Insurance industry in the middle
The SolarWinds cyberattack on federal government agencies earlier this year, coupled with the recent Colonial Pipeline hack that led to gasoline shortages at the pump, has prompted a flurry of activity from the White House and Congress. That includes discussions with the insurance industry for data and solutions. But there’s also increasing pressure for insurers to report ransom payments, and questions about whether such payments are legal in some cases.
Following the Colonial Pipeline attack, insurance industry representatives met with the National Security Council to provide information about ransom payments made in cyberattacks and how the industry has approached risk mitigation. The FBI generally discourages ransom payments, believing they reward bad behavior and will encourage more attacks. The discussions included whether incident reporting and the payment of ransom by private companies should now be mandatory. The Feds have also issued advisories to financial institutions and cyber insurers reminding them that there is strict liability for paying or facilitating the payment of ransom in violation of U.S. sanctions law.
In Congress, Senate Intelligence Committee Chairman Mark Warner (D-VA) and Vice Chairman Marco Rubio (R-FL) are drafting legislation that would mandate cyberattack reporting for government agencies, their contractors, and for companies involved in critical infrastructure. Companies would be required to notify the newly formed public-private Ransomware Task Force immediately of cyberattacks in exchange for specific confidentiality and liability protections. The suggestion came from the Task Force itself in a recent report as a way “to increase the understanding of the scope and scale of the crime.”
The General Accounting Office (GAO) notes that “malicious cyber actors are becoming increasingly capable of carrying out these attacks, highlighting the need for a stable cyber insurance market.” The GAO just finished a study of the U.S. cyber insurance market to look at key trends, challenges, and how to overcome them. Among the trends:
- Increasing take-up. Data from a global insurance broker indicate its clients’ take-up rate (proportion of existing clients electing coverage) for cyber insurance rose from 26% in 2016 to 47% in 2020.
- Price increases. Higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10% to 30% in late 2020.
- Lower coverage limits. Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.
- Cyber-specific policies. Insurers increasingly have offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits.
The report notes two key challenges facing the industry: limited historical data on losses, without which you can’t accurately gauge risk and pricing; and cyber policies that lack common definitions, including the term “cyberterrorism.” The proposed solution: better collaboration on data collection between government and the insurance industry and on advancing common terms.
LMA Newsletter of 6-1-21