel supply along the East Coast, a major IT management software provider and a global IT consulting firm, Halloween was preceded by news of the nation's largest candy corn manufacturer suffering a ransomware attack. Cyber incidents were relatively indiscriminate across industries, stretching from media conglomerates to utility suppliers; even a workforce management provider reported that the attack it suffered had widespread implications for its customers' ability to receive their paychecks on time.

There aren't many things that will get people's attention more than messing with their favorite Halloween candy in October or their paycheck in, well, ever. Q4 2021 managed to accomplish both.

Reports in early December of outages at a major web services provider had a cascading effect on prominent websites across the world. And 2021's parting gift, the techy term nobody outside of IT circles knew before but everyone has been talking about since, Log4J [1], sent reverberations through the cyber underwriting community with even more ferocity than the named aggregate risk concerns that preceded this exploit. We have seen everything from ambivalence to knee-jerk, draconian reactions in the underwriting community specific to Log4J. These are discussed further in "Carrier Developments" below.

The good news is that we are witnessing great work from certain insurers in creating and deploying tools to effectively assess the true risk of this exploit and make meaningful real-time decisions to help their clients minimize risk. Insurtechs in particular seem to shine here. We see this as another example of how the insurance community is playing a pivotal role in cyber risk management, in stark contrast to allegations that the industry is contributing to the enablement of the ransomware epidemic.

The fourth quarter brought the proliferation of the COVID-19 Omicron variant, and with it the pause button on the rush to get America's workers back into the office on a more regular basis. Remote working has been directly tied to significant increases in ransomware attacks, as cited by the Ransomware Task Force [2].

The theme here is that the cybercrime community is alive and well, organizations of all shapes and sizes are vulnerable, and yes, these attacks will continue to bring new ways of disrupting our everyday lives the more reliant we become on 24x7 access to information, currency, goods and services. The most ubiquitous elements of our society (energy, water, healthcare, education, manufacturing, commerce and government) are all in the crosshairs.

Ransomware attacks, Ransomware as a Service (RaaS), double extortion (a demand for payment to restore access to encrypted data, combined with the threat to release confidential information and/or to launch a Distributed Denial of Service (DDoS) attack), triple extortion (double extortion plus the threat of attacks against the victim's customers), Business Email Compromise and Social Engineering remain the most common claims we see, in addition to the hacking and malware attacks that lead to general data breaches.

How do we see this ever-expanding risk environment affecting the cyber insurance market? Below, we will view this through the lens of developments we are seeing among our insurance carrier partners, as well as what we feel is in store for insureds looking to obtain coverage in the New Year.

Carrier Developments

Remember, in the grand scheme of insurance coverages, cyber is still relatively young and is being forced to mature at warp speed. As a result, we continue to see significant developments in how policies are underwritten, structured and priced.

For instance, in response to concerns about systemic or aggregate risk events – situations where the likelihood of a single security event simultaneously affecting large numbers of cyber insurance policyholders is high – carriers are asking more questions about vendor management, single-source suppliers, business continuity planning and reliance on cloud-based applications and infrastructure.

The fourth quarter of 2021 saw significant capacity restrictions in the London market. The combination of increased demand for coverage and significantly higher premiums caused some to literally run out of product to sell.

The "good ol' days" of 2018-2019 brought great expansions in the cyber insurance market for business interruption coverage triggers that extended to IT vendors, and even non-IT suppliers. Now, we are seeing a retraction in this area. Underwriters are more concerned about exposure to networks and systems whose controls they cannot underwrite. The fear of paying large numbers of claims across an entire book that stem from a common event is the "hurricane" that the industry needs to avoid. Highly publicized attacks against the nation's supply chain in 2021 fueled this increased concern about systemic risk. As a result, the once-generous coverage grants in this B.I. area are being excluded completely by some carriers, or, at a minimum, significantly sub-limited by others.

While some reports indicate that the frequency and severity of ransomware claims continued to decrease in Q4, the fact remains that we continue to see a lot of expensive claims activity in this space among our network of carrier partners. In response, we continue to see the following measures taken as a means of solidifying loss ratios for stand-alone cyber insurance:

