Cyber Insurance Mid-Year State of the Market Report

David Derigiotis
July 17, 2024

Cyber Liability

Executive Summary

Cyber insurance has undergone significant changes in the first half of the year, presenting both challenges and opportunities for retail agents. The market is now softer compared to the hard phases experienced between 2020 and 2022. Increased competition has driven carriers to lower rates and offer more comprehensive policies. From 2023 to 2024, the global cyber insurance market grew from $16.66 billion to $20.88 billion and is projected to reach $120.47 billion by 2032, demonstrating a substantial 24.5% CAGR during the forecast period¹.

Carriers are leveraging advanced technological tools to assess risk and provide cybersecurity services alongside insurance coverage. This blending of insurance and security services represents an innovative shift in the market, aiming to provide a more holistic approach to cyber risk management. For retail agents, this is an exciting time to stake a claim in the cyber insurance market. The most significant opportunity lies in cross-selling and introducing cyber insurance to first-time buyers, as overall adoption remains low with substantial room for growth.

Market Landscape

Capacity for cyber insurance is expanding, with insurers offering more varied and comprehensive policies. The past six months have seen high-profile cyber incidents and data breaches, with the average breach costing a record high of $4.45 million². These numbers are greatly influencing pricing trends to more accurately reflect the heightened risk environment.

Source: Munich RE

Additionally, a new regulatory landscape has emerged, with an increasing number of states introducing privacy laws and new rules regarding cybersecurity incident disclosure as adopted by the Securities and Exchange Commission (SEC).

New consumer privacy and data protection laws have now been instated in 18 states while many more bills are currently moving through various committees. Key features included in these laws and regulations:

Consumer Rights: Right to access, right to correct, right to delete, right to opt out of certain processing, right against automated decision making, private right of action.

Business Obligations: Opt-in default, notice/transparency requirement, risk assessments, prohibition on discrimination, purpose/processing limitation³.

Threat Landscape

With emerging and pervasive threats such as ransomware, AI-driven attacks, and supply chain vulnerabilities, the cyber landscape continues to evolve rapidly. These threats can lead to severe consequences, including prolonged business interruptions, major data breaches, significant financial loss, and hefty regulatory fines.

Breach Patterns

Verizon’s 2024 Data Breach Investigations Report found 5,175 breach incidents, 3,803 with confirmed data disclosure. Ransomware or other forms of extortion are prevalent in 92% of industries as a top threat, with attacks now accounting for 23% of all breaches, while system intrusions are responsible for 36%⁴. System intrusions involve unauthorized access to computer systems, often by cybercriminals aiming to steal sensitive information, disrupt operations, or deploy malware for malicious purposes.

Source: Verizon 2024 Data Breach Investigations Report

Several pervasive hacker groups have embedded themselves as top threats and continue to be on the rise.

Cozy Bear

The state-sponsored threat group Cozy Bear, also known as APT29, has been carrying out devastating cyber attacks on major corporations since late 2023. Both Microsoft and Hewlett Packard have revealed this attacker group to be the culprit of the breaches on their respective systems. Cozy Bear’s primary targets are U.S. and European diplomatic entities, governments, non-governmental organizations (NGOs), and IT service providers⁵. Their primary goals include gathering intelligence from government, diplomatic, and military organizations, and infiltrating key sectors such as energy, technology, and academia to collect sensitive data and advance Russia's geopolitical interests.

LockBit

LockBit is a ransomware group known for targeting organizations globally, claiming 25% of all ransomware deployments in 2023. This group employs ransomware-as-a-service (RaaS) to provide affiliates with the ransomware software and infrastructure needed to launch their own attacks in exchange for a share of the ransom payments. This model allows even less technically skilled cybercriminals to execute sophisticated ransomware attacks, significantly broadening LockBit's reach and impact. According to the Department of Justice, LockBit claims over 2,000 victims globally and has received over $120 million in ransom payments since January 2020⁶.

Source: Chainalysis

However, it is worth noting that in February 2024, law enforcement agencies seized control of LockBit's dark web sites, but the group has since attempted to make a comeback. The seizure sent shockwaves through the Russian cybercrime ecosystem and tainted LockBit’s brand. Although it was a major blow, ransomware groups have rebranded before, so LockBit’s long-term impact remains uncertain.

