
Cyber risks continue to evolve as policyholders seek to minimize exposure

Staying on top of cyber risks can be daunting, as threat actors evolve their methods and cyber insurance coverage becomes increasingly complex. Cyber insurance coverage is an important protection in the event of a security or privacy incident, but it is not the only protection. Policyholders also should protect themselves by monitoring trends in cyber risks, legal developments in cyber insurance coverage and potential cyber-related issues under other types of insurance coverage.

Cyber risk trends

Ransomware

Ransomware attacks are still considered the top threat to companies. According to the U.S. Treasury Department, banks and financial institutions flagged more than $1 billion in ransomware-related transactions in 2021, and that number likely will increase. The increase in ransomware attacks has resulted in increased premiums, more stringent underwriting practices and reduced capacity for some industries.

Business email compromise

Business email compromise (BEC) is a growing problem whereby threat actors target organizations by hacking company emails and making what appears to be a legitimate request for funds or information. The FBI issued a congressional report on BEC in 2022, noting that “BEC schemes often involve the spoofing of legitimate, known email addresses or the use of a nearly identical address” in order to transmit “false wire instructions from a criminal attempting to redirect legitimate payments to a bank account controlled by fraudsters.” These scams are evolving to include spoofed emails, purportedly from company CEOs, vendors, and attorneys, that request W-2 and other personal employee information or try to divert payroll funds. In 2021, losses associated with BEC-related complaints in the United States exceeded $2.4 billion, up from only $360 million in 2016. That number is likely to keep growing.

Phishing attacks

A recent report by insurance broker Marsh confirms that phishing and social engineering attacks are among the most common cyberattacks experienced by organizations. These attacks induce people to unintentionally reveal confidential information or allow threat actors to bypass network security. Although ransomware often tops the list of organizational concerns given the potential for huge losses, phishing attacks are becoming more frequent, more creative and more elaborate, and are often a precursor of a ransomware or other attack.

Cyber insurance goes mainstream

Ten years ago, cyber insurance was a niche market, with relatively few carriers offering it, and few companies using it. Now, most businesses carry cyber insurance. A recent report issued by insurance broker Marsh, in connection with Microsoft, shows a 14 percentage-point increase in organizations carrying cyber insurance—from 47% to 61%—since 2019. As cyber risks move to the forefront and cyber insurance increasingly becomes a standard part of businesses’ risk management portfolio, this percentage likely will increase in the coming years.

Continued premium increases

Prices for cyber insurance coverage increased rapidly in 2019, and while premiums have stabilized some since 2021, they remain high. As a result of the frequency and severity of ransomware and other attacks and continued economic volatility, many insureds are seeing cyber-risk policy costs continue to rise.

More entering the market

A midyear report by insurance broker Aon states that new carriers are entering the market, thereby creating more cyber insurance coverage choices. New insurers entering the market may help to stabilize premiums and provide options for increased program limits for large companies.

Artificial intelligence

As companies work to ensure that their cybersecurity programs keep up with ever-changing risks, the use of artificial intelligence (AI) in cybersecurity is increasing. AI and machine learning tools for cybersecurity can help to identify and analyze millions of different events and pinpoint specific threats that might affect a given business. Over time, machine learning allows AI-based tools to flag risky behavior, identify new risks and attacks, and respond when cyber events deviate from specified protocols. A new report from Capgemini Research Institute suggests that use of AI is expected to increase in the coming years, especially in response to AI-powered cyberattacks. As machine learning becomes commonplace, and hackers use AI to expand their reach, use of AI to shore up cybersecurity is likely to increase as well.

Legal developments

Cyber coverage under other forms of insurance

Recent court opinions confirm that more traditional forms of insurance may cover certain losses arising from cyberattacks.

