How ransomware claims are trending

Ransomware claims have transformed from mostly third-party liability claims into first-party liability, a cyber insurance expert tells Canadian Underwriter. 

“It used to be third-party liability; you were concerned about monitoring credit, and somebody sues you because of a hack,” said Michael O’Connor, associate vice president of technology/cyber and professional lines at Sovereign Insurance. “Now, it’s all become first-party ransomware because the threat actors have figured out it’s just more efficient to hold the information and ask for ransom than to try to sell all the individual information on the dark web.” 

The affected corporation (first party) now often incurs the expense compared to the third party, such as an IT consultant or vendor. In short, first-party cyber insurance tends to cover only the insured’s costs on their own network and systems, while third-party coverage provides liability protection for companies that fail to prevent a breach or attack on their clients’ businesses. 

“When cyber [insurance] started 15, 20 [or so] years ago, the concern was always the third party,” O’Connor told CU. “You know, you have to monitor credit and someone’s going to sue you because you lost their health data. 

“And that’s less prevalent than the first-party claims these days.” 

He adds that Sovereign Insurance has moved away from covering managed service providers (MSPs) — third parties covering things like clients’ networks and security — because they have a much higher propensity to be cyberattacked. “The losses tend to be higher because they’re dealing with multiple companies.”  

Related: Why ransomware is still a threat to your cyber clients

Another trend O’Connor is seeing is the easing of restrictions on cyber coverage, especially around ransomware. Throughout the pandemic, ransomware was a big driver of claims, so coverage was often sub-limited.  

“The market seems to be moving away from that, offering full limits again,” O’Connor said. “Some of the limit restrictions are starting to loosen, so we may see an uptick in the quantum of claims because more limit is available.” 

It’s also important clients are prepared with a data recovery plan and disaster management plan that includes loss of network availability. “What do you do if your network is compromised and you can’t operate inside your network for a week?” O’Connor asked. “Do you have a workaround plan?

“Even the claims that we see, it still takes a few days even to go through the process of negotiating, paying a ransom, getting the information back,” he added. “Even if you’re going to pay the ransom, you still have a network that may be down for several days.” 

Having a plan is especially important for smaller companies, who may outsource their IT and need to rely on a third party to get them back up and running, O’Connor said. It’s also important that specialists go through the system to ensure the bad actor can’t get back in after the victim has paid the ransom.

Risk and loss control is becoming much more important, he added. 

“There are going to continue to be losses… You’re going to make mistakes but that’s what the insurance is there for. It’s not for [choosing] not to do patch management.’  

“It’s [for] a mistake [that] happened, or someone specifically attacked our network for this reason. And that’s what the insurance is there for, not for a failure to keep your system safe.” 

Feature image by iStock.com/ismagilov