Cyber defenses evolve to focus on supply chains

Organizations’ increased connectivity and reliance on the internet, web hosting services and other vendors have created new exposures with the potential to severely disrupt multiple businesses simultaneously.

Recent incidents, such as the CrowdStrike outage in July, demonstrate that a cyber event can incapacitate disparate businesses across multiple sectors without their being targeted (see story below).

Such nonmalicious service outages can have dire consequences similar to targeted or criminal attacks.

The commercial cyber insurance industry has responded to the increased exposures by developing ways to identify and quantify vulnerabilities, model incident outcomes and add defenses to stem losses.

Cyber modeling, which is used to quantify potential cyber losses, “is a relatively new discipline,” said Mike Rastigue, Chicago-based vice president for cyber risk management with Aspen Insurance Holdings Ltd.

The models are used to help quantify systemic cyber risks, which are drawing enhanced scrutiny.

“Systemic risk has always been a concern for the cyber market, but the way we have defined systemic risk or analyzed it is what has shifted more recently,” said Erica Davis, New York-based managing director, global co-head of cyber, for Guy Carpenter & Co. LLC.

Because it is so potentially pervasive, systemic cyber exposure can pose accumulation risks for insurers and reinsurers.

“Accumulation risk has been a topic of conversation for many years; it’s not new. The discussions are getting louder in the wake of some of these supply chain events,” said Tresa Stephens, New York-based North American head of cyber, tech and media at Allianz Commercial, a unit of Allianz SE.

As the threats evolve, tools to analyze and quantify the emerging exposures are being developed.

“Part of this is definitely a reflection of advancements in cyber cat modeling,” Ms. Davis said. For example, changing scenario catalogs, which are collections of potential events made available by cyber cat model vendors, are “contemplated in the way we see cedents purchase the reinsurance,” she said. Enhancements to data collection and the level of detail have also bolstered cyber coverages.

Changes to the risk landscape are also part of the equation, Ms. Davis said.

“You have got greater reliance on outsourced services, you’ve got increased connectivity, you’ve got advanced cyberattack techniques and a changing regulatory environment,” she said.

The cyber insurance sector should continue to reassess its view of systemic risk in light of a changing threat landscape, she said.

The digitization of modern business has revolutionized operations and significantly increased digital risks, said Jonathan Hatzor, co-founder and CEO of Parametrix Insurance Services LLC, a New York-based provider of technology downtime insurance.

Contingent business interruption events have always been an exposure but are increasing as organizations rely more on third parties, Ms. Stephens said.

The evolving threats and regulatory compliance requirements surrounding data privacy present further challenges to organizations, she said.

Risk concentration

Concentrations among service providers, contractors and other vendors leave organizations vulnerable if those suppliers fail.

“Tightly bundled technology solutions run the risk of creating single points of failure. Many businesses rely heavily on integrated systems and third-party IT services, which, while efficient, can also leave them vulnerable,” Mr. Hatzor said.

The advances in modeling and changes in the threat landscape have led to improvements in reinsurance products, Ms. Davis said.

For example, if a reinsurer is “able to identify particular cyber catastrophe events in which a client’s portfolio potential loss is outsized relative to peers, you can craft and design cover specifically for those scenarios, as opposed to buying something more all-encompassing. We’ve seen the market evolve in that direction. We expect that to continue,” Ms. Davis said.

The developments parallel vendor management practices present in larger insurance markets such as property. Explicitly identifying, or “mapping,” an organization’s dependence on technology vendors is critical, experts say.

“We know that a lot of companies rely on technology firms, and we can ask our insureds, ‘Who are your technology vendors?’ to understand what the concentrations of systemic risk are from that dimension,” said Michelle Chia, New York-based chief underwriting officer, cyber, Americas, for Axa XL, a unit of Axa SA.

She cited as an example money center, or global, banks, which regularly evaluate their primary networks, their secondary and tertiary reliances, and, in some cases, fourth-level reliances. “It’s something that money center banks do to ensure that they understand what organizations they rely upon, what capabilities do they outsource. That’s one of the things that I think would be helpful in understanding systemic risk,” Ms. Chia said.

As organizations increasingly shift activities and operations online, risk has accumulated around cloud vendors, Mr. Rastigue said.

An average large business could have thousands of technology providers, he said.

“You can have these third- and fourth-order losses from exposures that you didn’t necessarily know you had, and this is where it gets really complicated,” Mr. Rastigue said.

Risk management

The increased exposure requires increased risk management, including coverage reviews and identifying new threats, experts say.

Risk managers must be mindful of restrictive policy language and precise coverage parameters, especially as they relate to their particular business, said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice.

“The risk manager needs to be focused on wording around contingent business interruption and potential sublimits or exclusionary language that may apply to organizations where they were not direct targets but they suffer consequences of an attack against another party,” he said.

Just as underwriters instituted controls such as multifactor authentication with policyholders to combat ransomware, “there’s that next level of right behavior that is needed to help manage cyber systemic risk, and that’s taking a look at other reliances,” Ms. Chia said.

Danielle Roth, New York-based head of cyber claims for Axa XL, said systemic risk “is another area where we could encourage good behavior.”

“We’ve seen underwriters develop a question set that focuses on controls in a very much more sophisticated way than they were doing it five years ago,” Mr. Farley said.

