We're diving into the details of a key insuring agreement to help brokers better understand their clients' cyber coverage. This post was originally published February 2020 and was updated in September 2021.
For a basic claim scenario, think of your client, an online retailer, whose website was inaccessible in some parts of the country for several hours due to an outage at their outsourced web hosting provider. In this case, if your client has contingent business interruption coverage, they may be eligible for a claim.
We’ve seen the necessity for Contingent Business Interruption illustrated in recent news, like the REvil ransomware attack on the Florida-based software provider Kaseya, which created downstream risk for Managed Service Providers using the on-premise Kaseya VSA solution. The Kaseya ransomware incident led to outages in unpredictable places, like a supermarket chain in Sweden and several public administration offices in Romania, which highlights the sheer scope of attacks like this.
Contingent BI is a key offering for cyber insurance policies and a prime example of how quickly cyber coverage has evolved. Just a few years ago, carriers and reinsurers were not entertaining CBI coverage, due in part to a lack of understanding of cyber risk, data breaches, the cost of business interruption, and how they impact business owners. However, it grew in popularity along with the expansion of cyber coverage. As the current cyber market deals with the prevalence of ransomware, and its first significant encounter with a hard market, we’ve seen some stark reductions in coverage, especially for companies with poor security vulnerability management and incident response procedures.
A major reason we’ve seen some markets pull back on contingent BI is aggregation. With a few major service providers like Amazon Web Services and Google providing IT services for millions of companies, the risk of a single outage leading to catastrophe-like consequences for carriers loomed large in the minds of reinsurers. Risk aggregation was an unknown quantity in relation to overall cybersecurity risk management.
There have been examples of near-catastrophic cyber events, like the AWS EC2 outage in 2017, which have turned out not to be overly problematic from an insurance standpoint. In these cases, affected insureds did not experience protracted outages, as service providers were able to fix problems quickly. Reinsurers’ appetite for contingent coverage cracked open enough for more progressive underwriters to begin creating these coverages with waiting periods gauged to the experiences of organizations during these major outage events.
Then ransomware hit. We saw organizations face encryption, exposure of employee personal information, and massive data loss, which led to skyrocketing ransom payments. Beyond outages, this was a whole new risk for carriers to consider, especially facing the reality of how far-reaching a single ransomware attack can be across customers.
Like many of the coverages we see across cyber, the language a cyber insurance policy uses to cover this loss is not universal. Some markets use “contingent”, others use “dependent”, and others use neither. Other key wordings you may encounter are “security failure” and “system failure”: respectively, a cyber event caused by a cyberattack, and a cyber incident caused by an accidental outage such as human error.
Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a result of the total, partial, or intermittent interruption or degradation in service of the Computer System of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, or Administrative Error at that Outsourced Service Provider. (Full limits)
Cyber liability insurers apply different exclusions depending on how the business interruption coverage is structured. Some policies identify the specific services that count under the coverage, for instance describing the specific types of IT providers whose service interruption would qualify. Other policies require the insured to schedule specific vendors rather than providing blanket coverage. Some exclude ‘infrastructure’, meaning basic services like an Internet Service Provider or the electrical grid.
There is also a question of triggers: the system and security failures mentioned above. Contingent BI coverage most often covers security failure. System failure coverage (events not triggered by an attack) is not as common and is often sub-limited when given.
Waiting periods range widely, from conservative to aggressive. Waiting periods under 12 hours are increasingly common. Corvus offers a 6-hour waiting period for this coverage.
Another aspect of the coverage that’s not yet standardized is how markets treat retention. In some cases, the waiting period stands in as the retention, with no additional dollar retention. In others, losses accruing to the retention start counting only after the waiting period is up, and still others count from hour 1 but only once the waiting period has been met. Corvus has no dollar retention.
This coverage is still not universal, so check the policies from the markets you work with. The more progressive cyber forms will include it. Be sure to review the language with an eye toward the technicalities reviewed above, to ensure you’re offering your client the terms that will cover them best given the IT service providers they use and the type of business they operate.