  • Significantly higher premiums: 30%-150% increases. Previously, we have reported 400% or more for some sectors. Today, we're hesitant to put a ceiling on that percentage increase as it greatly depends on the industry, loss history and information security controls of the particular insured. There are talks of a leveling out as early as the second half of the year, but as with anything in cyber, future events (both technological and political) will play a role.
  • Large increases in retentions/deductibles: On middle-market and risk management business, in certain industry sectors, a 10x increase here is not unheard of. For SME business, this has not been as much of a factor; Social Engineering coverage being a potential exception.
  • Co-insurance ranging from 10-50%: Both ransomware event-specific and across the board.
  • Introduction of event or exploit-specific exclusions: Log4J is one example. Admitted carriers are introducing what we refer to as "Insert name of exploit here" exclusions to enable them to remain nimble within the confines of an admitted filing.
  • Hard-line requirements that insureds have Multi-Factor Authentication in force for remote access to systems, applications, email, etc. This is not new and underwriters expect insureds to have implemented these measures before applying for coverage.
  • Increased use of outward-facing network infrastructure scans and requirements that insureds demonstrate proper configuration of Remote Desktop Protocol (RDP) and secure email gateways.
  • Sudden pauses on all new business writing from some carriers in response to exploit-specific developments like Log4J.
  • An exit from the market by some carriers for writing new cyber excess coverage.
  • An exit from the cyber market entirely by more than one carrier. As it turns out, writing full policy limits on high risk classes of business, while asking no questions, and charging 1/3 of the market didn't end up working out so well.
  • A complete exit from new business and non-renewals on lower-performing industry classes such as public entity/government, utilities, education, manufacturing and construction.
  • Continued de-risking by carriers to reduce exposure to large-scale events. $10M limits have become much more difficult to obtain.
  • A shift from admitted to non-admitted policy forms, affording carriers the nimbleness they need to quickly implement significant premium increases or changes in terms and conditions.

It is important to recognize certain industry-specific underwriting developments, as we prepare for renewals in 2022.

  • Large public entity risks (cities, counties > $100M in annual operating budgets) will not get the higher limits they might have enjoyed on their last renewal. They will pay significantly higher premiums for half of their previous limits, much higher retentions and more restrictive coverage grants – and this is for best-in-class risks. Others will find getting coverage very difficult, many impossible. RPS is actively working with vendors in the IT community and carriers to create pathways to insurability for those who find themselves unable to procure coverage.
  • Pooled cyber risks with a shared aggregate limit are becoming increasingly difficult to renew, much less create.
  • The manufacturing, construction and wholesale distribution sectors have been particularly affected by ransomware losses and the associated business interruption costs they create. Some cyber markets are moving away from this class altogether.

Regulatory Landscape

In September 2021, the Treasury Department's Office of Foreign Assets Control (OFAC) released an Updated Advisory [3] regarding sanctions risks associated with "ransomware payments related to malicious cyber-enabled activities." This Updated Advisory went beyond the advisory released a year prior [4] by targeting not only organizations that have fallen victim to ransomware attacks, but also the links in the chain who facilitate payments to bad actors, including insurance companies, financial institutions and IT forensics and incident-response firms. As a result, greater scrutiny is occurring at every level of the ransomware claims process to ensure that all parties are in compliance with federal law.

In October, United States Senator Elizabeth Warren (D-Mass.) and Representative Deborah Ross (D-N.C.) introduced a bill to require disclosure of ransomware payments within 48 hours. Additionally, the bill requires the Department of Homeland Security to make public the information disclosed during the previous year (anonymizing the named entities that paid the ransoms), establishes a website through which individuals can voluntarily report payment of ransoms, and directs the Secretary of DHS to conduct a study on the "commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity." The bill is one of several under consideration in Congress that would require federal contractors, critical infrastructure owners and others to report security breaches more promptly.

In December, the New York Department of Financial Services (NYDFS) released a Guidance on Multi-Factor Authentication. In the Guidance [5], they state: "Lack of effective MFA has been the most frequently exploited cybersecurity gap in the Cybersecurity Events reported to the Department. Approximately 64% of Covered Entities that reported Cybersecurity Events from January 2020 to July 2021 had some gap in their MFA. In some cases MFA was completely absent; in others it was not enabled, misconfigured, only partially implemented, or pending implementation." This development further supports the trend among insurance carriers of requiring MFA for remote access to systems, as it is among the most significant preventative measures an organization can implement to help avoid ransomware attacks.

In the coming months, we expect to see more states move to enact legislation designed to prevent security breaches, impose notification requirements and even place restrictions on the payment of ransoms by state and local governments. Pennsylvania was recently among the first to address this, in legislation passed January 19, 2022 [6].

WIIFMC (What's In It for My Clients?)

