The shift to remote work and its consequences
As in every industry, the COVID-19 pandemic has, of course, affected the cyber insurance market. During 2020, most organizations around the world moved abruptly to a “remote work” mode, a transition that should have taken years to implement. This rapid transition has increased the number of security weaknesses that could be exploited, ranging from phishing emails disguised as COVID-19 organizational updates, to attackers targeting the healthcare sector in an attempt to steal vaccine information, to malicious apps carrying ransomware, and many more.
Cyberattacks have, sadly, become more frequent and more severe. Ransomware attacks alone have risen by an astonishing 715% this year (Bitdefender’s Mid-Year Threat Landscape Report 2020). Ransom demands have also climbed to a record of $23 million for a single ransomware demand, which occurred earlier this year. This is shocking compared to the five- and six-figure price tags that were the norm only a year ago. In fact, the EU’s law enforcement agency, EUROPOL, now regards ransomware attacks as the most prominent cybercrime threat. According to the Hiscox Cyber Readiness Report, which sampled 5,569 companies across eight countries, total cyber losses among the study group rose from $1.2 billion to nearly $1.8 billion, a figure that reflects the true impact of these attacks.
The dramatic increase in ransomware attacks also means an increase in business interruptions, which can be devastating for organizations. They are not only asked to pay the ransom itself, but are also forced to deal with the financial, legal and reputational consequences of the business interruption. (See figure below, taken from NetDiligence Cyber Claims Study 2020)
Overwhelming increase in claims and demand
In this new reality, where instead of just securing an internal network, IT organizations have to secure thousands of remote workers accessing critical systems, organizations have realized that nothing they do will ever be enough, and that they must also prepare for the probable scenario that they will eventually get hacked. One way to prepare is to cover the residual risk of an attack with a cyber insurance policy.
Consequently, this year we saw a substantial increase in demand for cyber insurance. In parallel, companies that are already insured have filed more claims. It therefore makes sense to assume that when cyber products are in such high demand, the market will need to address the lack of capacity by raising prices and hardening policy conditions.
Insurers are leaving the market
But there are those who think the overwhelming rise in ransomware attacks, and consequently the rise in demand and claims, is not the natural, linear progression that would normally be expected. They argue that it’s not just a matter of prices and conditions, but rather that ransomware is no longer insurable, which means that insurance companies will not be able to cover this type of risk for long.
In the last few months alone, we’ve seen some carriers exit the cyber insurance market. It’s no secret that there have been systemic issues in the cyber insurance market: the losses, and the difficulty of evaluating an ever-changing risk, have caused insurers to strongly reconsider whether cyber is indeed their “growth engine”, as many had claimed before.
Those that stayed are cherry picking
Insurers that haven’t left the market are also becoming more cautious. They are cherry picking the “safest” businesses and declining to insure businesses that are at high risk. They have also lowered the capacity offered on each policy, with the aim of lowering their risk by diversifying it across different businesses. This is called “line deduction”, and it means that instead of offering $10M a year ago, they would now only offer $5M.
Insurers are also reevaluating where they stand in large cyber towers. With far less competition, insurers are less motivated to take the primary position, while excess carriers are expressing concerns about new entrants that are willing to jump at the opportunity and push prices down, partly because those entrants have much less visibility into real market conditions than the large insurers, who often have more data.
What should happen in 2021
I personally do not agree with those who claim that cyber threats, and specifically ransomware attacks, are not insurable. The dramatic increase in demand and in the risk will require all market players to “step up their game” and adapt to this change.
Enterprises will have to increase their cyber security investments; regulators and governments will become more involved in creating relevant guidelines, legal frameworks, and task forces that will help companies deal with state-sponsored attacks; and lastly, insurance companies will have to step up their game as well. Sure, they may (and should) raise premiums by 10%-30% and harden their underwriting conditions, but they should also shift their mode of operation, from merely signing and renewing policies to more proactive involvement with their clients. That involvement includes ongoing risk evaluations, ongoing guidance on the measures that organizations need to put in place, and proactive assistance in containing the damage as part of their cyber incident response protocols.
To carry out these activities, insurance companies will have to provide their staff with in-depth technological training and the skills required to understand and communicate with technical staff within their clients’ organizations. They should also be able to use aggregated data and technological tools that will allow them to leverage their unique perspective across a multitude of organizations and industries.