Specialty Podcast: Ransomware, Ransomware, Ransomware!

Intro (00:00):
Welcome to the Alliant Specialty Podcast, a show dedicated to risk management and professional solutions. Here is your host, Brian Dunphy.

Brian Dunphy (00:13):
Hi, everyone. And welcome back to another edition of the Alliant Specialty Podcast. This is Brian Dunphy, the national leader of our management professional solutions group. I'm pleased to be joined today by two experts in what is a very topical and current field for everyone in cyber liability insurance - that's Bobby Horn and David Finz. Bobby is our national co-product leader for cyber liability and David is our in-house cyber claims expert. Guys, thanks for joining me. So, Bobby, let's talk first. Obviously, ransomware, ransomware, ransomware and more ransomware. We seem to be getting bludgeoned over the head on a daily, if not near hourly basis with events happening across the spectrum of businesses around the world. We've seen CNA, a leading insurer suffer an incident. We've seen the solar winds back in the middle of the winter. Talk about some of the stuff that we're seeing and, and some of the other topical issues that are going on right now, out there.

Bobby Horn (01:25):
Yeah. Brian, you hit it on the head. I think ransomware is certainly the topic of the day, you know, with the way these bad actors are getting into networks and demanding high ransom amounts, it's really hard for carriers to keep up with the demand. I mean, so, you know, where historically we saw, you know, low five or six figure ransom demands, we are routinely seeing seven, and in some cases, eight figure demands, whether it was CNA a few weeks ago, as you mentioned, you know, the solar winds attack, you know, I think there was something like 18,000 different companies that were impacted by that breach, and more recently with Colonial, right? We're seeing it hit every industry class, you know, historically it was manufacturing, and healthcare were the traditional targets of these bad actors. But, you know, we're seeing it really hit almost every industry class. So, while manufacturing still leads the way as far as targets, you know, healthcare is always there. Professional services firms are seeing more and more attacks, and now we're seeing it bleed into municipalities and, and public utilities.

Brian Dunphy (02:27):
I think, the pipeline attack was certainly one that brought some heightened awareness to the issue that maybe hadn't been there previously from certain sectors, because of the catastrophic effect that something like that could have downstream to just the broader economy and David, as we sit here in the wake of that as, as that issue is being remediated, as the pipeline has come back online now. Thankfully for, every one of those of us here, especially located on the east coast. Talk a little bit, if you can, about how that claim would've played out, obviously, we're not involved in it, but from your perspective, what would you want to have seen done there?

David Finz (03:09):
Okay. So, the cyber extortion ensuring agreement within a cyber policy is designed to respond to this sort of event. And what that coverage includes is the cost of hiring a threat consultant to assess the situation, try to identify the M.O. of the threat actor, determine whether they actually have the means to carry out their threat. Is it credible? What is known about the method of attack? What data did they actually manage to get access to? What operational systems did they compromise? Is there a decryption key available? Does law enforcement have a way for a business to deal with a response to this incident without having to pay the ransom? And then once all of this has been assessed as a last resort to negotiate a ransom payment with the threat actor and to try to get that figure down as low as possible, and then to make arrangements for payment, typically via cryptocurrency through something called a Bitcoin wallet to protect the business' financial assets from being exposed any further. So, that's how the cyber policy responds to the threat itself. But again, the damage that is caused by a ransomware attack could ripple through other components of a cyber policy if data is compromised. That becomes a breach response issue. If there is an outage to the company's network that becomes a business interruption issue. If data has been corrupted, that's a data restoration issue. So, potentially a ransomware event could ripple through an entire policy.

Brian Dunphy (05:00):
And I think the other aspect too, correct me if I'm wrong, is that the reality is that for an event like the pipeline incident and even for other less consequential businesses, carriers may not even know the true breadth of what they will have to pay out through ultimately, those immediately impacted businesses, counterparties in contracts, through contingent business interruption losses. There are so many different ways the carrier side of the equation can be forced to pay out large sums of losses. It's not just a direct ransomware payment, correct?

