Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.
Increasing cybercrime incidents resulting in large losses – combined with some carriers retreating from writing the coverage – are driving cyber insurance premiums sharply higher.
Once a diversifying secondary line and another endorsement on a policy, cyber has become a primary component of any corporation’s risk-management and insurance-buying decisions. As a result, insurers need to review their appetite for the peril, risk controls, modelling, stress testing and pricing.
According to A.M. Best, prospects for the cyber insurance market are ‘grim’ for several reasons:
- Rapid growth in exposure without adequate risk controls,
- Growing sophistication of cyber criminals, and
- The cascading effects of cyber-risks and a lack of geographic or commercial boundaries.
While the industry is well-capitalised, A.M. Best says individual insurers who venture into cyber without thoroughly understanding the market can put themselves in a vulnerable position.
“The cyber insurance industry is experiencing a perfect storm between widespread technology risk, increased regulations, increased criminal activity, and carriers pulling back coverage,” according to Joshua Motta, co-founder and CEO of Coalition – a San Francisco-based cyber insurance and security company. “We’ve seen many carriers sublimit ransomware coverage, add coinsurance, or add exclusions.”
Worsening since the pandemic
A recent Willis Towers Watson study found primary and excess cyber renewals averaging premium increases “well into the double digits”. One factor helping to drive these increases, Willis writes, is the sudden shift toward remote work on potentially less-secure networks and hardware during the pandemic, which has made organisations more vulnerable to phishing and hacking.
The average cost of a data breach rose year over year in 2021 from US$3.86million to US$4.24million, according to a recent report by IBM and the Ponemon Institute — the highest in the 17 years that this report has been published. Costs were highest in the United States, where the average cost of a data breach was US$9.05million; up from US$8.64million in 2020, driven by a complex regulatory landscape that can vary from state to state, especially for breach notification.
The top-five industries for average total cost were:
- Health care
- Financial
- Pharmaceuticals
- Technology
- Energy
For the health care sector, the average total cost rose 29.5 percent, from US$7.13million in 2020 to US$9.23million in 2021.
Since start of the year, cyber insurance rates have increased 7 percent for small businesses, according to AdvisorSmith Solutions. For mid-size and large businesses, AdvisorSmith said those increases were closer to 20 percent.
Insurers’ reactions
AIG last month said it is tightening terms of its cyber insurance – noting that its own premium prices are up nearly 40 percent globally, with the largest increase in North America.
“We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber-loss trends, the rising threat associated with ransomware and the systemic nature of cyber risk generally,” CEO Peter Zaffino said on a conference call with analysts.
In May, AXA said it would stop writing cyber policies in France that reimburse customers for extortion payments made to ransomware criminals. In a ransomware attack, hackers use software to block access to the victim’s own data and demand payment to regain access.
The FBI warns against paying ransoms, but studies have shown that business leaders today pay a lot in the hope of getting their data back. An IBM survey of 600 U.S. business leaders found that 70 percent had paid a ransom to regain access to their business files. Of the companies responding, nearly half have paid more than US$10,000 and 20 percent paid over US$40,000.
Two advisories last year from U.S. Treasury agencies - the Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) – indicated that companies paying ransom or facilitating such payments could be subject to federal penalties. These notices underscore businesses’ need to consult with knowledgeable, reputable professionals long before an attack occurs and before making any payments.
More like terror than flood
Cyber-risk is unlike flood and fire, for which insurers have decades of data to help them accurately measure and price policies. Cyberthreats are comparatively new and constantly evolving. The presence of malicious intent results in their having more in common with terrorism than with natural catastrophes.
Insurers and policyholders need to be partners in mitigating these risks through continuously improving data hygiene, sharing of intelligence, and clarity as to coverage and its limits.