From growing ransomware attacks to navigating a remote work environment to regulatory developments to a challenging insurance landscape, 2022 proved to be a newsworthy year for the ever changing cyber industry.
Insurance Journal covered some of the major breaches of the year, proposed updates to the New York Department of Financial Services’ cybersecurity regulation, changes in the cyber insurance market, and more. Here’s a look back at Insurance Journal’s most viewed cyber stories from this year:
Travelers, Policyholder Agree to Void Current Cyber Policy
Travelers and policyholder International Control Services (ICS) jointly filed a stipulation to have a federal court rescind an active cyber insurance policy the insurer claimed was void due to the insured’s misrepresentation of multi-factor authentication use. According to documents filed Aug. 26 in U.S. District Court for the Central District of Illinois, Travelers and the Decatur, Illinois-based electronics manufacturing services company have agreed “no insurance coverage shall be available to any person or entity under the policy for past, present, and future claims, suits, loss, costs, or expenses of any kind whatsoever.”
10 Cyber Attacks in 2021 Cost $600M With 40,000 Businesses Put at Risk
In just 10 cyber incidents last year, over $600 million in cash was stolen or taken as ransom, tens of millions of citizen records stolen, 40,000 businesses’ IT operations put at risk, one billion airline passenger details compromised and at least one bank was effectively shut down for over a week, according to Tokio Marine HCC International’s (TMHCCI) second annual Cyber Incidents Report. The vast majority of the incidents listed in this year’s top 10 involved large institutions where cyber security plays an integral role in operations, but this did not prevent their sophisticated defense systems from coming under attack, confirmed the report, titled “Top 10 Cyber Incidents 2021.”
Court Siding With Merck Over War Exclusion for Cyber Attack a Warning to Insurers
In January of 2022, the Superior Court of New Jersey ruled insurers cannot use a policy exclusion to avoid covering about $1.4 billion in damages Merck & Co. said it suffered from a spring 2017 cyber attack known as NotPetya. The court “unhesitatingly” found that the nearly identical war exclusions contained within Merck’s all-risk property policies worth about $1.75 billion do not apply, according to a decision made public Jan. 13. The insurers had tried to use the exclusions to avoid paying out, citing the fact the NotPetya malware was attributed to Russia and was meant to be deployed to disrupt and destabilize Ukraine. The malware wound up affecting thousands of companies worldwide.
Zywave Agrees to $11 Million Fund to Settle ITC Data Breach Lawsuit
Insurance technology provider Zywave agreed to offer an $11 million fund to settle a class-action lawsuit related to a data breach at a company it acquired in 2020. A proposed class-action suit was filed against Insurance Technologies Corp. (ITC) following a data breach that occurred on February 27. 2021. ITC, which was acquired by Zywave in November 2020, began notifying customers and attorneys general of the breach on May 10, 2021. The class-action lawsuit was filed in June 2021. It alleged that the ITC breach gave hackers access to names, Social Security numbers, driver’s license numbers, dates of birth, and log-in credentials of thousands of ITC customers, potential customers, and other individuals.
Aon Discloses ‘Cyber Incident’ Amid Mounting Concerns Over Hacks
Bloomberg reported in February of 2022 that Aon Plc announced it was investigating a “cyber incident” that the insurance brokerage said impacted a limited number of its systems. The incident came amid global concerns about malicious activity in cyberspace following Russia’s invasion of Ukraine. Ransomware gangs have pledged allegiance to the Russian government, while activist groups have targeted pro-Russian organizations in an attempt to help Ukrainian forces.
New York Proposes Changes to Financial Services Cybersecurity Regulation
The New York State Department of Financial Services (DFS) proposed updates in November to its original cybersecurity regulation, which DFS promulgated in 2017. The updated regulation was subject to comment for 60 days. The regulation, which is aimed at protecting New York’s financial services industry from the threat of a cyber attack, was the first of its kind in the U.S. The regulation requires each company overseen by the New York DFS to assess its specific cybersecurity risk profile and implement a program that addresses those risks. Insurers, banks and other financial services entities regulated by DFS had until March 2019 to comply by adopting cybersecurity practices and polices ensuring the security of information systems and nonpublic information. DFS took its first enforcement action under the regulation in July 2020 in the matter of a data breach at a title insurer. The regulation has become a model that is now used by both federal and state financial regulators.
