Market Review 2.0: Cyber Risk

Market Review 2.0: Cyber Risk

An Update for Alternative Asset Managers

Cyber threats in the alternative investment industry are growing increasingly larger and more sophisticated. Alternative Asset Managers and in some cases their respective Portfolio Companies, have worked closely with Cyber Security vendors to help defend against and mitigate the effects of Cyber Incidents. Putting together a robust Cyber Security program requires a multi-faceted approach. Creating an incident response team, performing regular tabletop exercises coupled with other vendor due diligence are just some of the strategies being implemented. For most managers, Cyber Insurance has become an integral and key component of a firm’s Cyber Security Program. Our July 2020 Cyber Risk Market review outlined the early implications, threats, emerging risks and impact of the COVID-19 pandemic. The below commentary includes a cyber insurance market update and cyber risk considerations for 2021.

COVID-19 and Work from Home

COVID-19 continues to impact the cyber threat landscape. The global shift from the corporate office setting to working remotely has increased the exposure and probability of phishing and hacking attempts. Purplesec, a leading cybersecurity firm, asserts that cybercrime is up 600% due to the COVID-19 pandemic. As a result, insurers expect claims and losses related to this shift to continue to rise, as organizations and their cyberinfrastructure are still more vulnerable than usual due to the current work-from-home environment.

The Ponemon Institute, a pre-eminent research center dedicated to privacy, data protection, and information security policy, published a report in October 2020 titled Cybersecurity in the Remote Work Era: A Global Risk Report that details the current environment of increased cyber risks. Some key findings are below:

  • The remote workforce has significantly reduced the effectiveness of organizations’ security posture.
  • Credential theft and phishing/social engineering are the most frequent types of cyberattacks since COVID-19.
  • IT security budgets and in-house expertise need to increase.
Threat Landscape 2.0

Our July 2020 report outlined the top risks and impacts facing Alternative Asset Managers. Alternative Asset Managers possess high amounts of sensitive client and non-public information that make them a prime target for cybercriminals. The number of threats has increased exponentially as investment and private equity firms become more dependent on outsourcing and adopt new technologies to support operations. Our top three cyber risks are as follows:

  • Ransomware
    • Ransomware is malicious software that infects a computer system and blocks access to it or your data until a ransom is paid. The inability to access critical systems, the publication of investor details, or dealing with the technology and legal sides of a ransomware attack can derail many companies.
    • Costs surrounding ransomware attacks continue to rise year over year. See below for the 2020 Purplesec statistics:
      • Average payment increased 104%
      • Downtime increased 200%
      • The average cost of an attack was $133,000
  • Social Engineering
    • Social engineering attacks involve the psychological manipulation of employees into performing actions or divulging confidential information. These attacks typically involve phishing scams that use email, social networks, and more. According to a 2021 IBM report, the financial services and investment industry was the most attacked industry.
  • Reputational Risk
    • A cyber event can have a profound impact on a firm’s reputation. According to a survey at PwC, 87% of consumers “will take their business elsewhere if they don’t trust a company is handling their data responsibly.” This fact is concerning for asset managers and their ability to attract future investors.
Cyber Market

Our July 2020 update predicted alternative asset managers will see cyber insurance premium increases at their next renewal. At the time of this publication, Cyber Insurance premiums are now expected to increase 10% to 30%. These increases are due to the current threat landscape, increased costs surrounding cyber events, and rising reinsurance premiums.

Heavily exposed industries will experience renewal rates on the higher side: health care, higher education, public entities, manufacturing, financial institutions, construction, and large media and technology companies. These industries have an increased risk profile and are targeted with greater frequency.

Primary capacity generally remains strong, with active competition and over 70+ markets offering stand-alone Cyber Insurance. However, there now is some hesitation related to primary or low excess positions on multi-layered insurance programs. Furthermore, insurers are seeking higher rates online for excess layers given the competitive primary pricing and ever-increasing risk profile. As such, there is currently less interest and ultimately less competition to compete for excess positions where the pricing is unattractive.

As you may know, pricing is not linear in layered insurance programs. Traditionally, each excess layer will charge a fixed percentage of the underlying policy premium. This is also referred to as a “Rate on Line” (ROL). Currently, the ROL for excess positions is between 60 and 70% of the underlying policy premium. ROL’s as well as rates per million continue to trend sharply upwards and remain largely dependent on the specifics of any particular risk. Larger organizations with a significant number of client records consisting of personally identifiable information, or companies who are susceptible to possible business income and extra expense losses may see ROLs in excess of 75% or higher.

