This article was originally written by our North America colleagues for a US audience. We have shared this article for information purposes only as it may be of interest to our global clients. Please speak to your local office contact to discuss any of the points raised in this article further.
As we look back on the year on cyber risk, there was no shortage of new challenges and exposures for organizations of all sizes and industries. COVID-19 continued to play a large part, as the work from home era entered its second year. Employees continued to be more susceptible to clicking malicious links and attachments. The increased reliance on digital technologies has shined a light on pre-existing security vulnerabilities. Frequency and severity of ransomware losses have shown no signs of easing.
According to our Willis Towers Watson proprietary claims data for 2021, ransomware accounted for 19% of all claims reported. Most notably, the Colonial Pipeline ransomware incident in May sent shockwaves, as one of the nation’s largest pipelines, which controls nearly half of the gasoline, jet fuel and diesel flowing along the east coast, was forced to shut down 5,500 miles of pipeline in an effort to contain the breach. This hack underscored how vulnerable government and industry is to even basic assaults on computer networks. On the heels of the Colonial Pipeline attack, JBS USA Holdings Inc. was forced to pay an $11 million ransomware demand when cybercriminals knocked out plants that process approximately one-fifth of the nation’s meat supply. This attack further underscored the upward trend in the sophistication and frequency of cyber-attacks on major U.S. companies and infrastructure.
And if that wasn’t enough, companies were hit with other wide-scale supply chain cyber incidents over the course of the year that impacted numerous organizations. It began with the Solarwinds cyber incident, one of the largest software supply chain cyberattacks. Instead of targeting a specific organization, the hackers infiltrated a third party that allowed malware to be installed on target organizations’ networks, greatly increasing the scope of the attack. In March, we addressed the fallout from the late December 2020 Accellion cyber incident, in which threat actors exploited unpatched vulnerabilities in Accellion’s file transfer applications to launch attacks on numerous Accellion customers and partners. Also in March, we discussed the Microsoft Exchange Server breach, which permitted hackers to gain access to email accounts and the ability to install malware that might enable them to access those servers at a later time. Then in June, we issued a client alert on the Pulse Secure VPN breach. This breach was unique in that the threat actors were able to clean their tracks, leaving little to no trace of their handiwork, as the malware was engineered to blend with its surroundings, surviving software updates and factory resets.
Ransomware and the other widespread events discussed above have led numerous cyber insurance markets to rethink their cyber insurance underwriting as a whole. This has included but is not limited to adding new security related questions to their cyber insurance applications, considering sub-limiting ransomware coverage, and even excluding coverage for ransomware incidents altogether. We have regularly seen premium increases in the 50% to 150% range and sometimes even higher for certain industries and organizations who have not taken necessary security precautions.
Decision makers at organizations across industries have been considering optimal ways to limit their exposures and present their companies as better risks to underwriters. Following the Colonial Pipeline attack, President Biden signed an Executive Order on May 12, 2021 with the goal of improving the nation's cybersecurity and protecting federal government networks. Although the President's broad executive order demonstrated a step in the right direction, it is, by itself, limited in its ability to stop the consistent barrage of cyberattacks facing the private sector. At the very least, organizations should meet minimum security standards, which include remote desktop protocols, multi-factor authentication and properly securing back-ups to reduce the severity of ransomware losses. In August, we discussed the potential benefits of the U.S. government allowing the private sector to engage in Active Cyber Defense (“ACD”) or “hacking back” against cybercriminals targeting their companies.
As we head toward 2022, slowly emerging from COVID-19 and at least partially returning to the office, there is no sign of a slowdown in ransomware losses and potential exposures to other widespread cyber incidents. Predictions from McAfee Enterprise and Fireeye include nation states weaponizing social media in an effort to target more enterprise professionals and less-skilled cyber-criminals leveraging the expertise encoded by more skilled ransomware developers. Regrettably, this expanding threat landscape will likely lead to a continuation of sizeable premium increases and less available capacity in the near term, without much of a likelihood of stabilization of premiums until at least the end of 2022 or even early 2023.
Organizations should strategize with their broker to find the best ways to limit premium increases, which could include increasing retentions, utilizing co-insurance alternatives, or exploring captive solutions. Further, partnering with a cyber risk consultant to find the most cost-effective way to stay ahead of the increasingly sophisticated bad actors and employ adequate security measures will allow organizations to present as better risks to underwriters.
