“If you fail to prepare, prepare to fail.”
That is how Fred Karlinsky concluded his March 7 presentation on cyber insurance at the LDI Conference 2022, hosted by the Louisiana Department of Insurance at the Higgins Hotel in New Orleans, part of the World War II Museum complex. Karlinsky was emphasizing the risk that cyberattacks pose today.
An attorney with Greenberg Traurig in Florida, Karlinsky has 30 years of experience representing the interests of insurers, reinsurers and other insurance-related entities on their regulatory, transactional, corporate and governmental affairs matters.
During his presentation, Karlinsky covered the threat environment, recent cyberattacks, the importance of cyber insurance, cyber insurance basics, cyber insurance coverages and other cyber considerations.
To punctuate the seriousness of the cyber threat, Karlinsky told his audience that insurance experts now consider the risk of cyber liability losses to exceed the risk of fraud or theft, which is “obviously significant.”
Cyber is our largest risk, Karlinsky said, and it will continue to be significant. Nothing people do today, whether it is turning on the lights at home, pumping gas, or going into and checking out of the grocery store, happens without a network connection. “Any organization that uses technology or stores any confidential information has cyber risks,” Karlinsky pointed out.
The threat environment
Cyber risks include loss of information, cyber extortion, legal liability for security breaches and the expenses involved in responding to a cyberattack, he explained.
In the United States alone, attacks cost the economy anywhere from $57 billion to $109 billion annually, and there are approximately 300,000 cyber incidents per year, he said.
A lot of today’s cyber incidents are coming from offshore and are perpetrated by nation states that intend to take down the infrastructure of the United States from an intelligence perspective and an economic perspective, Karlinsky told his audience.
In October 2021, the U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN, released a financial trend analysis titled Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021. During the first six months of 2021, suspicious activity reports flagged roughly $590 million in ransomware-related activity. Putting that in perspective, he said, those six months exceeded the total reported for the entire year of 2020 by about $150 million, and the amount exceeds the prior 10 years combined, Karlinsky pointed out.
Most of the suspicious activity reports are filed by U.S. cybersecurity companies, banks and cryptocurrency exchanges, according to Karlinsky.
“What you are seeing now is ramped-up activity in the suspicious activity reports that the government gets. FinCEN identified 68 ransomware variants in the suspicious activity data.
“That means that at a minimum there are 68 different threat actors that are doing significantly bad things to the U.S. intelligence and business infrastructure in terms of the cyber world,” he said.
Identifying variants helps law enforcement identify the various attackers, he said. Similar variants probably come from “the same threat actors,” Karlinsky explained.
The top 10 most frequent variants of ransomware accounted for $217.56 million and more than half of the suspicious activity in the first six months of 2021. There were 242 suspicious activity reports on the 10 most frequent variants, according to Karlinsky.
The last two years have probably been “the strangest two years of our lifetime,” he said. After the pandemic hit, workforces that had been in offices migrated to home office systems, where cybersecurity is much less controlled, Karlinsky explained. The biggest threat to cybersecurity and data security is not the threat actors, he said, but individuals who make careless errors and do things that are not best practice in terms of security hygiene.
Cyber criminals almost immediately took advantage of human and company vulnerabilities, he said, such as unsecured connectivity, employee access and phishing, in which an attacker impersonates a trusted party by email or message to trick someone into handing over credentials or other personal information.
Recent cyber attacks
Karlinsky talked about some of the cyber activity that took place in the last year or so.
-The ransomware attack on the insurer CNA in March 2021 exposed personal information of about 75,000 people. The attack completely shut down CNA. “If you went to their website, there was one page that said, ‘We are having technical difficulties, come back later.’” Karlinsky said CNA paid a ransom of somewhere around $40 million to get its systems back up and running.
-The Colonial Pipeline incident in May 2021 was a ransomware attack for which the company paid a ransom of about $4.4 million. “Whether there was actually a shortage of gas, I don’t think we will ever know,” he said, “but when people heard about it, there was such a concern that they would not be able to get gas that it created at least an artificial need for people to go out and fill up their tanks.” In addition, airlines cancelled some flights out of concern that they might not have enough fuel to operate them, he said.
Infrastructure cyberattacks are some of the most devastating and critical, Karlinsky said. In this instance the attack happened in one part of the country. “Because it affected something as essential as gas, it affected a lot more people than just the folks in that part of the country,” he said.
-The impact of the July 2021 ransomware attack delivered through Kaseya’s VSA remote-management software was widespread, Karlinsky said, affecting businesses in New Zealand, Swedish grocery stores and between 800 and 1,500 businesses in the U.S.
-In November 2021, Robinhood disclosed a security breach that exposed the data of about seven million users.
Speaking from personal experience, having been the victim of identity theft, Karlinsky recommended that people protect their credit information by placing a freeze on their credit. He said it is easy to do, and explained that it “does not allow anyone to open credit using your identity without talking to you and using certain buzzwords.”
He mentioned that Aon had disclosed a cyberattack within the previous 10 days or so.
Financial services entities such as CNA or Aon are big targets, he said, because they hold data-rich information that people can use. In the old days, he said, information like Social Security numbers and credit card numbers was considered high-value data, but if a person has a problem with a Social Security number or credit card number these days, the person changes the number almost immediately. “Those numbers now go on the dark web for almost nothing, 25 cents, 50 cents, because the threat actors know that when that credit card number is out there, it is probably going to be good for just a short period,” he said.
Currently, health data is probably the highest value data, Karlinsky said, because individuals can’t change their health data, and if health data is acquired on a politically exposed person, it could be used to compromise that person.
In Karlinsky’s estimation, the item du jour is “Russia, Russia, Russia.” There are more cyberattacks coming out of Russia to the United States than any other place, he said. He contends there is a cyber war, and no one is better at it than Russia and China. He said that they have gotten into the Pentagon systems and into the FBI.
Cyber insurance basics
In addressing the importance of cyber insurance, Karlinsky described the coverage as “the latest and greatest trend to protect your business.” It is a “safeguard against those who look to do your company harm.”
In years past, a general liability policy might cover some of the same things that today a cyber policy covers.
Fast forward to 2022, he said, “GL policies no longer cover cyber, so if you are running a business, … you need to make sure that your organization, if applicable, has some type of cyber insurance.”
There is talk of some states not allowing victims to pay ransoms, but “the fact of the matter is you cannot legislate whether you are going to have to pay ransomware or not,” Karlinsky said.
“To be clear, cyber insurance is not a panacea or a substitute for good cyber hygiene. You still need to have dual authentication. You still need to have best practices. You still need to train your folks. But cybersecurity can help you out in the event of a loss,” he said.
Karlinsky mentioned a ransomware attack he was involved in that he described as “bizarre.” At the end of the process, the attackers revealed exactly how they had done it. It turned out the entry point was someone working from home with poor cyber hygiene.
He explained that cyber insurance mitigates a company’s cyber risk, covers financial losses following a cyber event and helps with costs associated with remediation.
In addition, if insureds get sued because they have a loss covered by a cyber security policy, the insurance can help with some of the regulatory friction costs as a result of the incident.
He believes cyber insurance is a necessity for businesses with an online component; businesses that send or store data, systems that house private and personal data, and businesses that depend on computer networks. “Having an online presence is reason enough to have cyber coverage,” he said.
Cyber insurance is a new coverage based on emerging technology. Coverages have changed, Karlinsky said, because of the novel nature of cyber risks.
Cyber insurance trends
A 2021 Marsh report on ransomware found that the cost of a ransomware attack in the U.S. increased by 290 percent year-over-year, and ransomware incidents increased by 170 percent. The cost of cyber insurance has increased 96 percent year-over-year, according to Karlinsky.
There probably is not an availability crisis for cyber insurance, but there may be an affordability crisis. He said that is an artificial statement, since rates were probably too low before because cyber insurers did not know what they were facing. In addition, Marsh found that rates are increasing due to the loss environment, systemic risk concerns, rising reinsurance costs and the limited capital available to write the coverage.
Karlinsky presented a bar graph from Marsh indicating that 47 percent of Fortune 1000 companies had cyber insurance as of 2020, compared with 26 percent in 2016. That number is also going up for small and medium-sized businesses, he said.
He believes that mom and pop businesses are the most vulnerable and the ones least likely to have the right kind of cyber coverage.
Whatever the time frame that a business needs to save data, he advises that businesses destroy the data at the end of the required time frame. “Because the worst thing that can happen is that data that you didn’t need to keep is the victim of a data breach. Be sure you do the research and understand the statute of limitations and other business necessities,” he said.
Four myths about cyber
-Cyber insurance never pays claims. Actually, 98 percent of claims to cyber insurers are being paid, Karlinsky said.
-With cyber insurance, there is no worry anymore about cyber security. In fact, he said, “Cyber insurance is not a cover all type of contract and has specific requirements.”
-With a data breach replacement endorsement to a businessowners policy, the insured is covered. The truth is that data breach endorsements often don’t offer the coverage options and limits that businesses need.
-If a business is in the cloud, why worry about cyber insurance? The problem is that data in the cloud can be compromised during a cyberattack. “When cloud services aren’t configured properly, safety gaps can occur, and hackers scan the web for those safety gaps,” he said.
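The misconfiguration Karlinsky alludes to is, most often, a storage bucket or similar cloud resource whose access policy grants access to anyone on the internet; attackers find such resources by scanning rather than by breaking in. The following is an added example written for this article, not code from the presentation or from any cloud vendor: a small Python check that reads an AWS-style S3 bucket policy and reports statements that allow the anonymous principal without a narrowing condition. The policy documents (`WEAK_POLICY`, `HARDENED_POLICY`), the bucket name, account ID, role name and VPC endpoint ID are all constructed samples, and the check is a simplified reading of IAM semantics rather than a full policy evaluator.

```python
"""Added example for this article: a minimal check for the cloud
misconfiguration Karlinsky describes, a storage bucket policy that grants
access to anyone on the internet.

Illustrative code written for the article, not a tool from the presentation
or from any cloud vendor. The policy documents are constructed samples, and
the check is a simplified reading of AWS IAM semantics (it does not evaluate
bucket ACLs, account-level Block Public Access settings or cross-account
trust) rather than a full policy evaluator.
"""
import json

# Constructed sample: the weak setting. Anyone can read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: the corrected setting. Reads are limited to one IAM
# role, a wildcard Deny enforces TLS, and the only "*" Allow is pinned to a
# VPC endpoint by a Condition (all identifiers are made up).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "VpcEndpointRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _principals(statement):
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():          # e.g. {"AWS": [...]}, {"Service": ...}
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def _is_public(statement):
    """True for an Allow to the anonymous principal with no narrowing Condition."""
    if statement.get("Effect") != "Allow":
        return False
    if "*" not in _principals(statement):
        return False
    # A Condition that pins the caller (source VPC endpoint, source IP, account,
    # etc.) keeps the statement from being open to the whole internet. Treating
    # any Condition as a restriction is a simplification: a Condition can also
    # be one that every caller satisfies.
    return not statement.get("Condition")


def public_statements(policy_json):
    """Return the Sids (or positional index) of statements that grant public access."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    return [s.get("Sid", f"#{i}") for i, s in enumerate(statements) if _is_public(s)]


def is_public(policy_json):
    """Convenience wrapper: does this policy expose the bucket to everyone?"""
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: public statements = {public_statements(doc)}")
```

The check flags the weak policy’s `PublicRead` statement and passes the hardened one, because the `Deny` is not a grant and the `VpcEndpointRead` allow is restricted by its condition. In a real account the bucket policy is only one input: bucket ACLs, account-level Block Public Access settings and the IAM policies of the calling principals all feed the final access decision, which is why a full evaluation is better left to a tool such as AWS IAM Access Analyzer; this script is meant to show what “configured properly” means for the specific gap the speaker describes.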
As cyberattacks are on the rise, insurers and clients face additional challenges that they never faced before, Karlinsky told his audience. He explained that it’s tough to develop cyber insurance products because insurers don’t have the data to develop models, and the coverage is difficult to price. Other challenges arise because key terms such as “cyberterrorism” don’t have standard definitions.
Cyber insurance coverages
He explained the five types of cyber insurance coverage: privacy liability, network security, errors and omissions, media liability and network business interruption, none of which can be purchased in the middle of a breach.
Network security coverage includes ransomware coverage, which does not cover the ransom, Karlinsky explained, but attorneys will help a client through the process.
Other cyber considerations
Karlinsky suggested some cyber hygiene measures to ward off cyberattacks, including multifactor authentication for logins, email filtering, cybersecurity training and developing incident response plans. In addition, he recommended regular backup practices and defensive software.
Karlinsky listed several regulatory measures taken to enhance the security of cyber systems.
In May 2021, President Joe Biden issued Executive Order 14028 titled, Improving the Nation’s Cybersecurity. The order charged multiple agencies with improving cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
The Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors and operators of critical infrastructure to notify the federal government in the event of a cybersecurity incident.
NAIC Insurance Data Security Model Law establishes data security standards for regulators and insurers. The model law has been adopted in 18 states. “It was a painstaking process and somewhat controversial,” Karlinsky said. The model law was developed in response to high profile data breaches of insurers.
New York’s Department of Financial Services has implemented a cybersecurity regulation (23 NYCRR Part 500) that applies to insurance companies, banks and other financial services firms regulated by DFS.
Karlinsky said the “most sweeping” state law is the California Consumer Privacy Act.
A lot of these laws are intended to deal with the purveyors of big data, such as Facebook and LinkedIn, but they can impact everyone, he noted.