We are pleased to report that the cyber insurance market remained stable in 2024, even in the face of the continued expansion of the cyber threat landscape, highlighted specifically by an increase in ransomware activity and notable systemic events (e.g., Change Healthcare, CrowdStrike).
Additionally, 2024 saw the continued expansion of the privacy regulatory landscape, particularly with respect to use of tracking technologies and AI. Nevertheless, there is an abundance of capacity readily available in the cyber insurance marketplace, which has facilitated a stable market environment despite more unpredictable exposures.
In February, the Change Healthcare cyber-attack impacted a wide range of healthcare organizations, as well as their members, patients and customers, reliant on Change Healthcare for their services. The protected health information of at least 100 million individuals was compromised by the ransomware attack, making it the largest known breach of protected health information at a HIPAA-regulated entity. According to UnitedHealth Group’s Q3 2024 earnings report, the cost of the attack has risen to $2.4 billion and the anticipated cost has been revised to $2.8 billion.
Then in July, the CrowdStrike global technology outage, triggered by a botched software update and not a security incident or cyber attack, has been called the largest IT outage in history. Insurers estimate the outage will cost U.S. Fortune 500 companies $5.4 billion.
Further, there was a spate of cyber-attacks this past summer on Snowflake accounts, where attackers used stolen username and password pairs to breach accounts that were not protected by multi-factor authentication (MFA). The breach appears to have affected about 165 customer accounts of well-known organizations across a wide range of industries.
Back in January, we discussed the relatively new biometric authentication method of palm scanning and how certain retailers are using palm recognition services to accept payments. There is the possibility that the biometric data collected will be improperly used or not adequately protected from hackers. Similarly, facial recognition software, another biometric identifier that retailers are relying on as of late, can present significant privacy and compliance exposures, as the technology becomes more widespread.
Further, Meta Pixel litigation continues to move forward. Back in January, a judge allowed a proposed class action lawsuit to proceed against Meta for unlawfully collecting patient data from the websites of hospitals and other providers through the use of its pixel tracking tool.
Finally, just in December, a health system serving patients in Philadelphia and South New Jersey was hit with a class action over its use of the tool on its website and is alleged to have sent sensitive patient data to Meta without users’ consent.
Understanding how cyber markets are addressing this exposure in their policies, especially for healthcare clients, will no doubt be a theme in 2025.
The ransomware attack in June against the U.S. Federal Reserve, in which 33 terabytes of sensitive banking information belonging to Evolve Bank & Trust was compromised by the LockBit hacktivist group, underscored the ever-expanding third-party relationship exposure, as did the CrowdStrike and Change Healthcare incidents. Despite having strong internal security measures, organizations can still be vulnerable if their partners are compromised.
It is imperative for organizations to conduct third-party vendor risk assessments given the interconnectivity and increasing business reliance that companies of all types and sizes have with vendors. Organizations across all industries should ensure that they have the necessary coverage for not only when their networks are impacted, but when the networks of their dependent businesses are impacted by either a security breach or system failure.
There is just no way to avoid this annual prediction. The more exposures, the more regulators take notice.
In May, the SEC officially adopted amendments to Regulation S-P that require broker-dealers, registered investment companies and registered investment advisers to adopt written policies and procedures creating an incident response program to address unauthorized access to customer information, including procedures for notifying affected persons within 30 days. Further, as part of an enforcement action against a public company hit with a ransomware attack, the SEC in June extended its internal accounting controls provisions to encompass companies’ IT practices, as well as related policies and procedures relating to cybersecurity.
Then, in October the SEC charged four current and former public companies with making materially misleading disclosures regarding cybersecurity exposures, as well as one company with disclosure controls and procedures violations, in the wake of the SolarWinds cyber-attack. The companies agreed to pay civil penalties ranging from $990,000 to $4 million to settle the charges. According to the SEC’s charges, each of the companies had learned that the bad actor behind the SolarWinds attack had gained unauthorized access to their systems, but negligently downplayed the incident in their public filings and disclosures. While it is possible with the incoming administration that the SEC will dial back its enforcement efforts against companies that experience cyber setbacks, organizations should, nonetheless, be cognizant of the possibility that cyber incidents will lead to D&O events and that adequate coverage is in place for all exposures that may result.
It is also worth noting that the EU Artificial Intelligence (AI) Act, the first major AI legislation, went into effect on August 1. While there is no U.S. federal legislation specifically governing AI, the EU AI Act, which regulates the way companies develop, use and apply AI, will likely target large U.S. technology companies, currently the primary builders and developers of the most advanced AI systems. The legislation applies a risk-based approach to regulating AI, which means that different applications of the technology are regulated differently depending on the level of risk they pose to society. Further, several states, such as Illinois and Colorado, have privacy laws that may extend to AI systems that process personal data, such as autonomous vehicles and the aforementioned facial recognition.
Cyber underwriters are certainly asking clients more questions about how their organizations are using AI in their day-to-day business. We have seen a number of markets offer AI endorsements to their cyber policies and even bespoke AI products to address the evolving exposures that may result from the use of this relatively new technology. WTW is currently in the process of evaluating the current AI insurance landscape and the coverages and products currently on the market.
We are predicting that the cyber insurance market will continue its relative stability, at least through the first half of 2025, with a -5% to +5% rate forecast. Capacity should continue to be plentiful in the near term in North America, London and Bermuda. WTW will be closely monitoring cyber losses and impacts to insurer loss ratios during the early part of 2025 to inform our projections for the second half of the year.
WTW hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).