When the Town of Peterborough, New Hampshire, announced earlier this week that it lost $2.3 million to a business email compromise scam, officials also said it was unlikely the 7,000-person community would ever recover that money.
The lost sum, which amounted to nearly 15% of the town’s annual budget, is not expected to be covered by the local government’s insurance policy. While that’s typical for losses due to BEC attacks — which typically are not covered by cyber insurance policies — the news came at a time when a premiums are on the rise, fueled by an onslaught of claims filed by organizations that’ve suffered ransomware attacks.
Peterborough, like many small towns, has a general liability policy rather than a specific plan for cyberattacks. But in state governments, more officials are contemplating if they should — or can — keep their cyber insurance plans, especially as some insurers say they’ll stop covering ransomware payments.
“We’re wondering as a state, what’s the point of cyber insurance?” one state official told StateScoop. The official also said his state’s insurer has quoted premiums this year that are “three to five times” last year’s rates and that deductibles are on the rise, too.
Alla Valente, a senior analyst for security and risk at the market-research firm Forrester, told StateScoop that cyber insurers were caught off-guard by the spike in ransomware because they lacked information about the frequency and nature of attacks.
“When the insurers created this product, I’m sure they had actuarial data about claims,” she said. “But what they were lacking was actuarial data about cyber incidents. For an industry that’s supposed to think about every possibility, how did they miss this? Someone should’ve been monitoring the rate of cyberattacks, the types of attacks that have become bigger and more costly.”
Too many organizations, she said, have been considering their insurance policies to be a form of risk management, instead of investing in tools or implementing practices that reduce vulnerabilities.
Valente described a trend she called “silent cyber,” in which organizations that suffered attacks made claims on their business interruption policies if those plans didn’t explicitly preclude losses due to cyberattacks. Claims like that surged during the COVID-19 pandemic as ransomware incidents proliferated, though insurers have started to cut them off, she said.
“Policies were written ages ago. A lot has changed,” she said.
‘This isn’t a nonprofit business’
Valente also said it’s unsurprising that cyber insurance rates — especially for government — are going up as more federal, state and local agencies find themselves entangled by ransomware and other breaches.
“If I were an insurer, I have to factor in that we see certain sectors being targeted more often, and right now government is one of those sectors,” she said. “This isn’t a nonprofit business. They’ve created a product that will be profitable for them.”
But government can take some steps to better regulate the cyber insurance market. In February, the New York State Department of Financial Services published a risk framework for the insurers it regulates. The framework, which was written a few months after the massive SolarWinds hack, recommends eliminating the “silent cyber” claims by making general liability policies more explicit. It also urges insurers to take more steps to evaluate their clients’ systemic risks, including to hardware and software supply chains.
“Many insurers still have work to do to develop a rigorous and data driven approach to cyber risk, and experts have expressed concerns that insurers are not yet able to accurately measure cyber risk,” the framework reads.
The state official who spoke with StateScoop said an informal poll of states showed that several don’t have statewide cyber insurance policies. But instead of insurance, some states are moving toward keeping an incident-response firm, like Mandiant, on retainer.
Still, Valente said, risk mitigation is most effective before an attack occurs.
“Having IR on retainer, I’m sure that’s a great idea,” Valente said. “Having someone available to respond. But what about being able to protect or prevent it from happening in the first place?”