The cyber insurance market has never been more confusing. Cyber-attacks are up by 93%. In 2020, more than 60% of companies were subject to ransomware demands. And while attacks on large organizations like the Colonial Pipeline have captured the headlines, in fact 50% to 70% have targeted small and medium-sized companies, underscoring the wide reaching implications of this threat.
Average demands are up by a staggering 518% and actual payments are up by 82%.
At the same time, companies like AXA are dropping their cyber insurance coverage. Those who still offer policies are ratcheting up their rates and mandating increasingly stringent cybersecurity requirements for their clients. What is a company to do? Here’s perspective on this volatile landscape — and some guidance.
Insurance companies have been forced to raise their premiums as payouts become more common — and more costly. Sophisticated hacking tools are regularly able to penetrate extensive operational systems and capture enormous amounts of crucial data, leaving targeted organizations in a bind. “They have no choice but to pay up because these are systems that are critical to operating their businesses,” says Adrian Mak, CEO, and co-founder of AdvisorSmith.
“It is a relatively nascent type of insurance. The terms around it continue to evolve,” adds Daniel Soo, a principal in Deloitte’s cyber practice. “You’re seeing pricing models improve. That’s [also contributing to] the increases.”
At the same time, cyber criminals have taken note of cyber insurance itself as a potential revenue source, sometimes penetrating insurers in search of their client lists — a rich source of targets. This liability is, of course, passed along to the customer. “There need to be increased protections for the insurers offering these types of policies,” Soo exhorts.
Premiums are up by 30% on average, according to Howden Group. Companies such as AIG have admitted to cost increases of up to 40%. And while small business policies have seen less dramatic escalation, AdvisorSmith reports a 7% increase since last year.
Not only are premiums increasing, but some insurers are simply pulling the plug on cyber insurance coverage. A survey conducted in Q2 found that 80% of cyber insurers saw capacity reductions. The direct loss ratio is estimated at around 73% — meaning that most insurers are just about breaking even.
“The market for cyber insurance has changed fairly dramatically over the last year,” explains Mike McNerny, COO of Resilience. “It has hardened, which is essentially a decrease in the supply. At the same time demand is going up. You see customers that are in some cases unable to qualify for insurance altogether. This is a dramatic change from last year where it was essentially almost the exact opposite.”
“The appetite for taking cyber risk has decreased through many insurance companies across the industry,” Mak says. “That can mean anything from withdrawal from the market in the most extreme cases down to increasing underwriting standards.”
The volatility here can be attributed in part to the lack of diversification in the market, he claims. “It’s hard to predict the systematic risks that cut across geographies and industries. You may have an auto mechanic business and a hedge fund that run Windows. Both may be exposed to the same type of risk.”
Insurers are assessing their options accordingly. Consumers can expect some significantly different offerings in the coming years. “Now you see cyber insurance as an add on to other types of policies — an addendum to a property policy or a liability policy. I think you may see more standalone cyber insurance policies that cover the full range of attacks,” predicts Cindy Jordano, an associate at Cohen Ziffer Frenchman & McKenna.
“There’s probably going to be some level of consolidation. Some companies will understand how to do this better than others,” Soo concurs. “You’ll see capitalism come into play here.”
For all its current challenges, projections for the industry are robust. Its value will likely reach $28.6 billion in the next five years according to Allied Market Research.
Increasing Security Requirements
As attacks and subsequent payouts escalate, cyber insurers are implementing increasingly stringent security requirements for their clients — a trend further encouraged by government scrutiny.
“Placing capital at risk without requiring action on behalf of the insured is a kind of moral hazard,” says Resilience CEO Vishaal Hariprasad. Hariprasad was part of an August cyber defense summit at the White House. The Biden administration has been hawkish on cybersecurity and has already issued some initial guidance. Hariprasad and others have committed to cooperating with the government and with each other in further refining these standards.
Early cyber insurance policies only required filling out surveys on existing protocols. Now, insurers are moving toward active verification. “We need to be able to have a little more substantive evidence that you’ve done what you’re saying you’re going to do,” says Soo.
“This dynamic is causing a much-needed maturation in how the insurance industry is thinking about cybersecurity risks,” McNerny argues. “They are now thinking a lot harder about the kinds of controls they’d like to see in place.”
Multi-factor authentication is among the primary cyber hygiene practices that is emerging as an industry standard. Reduction of attack surface, protection of credentials, and network segmentation will likely become necessary to secure coverage as well. And not all these factors will be the responsibility of a given organization’s cyber security team.
According to McNerny, implementation will require a cultural shift. All employees need to be educated on how to prevent these attacks. “We often think in terms of technology,” he says. “But having a process in place can be just as important. How do you respond to an incident? Is the call sheet written down so you can access it when your computer is locked up by ransomware?”
And when it comes to accounting to the insurer, Soo thinks that things will become more procedural. As patterns emerge, protocols will fall into place. “It comes back to how the insurers are expecting to receive that information,” he says.
While the increasing standardization of security requirements is likely to stabilize the market to an extent, government involvement has created one hitch for both clients and insurers. This month the Office of Foreign Assets Control issued an advisory warning of potential sanctions for payments issued to entities and countries that are viewed as national security threats.
This of course adds further complications to ransomware situations, as insurers who assist clients in making payments may also be liable. How this will affect payment of claims and the structuring of policies remains to be seen. Payment of ransomware claims often exists in a legal gray area because many transactions are facilitated through cryptocurrency exchanges. But the specter of greater liability is accompanied by the possibility of additional cost increases.
Some 42% of companies don’t have adequate coverage in the first place and will likely end up paying at least some portion of the damage incurred by a cyber-attack out of pocket. Policy ambiguities — such as the percentage of business losses covered — have led to frequent legal disputes. “Some insurance companies are going back through their coverage forms with a fine-tooth comb,” Mak says. This often results in the denial of claims.
Jordano, whose practice focuses on assisting clients in maximizing insurance payouts, notes that disputes often arise due to the complexity of these claims. “It’s not like a fire, where you can point to your house and say, ‘Look, it burned down,’” she says. “There’s not as much historical precedent. With property insurance, you have centuries of precedent. With cyber insurance, the law has been made within the last ten years or so.” Experts are often required to assess the extent of the liability and depending on the specifics of the policy, cases end up in arbitration or in court.
As a result, Jordano believes companies will become more sophisticated in choosing appropriate policies, making sure that all potential liabilities are covered. “I think policyholders need to be very vigilant that they’re getting the benefit of their bargain because they’re paying so much for this coverage,” she says.
Is it Worth it?
Confronting this nightmare of complexity, many organizations may be left wondering whether it’s worth it to retain a cyber insurance policy at all. Is an expensive policy that may not pay out when a cyber-attack arrives at your doorstep really worth the investment? On balance, most experts say yes. Indeed, there are rumblings in some quarters that, like auto and homeowner’s insurance, cyber insurance may eventually become mandatory.
The potential fallout of a cyber-attack is too great a liability to shoulder — the aftershocks can shake a business to its core. The consequences extend far beyond an initial breach. Production downtime, exposure of customer data and resultant lawsuits, and reputational damage can compound and result in far more substantial losses. A properly structured cyber insurance policy can mitigate these problems.
“One of the most valuable parts of an insurance policy is the expert network that kicks into gear immediately after an incident,” McNerny advises. “They will have pre-thought-out playbooks with market leading vendors that can do things like digital forensics and incident response restoration. They can connect you to law firms and even public relations firms. That will make your recovery that much quicker.”
Why to Rethink Liability Insurance for IT
What You Need to Know About Ransomware Insurance
7 Security Practices to Protect Against Attacks, Ransomware