Last Updated on January 19, 2024
Cybercrime continues to escalate, with a staggering 37% of organizations experiencing ransomware attacks in 2021, at an average cost of $1.85 million to recover. Many of these attacks end up driving claims against the victims’ cyber liability insurance. No wonder cyber liability insurance rates are skyrocketing.
To share an expert legal perspective on today’s volatile cyber liability insurance marketplace, Eric Jesse, Partner at Lowenstein Sandler LLP, joined the latest episode of The Virtual CISO Podcast. Pivot Point Security CISO and Managing Partner John Verry hosts the show.
The Wild West
Eric characterizes cyber liability insurance as “the Wild West” because of the diversity of risks, their potential severity and the fact that they’re always changing, making it hard for insurers to keep up.
“Cyber risks are obviously on the rise,” Eric notes. “The pandemic exacerbated those risks. Work from home certainly did as employees were using their personal and not work devices. And now we have the Russian invasion of Ukraine and insurers certainly have concerns about increased attacks as a result. And President Biden, a few weeks ago, confirmed those risks as he told American businesses to be on alert and to strengthen their cybersecurity.”
“So, the insurers have been hit hard on the claims side year after year,” Eric adds. “That all translates into not only just the increased premiums, but also increased policy retentions [basically deductibles], which is the loss that the policy holder needs to incur before the insurance company is responsible. There’s also the possibility of lower limits or sub limits being put into these policies, and just more restrictive terms and conditions.”
More intensive due diligence
Another impact from increasing risks and claims activity is more stringent underwriting, which is the process by which insurers evaluate risk and negotiate policies.
“A few years ago it was commonplace that a company could fill out a relatively short application, give it to their broker and get cyber insurance,” Eric relates. “Now the process is starting to become more intensive. Insurers are really wanting to probe and understand what cyber security systems companies have in place.”
Eric continues: “They want to know what’s being done to train employees to address or thwart cyber attacks. And we’re also seeing something that I think existed many years ago and seemed to have died down, and now it’s coming back, which is underwriters wanting to interview Chief Information Security Officers and CTOs to really probe those security systems. And that’s a part of the process that companies can’t take lightly. They really need to practice and prepare for those interviews and have ready explanations for either real or perceived gaps.”
Getting tougher on claims
Besides getting tougher on due diligence, cyber insurance companies are also digging in their heals on claims, to the point of being “aggressive and difficult” in Eric’s view as they look for ways to save money.
“We often say in our policyholder world, that when a company buys a policy and pays premiums, they’re really paying for the ability to try and negotiate coverage for a claim,” says Eric. “And I’m happy to share a war story to put that into perspective. We had a client several months ago who faced a ransom demand and the insurer only agreed to cover a small percentage of that demand. So, the client was going to have to make up this massive difference. And the insurer’s position was, ‘Well, the threat actor only stole data.’”
In the insurer’s view, “the harm was done.” But the harm wasn’t over because the hackers were threatening to release the stolen data if the ransom wasn’t paid. Further, this was not only employee personal data but also financial and competitive data, as well as intellectual property and trade secrets. The insurer was acting in bad faith.
“We did have the law and the facts and the policy on our side and marshalled them to eventually get the carrier to pay in full—but we shouldn’t have had to do that in the first place,” Eric asserts.
What’s next?
To hear this business-friendly legal conversation with Eric Jesse all the way through, click here.
Is your security policy aligned with cyber liability insurance policy? This blog post explains the issues: 5 Critical Steps to Align Security Policy with Your Cyber Liability Insurance Policy