For instance, in 2022, a federal court in Minnesota ruled that Target Corp. was entitled to coverage under general liability policies for certain losses associated with a well-publicized 2013 data breach. Target sought coverage for the costs incurred in settling thousands of claims for replacement of payment cards after card data was compromised. Target Corp. v. ACE American Insurance Co. (D. Minn. Mar. 22, 2022). Target’s insurer, ACE, argued that those costs were not covered because they were not “damages because of loss of use of tangible property” as required by the policies. The court held that the costs of replacing the payment cards were “damages because of loss of use” because the payment cards had to be cancelled following the data breach and were therefore inoperable.

However, on December 27, 2022, the Ohio Supreme Court reversed its appellate court and held that an insured was not entitled to coverage under a businessowners insurance policy for losses resulting from a ransomware attack. EMOI Servs., L.L.C. v. Owners Insurance Co. (Ohio 2022). The insured suffered a ransomware attack that encrypted its system and rendered its files unavailable. The insured paid the ransom requested, upgraded its software system and tendered a claim to its business owners insurer under a policy that provided coverage for “direct physical loss of or damage to ‘media’ which you own,” including “costs to research, replace or restore information on ‘media’ which has incurred direct physical loss or damage.” The court concluded the insured was not entitled to coverage because “software is an intangible item that cannot experience direct physical loss or direct physical damage.”

The EMOI ruling stands in contrast to a 2020 Maryland federal court ruling that held the opposite. National Ink & Stitch, LLC v. State Auto Prop., & Cas. Insurance Co. (D. Md. 2020). The court in National Ink concluded that the insured screen printing business suffered a “direct physical loss of or damage to” its computer system when a ransomware attack prevented the insured from accessing art files, data, and software on its server. The policy provided coverage for “electronic media and records,” defined to include “storage media” and “data stored on such media.” The court concluded that the inability to access data and software constituted a “direct physical loss.” The opposing conclusions reached by the EMOI and National Ink courts demonstrate the complexity of determining coverage for cyber events, and show how differences in policy language and applicable law can affect the availability of coverage.

Coverage for “catfishing”

In November 2022, a federal court in Minnesota ruled that technology consulting company Fishbowl was entitled to coverage for losses that occurred after a bad actor infiltrated a senior staff accountant’s email and, posing as the accountant, provided fraudulent account information to a Fishbowl client seeking to pay invoices. Fishbowl sought coverage under a cyber-business interruption and extra expense coverage form in its technology professional liability policy for the BEC-related loss. Fishbowl’s insurer, Hanover, argued that coverage was not available because the loss did not arise out of Fishbowl’s “business operations” and the loss sought recovery of money “already earned” rather than money that “would have been earned.” The court disagreed, holding that Fishbowl was entitled to coverage for the “catfishing” hack for loss of business income. Fishbowl Solutions, Inc. v. Hanover Insurance Co. (D. Minn. Nov. 3, 2022).

Cyber risks affecting other insurance sectors

Cyber risks for directors and officers

In March 2022, the SEC issued its proposed new cybersecurity rules for public issuers, which, if adopted, would require companies to disclose in their public filings information concerning their cybersecurity measures and expertise. The proposed rules could increase exposure under D&O policies for suits alleging violations of securities laws and breaches of fiduciary duty due to alleged cybersecurity oversight failures. Policyholders should be aware that the risks associated with maintaining a cybersecurity program and engaging in oversight of cybersecurity and cyber risks not only arise in the context of cyber insurance itself, but can also increase potential exposure under other insurance coverage.

Cyber risks for plan administrators

A federal court in New York ruled that an ERISA suit brought by a former employee seeking to recoup funds from her retirement account that were stolen after a 2020 cybersecurity incident could move forward against the employer and the plan administrator. The court denied the company’s and the plan administrator’s motions to dismiss. This case demonstrates how risks associated with cybersecurity can create unexpected risk exposures in other business areas. Disberry v. Employee Relations Comm. of the Colgate-Palmolive Co. (S.D.N.Y. Dec. 19, 2022). Companies should review their employee benefit plan fiduciary liability insurance to determine whether it may respond to potential liability arising from cyber risks.

As cyber risks continue to evolve, businesses seeking to mitigate risks should consider the above cyber risk trends when considering insurance coverage for 2023.
