13 October 2022
Cyber Risk: The Ransomware Epidemic
In our last cyber article we looked at the increased cyber risk in aviation as a result of the pandemic, why large carriers were an attractive target to threat actors and the growth of the internet of things.
All of these themes remain relevant 18 months on. Moreover, there have been developments in the cyber insurance market and on a geopolitical scale that are set to affect the cyber insurance environment. These include continued ransomware activity, potential market correction around systemic cyber, and the Russia/Ukraine conflict, all of which overlay the fundamentals of cyber risk in the aviation industry.
These continuing circumstances make the risk management-led CybAir solution from Gallagher’s Aerospace division more relevant than ever. Over the past 18 months we have had growing success in supporting clients to manage and transfer cyber risk. Cyber risk and insurance should by now be a board level discussion in the same way as Directors & Officers cover. Below we examine some of the key elements impacting cyber risk and insurance.
Ransomware Epidemic
Ransomware claims have been the primary force behind the severe market correction experienced around cyber insurance over the past 18 months. The cyber market has dubbed the increased claims activity in this space a ‘ransomware epidemic’; it has affected all industry types, including the aerospace industry, and has shown no signs of slowing down. According to a recent Eurocontrol report, aviation faces a ransomware attack every week, and these attacks cause significant levels of first and third party costs to clients and insurers. Whilst airlines are at the top of the hit list for threat actors, all industries have experienced losses and have contributed to the market-wide correction.
Given the frequency of these complex and highly costly claims, insurers have moved to increase premiums and reduce capacity, even restricting limits, in order to manage their books and ultimately improve underwriting performance. We have also seen insurers enforce higher retentions on policyholders. This has been a contributory factor in some clients taking a more holistic approach to risk management and shining a brighter light on their own information security policies and procedures.
As a result of increased claims activity, there are certain minimum requirements that insurers now demand of organisations seeking cyber insurance. These include, but are not limited to, multi-factor authentication, adequate backup procedures, privileged access management tools, frequent patching, employee training and active detection tools. It is too early to see the effects of these minimum standards on the insurance claims landscape, but this step has given insurers more confidence to stay in the insurance class.
It is important that organisations are able to show they continue to bolster defences to maintain access to the Cyber insurance product.
Systemic Cyber
The world has become more connected, and as a result the risk of a large scale disruption impacting global business has increased, as events such as the Microsoft Exchange Server and Kaseya incidents have shown. These highlighted how dependent the modern world is on a small number of service providers. Many in the insurance industry viewed these events as a warning sign of what lies ahead, and they fuelled growing concerns that future disruptions could be more severe and systemic. Whilst not cyber focused, many insurers have been alerted to the nature of extreme risk by Covid-19 related business interruption losses which many argue they never contemplated covering, so systemic risk as a general topic is a key area of focus for the insurance industry.
Historically, if a key service provider such as AWS or Microsoft suffered an incident that affected its customers (policyholders), or a common hardware or software vulnerability was discovered and exploited by hackers on a large scale, the cyber market has typically covered events of this nature.
Systemic cyber risk has been acknowledged as a concern for aviation, which is a highly interconnected industry. From an infrastructure perspective, reliance is placed on a few core third parties from both an IT and non-IT standpoint, e.g. SITA, Amadeus and Galileo, which are key service providers and therefore critical dependencies. This has been reflected in the scope of Cyber Business Interruption cover for key suppliers being restricted.
With increased underwriting concerns around the wider impact of systemic risks, it is more than likely that this scrutiny will have an impact on how Cyber cover is delivered to the aviation industry. Some insurers are looking to introduce measures to manage their overall exposure to extreme cyber catastrophe events. This could take the form of new sub-limits for single or widespread events and changes to the perimeter of policy extensions, e.g. outsourced providers.
Russia/Ukraine Conflict
We have seen that modern warfare no longer means just ‘kinetic warfare’ but also takes place online via cyber warfare. Historic War exclusions have been amended to reflect this modern world. Four new Cyber War exclusion clauses have been created to provide Lloyd’s syndicates and brokers with options in respect of the level of cover provided for cyber operations between states, which are not excluded by the definition of war, cyber war or cyber operations.
The impacts of the Ukraine situation have not triggered any increase in the frequency or severity of cyber claims. In anticipation, however, it has become mandatory for Cyber insurers to include affirmative War and Terrorism exclusions on all renewals and new business placements. It is important to recognise that the application of war exclusions is intended to better define when cover does not apply, e.g. state on state warfare or acts of war perpetrated on behalf of a state. Some exclusions even reference consequential cover to untargeted assets which are impacted in a cyber-attack but not those which are targeted. It’s important to note that the onus is ultimately on the insurer to prove that the exclusion applies.
Cyber exposure in the aviation industry
Aviation has typically been a low appetite class for cyber insurers given its international nature, reliance on technology and the significant volumes of customer information held, putting it at an appreciable risk from a cyber-incident.
Aviation risks with an international footprint involve multiple jurisdictions and regulations, which make the risks quite complex to underwrite, and any claims can be challenging to administer. Reliance on IT systems means that downtime, whether caused by malicious activity or simply operator error, can lead to significant disruption and a loss of revenue, along with the potential loss of business through reputational damage. Malicious actors can target both a company’s operational technology (OT) and information technology (IT) environments; this kind of malware can impact the capacity of security teams to respond. Ransomware attacks can interdict an airline's entire IT network for days, even weeks. Given the volume of airlines’ operations, sometimes hundreds of flights each day, the cost associated with the business interruption element of cyber cover can therefore quickly increase.
With the high-profile nature of airlines, any cyber attacks involving customer data make headline news. In the last few years two global airlines lost a combined total of around 600,000 customer/staff records, with another suffering an attack affecting a colossal 9.4 million passenger records. Only last month two international airlines in different parts of the world acknowledged data breaches involving personally identifiable information, which ultimately carries likely fines, penalties and compensation for appreciable sums. The failure to protect personally identifiable information can cause adverse publicity for the brand and costly regulatory investigations, e.g. GDPR breaches in the EU/UK can be very costly, with fines for severe violations of as much as 4% of global revenue.
Gallagher Solution
The cyber insurance market requirements and coverage sensitivities therefore make it a complex arena for aviation businesses to navigate.
Gallagher’s Cyber practice, in addition to its broking and claims management team, has the added value of a specialist consultancy arm. This assists in board level appreciation of the maturity of security posture and has helped clients better engage their profile to place cyber insurance. Through this dual approach Gallagher are helping to address the challenges of a tough insurance market with limited appetite for aviation businesses. The risk reports can be an invaluable tool in supporting clients’ longer term planning on improvements to their security controls and helping with the ongoing benefits to placing Cyber insurance.
We would be delighted to explore this with you and be a partner on your journey.
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.