We’re hearing from members that the market for cyber insurance has grown very tight, so we contacted Chip Block, chair of the Washington-area Chapter of the FAIR Institute, longtime cyber insurance expert, and VP and Chief Solutions Architect at Evolver, for some guidance.
Chip confirms that “we’re going from a soft market to a hard market” in cyber insurance, largely due to the increase in the number and size of ransomware attacks against businesses over the past year. “We went from tens of thousands of dollars to tens of millions of dollars in the loss column. And the insurance industry isn’t designed to absorb that.”
“As the numbers have gone up, it’s putting greater and greater pressure on the carriers. So, what they have started to do is to either cap the ransomware losses or more often – what most people don’t realize – they put sub-limits in the policies that limit what they pay for various types of events and activities.
“You may think you have a $10 million cyber insurance policy but based on the sub-limits you may only have a $1 million policy. As an example, a number of insurance policies have caps on PCI fines. So, if you get hacked on credit cards, you may think you are covered but you are not because you have a sub-limit.”
Chip says that insurance companies continue to pay on ransomware, though not always – but that “brings up an interesting angle for FAIR analysis, and that has to do with cash availability.”
A manufacturing plant knocked offline by ransomware is immediately losing money. Put in an insurance claim and there’s a delay. “So, the question is how much cash do you need to hold in hand, knowing that a ransomware attack is highly likely” in addition to insurance, to handle “the entire financial structure of what would happen in case of a ransomware attack.” (Chip says he never advises organizations to pay or not pay ransomware; that’s a decision for the management.)
Protecting with a FAIR Cyber Insurance Analysis
“There’s probably no higher return on your investment in doing a FAIR analysis than doing an insurance analysis,” Chip says.
“It gives you some idea of what your max exposure is, particularly around ransomware, where we know the attack vector. But even more importantly, you can use FAIR to see where your risks are and identify what is covered.”
For instance, if you know ranges for loss from productivity, replacements or fines and judgements, you can comb through your sub-limits to find those that might be less than your exposure in those areas. “You can then start looking at different types of insurance mixtures. Cyber insurance would not replace capital loss but there are insurance policies that replace capital or other similar losses.”
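The sub-limit check described above can be run as a small simulation. The following is an added example, not code from the FAIR Institute or from Chip Block. Every dollar figure, the policy terms, the triangular sampling, and the rule that retention is applied after sub-limits are constructed assumptions for illustration.

```python
import random

# Constructed inputs (not from the article): per-event loss ranges in USD as
# (min, most likely, max) for three loss forms, plus a hypothetical policy.
LOSS_RANGES = {
    "productivity": (200_000, 1_500_000, 6_000_000),
    "replacement": (50_000, 400_000, 2_000_000),
    "fines_and_judgements": (0, 750_000, 5_000_000),
}
POLICY = {
    "aggregate_limit": 10_000_000,
    "retention": 250_000,  # deductible borne by the insured
    "sub_limits": {"fines_and_judgements": 1_000_000, "productivity": 3_000_000},
}

def settle(losses, policy):
    """Return (paid_by_insurer, retained_by_insured) for one event."""
    # Cap each loss form at its sub-limit; forms without one are capped
    # only by the aggregate limit. Assumed order: sub-limits, then retention.
    covered = sum(min(amount, policy["sub_limits"].get(form, float("inf")))
                  for form, amount in losses.items())
    paid = min(max(covered - policy["retention"], 0), policy["aggregate_limit"])
    return paid, sum(losses.values()) - paid

def simulate(ranges, policy, trials=20_000, seed=1):
    """Monte Carlo over the loss ranges; triangular sampling is a simplification."""
    rng = random.Random(seed)
    retained, binding = [], {form: 0 for form in policy["sub_limits"]}
    for _ in range(trials):
        losses = {f: rng.triangular(lo, hi, mode)
                  for f, (lo, mode, hi) in ranges.items()}
        for form, cap in policy["sub_limits"].items():
            binding[form] += losses.get(form, 0) > cap
        retained.append(settle(losses, policy)[1])
    retained.sort()
    return {
        "mean_retained": sum(retained) / trials,
        "p90_retained": retained[int(0.9 * trials)],
        "share_of_events_sub_limit_binds": {f: n / trials for f, n in binding.items()},
    }

if __name__ == "__main__":
    for key, value in simulate(LOSS_RANGES, POLICY).items():
        print(key, value)
```

The retained-loss figures speak to the cash-on-hand question raised earlier, and the share of events in which each sub-limit binds shows where the nominal $10 million limit overstates the cover.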
Expect higher premiums, Chip says, but otherwise, it’s hard to predict what could either bring down ransomware attacks or ease the financial situation for the cyber insurance industry. “I believe this is one of those situations where there is a government role – they could drive the market if they required every government contractor, for instance, to hold cyber insurance.” But the fact remains that “these are dangerous times in the cyber insurance business” and buyers should beware.