David Finz (05:42):
That's right. I mean, part of what we learned from solar winds is the systemic risk associated with having, you know, a relatively small or finite number of IT vendors responsible for so many different business organizations, operations. And as a result of that, sort of the contingent loss that arises when one company's network is breached and how that affects supply chain, how that affects vendor management. And that's why there's a lot of attention to those issues right now for our clients, in terms of the underwriting process, to be able to show what safeguards they have in place and how they vet their vendors, their service providers that help keep their operations running.

Brian Dunphy (06:31):
Yeah. And so, all this Bobby right, has brought on a new heightened level of scrutiny through the underwriting process on every risk that we bring to market and that insurers see broadly from all brokers. What are some of the key areas that underwriters are really focused in on, to David's point, about really analyzing the risk further and, and, and making sure that everyone is putting forth the best posture they can to provide ample defense against intrusions?

Bobby Horn (07:06):
Yeah, I think it varies with each carrier, but they are certainly all collectively, I think focusing on several different controls that, that they see as being kind of the gateway for these bad actors to get into networks. So, I think, you know, primarily multifactor authentication, right? That's that is the, you know, the baseline of which you need to have in place to get a policy, or at least a policy with, with good terms and conditions. So, by multifactor authentication, referring to the idea of, logging into your network, either through, you know, VPN or some sort of, you know, remote desktop protocol, where you have a password, and then separately through either a text or a phone call, you get a login code that you then get into your network. So, we're seeing carriers require MFA at a minimum, and beyond that, where it was originally just MFA to get into the network they are now asking for even a second step of MFA for privileged access.

So, the concern there is if somebody were to get into the network through the basic MFA, just into, the email, once they're in the network, they've got free reign over all the different applications available. So, underwriters are really focusing on, okay, now you have MFA for your email. Do you have it for all of your critical applications? It's a second step that they are saying, well, that's what we're going to require. And you know, they continue to move the goal post, so to speak on us from an underwriting perspective where, you know, in January and February, it was these requirements. And then as they've dug more into their claims and where they're seeing claims, they're expanding those questions even more certainly patch management. How often are you patching your networks? There are obviously updates that the software companies put out on a weekly or monthly basis.

How often are you updating your systems? Are you backing up your data? Are you backing it up offline? Is it separate from your basic servers? Is that information encrypted? And that all goes to the idea of, if you are locked out, are you able to get back online more quickly than if you don't have backups? And that's really where, you know, David mentioned the business interrupt piece and, um, not being able to get back, you're almost forced to pay that ransomware demand, because you have no other options. So, you know, certainly, MFA, patching processes and backup procedures are really critical. As far as what the underwriter is looking for when they look at risk. You know, again, it varies with each carrier and certain carriers are taking different taxes, how they want to approach it. You know, we're seeing co-insurance provisions being put on policies and whether it has to do with, you know, business interruption co-insurance, or if it's, you know, co-insurance with respect to any ransomware loss, you know, again, it's going to vary by the carrier, but they're all kind of doing their own thing with what they see and the best way to mitigate their losses they are seeing a weekly basis it seems.

David Finz (09:54):
Right. If I could just add to that, while the underwriters are definitely imposing more stringent requirements, in light of some of the recent ransomware attacks, many of the insurers are also offering, discounts or credits toward pre-incident security assessments and other types of services, that enable policy holders to get a sense of where they do have good controls in place and where there's room for improvement. And not only does that actually help safeguard them against an attack, but it enables them to present themselves as a stronger risk to the underwriters. And so, you know, policyholders should definitely contact their broker to find out about how to avail themselves of those services that are, as I said, often provided through the insurers with trusted vendors where the underwriters feel comfortable helping to defray some of the cost.

Brian Dunphy (10:50):
That's a great point, David, thank you, Bobby pivoting back to the market, obviously carriers have to respond to this in some way, like you mentioned, by adding certain tighter restrictions to terms and conditions up to and including co-insurance. What about capacity deployment in the market broadly and, and pricing and just upfront retention on a loss? What are we seeing carriers do there?

Bobby Horn (11:15):
Yeah, again, it varies by carrier how they're looking at it, you know from a retention and premium standpoint, but I mean, certainly, we are seeing rate increases across the board. Even counts with zero claims we are seeing at a minimum 25 to 30% increases just off the bat, along with that is increases in retentions. And then also on the business interruption piece, an increase in the waiting hour. So, you know, where you may have historically had an eight-hour waiting period for business interruption loss, we're seeing 12 hours, 18 hours. And then in some cases on the contingent business interruption, 24 hours before the policy will respond. So, you know, and that as far as the rate increases, that's, you know, the 20, 30% is certainly on the light side, we've had accounts in the healthcare space with upwards of 300% increases.

