Aon | Professional Services Practice
Pushing the Limits – How Much Cyber Insurance Do Professional Service Firms Need?
Release Date: May 2024The only thing worse than being hit by a cyber-attack is finding that your cyber program limits are insufficient to pay the full amount of the loss. Cyber insurance is no longer cheap and nobody wants to pay for insurance limits that may never be used. In a dynamic threat environment where information and publicly available statistics are unreliable, how can we be confident that cyber limits are sufficient?
Key Takeaways
- Professional service firms are frequently targeted for cyber-attack due to the valuable data that they store.
- The average cost of a cyber-attack may appear relatively manageable, but high severity events are occurring.
- There are risk assessment tools that professional service firms should consider when reviewing the limits they purchase in cyber insurance.
Professional services firms want to make rational and economically justifiable decisions when considering how much cyber insurance to purchase.
What challenges do they face?
Challenge 1: Frequency vs. Severity
The profile of cyber claims is dominated by a high frequency of low severity losses. This means that statistics such as medians and averages skew low. Ransomware consultant Coveware reports that the median ransom paid in Q1 2024 was $250,000 (although this is a 25% increase over the prior quarter) and the average is under $400,000.
On the other hand, crypto consultant Chainalysis reports that in 2023 a record $1.1 billion was paid to known ransomware operators and approximately 75% of this total was in payments of over $1,000,000. Baker Hostetler’s 2024 Data Security Incident Response Report indicates that the largest ransom paid by one of their clients in 2023 was over $10,000,000 and the largest demand was over $30,000,000.
Public reporting, particularly in the aftermath of NotPetya, shows cyber losses can be in the hundreds of millions of dollars and in 2021 a public company reported that it made a ransom payment of $40,000,000.
Since 2017, four clients of the Professional Service Practice at Aon have suffered losses that exceeded insured limits and we have seen many more examples reported publicly.
Therefore, despite the predominance of low severity losses, firms should consider the very real possibility of a severe loss.
Challenge 2: How Predictable are Cyber Losses?
For the purposes of this discussion, the costs associated with cyber events broadly fall into three categories:
- Relatively Predictable (Deterministic Predictability)
- Variable (Stochastic Predictability)
- Unpredictable (Random)
1. Relatively Predictable
The costs of engaging resources to respond in the immediate aftermath of a cyber incident are generally relatively predictable:
- Breach Counsel
- Forensic Investigation
- Remediation
- Crisis communications
Obviously, the resources engaged and the associated costs will vary with the exact nature of the attack and the scale and severity of the breach. An extortion-only event typically involves less work than one with extensive deployment of malware and encryption, but it is possible to assess a reasonable upper limit on these costs for insurance purposes.
2. Variable
Several cost elements are much more dependent on the exact nature, scale and scope of the attack and are therefore less predictable. These costs are driven by and have a mathematical relationship to the underlying event, but the range of outcomes is so broad and scenario-specific that quantifying the exposure is challenging. For example:
Business Interruption
There is not a linear relationship between the length of time systems are down and the associated loss of revenue for professional service firms. Existing engagements and workarounds to continue servicing clients can sustain revenue. However, this can be at the cost of finding and onboarding new engagements, among other factors. Over time the revenue associated with existing engagements falls away and without new engagements to replenish the pipeline, the loss of revenue can rise exponentially.
Notifications
Professional service firms typically hold very substantial quantities of regulated data (PII and PHI), but it is difficult to quantify how much. While tools are being developed, they are often limited in their ability to query every database and challenges such as deduplication can be hard to overcome. A large law firm that had a file share platform hacked initially estimated that approximately 150,000 individuals were impacted (July 2023), increasing to 460,000 (August 2023) and then to 630,000 (December 2023). The volume of data stolen and the quantities of regulated data within the exfiltrated data is not something that can easily be predicted or modeled. The possibility of regulatory fines and penalties adds another layer of uncertainty and unpredictability to the equation.
eDiscovery
Costs associated with housing and analyzing the large amounts of data exfiltrated in an attack are rapidly increasing. These costs are proportional to the volume of data stolen and the length of time it takes to perform the analysis and the analysis period can be extended, potentially for years, if there is litigation arising from the breach. The costs will also vary according to the scope and scale of the breach, the length of time the attackers were in the network and the extent and nature of data to which they had access, etc. The example cited above shows how the understanding of the event, and the associated costs, can evolve over time.
