Ransomware was the word of the year in 2021 for the cyber insurance industry as attacks continued to grow in scale and complexity, and experts say this cyber threat landscape will likely continue in the new year.
Kurt Suhs, founder and CEO of cyber risk company Cyber Special Ops, said in a December episode of The Insuring Cyber Podcast that moving forward in the current threat landscape is an ongoing challenge.
As insurers prepare to look forward, however, it may be helpful to also look back on some of the cyber topics that were most important to Insurance Journal readers in 2021.
Here are Insurance Journal’s top 10 cyber stories of 2021:
Insurance Journal’s top read cyber insurance story of the year sent a powerful message about the growing affect of ransomware on the insurance industry, as insurance and benefits broker Arthur J. Gallagher in August became the target of a proposed class action lawsuit over a ransomware attack it suffered in 2020. The plaintiffs alleged that Gallagher failed to follow federal and state government and industry standards to protect their personal information from hackers and failed to adequately notify or help individuals whose information was stolen.
In addition to seeking compensatory, statutory, nominal and punitive damages, legal costs and credit monitoring, the suit asked the court to order Gallagher to have regular third-party tests of its network security, improve training of its security personnel, and purchase or provide funds for credit monitoring services for its customers.
Bloomberg reported that CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack.
The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly.
In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.
With cyber attacks and insurance claims on the rise, leading cyber insurers AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance and Travelers in June formed a company to pool their data and expertise and take collective efforts to enhance cyber risk mitigation efforts across the insurance industry.
The new entity, called CyberAcuView, will compile and analyze cyber-related data to enhance value and service to policyholders and help insurers sustain a competitive market for cyber insurance. CyberAcuView’s activities will be conducted under strict antitrust review and guidance, according to the announcement. Mark Camillo, most recently head of Cyber, EMEA at AIG, has been appointed CEO.
CyberAcuView is 100%-owned by the founding seven member carriers, six of which are among the top 10 insurers in the market based on 2020 direct written premium, according to AM Best. (Liberty Mutual ranks 14th.) The new company will invite other direct writers of cyber insurance to be associate members, according to its website.
Auto insurer Geico reported in April that fraudsters had been stealing license numbers of its customers for the past few months and possibly using them to fraudulently apply for unemployment benefits. In a data breach notification filed with California’s data privacy agency on April 15, the major auto insurer indicated that the breaches occurred between January 21, 2021 and March 1, 2021.
The hackers gained access to driver’s license information through the insurer’s online sales system. Geico said the data obtained was limited to license numbers.
The White House in March urged computer network operators to take further steps to gauge whether their systems were targeted amid a hack of Microsoft Corp.’s Outlook email program, saying a recent software patch still left serious vulnerabilities, Reuters reported.
“This is an active threat still developing and we urge network operators to take it very seriously,” a White House official said, adding that top U.S. security officials were working to decide what next steps to take following the breach.
CNN separately reported the Biden administration was forming a task force to address the hack. The White House official, in a statement, said the administration was making “a whole of government response.”
Bloomberg reported Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers in May, contradicting earlier reports that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.
The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.
Anyone who works in cyber insurance knows that the industry is never static. It’s a constantly evolving business as the risks change all the time, and this has never been more apparent than right now, said panelists for Insurance Journal’s August webinar – Cyber Insurance: Is This the Beginning, Middle or End?
“The game changer,” said Justin Herring, executive deputy superintendent at the New York State Department of Financial Services (DFS), “has been ransomware.”
A spate of attacks in 2021 have been of particular concern among U.S. government officials, as they’ve been attributed to cybercriminals operating from Russia, Insurance Journal previously reported. There was the hack last year in which Russian military cyber criminals sabotaged computer code within a software called SolarWinds. Now, a July ransomware attack has made its way to the center of the conversation, in which the Florida information technology firm Kaseya saw its management system hacked. REvil, a Russia-linked cybercrime syndicate, took credit for the breach.
In June, REvil extorted an $11 million ransom out of meatpacker JBS after compromising its supply chain. Earlier this year, in May, an intrusion by another Russia-linked group at U.S. fuel transporter Colonial Pipeline led to the shutdown of 5,500 miles of critical infrastructure, causing panic buying and gas shortages all along the East coast.
Insurers have halved the amount of cyber cover they provide to customers after the pandemic and home-working drove a surge in ransomware attacks that left them smarting from hefty payouts, Reuters reported in November.
Faced with increased demand, major European and U.S. insurers and syndicates operating in the Lloyd’s of London market have been able to charge higher premium rates to cover ransoms, the repair of hacked networks, business interruption losses and even PR fees to mend reputational damage.
But the increase in ransomware attacks and the growing sophistication of attackers have made insurers wary. Insurers say some attackers may even check whether potential victims have policies that would make them more likely to pay out.
While a typical business interruption can often be a confusing insurance situation, the picture gets even muddier when it involves cyber coverage.
Chris Mortifoglio, a forensic accountant, knows all too well how muddy it can become.
“I will tell you that in my experience business interruption is often the most misunderstood part of property coverage. Part of that has to do with the fact that it can be very subjective. If you have 10 accounts looking at the same set of financial data, you’ll oftentimes receive 10 different calculations or estimates of what a business interruption loss might be,” said Mortifoglio, who has been dealing with business interruption exposure assessments and claims for more than a decade as the director of forensic accounting at Procor Solutions and Consulting in New York.
According to Mortifoglio, who is a Certified Public Accountant and a Certified Fraud Examiner (CFE), understanding the “nuances and differences” of a cyber insurance business interruption exposure or claim situation compared to a traditional one is more important now than ever.
Four insurance firms — Travelers, Coalition, Resilience Cyber Solutions and Vantage Group— were among the participants in the White House summit on cybersecurity along with giant technology firms and Biden Administration officials.
The aim was to discuss how these groups can work more closely together to improve the nation’s cybersecurity, particularly as U.S. public and private sector entities increasingly face cyber attacks.
Chris Finan, chief operating officer at ActZero, an artificial intelligence-driven cybersecurity start-up, and former director for cybersecurity legislation and policy on the National Security Council staff in the White House during the Obama Administration, and Joshua Motta, CEO and co-founder of cyber insurance and security provider Coalition, discussed what the summit means for the insurance industry in an October episode of The Insuring Cyber Podcast.
“The federal government can’t meet this challenge alone,” President Joe Biden told the executives at the summit. “You have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”
Was this article valuable?
Thank you! Please tell us what we can do to improve this article.
Thank you! % of people found this article valuable. Please tell us what you liked about it.
Here are more articles you may enjoy.