The U.S. cyber insurance market this year can best be described as the wild west.
We at ESP & SHEL continue to see accelerated demand for cyber coverage in 2021 by small leagues, sports clubs, bowling centers, family entertainment facilities, and our sports promotions and marketing clients.
The cyber insurance carriers and underwriting teams have put on the brakes. Hard, screeching brakes. On the demand side, most of our clients are looking to make their initial cyber coverage purchase, increase their existing coverage, or simply renew within their current cost budget. On the other side are the insurance companies. They have been hammered by higher-than-anticipated losses, so they are only willing to write less coverage/smaller limits (or sometimes no coverage) at a significantly higher premium rate.
With the motto "Go Ahead, We Have You Covered," we can attest that we are fighting tooth and nail for only 10% increases on current clients or, in the case of new purchases, minimum premiums that make the purchase cost-prohibitive for some but worthy for all. Side note: standalone cyber program pricing is starting at $1,000 for smaller insurance limits. Why, one might ask, has the cyber market become so hot in terms of coverage requests? Simply put, the number of ransomware attacks in the past year and the mind-boggling payouts have put a gigantic spotlight on the space, which has attracted more criminals into it quicker than anticipated. Ransomware is no doubt the ugly face of the current cyber insurance market.
To put the cyber market into perspective, look no further than the FBI Criminal Complaint Center. Complaints of cybercrimes grew from 1,495 in 2014 to 19,369 in 2019. Similarly, the associated claims losses went from $60.3 million in 2014 to over $1.8 billion in 2019. In 2020 alone, insurance companies saw a series of significant cyber incidents and ransomware attacks, including the shopping platform Magento and the SolarWinds hacks. The latter alone impacted up to 18,000 companies, including multiple U.S. government agencies, and it has been estimated that it could cost cyber insurers hundreds of millions.
According to a report from Accenture plc earlier this year, the collective additional cost and lost revenues companies face from cyberattacks could reach as much as $5.2 trillion during the coming three years.
This does not apply to me or my business, right? Wrong!
The simplest way I can think of to rephrase all of this: suppose you're a club, a league, a team, or any business that uses point of sale (POS) software, and your data is stored by a 3rd-party IT vendor (handling one-time or recurring payments, etc.). What does that mean? Simply put: can people pay you via credit card? If so, you have risk and can be exposed, so please pay attention. Although the data may be stored in another place, by a 3rd-party IT vendor, it all initially passes through your platform, your site or your network and remains a point of liability for you.
In the case of a breach, the POS provider may be liable to notify you of the breach, but your league, your club, or your family entertainment center (including but not limited to bowling centers, escape rooms, axe throwing facilities, and tennis clubs) must notify all your customers and deal with public relations expenses, and could effectively be sued by families and/or clients, etc. They may then turn around and sue the POS provider, depending on where the breach occurred (your network or the POS network), but you will have the first-party obligation, defense costs, and expenses regardless. Without coverage, you are on the hook for those expenses.
Simply put, in the scenario described in the last sentences, because they accessed the data and that breach led to a large first-party loss to the insured's customer, they could come back and sue you, which is why you need a Tech/Cyber program, which would likely respond to investigate and defend.
Things to become familiar with and understand within your organization:
- Data backup, testing and recovery procedures: timing and who to contact.
- IT vendor management controls and contracts: who is responsible for a breach?
- Dual authentication (require at least 2 different protocols). At ESP we require multistep authentication to log in.
- Employee cyber training.
- Remote desktop access protocols (dual authentication).
- Email security: if you don't recognize the email, ignore it, or call or check with IT.
At the end of the day, we ask our clients to stop thinking of themselves as immune to a cyber security attack. Cyber insurance isn't a luxury buy for only large companies. Just because you don't personally have thousands of credit card numbers or personal health information on file doesn't mean you're not being set up as a target for a cyber/ransomware attack. As we say to everyone, when in doubt, please reach out and let the team at ESP help in any way possible. We have the capabilities to identify risk, quote quickly, and bind and issue docs at speed and scale.
As always, thanks for listening.