Coverage Considerations


Risk Management & Loss Control

Implementing Robust Risk Management Measures: Effective risk management is foundational to minimizing cyber threats. Carriers are providing more comprehensive risk management services as part of their insurance offerings. These services often include:

  • Vulnerability Scanning: Cutting-edge scanning tools with sophisticated algorithms analyze a client's network infrastructure. These tools comb through every network layer, identifying outdated software and pinpointing potential vulnerabilities. For instance, they might detect unpatched software, misconfigured settings, or weak encryption protocols. Upon detection, clients are alerted and guided in patching or mitigating these vulnerabilities. This proactive approach substantially reduces the likelihood of successful cyber breaches by closing off potential entry points before attackers can exploit them.
  • Security Assessments: Thorough cybersecurity assessments are critical for a client's defense strategy. Skilled cybersecurity professionals with a myriad of assessment methodologies can conduct penetration testing, risk analysis, and compliance audits. These assessments delve deep into the client's systems, evaluating the effectiveness of existing security measures. They identify weaknesses, gaps, and potential entry points that adversaries could exploit. For example, assessments may uncover vulnerabilities such as weak authentication mechanisms, inadequate access controls, or insufficient intrusion detection capabilities. Tailored recommendations based on these assessments enhance the client's security posture, addressing identified weaknesses and bolstering defenses against evolving threats.
  • Employee Training: These programs educate employees across all levels of the organization on various aspects of cybersecurity best practices. Training modules cover identifying and defending against phishing attempts, implementing effective password management techniques, recognizing social engineering tactics, and adhering to secure data handling protocols. Interactive workshops, simulations, and real-world case studies are often incorporated to provide practical insights into cybersecurity challenges. Fostering a culture of security awareness makes employees the first line of defense against cyber threats. Insurers may even incentivize or mandate participation in these training programs to ensure the widespread adoption of security best practices throughout the organization.
  • Incident Response Planning: Agents can collaborate closely with clients to develop tailored incident response plans designed for their unique business environment and potential threats. These plans serve as a structured framework to guide organizations in effectively managing and mitigating cyber incidents when they occur. The process typically includes:
    • Risk Assessment and Scenario Identification: Identifying potential cyber threats and vulnerabilities specific to the client's industry, operations, and technology infrastructure is crucial in prevention and mitigation. By analyzing historical data, threat intelligence feeds, and industry trends, carriers help clients anticipate and prepare for a wide range of potential cyber incidents. Scenarios include data breaches, ransomware attacks, DDoS attacks, and insider threats.
    • Plan Development and Documentation: Step-by-step procedures, delineating roles, responsibilities, and communication protocols for key stakeholders can make a significant difference in the event of a cyber incident. Plans are documented in a clear, accessible format and regularly reviewed and updated to reflect changes in the threat landscape or organizational structure.
    • Training and Tabletop Exercises: These exercises simulate realistic cyber incidents, allowing teams to practice coordinated response actions in a controlled environment. Through hands-on scenarios, participants gain valuable experience in identifying, containing, and mitigating cyber threats while minimizing disruption to business operations.
    • Continuous Monitoring and Incident Detection: Real-time threat intelligence feeds, intrusion detection systems, and Security Information and Event Management (SIEM) platforms are critical components of incident response. By proactively identifying and alerting on anomalous behavior, carriers help clients detect and respond to cyber incidents swiftly, minimizing the impact on business operations.
    • Response Coordination and Remediation: Response and remediation may involve activating an incident response team, coordinating with law enforcement or regulatory authorities, and implementing containment and remediation measures to mitigate further damage. Agents can leverage their expertise and resources to assist clients in restoring normal operations, conducting forensic investigations, and implementing corrective actions to prevent future incidents.
    • Post-Incident Analysis and Lessons Learned: Documenting lessons learned, identifying gaps in the incident response plan, and implementing corrective actions strengthen resilience against future threats. By fostering a culture of continuous improvement, clients can enhance their incident response capabilities and better mitigate the impact of future cyber incidents.

