Guy Carpenter recently published its Cyber Year in Brief and 2020 Outlook, which takes a look back at the prevailing cyber-related trends of 2019.
Ransomware – For years, it had been a common industry practice to offer in cyber insurance contracts cover for cyber extortion payments and business interruptions caused by ransomware events. 2018 and especially 2019 showed new trends in ransomware frequency, attack behaviors and losses sustained. Extortion amounts skyrocketed as events transitioned from small scale, broadly executed mass extortion attempts to highly-targeted, larger attacks on organizations. Impacted businesses weighed the choice of paying the ransom amounts or risking compromise of their operations.
The decision is never an easy one. Downtime costs, measured by losses in productivity, revenue opportunities, and company reputation, are typically five to 10 times the actual ransom amount demanded, if not greater. (1) The combination of higher extortions, increased attack frequency and more costly downtime is prompting insurers to re-evaluate their underwriting strategies, pricing and services provided for ransomware exposures.
Illinois Biometric Privacy Act (BIPA) – This wide-ranging state law requires businesses that collect or obtain biometric information, such as fingerprints or retina scans, to meet certain requirements on disclosure to individuals. Though the law was passed in 2008, and other states have since passed similar legislation, insurers began to see new loss emergence trends associated with BIPA-related claims in 2019, when a court ruling held that private individuals could bring suit even if the only harm was a violation of their legal rights. How interpretation of BIPA develops and how other types of injuries are defined continues to present a legal conundrum for cyber risk, especially as biometric data collection expands and usage consent remains unclear. In the meantime, failing to follow proper information handling procedures has exposed businesses to liability and insurers to an unprecedented influx of biometric related claims.