As we discussed in last year's year in review article, we are pleased to report that the cyber insurance market continued to stabilize during 2023, despite the fact that ransomware was once again on the rise. While 2022 started out with 50% to 150% increases, we regularly saw flat increases or even decreases at renewal in 2023.
Continued intense competition between markets certainly played a role in this stabilization, as incumbent markets were eager to retain business. This stabilization was in stark contrast to the threat landscape, which only expanded as the year progressed. Let us dive into a recap of the year in cyber and what clients can expect in 2024.
Not even two weeks into the year, approximately 11,000 flights were delayed and more than 1,300 flights were cancelled when the pilot alert system of the Federal Aviation Administration (FAA) failed. Even though there was no evidence to suggest this outage was due to a cyber-attack, this incident illustrated the fragility of our aviation system and the potential for a future malicious attack on our aviation network.
We saw the exploitation of the software of two popular file transfer services, Fortra’s GoAnywhere and Progress’s MOVEit. File transfer solutions have quickly become a valuable target for cybercriminals, given the wide range of organizations that use the software and the sensitive data being exchanged between these organizations and their partners. The Russia-linked Clop ransomware group claimed responsibility for the MOVEit hacks against banks, hospitals, hotels and energy companies and was expected to earn between $75 and $100 million from extorting victims to stop their data from being released online.
The Health Sector Cybersecurity Coordination Center of the Department of Health and Human Services issued an alert in January that the hacktivist group ‘KillNet’ was actively targeting the health and public health sector by launching DDoS attacks. This highlighted the fact that threat actors continue to focus on the healthcare industry given the large volume of sensitive and confidential information these organizations store and the necessity of networks to be accessible to ensure patient care and safety. According to WTW’s proprietary cyber claims data for the first half of 2023, 17% of all claims and loss notifications were tendered by healthcare clients, which ranked third, behind only manufacturing and financial services clients.
Finally, chatbot and metapixel class action lawsuits continued to make their way through the courts. Many of these lawsuits are based on violations of decades-old laws, such as the Video Privacy Protection Act (VPPA) of 1988 and federal and state wiretapping laws. While such laws were originally designed for different technologies, they are now being applied to modern data collection methods.
Currently, more than 18 hospitals and health systems are facing lawsuits for allegedly installing the pixel technology on their websites and patient portals. In August, Advocate Health reached a $12.2 million settlement involving millions of patients whose health information was shared with Facebook and other outside companies without their permission. There is still a wide range of approaches carriers are taking with respect to wrongful collection coverage, but many are broadly excluding coverage for the exposure and any claims or losses stemming from the use of meta pixel technology.
These new and continued threats have of course caught the attention of regulatory authorities. The year began with federal agencies flexing their cybersecurity enforcement muscles. The FCC submitted proposed cybersecurity regulations in an effort to modernize its ability to regulate the telecommunications industry in this area.
Not to be outdone, the TSA anticipates issuing specific regulations intended to secure railroads and pipelines, largely in response to the 2021 Colonial Pipeline attack. In March, the SEC announced a package of proposed policies designed to help harden the financial system against cyber incidents and soon after, in July, adopted rules, which included a requirement that all public companies disclose all cyber security breaches within four days after a registrant determines that the incident is material.
And then, in October, just to make sure organizations understood that their new cybersecurity edict was genuine, the SEC sued SolarWinds Corp., along with its CISO Tim Brown, in connection with alleged “misstatements, omissions and schemes that concealed both the company’s poor cybersecurity practices and its heightened -and increasing- cybersecurity risks” related to the 2020 supply chain cyber-attack on the company’s Orion Platform.
Finally, not a year goes by without new states following in California's footsteps in enacting privacy legislation that requires companies to give consumers more access to and control over their personal information. Iowa’s new consumer data privacy legislation was signed into law in March and in April, Indiana passed its own consumer data protection bill into law.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).