And that's a function of the claim’s activity in that space specifically. And also, it goes into the controls you have, right? The better controls you have, the less of an increase you're going to see, you're certainly going to see an increase, but a lot will depend on how, how buttoned up you are and what your cyber hygiene is. And so, you know, as David mentioned, working with those carriers that are being a little more creative in their underwriting and, and maybe providing some services to the clients, they can implement some of these things, whether before binding or maybe midterm, we can negotiate some of those you more restrictive coverage items off the policy. You know, certainly, I don't think any, any carrier has not taken some sort of position from an increased rate perspective or larger retentions to, to get their books back in line.

Brian Dunphy (12:47):
Thanks, Bobby. So, David, just some closing thoughts, where do you think things are headed from an insured perspective, claim perspective, broader market perspective over the next three to six months from now?

David Finz (13:03):
Well, I think the underwriters are definitely getting more sophisticated and drilling down into the security controls of their policyholders. And this is really where the role of the broker comes in. I think what we're going to see in the months to come is more differentiation of risk. So those organizations that are able to show their work and demonstrate that they have implemented some of the controls that Bobby had spoken about are going to be able to enjoy more favorable coverage terms. And that those that have not are going to see the greatest increases in terms of pricing and also perhaps even in the form of declinations of coverage, either in its entirety or around cyber extortion. So, this is where it's really critical that insurers collaborate with their broker partners to help identify areas where there's room for improvement and where they can demonstrate that they have good controls in place.

Brian Dunphy (14:03):
Yeah. I agree with that a hundred percent and Bobby, I'd ask you the same from an insurer perspective. Obviously, we don't have a crystal ball can't predict what's going to happen really in any real way, given the fact that this market changes nearly daily, there's always something new, a bigger ransomware event is coming down the pipe. We probably just haven't heard about it yet. No pun intended. But what do you think’s going to be looming for us in the brokerage community and for our clients?

Bobby Horn (14:39):
Yeah, I think we have at least 12 months of this hardening market. I don't see that changing anytime soon, especially with the amount of taxes we are seeing on a weekly basis until the carriers are able to make it clear to their insureds, what needs to be in place in order to have a policy a good policy with good terms and conditions it's going to respond appropriately. It's going to take, you know, the, the work of the carriers, the brokers, the insureds are working together to make sure that, you know, as David mentioned, they're, doing what needs to be done to, you know, beyond even insurance, right. Just being, making themselves a better cyber risk. You know, I just think the way this product was historically priced was just unsustainable. You had million-dollar policies for fifteen hundred dollars and five-million-dollar policies going for fifteen thousand dollars and in the long run that just was not sustainable.

And so now that these are coming home to roost, we're seeing that you know, these books are on - these cyber carrier books are on fire. And so, I think this we're seeing a new floor being set as far as minimum premiums, minimum controls, minimum retentions before we kind of see a level off of those insured that do a better job of getting out in front from a cost perspective and spending the money on IT and hiring the best people on the InfoSec side, they'll be the beneficiaries of better terms conditions. So, I think we're still in it for another 12 months. And look, this is just kind of the way I think the cyber product is going to be for the foreseeable future, which is going to be the bad actors are going to find a way in and exploit certain things. And then, you know, the insurers will figure out how to get that out of control. And then there'll be, you know, some other new, you know, new threat, whether it's a group or, or individuals, that'll you know, exploit companies, you know, going forward. I think it's going to see it's going to be very lot more cyclical forward as it's been historically.

Brian Dunphy (16:36):
Yeah, I think we can all agree. We're in a very perilous time right now, as brokers and for our buyers as the market continues to shift and the threat landscape continues to evolve. And sadly right now, it certainly seems like it is at least a half step, if not a whole step ahead of us. Thank you very much for your time that does it for this edition of the Alliant Specialty Podcast, please feel free to reach out to any of your local Alliant contacts to discuss with them how to find a more rewarding way to manage risks specifically as it relates to cyber. Thank you.