Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor!

By Tim Nunziata | Vice President of Cyber Risk and Commercial E&O, Nationwide Mutual Insurance Company

Cyber risks remain top concerns for businesses, amid continuing malicious attacks and an increase in high-profile, non-malicious events that disrupt industries. Ransomware and data privacy incidents continue to represent significant risks for all kinds of organizations. At Nationwide, we recognize that network security and data privacy coverages are necessary but not enough by themselves to mitigate the risks. For this reason, we believe the steps we take with our policyholders before a cyber incident are just as important as our response when a breach or other cyber event happens.

Malicious attacks loom large

Ransomware has been driving cyber risk trends for the past several years, and it shows little sign of abating. In “The State of Ransomware 2024,” cybersecurity services company Sophos reported that 59% of organizations were hit by ransomware attacks in the past year, and of victims whose data was encrypted, 32% also had their data stolen. The percentage of data exfiltration was even higher – 53% – for firms in the information technology, technology and telecommunications sector.

These malicious attacks are costly, both in terms of extorting funds and recovery efforts by the victim organizations. The average initial ransom demand, according to Sophos, was $2.0 million, while the average recovery cost excluding any ransom payment was $2.73 million. Over a third of organizations needed more than a month to recover from the ransomware attack.

Even without a data breach, ransomware can cause serious business interruption. What ransomware attacks have shown us is they are industry-agnostic. It’s not just about the data that may be encrypted and stolen; it’s also about the unauthorized access that exploits vulnerabilities.

The insurance industry’s response to ransomware has improved. Companies are now able to act more quickly, and Nationwide is working with our clients to prepare them for potential issues with thorough incident response planning, data backups and other risk mitigation procedures. Nevertheless, ransomware exposures remain elevated.

Connectivity raises the stakes

While the severity of malicious attacks remains concerning, a troubling uptick in frequency is occurring in non-malicious events such as network outages and system errors. The high level of connectivity in modern business operations translates into widespread impact.

This problem was highlighted in July by a massive IT outage involving widely used cybersecurity vendor CrowdStrike. The outage was traced to a technical error during a software update. It resulted in one of the largest non-malicious system outages in history, affecting millions of Microsoft Windows systems around the world. Disruptive as it was, the ultimate loss is likely to be limited in scope because the outage was not malicious. The financial loss could have been far worse had the outage been caused by malicious threat actors.

In contrast to the widespread impact of the CrowdStrike outage, which shut down businesses in many industries, similar events a few years ago were more limited. For example, in 2016 Southwest Airlines and Delta Air Lines each experienced IT system glitches that forced them to cancel or delay thousands of flights. Southwest’s and Delta’s unrelated outages lasted for days before their networks were restored.

Preventing or mitigating future outages is possible, through cyber insurance and strong risk management. Contingent business interruption coverage in the context of cyber risk is available, but underwriting it is challenging. At Nationwide, we strive to understand a policyholder’s critical vendors and establish a definition of a system failure. Equally important are winnowing down the threat of disruption and making necessary adjustments to mitigate the risk.

Cyber claims evolving

As if malicious and non-malicious events were not challenging enough, the nature of cyber claims is expanding and evolving. Ransomware and data privacy claims are expanding, and it’s not yet clear what types of cyber claims will emerge next. More jurisdictions are enacting laws that address data privacy. At the moment, there is no federal benchmark on data privacy, and states differ on their requirements and compliance procedures. As a result, Nationwide is closely monitoring the regulatory environment, particularly in the areas of biometric data and artificial intelligence.

Having adequate cyber insurance in place is only one part of the equation. Another important factor is robust cyber risk management practices. Nationwide offers a large network of specialist resources, ranging from legal services and breach coaches, to forensics and cybersecurity services, to provide expert assistance to our policyholders before, during and after a cyber incident.

For more information about cyber and professional liability solutions, please visit www.nationwide.com.

Tim Nunziata is Vice President and Head of Cyber Risk and Commercial E&O at Nationwide Mutual Insurance Company. Nationwide offers a broad set of management and specialty liability products for public and large private companies, across all industries, including financial services, retail and healthcare.

Products are underwritten by Nationwide Mutual Insurance Company and affiliates. Home office: One Nationwide Plaza, Columbus, OH 43215-2220. Nationwide, the Nationwide N and Eagle and Nationwide is on your side are service marks of Nationwide Mutual Insurance Company. © 2024 Nationwide

The material contained in this publication is designed to provide general information only. Whilst every effort has been made to ensure that the information provided is accurate, this information is provided without any representation or warranty of any kind about its accuracy and Nationwide cannot be held responsible for any mistakes or omissions.