Is Cybersecurity Insurance Out of Reach for Government?

Cybersecurity insurance is becoming more expensive and harder to get, and some insurers are backing out of the market altogether. Where does that leave state and local government?

Cyber attacks: They’ve shut down government agencies, global companies and even a gas pipeline that serves nearly half the population along the East Coast of the United States. Experts say the attacks are growing in number and severity and that governments and businesses need to make it a priority to guard — and insure themselves — against them.

But as cyber attacks and ransom demands grow, cybersecurity insurance is becoming increasingly expensive for the insured and the insurer. The upward trajectory in cost has some experts wondering if the cybersecurity insurance market will remain economically viable. Local and state government officials wonder too, but many believe the cost of not having cybersecurity insurance is incalculable, making their jurisdictions vulnerable to extreme losses in capital, human health and safety, not to mention reputation.

In this ever-evolving cybersecurity landscape, insurers are asking much more of their clients in terms of staff training and technological safeguards. And looming over the shifting insurance market is a philosophical question: Do larger policies incentivize bad actors to increase their attacks and ransoms because they know governments have insurance policies and can pay large ransoms? Yes, say some experts, but not having insurance is a risk government simply cannot take.

“I think it is critical coverage for our world today …,” said Mike Volk, vice president of Cyber Risk Solutions at PSA Insurance and Financial Services. “It is becoming necessary to operate.”

WHAT IS CYBERSECURITY INSURANCE?


On the most basic level, cybersecurity insurance covers the liability and costs incurred by an entity as a result of a cyber attack. The policies can cover not just the losses of the insured, but sometimes the policyholders’ customers as well. And if an attacker demands ransom to release stolen data or unlock a system, policies often pay these costs as well.

As cyber attacks have evolved to a new level of sophistication in recent years, many cybersecurity insurance policies have added core services. Many policies offer negotiators to interact with attackers. Often, these negotiators are able to bargain ransoms down or convince attackers to release some data before they release all of it, as a way to show they are acting in good faith. Policies also often provide a team of forensic experts to come in and study the nature of the breach, its depth and its breadth.

“They also will look at what was stolen,” added Volk. “I’ve seen initial ransoms that were high and then were negotiated down when forensics realized the extent of the attack.”

Policies that cover third parties impacted by an attack offer post-attack services such as sending letters, or calling or emailing customers or other users of a breached system, to inform them that their data has been compromised. Legal support and reimbursement for interruption of business also are often covered.

Some coverage plans send experts out to local and state governments to conduct tabletop emergency activities in which they simulate an attack and guide clients through the process of response. They also develop cyber attack response plans with clients that enumerate, step-by-step, the actions to take after an attack.

MORE EXPENSIVE, HARDER TO GET


Cybersecurity insurance experts and government officials alike report that cyber attacks are increasing and, as a result, policy premiums are going up. Underwriters also are asking much more of potential clients in terms of information on the application and training of staff.

One of the problems in the cybersecurity insurance space is that there is no reliable data on the number of cyber attacks. No central clearinghouse tracks the events, and some businesses don’t report them. Governments, however, are more likely to report them due to their mandates for transparency, but the attacks still aren’t tracked globally. The lack of data makes it difficult for insurers to calculate risk. But anecdotally, experts and government officials report nearly unanimously that the attacks have increased dramatically.

“There is a sense of urgency … a recognition [by local governments] that this is a big problem and a growing problem,” said Brian Nussbaum, assistant professor in the College of Emergency Preparedness, Homeland Security and Cybersecurity at the University at Albany.

“Attacks are increasing,” said Alan R. Shark, executive director of the Public Technology Institute. “The pandemic was a wake-up call … with the more remote workforce, people were unwittingly clicking on things they shouldn’t have. … In the remote environment, not everyone had the best practices in place.”

And growing threats mean a growing price tag for insurance. According to a 2021 Government Accountability Office (GAO) report on cyber insurance, a recent survey of insurance brokers revealed that more than half of their clients saw price increases in cyber policies of 10 to 30 percent in late 2020. Industry sources also told the GAO that insurers are reducing coverage limits for some industry sectors, including health care and education.

Shark worries that the upward trajectory in attacks, and subsequently insurance premiums, will make cybersecurity insurance unsustainable for both the insurer and the insured.

“Some [insurers] are getting out of the business,” said Shark. “Some are upping the requirements to get coverage and upping the premiums.”

Phil Bates, chief information security officer for the state of Utah, has seen the increase in premiums firsthand.

“The premiums have gone up quite a bit in the last year and we have heard from other states that their premiums were going up too and their coverage was going down,” said Bates. “Now there is a higher deductible than we had before and that is pretty much across the board.”

Despite the increased cost, Bates says there is still great value in having a policy in place. “But if the cost keeps going up, we are going to have to look for other solutions because it is not feasible for governments to afford them [the policies],” he added.

