The global cyber market finally began to stabilize in Q4 2022, largely thanks to renewed competition between markets, a decrease in median ransomware payments during the first half of the year and organizations stepping up their technological controls. In this article we will look back at 2022 and discuss what organizations can expect in 2023 (see 4 Top Cybercrime Predictions for 2023).
According to Willis Towers Watson, with the volatile economic situation expected to continue into 2023, cyber scammers will be working harder to take advantage of people when they are more vulnerable. Cybercriminals love to exploit seasonal opportunities, and consumers are facing a perfect storm of rising prices in the middle of the busiest shopping season of the year, when scammers are particularly active (see How to Reduce the Impact of Cybercrime?).
Reported ransomware incidents and their severity have skyrocketed in recent years, with monetary estimates of global 2020 cyberattack losses at around USD 945 billion. The types of attacks and targeted sectors have also evolved.
The Russia/Ukraine War
According to WTW Research, this past year has been one of unexpected geopolitical and economic upheaval.
The Russian War in Ukraine has had more impact than any other single global event.
Economically, it contributed to a surge in oil and gas prices, which fed widespread inflation that peaked over the summer and put a strain on just about every business and individual across the United States and elsewhere.
The conflict led the FBI and U.S. Department of Homeland Security to warn of an increase in state-sponsored cyber attacks, especially by groups sympathetic to Russia.
As recently as early October of this year, a Russian-sponsored group of hackers known as Killnet launched denial-of-service attacks on several major U.S. airports. These attacks highlight the particular vulnerability of certain industries, such as the airline industry, and the potential for even more cybersecurity regulations being imposed by the FAA and TSA.
In response to this conflict, we saw carriers re-examining their war exclusions to address state-sponsored cyber-attacks. In September, we discussed the Lloyd's market's requirements for state-backed cyber-attack exclusions, and the four model exclusions deemed acceptable.
The fourth such exclusion, LMA5567 (commonly referred to as LMA4), is emerging as the most widely used of the four. This model exclusion does exclude losses arising from physical war but does not exclude state-sponsored cyber-attacks unless they are carried out in the course of physical war or they can be categorized, against the applicable threshold points in the exclusion, as having a major detrimental impact on the essential services or defense of a nation state; even then, that subsection of the exclusion applies only if the insured's digital assets affected by the attack are physically located in the impacted nation state.
Many carriers in the U.S. are moving toward using this exclusion; however, there is still wide variation among U.S. carriers as the market adjusts.
The LMA4 exclusion and its U.S. variations can have a particular impact on certain industries, such as banking, healthcare, utilities, infrastructure, transportation and defense, as attacks on insureds in those industries can impact the "essential services" or "defense" of the U.S. If an organization is within such an industry or falls within the definition of an essential service, we recommend a careful examination of the war exclusion during 2023 renewal negotiations.
Decline of ransomware attacks
According to the Global Cyber Crime, Fraud & Ransomware Survey, platform fraud, an insidious form of crime largely unrecognized for years, is accelerating and evolving, as the pandemic-era acceleration to ecommerce, delivery, contactless payments and remote work has opened up new avenues of entry for fraudsters. By identifying platform fraud (essentially, giving it a name for the first time) we aim not only to make companies aware of these risks, but also to help companies leverage fraud prevention and detection strategies and tactics already in their toolkits.
On a positive note, the number and severity of ransomware attacks overall in the industry declined. It is believed that heightened cybersecurity measures have been the leading factor in this reduction.
In May, we addressed some examples of steps that financial institutions have taken to minimize their exposure and continue to recommend a proactive approach to cyber security to limit the likelihood of successful attacks (see How to Increase Resilience of Cyber Market through Insurance).
Despite this increased security overall, there were still notable ransomware attacks such as the Kronos Private Cloud ransomware attack which, like SolarWinds in 2021, highlights the exposure that companies face when outsourcing certain services, such as workforce management solutions in the Kronos case, to cloud-based service providers.
Wrongful collection insurance coverage
Back in January, we discussed how carriers have begun to reassess coverage for the wrongful collection or use of data, which may not result from an intrusion or hack.
A number of leading cyber policies regularly offered endorsements to cover the wrongful use or wrongful collection of data.
Largely in response to the E.U. General Data Protection Regulation (GDPR) that went into effect in May of 2018 and the subsequent trove of data privacy legislation introduced across the U.S., most notably the California Consumer Privacy Act, many of these same carriers have either stopped offering such enhancements or explicitly added exclusions for these types of claims (see about Cyber Security & Insurance).
While this development could impact a number of different industries, we focused on the impact to the healthcare industry, which according to Willis Towers Watson proprietary cyber claims data for the first half of 2022, accounted for a higher percentage of claims (25%) than any other industry.
Looking ahead to 2023
As we look ahead to 2023, we are pleased to finally report a softening of the cyber insurance market.
Our analytics show rates falling steadily over the second half of 2022, and we expect this trend to continue into the new year, at least partially due to competition picking up between markets and losses stabilizing, as organizations are doing a better job of training their employees and taking necessary security measures (see New Cyber Risk & Ransomware Trends).
Cyber markets will no doubt continue to require insureds to implement more security to stay ahead of the ever-evolving cyber risk landscape, including but not limited to multi-factor authentication, firewalls and encryption.
Perceived weak controls will likely result in coverage restrictions or declinations.
Meta Pixel and chat bot litigation
Companies across the country, especially those which handle sensitive personal information such as those in healthcare or finance and banking, have seen increased exposure to potential lawsuits from private citizens involving Meta Pixel tracking technology, which we just addressed in November.
Further, California class action lawyers are targeting websites that employ "chat bots", digital assistants that allow companies to communicate with customers without employing live website customer service representatives.
These cases allege that the website owners violate the California Invasion of Privacy Act by recording communications between consumers and company chat bots without the consumers' knowledge or consent. Lawsuits have been filed against companies in a variety of industries, including retailers, insurance companies, financial service companies and technology companies (see about Cyber Catastrophe Models).
We will be monitoring how carriers may attempt to address such privacy risks involving the tracking and collection of data directed by Meta or other service providers, as well as organizations that utilize chat bots.
Further enforcement of privacy laws and other cybersecurity regulations
The enforcement of privacy laws and other cybersecurity regulations will no doubt lead to more litigation in 2023 and beyond.
For example, a recent California Consumer Privacy Act (CCPA) enforcement action saw an unprecedented settlement by an online retailer accused of violating the CCPA by failing to follow the required opt-out procedures under the Global Privacy Control (GPC) protocol on data collection.
The 30-day cure period for companies to correct any violations of privacy opt-out procedures under the CCPA is set to expire in 2023, and companies will be subject to immediate exposure for any violations.
Further, the California Privacy Rights Act (CPRA), a ballot measure approved by voters in 2020 that significantly amends and expands the CCPA, goes into full effect on January 1, 2023, so there will likely be a marked increase in privacy enforcement actions not only in California, but potentially in other states such as Virginia and Colorado that have already passed copycat privacy legislation.
It is also worth noting that companies in the financial sector may be faced with proposed regulations by the SEC which, if enacted, will impose additional rules on investment advisers, registered investment companies and business development companies.
Finally, we have the first Illinois Biometric Information Privacy Act ("BIPA") trial, which resulted in a $228 million award in October.
As the use of biometric information has accelerated across a wide range of industries, states such as Texas and Washington have followed the Illinois model. We can expect other states and localities to take a similar approach in an effort to regulate the use and retention of biometric data, which will more than likely generate further litigation.