Elephant Insurance Reports Data Breach
Virginia-based direct-to-consumer personal lines insurer Elephant Insurance reported that it experienced a cyber incident beginning in late March, and as of April 25, its review had been able to identify consumers whose data may have been viewed or copied from its network. The company determined that the breach occurred between March 26, 2022 and April 1, 2022. The affected information includes name, driver’s license number and date of birth. The company did not disclose the number of affected persons. Elephant sells insurance in eight states: Georgia, Illinois, Indiana, Maryland, Ohio, Tennessee, Texas and Virginia. The information either relates to current or previous Elephant Insurance customers or is information the firm received as part of providing a quote for auto or other insurance coverage. The company said it took prompt measures to secure its systems and investigate the incident.
Rapid Cyber Premium Growth by Fairfax, Tokio Marine Increased Share of Market
The top cyber insurance carriers in 2021 shifted to include Fairfax Financial Holdings and Tokio Marine U.S. as the marketplace grew 74% to over $4.8 billion, according to a report from Fitch Ratings. Overall, the top cyber insurance underwriters are Chubb with 10% market share, Fairfax (9%), AXA XL (9%), Tokio Marine, AIG and Travelers (each with 5%). According to Fitch’s report, based largely on statutory financial supplements from insurers disclosing cyber-specific direct premiums, Fairfax reported 300% growth in premium in 2021 to move from eighth in 2020 to its current position thanks to the performance of its Crum & Forster, Hudson Insurance, and Allied World operations. Tokio Marine moved from 11th to occupy a spot in the top 5 underwriters after nearly 190% growth in 2021, driven mostly by HCC.
3 Iranian Citizens Charged in Broad Hacking Campaign in US
The Justice Department said in September that three Iranian citizens were charged in the United States with ransomware attacks that targeted power companies, local governments and small businesses and nonprofits, including a domestic violence shelter. The charges accuse the hacking suspects of targeting hundreds of entities in the U.S. and around the world, encrypting and stealing data from victim networks, and threatening to release it publicly or leave it encrypted unless exorbitant ransom payments were made. In some cases, the victims made those payments, the department said. The Biden administration has tried to go after hackers who have held U.S. targets essentially hostage, often sanctioned or sheltered by adversaries. The threat gained particular prominence in May 2021 when a Russia-based hacker group was accused of conducting a ransomware attack on Georgia-based Colonial Pipeline, which disrupted gas supplies along the East Coast.
Cyber Insurance Premiums Up 27.5% to Lead All Lines in Q1: CIAB
The first quarter of 2022 started off with a report from The Council of Insurance Agents & Brokers’ (CIAB) Commercial Property/Casualty Market Index stating capacity for cyber insurance may be decreasing while demand is increasing, which could have driven cyber premium price increases of an average 27.5% during the first three months of the year. Nearly 80% of respondents said capacity decreased during Q1, and more than 30% said the decrease was “significant.” Meanwhile, 90% of survey takers said there was an increase in demand for cyber insurance due to an “increased general awareness of the exposure faced by all individuals and organizations on a global basis without borders or regard for size, score or industry,” CIAB quoted one respondent. Results from the survey indicated carriers are also requiring more from insureds to obtain cyber coverage. Many insurers require at least multifactor authentication or the potential policyholder is deemed “virtually uninsurable” and a quote is refused, CIAB reported.
Topics Cyber
Was this article valuable?
Here are more articles you may enjoy.
Allstate, State Farm Sued Over $4 Billion Maui Fire Settlement 
Study Urges Rethinking of Disaster Management in Era of Compounding Events 
Travelers Reverses Q2 Income Loss, Narrows Underwriting Loss 
Deere Retreats From Diversity Measures After Online Attacks 