3. Unpredictable
Some costs associated with a cyber event are completely unpredictable as they are so specific to the peculiarities of the situation. The two most significant in this regard are:
Ransom
Payment of a ransom is a business decision that is entirely dependent on the circumstances and factors such as the perceived value of the data involved or the urgency and need to acquire a decryption key. An example that illustrates this dynamic involves is a large publicly traded insurer that was hit by ransomware. Reportedly, the original ransom demand was less than $60 million and was initially ignored by the insurer. Subsequently, it was revealed that a ransom payment of $40 million was made. Data may also be time sensitive, so it may be crucially important that the existence of the particular deal not be leaked, but only for a short period. If the hackers can be “stalled” long enough, payment of the ransom may not be necessary at all, but otherwise paying a large ransom may be the only way to avoid an even larger professional liability exposure.
Class Action Lawsuits
In September 2022, a decision out of the Third Circuit Court of Appeals opened the door to class action lawsuits from individuals whose personal information was compromised in a cyber breach. Since then, several professional services firms have been sued and in August of 2023 a firm settled a class action lawsuit arising from a data breach for $7.75 million and in April 2024 another firm settled a class action for $8 million. The Duane Morris Class Action Review 2024 shows Data Breach Class Actions increasing from 310 filed in 2021, to 604 in 2022 and 1,320 in 2023; it is likely that settlements will follow a similar trajectory. Baker Hostetler’s 2024 Data Security Incident Response Report highlighted that 43% of their matters resulted in notifications, resulting in 139 regulatory inquiries and 58 lawsuits.
Adding to the challenge is the constantly evolving threat environment. Threat actors are sophisticated. Their understanding of the sensitivity of the stolen data and their techniques for exploiting it are continuously developing. They are very aware of the increasingly onerous data privacy and regulatory environment and are already exploiting this to put additional pressure on their victims.
When Everyone is in the Dark, Benchmarking Does Not Shed Light
Benchmarking can be a valuable tool for assessing limits if comparable peer data is available (revenue, limit purchase, limit purchased as a percentage of revenue, rate per million on premium, premium spend by revenue, etc.). It also provides reassurance from a governance perspective if the firm is purchasing similar limits to its peers at comparable pricing.
However, in an environment where there is substantial uncertainty and unpredictability of loss and a lack of good statistical data and meaningful loss history, benchmarking may not be a reliable metric for assessing appropriate limits to purchase. The close relationship between firm revenue and limits purchased shown in our benchmarking indicates that decisions may be driven as much by economics as any other factor, although there are outliers that demonstrate different thought processes.
Are There Tools to Analyze Risk and Recommend Appropriate Limits?
There are numerous risk quantification tools available, including those from Aon. These tools exist in two main forms:
- Impact analysis tools – These take an underwriting approach to the assessment, using basic information about the firm and historical claims and loss information to derive a view on the types of loss and outcomes that may impact it. These tend to look at risk through a coverage lens, focusing primarily on insurable risk.
- Risk analysis tools – These analyze the security environment using models such as FAIR (Factor Analysis of Information Risk) combined with Monte Carlo Simulations and calibrated estimations by subject matter experts to derive quantifications of risk, offering the ability to assess not only limits purchase but also Return on Security Investment. This is a more prospective approach in that the analysis is derived from the current and forward-looking threat environment, where the impact approach uses historical information to assess insurance limit adequacy.
It is important to emphasize that these tools are part of, not a replacement for, a limit adequacy dialogue and neither can predict the amount of limit that will be adequate in all situations. We recommend taking into consideration the evolving threat environment and the three categories of risk discussed above when making decisions about the appropriate amount of cyber limit to purchase.
Contact
The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Tom Ricketts or Parker Baddley.
Tom Ricketts
Managing Director
New York
Parker Baddley
Assistant Vice President and Associate Director
New York
About Aon
Aon plc (NYSE: AON) (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues in over 120 countries and sovereignties provide our clients with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.
Follow Aon on LinkedIn, X, Facebook and Instagram. Stay up-to-date by visiting Aon’s newsroom and sign up for news alerts here.
©2024 Aon plc. All rights reserved.
Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.
The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.