Claims & Incident Response

Efficiency in Claims Processing: In the aftermath of a cyber incident, efficiency and clarity of the claims process are critical. Policies should clearly define the following:

  • Duty to Pay vs. Duty to Reimburse: Some policies are structured as a duty to pay, where the insurer directly covers costs associated with a claim. Others operate on a reimbursement basis, requiring the insured to cover costs upfront and then seek reimbursement. Understanding this distinction is crucial for agents.
  • Coverage Triggers: Policies must specify what incidents trigger coverage. Triggers can include unauthorized access, data breaches, ransomware attacks, and other defined cyber events.
  • Sublimits and Deductibles: Detailed information on sublimits for specific incidents (e.g., social engineering, ransomware payments) and applicable deductibles is essential. Clear communication about these financial limits helps manage client expectations and preparedness.
  • Incident Response Teams: Many insurers provide access to dedicated incident response teams that assist clients immediately following a cyber event. These teams include IT experts, legal advisors, and public relations professionals to manage the incident's technical, legal, and reputational aspects.

Emerging Trends & Future Outlook

Artificial Intelligence (AI) and Machine Learning (ML): Evolving technologies are both helping and hindering cybersecurity efforts in the following areas:

  • Integrated Threat Detection: AI and ML are increasingly integrating into cybersecurity for threat detection, analysis, and automated response.
  • Autonomous Defense: AI-powered systems can identify anomalous behavior, predict potential breaches, and autonomously thwart attacks in real time.
  • Malicious AI Use: Adversaries are also leveraging AI for malicious purposes like AI-powered malware and content/message generation for phishing attacks.

Ransomware: Emerging trends in ransomware that agents need to be aware of include:

  • Targeting Cloud Environments: As more organizations shift workloads to the cloud, ransomware actors are adapting their tactics to target cloud environments and cloud-based endpoints (Snowflake attack).
  • Supply Chain Attacks: Compromising trusted third-party vendors and software supply chains allows ransomware groups to access multiple downstream victims. Notable examples in 2023 include the widespread MOVEit Transfer software attacks and the Kaseya incident.
  • Targeting Unpatched Systems: While some attacks leverage new vulnerabilities, many still exploit known vulnerabilities in unpatched systems, highlighting the importance of timely patching.
  • Generative AI Exploitation: The rise of generative AI will enable more sophisticated phishing lures and social engineering tactics by ransomware operators in 2024.

Increased Adoption by SMBs: A growing number of small and medium-sized businesses (SMBs) recognize the importance of cyber insurance as cyber threats continue to rise. The adoption rate among SMBs is increasing as they:

  • Recognize Their Vulnerabilities: Smaller businesses often lack the security-related budgets and teams of larger enterprises, making them attractive targets for cybercriminals.
  • Understand the Financial Impact: Awareness of the potential financial devastation from a cyberattack is driving more SMBs to seek coverage.
  • Access Affordable Options: Market expansion and increased competition result in more affordable policies tailored to the needs and budgets of SMBs.

Cyber Warfare and Nation-State Attacks: The increasing prevalence of cyber warfare and nation-state attacks poses significant risks. Policies must evolve to address:

  • Coverage for Nation-State Attacks: Some policies may exclude coverage for acts of cyber warfare or terrorism. Review these exclusions and consider policies that offer coverage extensions or carve backs. Notable recent attacks against public utilities include the following:
    • Hacktivist Attacks on Water Utilities (November 2023)
      The hacktivist group CyberAv3ngers successfully compromised programmable logic controllers (PLCs) at water utilities across North America, Europe, and Australia. They disrupted water services for two days in at least one community by exploiting default passwords and internet-exposed OT devices.
    • Chinese State Hackers Infiltrating U.S. Water Systems
      Chinese state-backed hackers have infiltrated U.S. water facilities, raising concerns Beijing could disrupt critical infrastructure during conflicts.
    • Russian Hacktivist Attempt on Texas Utilities (Early 2024)
      A Russian-linked "hacktivist" group attempted to disrupt operations at several water utilities in Texas earlier this year.
  • Regulatory Implications: As government scrutiny of nation-state cyber activities increases, businesses need policies that comply with evolving regulations and provide adequate protection.

Supply Chain Attacks: Implementing layered defense strategies against supply chain attacks is essential to safeguard businesses from potential vulnerabilities. Prevention strategies include:

  • Vendor Risk Assessment: Thoroughly vet new and existing vendors, assessing their security posture through questionnaires, on-site visits, and continuous monitoring.
  • Software Supply Chain Security: Implement secure software development practices, code signing, and continuous monitoring of open-source dependencies and third-party components.
  • Access Controls: Limit vendor access to only the necessary systems and data, and enforce principles like least privilege and zero trust.
  • Threat Intelligence: Leverage threat intelligence to stay informed about emerging supply chain threats and indicators of compromise.
  • Incident Response Planning: Develop and test incident response plans specifically for supply chain attack scenarios.

