In an effort to keep pace with the rapidly developing cyber industry, the cyber liability insurance package has evolved at a staggering speed. The cyber insurance market has missed out on the luxury of time; unlike other insurance products, which gradually developed into pristine and empirically calculated offerings, today’s cyber insurance package has yet to fully ripen. Indeed, this year saw the cyber insurance market’s biggest transformation in its 20-year history. The commercial significance of having comprehensive cyber cover has continued to burgeon over 2021. But the market is far from stabilizing, as the short-term habits picked up over COVID-19 progress into long-term trends for the future. These include remote working, the increased emergence of new technologies, and reliance on IoT for business operations which has, in turn, elevated the potential cyber risks facing any business, in any industry.
This article will focus on the main evolutionary steps that the cyber insurance market has taken this year, namely the increased caution with which carriers have deployed capacity, trends in demand, and price hikes.
Ransomware Cyber Coverage at the Top of Buyer Wishlists
The last twelve months have been beset with cyberattacks aimed at causing business interruption, reputational harm, and even physical damage. But by far the most persistent and severe attacks this year have focused on first-party extortion and ransomware incidents, as cybercriminals have eyed up valuable data collected throughout the pandemic and the soaring uptake of technology during the lockdown. Some reports have suggested that the average ransomware payouts in the US rose by nearly 300% in 2020. Although figures for 2021 have not yet been finalized, it does not seem that these trends have in any way subsided. These crooked gangs have cashed in using two relatively new attack methods over the past year in particular: double extortion and Ransomware as a Service (also known as RaaS).
This mode of attack developed in the wake of WannaCry and NotPetya – as the world woke up to the risks of ransomware attacks, increased emphasis was placed on backups and restoration. The result today is that, rather than simply encrypting data and then deleting it when a ransom is not paid, cybercriminals now exfiltrate data before they encrypt it and threaten to leak it or sell it to the highest bidder if an organization refuses to cough up. Losses stemming from this kind of attack are increasingly severe – victims of this kind of attack often have to weigh up the better of two evils, balancing their reputation and regulatory fines on the one hand, and extortionate ransom payments on the other.
Lower-level criminals have had skyrocketing success over the past year in deploying out-of-the-box ransomware kits for lucrative attack campaigns. These kits can be easily sourced on the Darkweb for as little as $40 per month, and enable criminals with little-to-no technical knowledge to flood the market with devastating success. This has caused a veritable headache for organizations and cybersecurity experts alike. The rise of this attack method has meant that the probability of being hit has dramatically increased.
As ransomware has fast become a key concern for businesses this year, insurers have reported greater demand for cyber extortion/ransom coverage, overtaking “cyber-related business interruption”. Advisen has revealed that 86% of its buyers this year listed ransomware coverage among their top three priorities for insurance.
Supply Chain Attacks On The Rise
Supply chain attacks are problematic because of their domino effect on a network of providers. One of the most severe of these attacks was the 2020 SolarWinds attack, the ramifications of which have continued to impact the insurance industry today. This was a major breach involving 425 companies of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide. The perpetrators are believed to be a Russian state-sponsored group who achieved the breach by hacking a compromised update to SolarWinds’ Orion software.
It’s safe to say the scale of these attacks has put insurers on notice. As these have continued to add pressure on carriers, they have responded accordingly by tightening their conditions for giving out insurance policies.
Read more about supply chain attacks and the issue of silent cyber here.
Cyber Policy Buyers Must Put Their Money Where Their Mouth Is
Cyber insurance is typically structured as a tower, whereby a portion of risk might be underwritten by a different insurer or party. But there has been an increased reluctance from insurers to attach themselves to the primary layer within these towers (the one that takes the initial hit after the client has paid their excess), due to the sheer magnitude of ransoms demanded over the past couple of years – it has become increasingly likely that the primary policy will payout in full in these scenarios, conferring very little commercial advantage to the policy carriers.
As a result of adverse loss trends and increasingly frequent, vicious attacks, some underwriters have imposed coinsurance (where the insurer and buyer share the costs of a breach or attack) or higher sub-limits specific to ransomware attacks. A recent Advisen survey suggests that 23% of underwriters prefer excluding coverage for extortion demands, and almost 50% opt for the inclusion of coinsurance with the buyer. In this way, coinsurance is being leveraged by carriers as an effective risk-management and bankruptcy-prevention mechanism.
Put simply – today’s buyers are unlikely to achieve complete peace of mind from ransomware through an insurance policy. Those wanting extra cushioning will need to pull their own weight and put their money where their mouth is, by increasing security controls and preparing capital reserves to pay for any unanticipated attacks. Minimum requirements for obtaining a policy will also continue to change.
Price Hikes to Cyber Insurance are Set to Continue
Following a relatively stable pricing period between 2016 and 2019, insurance has spiraled dramatically over the past two years, with little respite in sight for 2022. According to Howden’s “Cyber Insurance a Hard Rest” report, cyber insurance pricing has undergone a correction of over 30% in response to increased frequency and severity of claims. Others in the field claim that this figure is extremely conservative, arguing that the rate of correction has reached over 100%. Global cyber insurance pricing today is nearly 50% higher than early 2019 levels. This rise may plateau over time, but, given that insurance pricing will always respond to the volatility of the market it seeks to protect, it seems unlikely that any stability will persist for long in the world of cyber. But it is not just those who have recently woken up to the importance of acquiring cyber coverage who are struggling. Companies looking to reinsure themselves are also facing a startling rise in costs, and are looking to their insurers for a satisfactory explanation for this.
Another symptom of the hardened market is pricing disparity – although, for those businesses who come to their insurers prepared, this can truly work to their advantage. Those with meticulous cyber hygiene, who can proudly present a robust attack response plan, the collaboration of board level, IT and security stakeholders, comprehensive training programs and appropriate defense mechanisms can secure far more favorable pricing conditions. In particular, businesses with tried and tested incident responsible measures paid almost 40% less on average in 2020 than those without.
The key takeaway from the cyber insurance market of 2021 is that its product is not the bandaid to heal all. Rather, insurance is a measure to be taken in tandem with impeccable cyber hygiene. Insurers will be looking to capitalize on what has undoubtedly become one of their fastest-growing markets, whilst safeguarding their own solvency – this delicate balance will be found in the careful selection of the right customer with the right cyber resilience.
Interested to learn more about the latest developments in cyber insurance? Visit our course catalog for more information on our cyber insurance training.