From The Iowa County magazine october 2021 issue
Cyber insurance enviornment
If you’re an ICAP member, you’ve likely heard us talk about “cyber” over the past few months. We’ve hosted multiple events on the topic; undertaken an arduous cyber application process; and provided multiple market updates in our attempts to ensure member representatives have been informed of the changing cyber insurance market.
If you participate in the Pool, you know cyber coverage has been on our minds. The insurance landscape is changing. The market is hardening, and the cyber insurance industry is reeling. When you start to dig into things, it becomes very easy to understand why.
AM Best, a credit rating provider, recently reported “the prospects for the cyber insurance market are grim.” In a June 2021 report, the agency stated the percentage increase in [cyber] claims is outpacing that of premiums.
Take a look at the US Department of Justice chart shown at right; this chart depicts actual monetary damages caused by cybercrime for the period dated 2001-2020. The year-over-year growth in related damages, especially since 2018, is staggering.
Estimates indicate cybercrime will cost the world $6 trillion this year, and $10.5 trillion annually by 2025. For a point of reference, cybercrime damages totaled $3 trillion in 2015.
At present, cyberattacks are the fastest growing crime in the US. Our collective reliance on technology, coupled with the unique circumstances of the pandemic, has caused organizations and individuals alike to be more susceptible to cyberattack, which are increasing in both severity and frequency.
ABC News reports malicious emails are up 600% due to the pandemic (Fortinet reports 1 in every 6,000 emails contains a suspicious URL), and Varonis, an independent data security platform, suggests ransomware attacks jumped 148% in the first month of the pandemic alone.
These are scary statistics, and they get worse, because public entities are being targeted by such crimes. A 2021 Data Breach Investigations Report by Verizon indicated “Almost one in five breaches in 2019 involved the targeting of public sector organizations.”
There are a number of factors contributing to this, and they boil down to three main considerations:
Local governments do not have the funds to replace technological infrastructure and related IT items.
The majority of local and state government employees lack training as relates to cyber attack prevention (less than 40% are trained in ransomware attack prevention).
Many municipal representatives believe they aren’t as “at risk” of cybercrime as larger, for-profit organizations.
Local governments now face increased scrutiny when it comes to cyber insurance. Coverage providers are looking at public entities as an increased risk and requiring a significant amount of nuanced, heavily detailed underwriting information before they will even entertain providing cover. As a result, it is becoming increasingly more difficult for counties and local governmental agencies to secure adequate levels of cyber coverage at prices they can afford.
As we stated earlier, providers are paying out more in cyber-related claims than they are collecting in cyber coverage premiums. This jeopardizes the profitability of the industry. and suggests we should expect to see pricing for cyber coverage increase as we move into 2022. It also suggests, pricing aside, public and private organizations alike may face an uphill battle when it comes to securing cyber coverage. That is, of course, unless one can present itself as a favorable risk to a provider.
Fortunately, there are things your county can do to help with this. Every public entity should have measures in place to help mitigate the risk of a cyber attack. ICAP’s IT Risk Control Team recommends every county:
Develop an incident response plan.
Monitor for security incidents.
Develop relevant policies (and train to them!).
Establish data backup protocol.
Maintain a records retention schedule.
Know the difference between an incident and a breach, and have reporting measures in place.
Outline steps to be taken in the event of a breach.
While these recommendations are general in nature, they are relevant to every single Iowa county. They are also a great jumping off point for reviewing any security measures your county already has in place. If ever there is a time to do this, the time is now!