Insurers weigh risks as ransomware hits public sector
Posted On: Jul. 16, 2019 6:51 AM CST
The growing number of ransomware attacks on public entities is leading insurers to more closely scrutinize their policyholders’ cyber risks and could lead to increased rates for the sector, say some observers.
But with more than 150 insurers now offering cyber coverage, the attacks are unlikely to have a significant impact, according to some experts.
The amount of ransomware targeted at public entities of all sizes has “really exploded” in the past six months, and more insurers are paying six-figure ransoms, said Scott Schleicher, Washington-based underwriting manager for Axa XL, a unit of Axa SA. “Rates will go up, and coverage will become restricted, and retentions will increase,” he said.
The list of public entities that have been hit with ransomware attacks ranges from small towns and municipalities to major cities such as Baltimore, say experts.
“They are targeting public entities significantly for a lot of reasons,” including their susceptibility, said Mr. Schleicher. “It’s probably easier to enter the network of a public entity than it is, maybe, a commercial business, only because of the budget constraints and legacy systems that public entities may still be working under.”
“(Information technology) security often falls victim to a budget before they fall victim to a hacker,” said John Farley, New York-based managing director for cyber for Arthur J. Gallagher & Co. “When you don’t have resources and you don’t have staff to keep up with the ever-evolving and often sophisticated methods cyber hackers have taken, you’re naturally at a disadvantage.”
Meanwhile, the amounts demanded by ransomware criminals, which were initially relatively low, have increased to $500,000 and more, experts say, and municipalities are often left with no choice but to pay to free up their records. These ransom payments are generally paid with cryptocurrency, they add.
Increasingly sophisticated malware can attack public entities’ backup systems, experts note. Public entities with backup systems in place might once have refused to pay the ransom, on the idea that their backups would have them up and running normally within a few days, but that is no longer the case, said Mr. Schleicher.
The new ransomware is “going out and it’s seeking the backups and encrypting the backups as well,” leaving municipalities to choose between starting from scratch or paying the ransom, he said.
Experts say the criminals are generally reliable in returning the cyber keys that unlock municipalities’ records once a deal is reached.
Damian Caracciolo, Columbia, Maryland-based vice president with CBIZ Insurance Services Inc., said once the criminals learn insurance is involved — which likely can be determined by who is responding to the ransomware demand, such as a high-level consulting firm — “they tend to push the limits of what they think they can get.”
Some experts predict higher cyber insurance rates for public entities because of ransomware-related losses. “Any time you experience claim activity, or a specific industry is targeted, the insurance industry is going to be responsive,” said Mr. Caracciolo. However, there is so much capacity in the market that “competitive pressure is going to keep that rate within a reasonable range.”
Jeff Norton, Chicago-based senior vice president of technology and cyber for Brit Global Specialty USA, a unit of Brit Ltd., said, “Just by the nature of any line of insurance, if there are more and more claims and events, that will have an impact adversely on rates. However, if the bad actors decide to move to a different industry before doing too much damage … it’ll be status quo.”
He added the public entity space “is being watched much more actively right now than it has in the past.” This attention goes through cycles, he said. While eight years ago the focus was on health care, then on larger retailers, over the past couple of years it has moved to the public entity space.
“We haven’t gotten to significant increases of premiums for municipalities, but we have started seeing a lot of additional questions around preparedness and backups,” said Dena Cusick, Charlotte, North Carolina-based senior vice president and national practice leader for technology, privacy and network risk for USI Insurance Services LLC. “I do think there’ll be an increase” in rates, as well as increased retentions if losses rise, she said.
“I would expect at renewal those who currently purchase (cyber) should probably see an uptick,” although “it’s probably too early to tell,” said Thomas Srail, executive vice president, cyber risk team for Willis Towers Watson PLC in Cleveland.
Public entities “should absolutely look at their continuity plans” now and figure out how to put their backup plans offline and other techniques to make sure they can recover their data “if the unthinkable happens,” he said.
“It’s too early to say from an industry standpoint whether that’s going to have an impact,” said Tim Francis, Hartford, Connecticut-based enterprise cyber lead for Travelers Cos. Inc. “Generally, I think you’ll see more insurers paying perhaps closer attention to how a municipality is securing their systems or not” and whether they are training their staffs to reduce their vulnerability to these attacks, which he said could have an impact on coverage.
Much depends on market conditions, said Gallagher’s Mr. Farley. “Right now, we have a soft market. We have lots of insurance carriers writing cyber insurance now, and they’re competing for new business, so even if you have a particular industry hit hard by hackers, it doesn’t necessarily translate to an immediate increase in premiums.”
Robert Parisi, New York-based managing director and cyber product leader for Marsh LLC, said he doesn’t anticipate rates will increase for public entities. “What we’ve seen in the last 10, 15 years of the cyber insurance market” is that it has been able to absorb “some fairly large events.”
“While you’ve gotten some press on municipalities, we still haven’t seen the NotPetya level of billions of losses either,” he said.
But “I think you will see carriers certainly ask more questions around whatever the latest issues were with regard to municipalities’ ransomware,” he said. “It’s become a fairly common point of inquiry now across all industries, including municipalities.”