Please don't mention me by name, I am "an anonymous industry professional with standing" for the purposes of this email.
Sorry for the massive delay in delivering this; as you can imagine, things have been a bit busy lately in the world of brokering cyber insurance. I am going to break this email into three parts, hopefully something can be useful for the show (I have underlined and highlighted the one part I know you may find most interesting for the show tomorrow).
I can provide more standing credentials, if needed, but I would categorize myself as being in the top tier of talent in my industry. Feel free to shoot me any questions that any of the below may stir up. Sorry this is VERY long.
Cyber Coverage Overview
Cyber cover is really three different types of coverage wrapped into one, but all center around some form of unauthorized access to computer systems to trigger coverage. There are the liability component, the first party coverage, and cyber crime extensions.
Liability covers the costs and expenses associated with notifying individuals of compromised data, providing credit monitoring services, and a few other items like paying Payment Card Industry fines and penalties or even media liability.
First party coverage is the breach response. If an insured's system is breached, you can gain access to computer forensics, PR teams, legal services, etc. Also, this is where you get coverage for business interruption (loss of income) for a period in which your system may be shut down, or if a third party on whom you rely is shut down for a cyber event.
Most notably, this is the part of the policy where Ransomware/Extortion is covered. This has been the problem child in the industry and you can see below for ways they are trying to deal with it.
Lastly, a good broker adds in some Cyber crime extensions. This is for stuff like social engineering attacks, funds transfer fraud, and the one I like best is invoice manipulation fraud (also called "reverse social engineering"). This is if a bad actor gains access to my system and manipulates an invoice to get my customer to send funds to the wrong place.
So, these policies are traditionally very broad in coverage they can provide and the coverage trigger is broad as well, typically some form of "actual or suspected unauthorized access".
Cyber Market Overview
When this product originally came out, it was written dirt cheap and no one understood the potential scope of the losses carriers would sustain. At that point, ransomware payments were a cute $50k average and not the now >$300k industry average. Also, the cost of a compromised record has continued to swell in terms of notification and monitoring costs; we are up near $300 per record. If a company has records compromised it isn't just a few at a time, as you know. A record breach is going to be on the order of a 7 figure loss, easily.
Carrier loss ratios have been getting destroyed and they are losing money like crazy. Beazley was a major player on those initial policies and they have had to massively rewrite their book. Policies that used to cost $2,500 are now coming out at $30,000 on renewal quotes depending on industry segment and controls. "Tough classes" are now manufacturing, medical, education, municipalities/cities, or anything deemed to be in the supply chain. I've had to pull so many all-nighters trying to find homes for policies at prices that aren't going to get me fired off the account.
The market, as recently as two months ago, had pockets of new entrants who would still underwrite accounts with bad controls at competitive pricing, but that has dried up near immediately. A good account can now expect a premium increase of anywhere from 50% to 100% on premium over expiring. That is a good renewal.
Currently, there is a lot of chatter in the market about carriers severely limiting or even altogether stopping the payments for ransomware/extortion. Insureds do not have enough skin in the game (typical retention can be as low as $25k on an account with $100M revenue). Some carriers are now sub-limiting the ransomware limit and others are implementing a co-insurance so the insured has to pay a portion of every dollar lost.
In France, AXA (large insurance carrier) has announced they will no longer offer any ransomware cover on new policies and we are waiting to see how the market follows and if that moves to the US. The theory is that the presence of insurance for these events incentivizes higher demands since bad actors know there is potentially a deep pocket to cover the event.
What I find sketchy is the attacks against our industry in the past few months. CNA (another large insurer) had a massive breach that shut them down for multiple days back in March. More recently, several prominent brokerages have announced breaches they have discovered.
If insurance is truly incentivizing the higher ransom demands, I think it likely that people are now attacking insurance carriers and brokerages with no intention of demanding ransom, but trying to mine policy data. If hackers can figure out what entities carry what policy limits, they know exactly who to attack and what figures they can extract.
Additionally, a lot of carriers run non-invasive port scans for open ports on policy holders and save and distribute these reports. My hunch is that we, as an industry, may be providing hackers with the perfect playbook should they access the right portion of our systems.
Carrier Controls Sought
Multi-Factor Authentication is God to carriers right now. Almost all carriers have some form of a questionnaire related to this and it will be four or five questions asking if MFA is implemented at logon, for accessing email from a mobile device, if there is MFA for admin accounts, etc. Other items that are big are air-gapped and encrypted backups, EDR, and having a response plan in place.
This is already too long so I am attaching a sample application for your review. This is not fully inclusive of all supplemental apps typically requested, but just a "base application".
Thank you for your courage and, again, no names, please!