17 February 2023

The Impact Of An Unpredictable Cybersecurity Insurance Market On Life Sciences Businesses


The cybersecurity threat landscape continues to evolve in ways that increase operational and legal risks to life sciences organisations. At the same time, the cybersecurity insurance markets have been rapidly evolving to respond to record losses in 2020, when carriers paid out 72.5% of their premiums. In response, premiums were up 122% by the end of 2021, and up 48% more in the first half of 2022.

Carriers have looked to other ways to stem losses, such as increasing underwriting requirements and targeting new exclusions; eligibility questionnaires have become nearly as extensive as a full-on cybersecurity assessment. Companies with gaps in their security controls or their security documentation often find they are unable to renew their cyber policy, while others have had claims denied where incidents revealed that the company's security controls were not consistent with statements made in their application. In July 2022, Travelers Property Casualty Company of America sued a policyholder in US court, seeking rescission of the insurance contract. Travelers alleged that the policyholder claimed to use multifactor authentication for all privileged account access, but in reality only required multifactor authentication for remote user access. The case settled quickly, with the court issuing a judgment in Travelers' favour in August 2022.

Insurers are also narrowing the scope of their coverages by excluding more types of cybersecurity incidents. From WannaCry to SolarWinds, many of the most significant and disruptive cybersecurity events in history have been linked to state-sponsored hackers. After years of litigating whether or not the US$10 billion NotPetya global malware incident was an act of war committed by Russia, many carriers now expressly exclude state-backed cyberattacks. By 31 March 2023, all Lloyd's of London policies that protect against physical and digital damage caused by cybersecurity incidents will have such an exclusion.

Companies should expect that insurance markets will continue to evolve as the industry responds to the dynamic cybersecurity threat landscape. Industry players are calling for increased cybersecurity talent to strengthen underwriting. They're also looking for new, forward-looking risk models, as historical data has proven to be a less-than-perfect predictor of future losses. All of this translates into more requirements and more risk for cybersecurity insurance applicants.

To mitigate this risk, life sciences companies should not only strengthen their defences, but also prepare for a successful underwriting process. Prior to seeking insurance, they should assess whether or not their cybersecurity and privacy programme meets common industry requirements. On an ongoing basis, the required practices must be followed across the company, enforced, audited, and documented in security artifacts. Finally, the security artifacts should be safely stored so they are available if the company's security controls were to be questioned during a coverage dispute.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
