The cyber market finally began to stabilize in the third and fourth quarters of the year, largely thanks to renewed competition between markets, a decrease in median ransomware payments during the first half of the year and organizations stepping up their technological controls. In this article we will look back at 2022 and discuss what organizations can expect in 2023.
This past year has been one of unexpected geopolitical and economic upheaval. The Russian invasion of Ukraine has had more impact than any other single global event. Economically, it contributed to a surge in oil and gas prices contributing to widespread inflation that peaked over the summer and put a strain on just about every business and individual across the United States and elsewhere. The conflict led the FBI and U.S. Department of Homeland Security to warn of an increase in state-sponsored cyber attacks, especially by groups sympathetic to Russia. As recently as early October of this year, a Russian sponsored group of hackers known as Killnet launched denial-of-service attacks on several major U.S. airports. These attacks highlight the particular vulnerability of certain industries, such as the airline industry, and the potential for even more cybersecurity regulations being imposed by the FAA and TSA.
In response to this conflict, we saw carriers re-examining their war exclusions to address state-sponsored cyber-attacks. In September, we discussed the Lloyds market's requirements for state backed cyber-attack exclusions, and the four accepted forms (LMA5564 through LMA5567) deemed acceptable. The fourth such exclusion--LMA5567 (commonly referred to as LMA4) -- is emerging as the most widely used of the four. This model exclusion does exclude losses arising from physical war but does not exclude state-sponsored cyber-attacks unless (1) they are carried out in the course of physical war or (2) they can be categorized against the applicable threshold points in the exclusion as having a major detrimental impact on the essential services or defense of a nation state – and only then, subsection (2) of the exclusion only applies if the insured’s digital assets affected by the attack are physically located in such impacted nation-state. Many carriers in the U.S. are moving toward using this exclusion, however there is still wide variation among U.S. carriers as the market adjusts. In particular, the LMA4 exclusion and its US variations can have particular impact on certain industries, such as banking, healthcare, utilities, infrastructure, transportation and defense, as attacks on insureds in those industries can impact “essential services” or “defense” of the U.S. If an organization is within such an industry or falls within the definition of an essential service, we recommend a careful examination of the war exclusion during 2023 renewal negotiations.
On a positive note, the number and severity of ransomware attacks overall in the industry declined. It is believed that heightened cyber security measures, has been the leading factor in this reduction. In May, we addressed some examples of steps that financial institutions have taken to minimize their exposure and continue to recommend a proactive approach to cyber security to limit the likelihood of successful attacks. Despite this increased security overall, there were still notable ransomware attacks such as the Kronos Private Cloud ransomware attack which, like Solarwinds in 2021, highlights the exposure that companies face when outsourcing certain services, such as workforce management solutions in the Kronos case, to cloud based service providers.
Back in January, we discussed how carriers have begun to reassess coverage for the wrongful collection or use of data, which may not result from an intrusion or hack. A number of leading cyber policies regularly offered endorsements to cover the wrongful use or wrongful collection of data. Largely in response to the E.U. General Data Protection Regulation (GDPR) that went into effect in May of 2018 and the subsequent trove of data privacy legislation introduced across the U.S., most notably the California Consumer Privacy Act, many of these same carriers have either stopped offering such enhancements or explicitly added exclusions for these types of claims. While this development could impact a number of different industries, we focused on the impact to the healthcare industry, which according to our Willis Towers Watson proprietary cyber claims data for the first half of 2022, accounted for a higher percentage of claims (25%) than any other industry.
As we look ahead to 2023, we are finally pleased to report a softening of the cyber insurance market. We have seen rates fall steadily over the second half of 2022 and expect this trend to continue into the new year, at least partially due to competition picking up between markets and losses stabilizing, as organizations are doing a better job of training their employees and taking necessary security measures. Cyber markets will no doubt continue to require insureds to implement more security to stay ahead of the ever-evolving cyber risk landscape, including but not limited to multi-factor authentication, firewalls and encryption. Perceived weak controls will likely result in coverage restrictions or declinations.
Meta pixel and chat bot ligation: Companies across the country, especially those which handle sensitive personal information such as those in healthcare or finance and banking, have seen increased exposure to potential lawsuits from private citizens involving meta pixel tracking technology, which we just addressed in November.
Further, CA class action lawyers are targeting websites that employ “chat bots”, digital assistants that allow companies to communicate with customers without employing live website customer service representatives. These cases allege that the website owners violate the California Invasion of Privacy Act by recording communications between consumers and company chat bots without the consumers’ knowledge or consent. Lawsuits have been filed against companies in a vary of industries, including retailers, insurance companies, financial service companies and technology companies.
We will be monitoring how carriers may attempt to address such privacy risks involving the tracking and collection of data directed by Meta or other service providers, as well as organizations that utilize chat bots.
Further enforcement of privacy laws and other cybersecurity regulations: The enforcement of privacy laws and other cybersecurity regulations will no doubt lead to more litigation in 2023 and beyond. For example, this recent California Consumer Protection Act (CCPA) enforcement action saw an unprecedented settlement by an online retailer accused of violating the CCPA by failing to follow the required opt-out procedures under the Global Privacy Control (GPC) protocol on data collection. The 30-day cure period for companies to correct any violations of privacy opt-out procedures under the CCPA is set to expire in 2023, and companies will be subject to immediate exposure for any violations. Further, the California Privacy Rights Act (CPRA), which was a ballot measure approved by voters in 2020 which significantly amends and expands the CCPA, goes into full effect on January 1, 2023, so there will likely be a marked increase in privacy enforcement actions in not only California, but potentially other states such as Virginia and Colorado that have already passed copycat privacy legislation. It is also worth noting that companies in the financial sector may also faced with proposed regulations by the SEC which, if enacted, will impose additional rules on investment advisers, registered investment companies and business development companies. Finally, we have the first Illinois Biometric Information Privacy Act (“BIPA”) trial which resulted in a $228 million dollar award in October. As the use of biometric information has accelerated across a wide range of industries, states such as Texas and Washington have followed the Illinois model. We can expect other states and localities to take a similar approach in an effort to regulate the use and retention of biometric data, which will more than likely generate further litigation.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