With so much change, so fast, what does this mean for insureds seeking cyber insurance coverage? We feel it is very important to consider the following as you prepare for a continually evolving cyber market in 2022:

  • Start your renewal discussions early. This can be in direct conflict with the timelines insurers are setting for the release of cyber insurance quotes. Many have gone from offering bindable terms 60 days out to 30 days before renewal. In the absence of a carrier's "new" application or supplemental, review last year's primary and supplemental application. Where you see deficiencies, assume that underwriters will want to see improvements, and communicate these deficiencies to insureds. If you aren't sure what is considered a "deficiency," be sure to partner with a broker who can help you navigate those conversations.
  • Prepare your insureds for what will likely be significant premium increases, sublimits, higher retentions and new exclusions. That said, policy count retentions remain strong as insureds understand the value compared to the cost of self-insuring a data breach or ransomware event.
  • Be sure that your insureds take the cyber insurance application process seriously. The old days of completing an application by committee, with no oversight by IT, are gone. If your insured has invested significantly in information security during the past year, make sure that investment is highlighted.
  • Procuring cyber insurance for your clients has become a sales process in 2022. Underwriters are overwhelmed. Low supply of and high demand for expert cyber underwriters, combined with the reality that everything that was once an automatic renewal is being marketed in 2022, is creating a pipeline that many markets are finding very difficult to manage. This means that for some markets, only the best submissions even get reviewed. Reviewing the application with your insured before submitting it to the market can make the difference between getting coverage and not getting it. Again, if you're unsure, partner with an expert broker in this space.
  • As in any insurance document, check the fine print before releasing renewal proposals to your insureds. Important items such as Business Interruption waiting periods, items that have perhaps remained static for years, are starting to change. We are seeing some increase from 8 to 24 hours. This becomes a big deal in the wake of a ransomware attack that leads to business interruption loss.
  • Be on the lookout for new exclusionary wording surrounding zero day attacks, unsupported "end of life" software and the wrongful collection of data. These exclusions have been around for a long time in limited instances. They are beginning to take on new life in light of recent systemic events involving widespread software vulnerabilities.
  • Sublimits for ransomware-related events can often apply to more than just the ransom payment or the Cyber Extortion insuring agreement. Increasingly, we are seeing sublimits of this nature apply to all coverage grants, if the nexus of the loss is from a ransomware event. Familiarize yourself with the nuances of how carriers may be applying these sublimits and exclusions on your renewals.

Understanding that cyber resilience is a constantly evolving process, and the goal posts are constantly moving, we can offer some guidance on some of the baseline standards cyber insurance markets are looking for in 2022. This is by no means an exhaustive list, nor does it constitute IT advice, but having a basic understanding of these items will go a long way towards satisfying underwriting requirements in today's market.

Baseline Requirements of Cyber Insurers in 2022:

  1. Secure remote network access via Multi-Factor Authentication (MFA) for all remote access:
    • Remote access to your network, applications, systems by employees, contractors and network service providers
    • Remote access to your data on cloud hosted systems (i.e., SaaS, backups, etc.)
    • Remote access to your email, O365, Google, etc.
    • To access your VPN
    • On-premises access for privileged users
  2. Backup & Recovery Assessment
    • "Air-gapped" backups – taking into account cadence, segregation, testing and redundancy.
  3. Regularly conduct employee infosec training, including quarterly phishing simulations
  4. Endpoint protection (EDR – Endpoint Detection & Response)
  5. Incident response plans that include ransomware readiness. Underwriters will want to know the plans have been tested as well.
  6. Implement timely, consistent patch management protocols
  7. Secure Email configurations – DMARC, SPF, DKIM
  8. Filter in-bound web traffic
  9. Implement Least-Privilege Administrative Models
  10. Internal & external vulnerability scanning and Secure Remote Desktop Configurations
  11. Segregate end-of-life, unsupported software from primary network
  12. Require call-back verification for authorization of wire payments and any requested changes in routing information by third parties. Call the previously known number on file, not a number provided via email request.

As we continue this ride into 2022, RPS is in a unique position to help our retail brokers navigate this changing marketplace. With exclusive access to carrier forms, proprietary coverage analysis capabilities, claims advocacy, and a team of more than 100 members to help market and place cyber coverage on an open brokerage basis, we are ready to help our retail agents come through for their clients. In the fourth quarter, we were pleased to begin work with a long-standing partner in a new way, with the addition of an admitted cyber product (CFC) to our industry-leading rate/bind/issue ecommerce platform at RPSSmallBusiness.com. We recognize the challenges in the current environment but embrace them as opportunities to show our agents what RPS is all about: your partner in what's possible.

Contributor Information

[1] Lily Hay Newman, "The Log4J Vulnerability Will Haunt the Internet for Years," Wired Magazine, December 13, 2021.

[2] Institute for Security and Technology, "Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force."

[3] United States Department of the Treasury, "Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," September 21, 2021 (ofac_ransomware_advisory.pdf, treasury.gov).

[4] United States Department of the Treasury, "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," October 1, 2020 (ofac_ransomware_advisory_10012020_1.pdf, treasury.gov).

[5] New York Department of Financial Services, "Industry Letter - December 7, 2021: Guidance on Multi-Factor Authentication," December 7, 2021 (dfs.ny.gov).

[6] "Pennsylvania Senate Passes Ransomware, Data Breach Bills," Insurance Journal (insurancejournal.com), January 21, 2022.