Risk mitigation on the agenda as insurers see a spike in cyber claims

In May this year, Colonial Pipeline paid hackers a USD4.4 million ransom to end a cyberattack that halted US fuel supplies from Texas to New Jersey. 

One month later, meat processing company JBS Foods paid USD11 million to a criminal network after a cyberattack froze its global operations.

These are just two high profile examples of the rise in cybercrime since the global pandemic began. How is cyber insurance responding?

GROWTH IN INCIDENTS

This is one of the questions to be addressed in an upcoming ANZIIF webinar, ‘Cyber Capacity and Claims. 

Hosted by cyber experts from Marsh — Nicole Pallavicini, Managing Principal, Cyber, and Fiona Fong, Cyber Incident Management and Claims Lead, Pacific — it will include unique insights into cyber insurance and the challenges and opportunities the Australian market presents.

A recent report by the Australian Institute of Criminology estimates the economic impact of pure cybercrime in Australia at approximately AUD3.5 billion in 2019, with that figure looking set to rise since COVID-19 hit last year.

The Australian Cyber Security Centre received one cybercrime report every eight minutes over the 12 months to 30 June 2021.

‘We have seen is an increase in the severity and frequency of ransomware events, which is really affecting insurers from a global perspective,’ says Pallavicini.

‘The global market has been hit relatively hard from these large ransomware events and, here in Australia, we have had some large-scale incidents as well.’

CONSIDERING PORTFOLIO REMEDIATION

Pallavicini says the growth in cyber incidents has caused insurers to consider remediation of their portfolio.

‘That may include reduction in line sizes, increased retentions, or pressure on premiums.

And, in some instances, it may include coverage restrictions, such as supplements for ransomware or co-insurance for ransomware as well where organisations are not meeting insurers minimum requirements.’

When Pallavicini began her career in insurance in 2011, cyber insurance was barely on the radar.

After completing a Bachelor of Business and Commerce, she joined Aon where she worked primarily with financial institutions and professional services clients.

FOCUS ON CYBER

She moved to Marsh in 2018 to focus on cyber insurance, while maintaining her connection to directors’ and officers’ insurance and professional indemnity insurance for large financial institutions.

‘I was passionate about cyber insurance and what we can do for a lot of our clients who, over the course of the last couple of years, have not necessarily struggled with cyber risk, but have certainly needed assistance from an education perspective,’ she says.

At the time, Australia was a much softer market with a degree of client hesitancy about purchasing cyber cover.

‘Clients didn't quite understand its value and how it could help them, it was still quite in its infancy here in Australia,’ she says.

‘You would hear of large losses from a global perspective, and maybe smaller incidents from an Australian perspective, but there were few-to-no major cyber claims that I had personally experienced back then. That's obviously changed.’

PAIN POINTS

Pallavicini says Marsh has recorded almost a 50 per cent increase in claims in the first half of 2021, compared to the same time period in 2020.

Ransomware attacks have dominated the headlines in recent times, and Pallavicini says systemic risk exposures are beginning to impact insurers.

‘There are a number of cyber risk controls that organisations should have in place, which can result in pain points for the insurance market if they’re not implemented,’ she says.

‘For example, from a global perspective, there are certain insurers unable to provide quotation terms to an organisation that does not have multi-factor authentication rolled out across all remote access vendors, contractors, backups in the Cloud and so forth.

‘There's also an increased focus now on vulnerability and patch management in relation to managed service provider incidents,’ Pallavicini adds, ‘which incorporates the use of correct releases of patches as part of a suite of adequate controls from vulnerability.’

‘Locally, some insurers are now considering ways they can mitigate exposure, whether by applying higher waiting periods or deductibles, where organisations may outsource services to a managed service provider.’

MITIGATING RISK

Pallavicini recommends that brokers take time to educate clients about cyber risk and mitigation, as well as establishing claims protocols.

‘We undertake self-assessments for organisations, to understand what their strengths and weaknesses are from a risk maturity perspective,’ she says.

‘We have created tools to get a more granular level of understanding of risk controls, what the impacts may be from a threat actor perspective, and how to remediate them.’

Marsh conducts ransomware workshops with clients to increase their awareness. It also helps them to map out whether or not to engage with a cyber threat actor, should an incident occur.

‘A lot of the work that we do is around preparedness for a cyber incident,’ says Pallavicini. ‘We also spend a significant amount of time working with the clients from  policy inception, to really prepare them for cyber claims,’

‘We work through claims protocols and do some onboarding work with them to get the right vendors on-boarded for when an event occurs.’

MANAGING CLAIMS

With cyber claims increasing across the Marsh portfolio, attention has turned to smooth claims management processes. Fiona Fong leads the cyber incident response and claims team and works closely with the wider cyber team as soon as an incident arises.

‘When we’re notified of a cyber incident, we set up a briefing call with the client to ascertain what is occurring,’ says Pallavicini.

‘At that point in time, we're also engaged with incident response managers to assist in the triage of the incident, and then bring in relevant third parties to assist from an IT forensics perspective.

‘We also have regular briefing calls with insurers, because it's really important that they come on the journey as well,’ adds Pallavicini.

‘Ransomware, for instance, is a crisis for organisations. It can be quite exhausting, so we do whatever we can to assist them throughout that journey. The incident response panel that's afforded under the insurance policy provides meaningful value to a lot of clients.’

EDUCATION IS KEY

During the ANZIIF webinar, Pallavicini and Fong will provide an overview of the state of the cyber market, how insurers can help client prepare for incidents, and the value of cyber insurance policies.

‘We do a lot of work educating brokers who sit outside of cyber about what the threat landscape looks like, how to talk to clients about it and tips for mitigation,’ says Pallavicini.

‘Given that travel is restricted now, the industry can’t bring in international talent, so we need to build up local talent from a cyber perspective, regardless of whether it’s at Marsh or at one of our competitors.

‘We really want to educate colleagues from our peer organisations about what we're being faced with from a cyber perspective, so that they can educate their clients, because the education is critical.’