Commercial insurers and reinsurers play a role in raising awareness around the importance of good cybersecurity and cyber hygiene, said Justyna Pikinska, London-based global head of cyber analytics for Gallagher Re, the reinsurance brokerage of Arthur J. Gallagher & Co.

Among the tools being used, outside-in scanning, which helps underwriters identify potential exposures related to a policyholder’s website, is becoming popular in the cyber insurance sector, Ms. Pikinska said.

“Many insurance companies are actively going out of their way to help improve in that regard, and to help that product evolve,” she said.

“The industry should focus on controllable areas, like mapping and managing aggregation risk. By understanding these points, we can evaluate key exposures and mitigate both malicious and nonmalicious threats,” Mr. Hatzor said.


Cyber insurance rates soften as competition heats up

The market for commercial cyber liability insurance is largely stable, with many policyholders still seeing rate decreases, albeit smaller than earlier this year amid a general deceleration of reductions, experts say.

The sector has matured in recent years, with more insurers offering coverage and capacity and an expanded loss and claims history that has given cyber underwriters more data on which to base pricing and underwriting decisions.

“We’ve seen a maturity there. We’ve seen a lot more competition, and that competition has helped to drive pricing down or keep it stable today,” said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice.

In addition to new market entrants, some insurers that previously only wrote excess layers are writing primary coverage, resulting in increased capacity and a buyer’s market, he said.

Pricing is stabilizing, and reductions are decelerating, “so we’re starting to get to a place where we’re almost close to zero. I would say by the end of the year, we’ll be a little bit down,” with likely decreases of less than 5%, said Meredith Schnur, New York-based U.S. and Canada cyber practice leader at Marsh LLC.

The continued rate softening of the past few quarters has largely ended, Ms. Schnur said. “They’re not softening; if anything, they’re stabilizing, and we’re not seeing the intense decreases,” she said.

Marsh’s most recent pricing data, based on U.S. Marsh clients renewing their cyber programs in the second quarter of 2024, shows average total program annual decreases of 5.1% and second-quarter average primary declines of 3.6%. The changes do not include renewals with changes in limits.

Ms. Schnur added that although some middle-market policyholders have been buying cyber coverage for some time, “there are a lot more enterprises in that space, so the take-up rates are continuing to grow.”

“The market’s definitely stabilizing. It’s not going up very rapidly; it’s not coming down very rapidly,” said Michelle Chia, New York-based chief underwriting officer, cyber, Americas, for Axa XL, a unit of Axa SA.

More businesses and organizations are buying cyber insurance, including small and midsized companies, she said.

Much of the market softness over the past few quarters has been in the middle-market segment, policyholders with annual revenue of $100 million to $1 billion, said John Kerns, New York-based executive managing director, cyber and technology, for Brown & Brown Inc.

“There’s been a pause in terms of the significant reductions that clients have been seeing over the last 12 to 18 months,” Mr. Kerns said.

Rates for large accounts, policyholders with more than $1 billion in annual revenues, were “slightly down,” but they had not seen such significant reductions as smaller accounts.

Rating levels may fall under increased scrutiny as losses mount, said Mario Vitale, New York-based president of Resilience Cyber Insurance Solutions LLC.

“We’ve had some large events,” Mr. Vitale said. “Not market-changing loss levels, but it’s got everyone’s attention. It is going to get underwriting to sit back hopefully and look at it and recognize that this is a serious risk to corporations.”


CrowdStrike outage triggers protracted claims process due to business disruptions

The cyber infrastructure failure that began July 19 due to a faulty security update from leading cybersecurity vendor CrowdStrike Inc. generated a flurry of cyber insurance claims.

While industry sources were careful not to dismiss the possibility of further claims, most notices have likely been filed, they said. One source noted that this is the front end of what may be a lengthy process as claims are adjusted and adjudicated.

Austin, Texas-based CrowdStrike rectified its error and has provided updates about the incident via its website, concluding that according to its analysis, “together with a third-party review … this bug is not exploitable by a threat actor.”

“We have a pretty good sense of what the size of the event looks like today, in terms of volume of claims,” said Elisabeth D. Case, Chicago-based global product manager, cyber, for Liberty Mutual Insurance Co.

Brokers were diligent in quickly filing claims and notifying all affected insurers, she said.

“Clients, globally, continue to notify their cyber carriers of potential claims from the CrowdStrike outage, but the frequency has slowed tremendously since late July,” said Meredith Schnur, New York-based U.S. and Canada cyber practice leader at Marsh LLC.

“For the most part, there was a spike the first two weeks after, and now we still have a few notices trickling in, but I feel like we have a good idea of which of our insureds have or will notice us, and I don’t expect to get many more,” said Danielle Roth, New York-based head of cyber claims for Axa XL, a unit of Axa SA.

Some of the claims may be “precautionary in nature” and may not ultimately result in a serious loss, she said.

Clients with a large potential loss or substantially difficult cyber incident would likely be working with response and recovery personnel or vendors, giving added visibility and transparency to claims, Ms. Roth said.

Claims notices, though, are just the beginning of what will likely be an extended process, said John Kerns, New York-based executive managing director, cyber and technology, for Brown & Brown Inc.

“These are business interruption losses, and it takes considerable time to be able to determine the net income loss as a result of something like CrowdStrike. That takes time to adjust,” Mr. Kerns said.