Insurers that offer coverage for cyberattacks find themselves playing both offense and defense lately. As they await possible action by Congress to enact federal cybersecurity legislation, the insurance industry has gone on the offensive, applying pressure to policyholders to adopt stricter security practices as an express condition of receiving cyber insurance coverage that includes protection against cyberattacks. At the same time, the insurance industry itself has regularly been the target of cybercrime attempts in recent months. That worrisome trend has sparked concerns that hackers could do serious damage to both insurers and policyholders -- by stealing, and threatening to disclose, details of insureds' policies, or by targeting companies based on the extent of their cyber insurance coverage.
Prices for cyber insurance have escalated dramatically in recent years. Insurance underwriters now feel compelled to tighten cybersecurity standards in the wake of a sharp increase in ransomware attacks. Insurers are now asking prospective policyholders (and companies seeking renewals) to certify that they have adopted a list of security measures, including multi-factor authentication (employees confirm their identity on a separate device before logging into the network) and a tested plan for restoring systems from backup copies kept offline, out of reach of an attacker who has already compromised the network. In addition, underwriters are likely to require that clients deploy so-called endpoint detection software, which monitors individual devices for signs of intrusion, and that they train employees on recognizing and resisting attempts to penetrate company and personal networks.
Cyberattacks on insurance giants such as CNA Financial Corp., which paid a reported $40 million ransom in late March to regain control of its network, and AXA S.A. (hit just one week after it made major changes to its cyber insurance policies in France) have demonstrated that insurers may be adept at assessing and pricing the risk of attacks, but are far from immune to dangerous breaches of their own networks. Indeed, ransomware criminals are increasingly preying upon these organizations, which hold no shortage of sensitive data, such as details about client policy limits. In some instances, attackers appear to have subsequently tied their demands against policyholders to the amount of coverage those policyholders carried, according to recent news reports.
The standards that cyber insurance companies are increasingly demanding of their clients -- and evidently need to be following themselves -- may in many cases match or exceed the practices mandated by a patchwork of U.S. state data security laws, many of which require organizations to maintain "reasonable" cybersecurity, a term that courts across the country have defined differently. At the federal level, in the absence of binding mandates, companies have typically looked to authorities such as the U.S. Department of Commerce's National Institute of Standards and Technology for guidance on voluntary best practices. Whether, and how soon, Congress acts to craft a national, overarching set of standards may determine how long insurance carriers remain in their current dual role: forcing changes in their clients' digital security practices while standing guard against increasingly frequent attempts to steal information from their own computer systems.