According to Bates, some states are informally discussing moving to a self-insurance program where they would pool their resources with other agencies within their states to cover costs of attacks and possibly even ransoms.

“As you see costs go up, people will get more creative,” Bates added.

Peter Miller, chief security officer for Orange County, Fla., says the underwriting requirements to obtain cybersecurity insurance have exploded in recent years and now resemble one of the many audits he is required to undertake each year. Miller says the dramatic increase in documentation demands occurred in 2020.

“What we are seeing is that not only are the rates going up significantly, but the amount of documentation that they want for your coverage … has gone up significantly,” said Miller. “Two or three years ago they’d ask for two to three pages of documentation. This year the paperwork was 35 to 40 pages. … They go into a lot of detail.”
Miller says insurers want to know what kind of cyber awareness programs governments have in place, and if they don’t have one, insurers want one implemented. Some insurers will offer to do the training. Orange County purchased a training module to educate staff about phishing attacks, which are the No. 1 vector for cyber attacks in his county, according to Miller. The program sends out fake phishing scams via email. If an employee clicks on the fake phishing link, they are automatically redirected to an educational module that instructs them on the dangers and types of phishing scams. Days or weeks after they have completed the module, they will be sent another fake link. If they click on the fake link again, they must repeat the training module.

Miller also said cyber intrusion events — instances of phishing emails or other attempted breaches of the system — have increased dramatically in the last six months.

“In the last six months I have seen more activity than in the last 10 years,” he said. “It is definitely interesting times.”

Some recent cyber attacks against local and state governments have been stunning in their breadth and ransom demands. CISOs and insurers across the nation have taken note.

Shark, the executive director of the Public Technology Institute, says the increase in ransoms and the sophistication of the attacks are dramatically shifting the market. Insurers have gained more control in calling the shots on what local and state governments need to do to get the policies and how they must react in the event of an attack. Often, insurers will demand that jurisdictions call them first to notify them of the breach — before state attorneys general offices or other law enforcement. And some insurers are running a cost-benefit analysis and getting out of the cyber market altogether.

“Today … there are some cyber insurance companies saying, ‘You know what? This is way too expensive. We are going to stick to traditional lines of insurance,’” said Shark. “Others are upping the requirements and the premiums.”

According to a report by Chainalysis Insights, a cryptocurrency blog, in 2020, total cyber ransoms paid by victims reached $350 million, a 311 percent increase over the previous year (most cyber ransom demands are made in cryptocurrency). Chainalysis also expects these ransoms to rise.

Shark says despite the increase in premiums, cybersecurity insurance is still a good idea for local and state governments.

“But does it make governments a target?” he asked.

DOES INSURANCE INCREASE ATTACKS?


Shark is not alone in asking whether cybersecurity insurance incentivizes bad actors to launch more attacks and ask for larger ransoms because they know governments have the coverage and can pony up for the ransom.

“It seems to be the consensus of people in this space that ransoms have gone up in part because of cyber insurance,” said Nussbaum, of the University at Albany. “But are they going up because it is clearer and clearer how disruptive ransom attacks can be? It is hard to pull these things apart.”

To guard against higher ransoms, Volk, of PSA Insurance and Financial Services, advises businesses and local governments not to share their insurance limits.

“If a criminal knows your limits, they know where to start the negotiation,” said Volk.

Shark says recent trends in legislation could put another damper on the cybersecurity insurance industry. Three states are weighing legislation that would ban local governments from paying cyber ransoms, even if they are funded through an insurance company. The proposed laws seek to decrease ransom attacks by taking the paying of ransoms off the table. Shark says the bills would strip insurers of the power to decide whether paying the ransom is more cost effective than paying for the local government to restore the system.
“If this is successful and local governments were banned from paying a ransom, this would really hurt or destroy the cyber insurance market,” said Shark. “If that local government is prohibited from paying a ransomware fee, then the insurance company has its hands tied. They’ll say, ‘This market is not for us. … We are out of here when it comes to the public sector.’

“It has an enormous chance of backfiring and reversing the very things these well-intentioned laws are trying to do.”

Miller, of Orange County, believes cybersecurity insurance does entice bad actors to launch cyber attacks. He cites as evidence what he calls a “weird” analogy of some overseas companies buying ransom insurance in the event an employee is kidnapped.

“What happens then is they are kidnapped because these people know they work for a company and there is a policy and they will be guaranteed money,” said Miller.

Still, Miller, other local government officials and many cybersecurity experts maintain that having a cyber insurance policy is a necessary risk mitigation measure in the current climate. What’s unclear is how the market will continue to shift in response to evolving threats.
Pamela Martineau is a freelance writer based in Portland, Maine. She moved to Portland in 2019 after a 30-year stint living and working in California. A UC Berkeley graduate, Pamela worked at numerous daily newspapers including The Sacramento Bee. As a freelance writer, she has written about health care, education, technology, climate change, and water issues. She has two adult sons and a mischievous cocker spaniel.