Insurance Journal’s Top Cyber Stories of 2020
Whether it was cyber risks related to the COVID-19 pandemic or ransomware attacks growing more severe and frequent, cyber insurers had a lot to pay attention to this year.
As 2020 wraps up and cyber insurers prepare for a new year, here’s a look back on Insurance Journal’s most read cyber stories of the year based on readership metrics:
Insurance broker Arthur J. Gallagher & Co. and its claims unit, Gallagher Bassett, reported that a ransomware incident that happened on Saturday, Sept. 26 limited some of its internal systems.
In a filing with the Securities and Exchange Commission (SEC), the company said it took all of its global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged external cybersecurity professionals, and implemented its business continuity plans to minimize disruption to its customers.
Cybersecurity firm Prevailion Inc. said in November that a Russia-based ransomware group responsible for a new wave of attacks against U.S. hospitals is laying the groundwork to cripple at least ten more. Prevailion’s analysis came a day after the FBI and two other federal agencies issued a warning about an imminent and credible threat to hospitals and health-care providers from cyber attacks, including ransomware capable of locking entire computer networks.
The hacking group responsible — known among some experts as UNC1878 and others as Wizard Spider — hit at least nine hospitals in three weeks, crippling critical computer systems and demanding multimillion-dollar ransoms.
The U.S. Treasury Department warned in October that individuals or businesses that help facilitate ransomware payments may be violating anti-money laundering and sanctions regulations. The warnings came in a pair of advisories, one from the Financial Crimes Enforcement Network (FinCEN) and the other from the Office of Foreign Assets Control (OFAC).
FinCEN addressed companies that provide protection and mitigation services to victims of ransomware attacks, including digital forensics and incident response companies and cyber insurance companies that facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for convertible virtual currency (CVC), and then transferring the CVC to criminal-controlled accounts.
A major government report on cybersecurity issued in March that warns the nation is seriously underprepared for cyber attacks called for the creation of a federally-funded center to develop cybersecurity insurance certifications and a public-private partnership on cyber risk models. The report, “A Warning from Tomorrow,” also called for consideration of a government reinsurance program to cover catastrophic cyber events.
“Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system,” said the report from the Cyberspace Solarium Commission.
The commission advocated a strategic approach to cybersecurity that it refers to as “layered cyber deterrence,” which has the goal of a “reduced probability and impact of cyberattacks of significant consequence.”
Cyber insurers have been enjoying a profitable run for several years but are now facing a changed risk landscape with data breaches, ransomware attacks, insurance claims and overall threat awareness increasing. In a report, “Cyber Insurance: Profitability Less Certain as New Risks Emerge,” rating agency AM Best noted that growth has slowed significantly from 2016-2017 when direct premiums written grew by more than 30% annually and claims have doubled to 18,000 in 2019, up from 9,000 in 2017.
Accordingly, AM Best analysts are advising carriers that they should focus on “greater clarity in their insurance contracts to set transparent expectations for themselves and their clients.”
The magnitude of the COVID-19 pandemic as an economic loss event is unprecedented for companies and insurers alike, and claims trends and risk exposures are likely to evolve in both the mid- and long-term as a result of the pandemic, according to a new report: Covid-19 – Changing Claims Patterns from Allianz Global Corporate & Specialty (AGCS).
With the reduction in economic activity during lockdown phases, traditional property and liability claims have been subdued, most notably in the aviation and cargo sector, but also in many other industries with fewer accidents at work, on the roads and in public spaces, the report notes. While estimates vary, the insurance industry is currently expected to pay claims related to the pandemic of as much as $110 billion in 2020, according to Lloyd’s.
Cyber incidents ranked for the first time as the most important business risk globally, pushing the perennial top peril, business interruption (BI), into second place, according to the ninth Allianz Risk Barometer 2020.
Cyber incidents were named by 39% of survey respondents from more than 2,700 risk management experts in over 100 countries and territories, said the annual survey from Allianz Global Corporate & Specialty (AGCS). Seven years ago, the survey report revealed, cyber incidents ranked only 15th with just 6% of responses.
Pandemic threats were once on the list of potential emerging risks facing the insurance industry and society. Now that this risk has materialized with the COVID-19 crisis, it is perhaps a good time to take a look at the latest emerging risks, which could present potential downside threats and upside rewards for the industry.
This is the aim of Swiss Re’s latest SONAR report, which details 14 emerging risks for 2020, including the top three with the highest potential impact: cyber security, intergenerational imbalances (highlighted by the coronavirus pandemic) and carbon removal. Drilling down into the report, there are eight short-term risks (of less than three years) out of the overall 14 risks identified by SONAR.
Companies of all sizes have fallen victim to attacks whereby fraudsters will use deceptive communications, such as spoofed emails, to trick an employee into transferring money into the fraudsters’ control. While these increasingly prevalent schemes are an ever-present risk for businesses, the body of case law finding these losses covered under crime insurance policies continues to develop.
A previous post on the Farella Braun + Martel blog discussed decisions from the Second Circuit and Sixth Circuit that have found coverage under crime policies for phishing-related losses. Now, with its decision in December 2019 in Principle Sols. Grp., LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019), the Eleventh Circuit held that such losses are covered by policies insuring against fraudulent instructions.
This summer marked three years since the NotPetya malware attack, which has been called the most devastating cyber attack in history. The NotPetya malware attack that began in Ukraine in June 2017 ultimately caused more than $10 billion in damage and wreaked havoc on major companies, including shipping company Maersk and pharmaceutical company Merck, which respectively lost up to $300 million and $870 million, according to reports.
While cyber experts say cybersecurity and prevention strategies have since evolved in many ways, they also warn another crippling attack is never far off.
“We’re always one attack away from another market-wide event,” said Conan Ward, president of MGA/MGU Operations at QOMPLX, a Reston, Va.-based intelligence data analytics company that specializes in insurance and cybersecurity.