In some cases, we have seen inverted towers, where the top excess layer is more expensive than the middle layers on a program. This happens when a minimum rate per million is achieved and the program flattens out. Minimum rates per million for Cyber coverage are in the $6,000 – $8,000 range. Inversion usually happens on towers of more than $50,000,000.

Underwriters continue to be more conservative and detailed in their risk analysis. As a result, buyers should continue to expect the underwriting process to take longer and prepare accordingly. Insureds should continue to anticipate increased scrutiny from underwriters as they assess data protection controls, security measures, and compliance in a heightened regulatory environment.

Further Cyber Risk Considerations

Given the recent uptick in M&A activity, Alternative Asset Managers need to be aware of potential issues related to M&A activity. Companies should engage their IT staff early in the acquisition process to evaluate risks. The potential for reputational and financial harm from a cyber incident could have impacts on a firm’s valuation.

Additionally, the worldwide rollout of 5G networks will continue in 2021. Increased bandwidth and speed will facilitate the world’s transition to a cloud-based society and expand the use of the “Internet of Things”. Companies will now need to invest in greater and more sophisticated levels of monitoring for their networks, controls, and technology in order to address these increased exposures.

by EPIC Insurance Brokers

Financial Accounting Advisory Services: U.S. GAAP / IFRS/ HGB

Upon request, we can assist you in solving complex accounting and reporting challenges under U.S. Generally Accepted Accounting Principles (U.S. GAAP), International Financial Reporting Standards (IFRS) or Handelsgesetzbuch requirements (HGB).

These challenges often arise in the context of business combinations, impairment of goodwill and long-lived assets, common control transactions, equity transactions, fair value assessments, derivatives and hedge accounting, income tax accounting, lease accounting, restatements, revenue recognition, and when new accounting standards are introduced.

California Voters Approve Enhanced Data Privacy Rights

California Voters Approve Enhanced Data Privacy Rights

On November 3, 2020, California voters approved Proposition 24, an initiative intended to strengthen existing personal data privacy rights.  Proposition 24 builds on and will supersede the California Consumer Privacy Act (CCPA) of 2018, that went into effect this past January, and that provides Californians with the ability to better understand how their personal data is being used, along with the right to opt out of certain data collection programs.

The new law is known as the California Privacy Rights Act of 2020 (CPRA).  The CPRA creates a new state agency – the California Privacy Protection Agency (PPA) – that will be responsible for enforcing privacy laws, as well as promulgating the rules that will flesh out the broader, statutory language.  Before the establishment of the PPA, California’s Attorney General was responsible for enforcing the data privacy law.  Even so, Xavier Becerra, California’s current Attorney General, has stated that because of his office’s limited resources, they are able to prosecute only the most serious violations.

The CPRA expands coverage of the data privacy laws to businesses that ‘control’ the purchase, sale or sharing of personal information, which is intended to blunt efforts by some data collectors to outsource the collection process.  At the same time, the new statute raises from 50,000 to 100,000 the number of consumers or households whose data is being collected by a business in order for that business to be subject to the law. The new law tightens the sanctioning regime, in part by eliminating the prior law’s 30-day period grace for businesses to correct violations before fines could be imposed.

Under the 2018 law, consumers had a right to obtain information from businesses that sold their personal data.  The CPRA expands that to also include businesses that share personal data. The CPRA also creates a new category of “sensitive personal information,” and enables consumers to limit the use of such data, even when properly collected.  Sensitive personal information includes such seemingly obvious things as social security, driver’s license, and passport numbers, as well as genetic information, along with other information.  Also included within the concept of sensitive personal information is precise geolocation data, defined as “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet, except as prescribed by regulations.”  For rough comparison, a square residential block typically is about 400 feet by 400 feet.  A circle with a radius of 1,850 feet has an area of approximately 247 acres.

For those who are bothered by targeted advertising pop-ups that seem magically to appear following web searches (the technical term is “cross-context behavioral advertising”), the new law provides a method for opting out of such advertising.  The CPRA also gives consumers the right to request that inaccurate personal information be corrected.

Interestingly, the CPRA permits amendments only to the extent that they further enhance consumer privacy.

On balance, and while the CPRA unquestionably expands consumers’ rights and businesses’ obligations, it also provides some points of clarification as to whether a given business is covered by the statute, and how a covered business is to comply with its data privacy obligations.  As with the earlier CCPA, rights and obligations under the CPRA should become clearer once the expected regulations are promulgated.

The CPRA takes effect on January 1, 2023, although it will apply to data collected from January 1, 2022, on.

If you have any questions regarding the issues raised in this client alert, please contact your Labor and Employment counsel at Smith, Gambrell & Russell, LLP.