An 18-month spree of ransomware attacks has imperiled critical infrastructure around the world and worsened the pandemic’s economic pain. Now insurers that protect companies against the risk of cyberattacks are jacking up the prices of cyber policies to unprecedented levels to reflect the growing threat that hacks pose to businesses.
Cyber risk used to be a plum business line for insurance companies. Since insurers began offering cyber policies in the late 1990s, they’ve generally made handsome profits covering companies for the costs associated with getting hacked, according to Jamie MacColl, a cybersecurity researcher at the UK’s Royal United Services Institute (RUSI) for Defence and Security Studies.
But the recent rise of sophisticated ransomware gangs—professional hackers who freeze major companies’ computer networks in order to extort them—is scrambling the cyber insurance business model. “Ransomware has really brought home for the market that the price was too low,” said MacColl, who co-authored a RUSI report released in June on the state of the cyber insurance industry. “They don’t have enough premium to cover their losses. I think this is probably the first year where cyber insurance as a market will have made a loss.”
In response, insurers are hiking premiums, and at a faster clip than any other sector. While the pandemic has driven up insurance premiums across the board, cyber insurance has gotten especially expensive.
In the first quarter of 2021, US cyber insurance premiums rose an average of 18%, according to data from the Council of Insurance Agents & Brokers. That outstripped all other major categories. The only insurance lines that come close are directors and officers liability insurance and employment practices liability insurance, which protect companies and executives who put their workers in harm’s way (for example, by insisting they them to come into work during a pandemic).
Insurers struggle to price cyber risk
Skyrocketing insurance premiums mean that ransomware attacks aren’t just hurting the companies that get hacked. They’re also spreading the economic pain to every firm that buys a cyber insurance policy and faces a rising cost of doing business.
But pricing policies for cyberattacks present a unique problem for insurance companies. They’re a relatively new, fast-evolving form of risk. That means there’s not much data to draw on to develop the precise actuarial tables that insurance companies normally use to carefully balance the amount of money they take in through premiums against the amount of money they expect to pay out in claims.
“Very early cyber insurance policies start being offered in the late ‘90s, and they don’t look anything like the cyber insurance policies that are being sold today—partly because cyberattacks then didn’t look anything like they do today,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University. Back then, she said, most policies narrowly focused on legal liabilities related to data breaches: If a hacker got into a company’s servers and stole its customers’ usernames and passwords, the insurer would help the company pay for things like notifying affected customers and settling lawsuits.
It wasn’t until 2015 that ransom payments started to be incorporated into cyber insurance policies—and even then, they were a relatively small risk. But during the pandemic, the number of ransomware attacks has exploded.
Ransomware attacks were responsible for all of the growth in US cyber insurance claims last year, and now account for 75% of all cyber claims, according to a June report on the cyber insurance industry from AM Best. In other words, cyber insurers are now almost entirely dedicated to covering one type of risk—ransomware—that barely existed five years ago.
Without much relevant data to guide them, insurance companies have had to basically guess how they should price their premiums to account for the risk of ransomware. “When we talk about raising prices, we’re not talking about fine-tuning a really sophisticated pricing algorithm [the insurance companies] have developed over the years,” said Wolff. “They’re just saying, ‘Oh, I guess we should be charging more. Everybody go up a few percentage points.’”
Before the pandemic—and the accompanying surge in ransomware attacks—the insurance industry’s hunches worked out. AM Best data show that in 2019, the cyber insurance industry’s loss ratio—that is, the percentage of its income that it had to pay out in claims—stood at 44.8%. That means insurance companies were pocketing more than half the money they charged in premiums.
But by 2020, the insurance industry’s loss ratio grew to 67.8%, meaning that insurers kept less than a third of what they charged in premiums last year. Three of the top 20 cyber insurers (AIG, CNA, and Sompo Holdings) actually lost money on their cyber policies. Now, the cyber insurance industry is hiking premiums to avoid even thinner profits—or an outright loss—this year.
The steady rise in cyber insurance premiums underscores the escalating risks that all businesses now face from organized criminals and state-sponsored hackers. US federal reserve chairman Jerome Powell recently said he views cyberattacks as the greatest threat to the global economy. Judging by the prices of new cyber insurance policies, insurance companies have signaled that they agree.