The only thing worse than being hit by a cyber-attack is finding that your cyber program limits are insufficient to pay the full amount of the loss. Cyber insurance is no longer cheap and nobody wants to pay for insurance limits that may never be used. In a dynamic threat environment where information and publicly available statistics are unreliable, how can we be confident that cyber limits are sufficient?

Professional services firms want to make rational and economically justifiable decisions when considering how much cyber insurance to purchase.

What challenges do they face?

Challenge 1: Frequency vs. Severity

The profile of cyber claims is dominated by a high frequency of low severity losses. This means that statistics such as medians and averages skew low. Ransomware consultant Coveware reports that the median ransom paid in Q1 2024 was $250,000 (although this is a 25% increase over the prior quarter) and the average is under $400,000.

On the other hand, crypto consultant Chainalysis reports that in 2023 a record $1.1 billion was paid to known ransomware operators and approximately 75% of this total was in payments of over $1,000,000. Baker Hostetler’s 2024 Data Security Incident Response Report indicates that the largest ransom paid by one of their clients in 2023 was over $10,000,000 and the largest demand was over $30,000,000.

Public reporting, particularly in the aftermath of NotPetya, shows cyber losses can be in the hundreds of millions of dollars and in 2021 a public company reported that it made a ransom payment of $40,000,000.

Since 2017, four clients of the Professional Service Practice at Aon have suffered losses that exceeded insured limits and we have seen many more examples reported publicly.

Therefore, despite the predominance of low severity losses, firms should consider the very real possibility of a severe loss.

Challenge 2: How Predictable are Cyber Losses?

1. Relatively Predictable

The costs of engaging resources to respond in the immediate aftermath of a cyber incident are generally relatively predictable:

• Breach Counsel
• Forensic Investigation
• Remediation
• Crisis communications

Obviously, the resources engaged and the associated costs will vary with the exact nature of the attack and the scale and severity of the breach. An extortion-only event typically involves less work than one with extensive deployment of malware and encryption, but it is possible to assess a reasonable upper limit on these costs for insurance purposes.

2. Variable

Several cost elements are much more dependent on the exact nature, scale and scope of the attack and are therefore less predictable. These costs are driven by and have a mathematical relationship to the underlying event, but the range of outcomes is so broad and scenario-specific that quantifying the exposure is challenging. For example:

Business Interruption

There is not a linear relationship between the length of time systems are down and the associated loss of revenue for professional service firms. Existing engagements and workarounds to continue servicing clients can sustain revenue. However, this can be at the cost of finding and onboarding new engagements, among other factors. Over time the revenue associated with existing engagements falls away and without new engagements to replenish the pipeline, the loss of revenue can rise exponentially.

Notifications

Professional service firms typically hold very substantial quantities of regulated data (PII and PHI), but it is difficult to quantify how much. While tools are being developed, they are often limited in their ability to query every database and challenges such as deduplication can be hard to overcome. A large law firm that had a file share platform hacked initially estimated that approximately 150,000 individuals were impacted (July 2023), increasing to 460,000 (August 2023) and then to 630,000 (December 2023). The volume of data stolen and the quantities of regulated data within the exfiltrated data is not something that can easily be predicted or modeled. The possibility of regulatory fines and penalties adds another layer of uncertainty and unpredictability to the equation.

eDiscovery

Costs associated with housing and analyzing the large amounts of data exfiltrated in an attack are rapidly increasing. These costs are proportional to the volume of data stolen and the length of time it takes to perform the analysis and the analysis period can be extended, potentially for years, if there is litigation arising from the breach. The costs will also vary according to the scope and scale of the breach, the length of time the attackers were in the network and the extent and nature of data to which they had access, etc. The example cited above shows how the understanding of the event, and the associated costs, can evolve over time.

3. Unpredictable

Some costs associated with a cyber event are completely unpredictable as they are so specific to the peculiarities of the situation. The two most significant in this regard are:

Ransom

Payment of a ransom is a business decision that is entirely dependent on the circumstances and factors such as the perceived value of the data involved or the urgency and need to acquire a decryption key. An example that illustrates this dynamic involves is a large publicly traded insurer that was hit by ransomware. Reportedly, the original ransom demand was less than $60 million and was initially ignored by the insurer. Subsequently, it was revealed that a ransom payment of $40 million was made. Data may also be time sensitive, so it may be crucially important that the existence of the particular deal not be leaked, but only for a short period. If the hackers can be “stalled” long enough, payment of the ransom may not be necessary at all, but otherwise paying a large ransom may be the only way to avoid an even larger professional liability exposure.

Class Action Lawsuits

In September 2022, a decision out of the Third Circuit Court of Appeals opened the door to class action lawsuits from individuals whose personal information was compromised in a cyber breach. Since then, several professional services firms have been sued and in August of 2023 a firm settled a class action lawsuit arising from a data breach for $7.75 million and in April 2024 another firm settled a class action for $8 million. The Duane Morris Class Action Review 2024 shows Data Breach Class Actions increasing from 310 filed in 2021, to 604 in 2022 and 1,320 in 2023; it is likely that settlements will follow a similar trajectory. Baker Hostetler’s 2024 Data Security Incident Response Report highlighted that 43% of their matters resulted in notifications, resulting in 139 regulatory inquiries and 58 lawsuits.

Adding to the challenge is the constantly evolving threat environment. Threat actors are sophisticated. Their understanding of the sensitivity of the stolen data and their techniques for exploiting it are continuously developing. They are very aware of the increasingly onerous data privacy and regulatory environment and are already exploiting this to put additional pressure on their victims.

When Everyone is in the Dark, Benchmarking Does Not Shed Light

Benchmarking can be a valuable tool for assessing limits if comparable peer data is available (revenue, limit purchase, limit purchased as a percentage of revenue, rate per million on premium, premium spend by revenue, etc.). It also provides reassurance from a governance perspective if the firm is purchasing similar limits to its peers at comparable pricing.

However, in an environment where there is substantial uncertainty and unpredictability of loss and a lack of good statistical data and meaningful loss history, benchmarking may not be a reliable metric for assessing appropriate limits to purchase. The close relationship between firm revenue and limits purchased shown in our benchmarking indicates that decisions may be driven as much by economics as any other factor, although there are outliers that demonstrate different thought processes.

Are There Tools to Analyze Risk and Recommend Appropriate Limits?

There are numerous risk quantification tools available, including those from Aon. These tools exist in two main forms:

• Impact analysis tools – These take an underwriting approach to the assessment, using basic information about the firm and historical claims and loss information to derive a view on the types of loss and outcomes that may impact it. These tend to look at risk through a coverage lens, focusing primarily on insurable risk.
  
  
• Risk analysis tools – These analyze the security environment using models such as FAIR (Factor Analysis of Information Risk) combined with Monte Carlo Simulations and calibrated estimations by subject matter experts to derive quantifications of risk, offering the ability to assess not only limits purchase but also Return on Security Investment. This is a more prospective approach in that the analysis is derived from the current and forward-looking threat environment, where the impact approach uses historical information to assess insurance limit adequacy.

It is important to emphasize that these tools are part of, not a replacement for, a limit adequacy dialogue and neither can predict the amount of limit that will be adequate in all situations. We recommend taking into consideration the evolving threat environment and the three categories of risk discussed above when making decisions about the appropriate amount of cyber limit to purchase.

Contact

The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Tom Ricketts or Parker Baddley.

Tom Ricketts
Managing Director
New York



Parker Baddley
Assistant Vice President and Associate Director
New York