Capacity Constraints and Regulatory Changes: Agents must stay vigilant about capacity constraints and regulatory changes that affect the market. Key areas include:

  • Policy Exclusions: Carefully review exclusions related to cyber warfare, terrorism, and new forms of cyber threats. Ensure clients understand these exclusions and seek policies with favorable terms.
  • Ransomware and Extortion: Policies should provide clear coverage details for ransomware payments and related extortion demands, including any limits or sublimits.
  • Social Engineering and Fraud: Understand the coverage for social engineering fraud, including voice manipulation and email compromise. Policies may require verification steps (e.g., callbacks) to validate fund transfer requests.
  • Technology and Vendor Coverage: Ensure policies cover incidents involving cloud service providers and tech vendors, which are integral to modern business operations. This could fall under dependent business interruption coverage or a broader definition of the insured’s “computer system.”
  • Regulatory Compliance: Stay updated on privacy and cybersecurity regulations, particularly those involving biometric data and AI. Compliance with these regulations is essential to avoid fines and ensure adequate coverage.

Key Areas for Agents to Monitor

  • Policy Wording and Coverage Limits: Pay close attention to exclusions and limitations in the policy wording, particularly concerning social engineering, the duty to pay vs reimburse language, cyber warfare, and electronic funds transfer fraud. Additionally, more businesses are accepting crypto payments, so ensuring crypto is addressed under the definition of financial loss or “money” is critical.
  • Regulatory Compliance: Stay updated on new regulations, especially those governing biometric data and AI usage, to ensure clients' compliance and avoid hefty fines. Some notable emerging regulations include:
    • Ensuring Likeness Voice and Image Security (ELVIS) Act: Tennessee is the first U.S. state to enact a law directly regulating the commercial use of AI to generate unauthorized "deepfakes" of individuals.
  • Technology and Vendor Coverage: Ensure that policies extend to covered attacks involving cloud service providers and tech vendors, which are critical components of modern business operations.

Conclusion

Shifts in the cyber insurance market are evident through rising competition, evolving regulatory environments, and the emergence of new cyber threats. As the market softens and carriers introduce more comprehensive offerings, agents must leverage their expertise and resources to stay ahead. Cross-selling cyber insurance to first-time buyers presents an exciting opportunity for growth, given the low adoption rates in the market. Embracing advanced technological tools for risk assessment and cybersecurity services allows agents to enhance their service offerings and provide clients with holistic solutions.

Agents must stay vigilant about capacity constraints, regulatory changes, and emerging trends to ensure adequate coverage for clients.

In this rapidly evolving landscape, agents who effectively blend human expertise with technological innovation will thrive. By staying informed, proactive, and client-focused, agents can position themselves as trusted advisors and provide valuable guidance in navigating the complexities of the cyber insurance market.

References

¹ Fortune Business Insights. (n.d.). Cyber insurance market size, share & COVID-19 impact analysis. Retrieved June 13, 2024, from https://www.fortunebusinessinsights.com/cyber-insurance-market-106287

² Munich RE. (2024). Cyber Insurance: Risks and Trends 2024. Retrieved from https://www.munichre.com/en/insights/cyber/cyber-insurance-risks-and-trends-2024.html

³ IAPP. (2024). US State Privacy Legislation Tracker 2024. Retrieved from https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf

⁴ Verizon Business. (2024). 2024 Data Breach Investigations Report. Retrieved from https://www.verizon.com/business/resources/Tacc/reports/2024-dbir-data-breach-investigations-report.pdf

⁵ StrongDM. (n.d.). Cozy Bear (APT29). Retrieved May 31, 2024, from https://www.strongdm.com/blog/cozy-bear-apt29

⁶ U.S. Department of Justice. (n.d.). U.S. and UK disrupt LockBit ransomware variant. Retrieved May 31, 2024, from https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant#:~:text=LockBit%20members%20have%20executed%20attacks,%24120%20million%20in%20ransom%20payments
