It’s a sure sign of trouble when leading insurance industry executives are worried about their own prices going up.
Two separate CEOs of major insurance giants remarked in recent weeks about a considerable jump in cyber insurance premium prices: AIG’s chief executive said rates increased by 40% for its clients, while Chubb’s chief executive said that company was charging more, too.
Rather than welcoming the trend, Chubb CEO Evan Greenberg offered a warning. Those price increases, he said, still don’t reflect the grave risk that a catastrophic cyber event poses. “That is not addressing by itself the fundamental issue,” he said.
Those are just two data points about how, in the past year, the evolution of ransomware has radically altered the landscape of cyber insurance, according to analysts inside and outside the industry. Cyber insurance covers a range of ransomware-related costs, like extortion demands, remediation efforts and other losses.
Ransomware now accounts for 75% of all cyber insurance claims, up from 55% in 2016, according to the credit ratings agency AM Best. The percentage increase in claims is outpacing that of premiums, said a June report which concluded that “the prospects for the cyber insurance market are grim.” Fitch Ratings in April found that the ratio of losses to premiums earned was at 73% last year, jeopardizing the profitability of the industry.
A lack of profitability could lead to yet more premium increases, insurers fleeing the cyber insurance market or policyholders receiving more limited coverage. Problems in the cyber insurance marketplace stand to limit its ability to be a force for effective data protection techniques in the wider private sector, as clients look to insurers for guidance on specific security tools and measures.
“For the cyber insurance market, we are in the very first and most pivotal challenge that we’ve ever had,” said Michael Phillips, chief claims officer for Resilience. “This is our crisis moment.”
There’s less agreement about what could turn things around. Some changes are underway, with insurers imposing stricter cybersecurity safeguards for policyholders or reducing coverage limits. Such requirements could help businesses bolster their defenses, but may also make it harder for others to meet the threshold and therefore leave them without coverage. And reduced coverage limits means higher costs for ransomware victims.
Some observers suspect that over time, the insurance industry — around for hundreds of years in the United States — will acclimate to the risk and costs. Others suggest insurers might be scared away from offering cyber coverage, something that has happened in corners of the industry. And yet others think government intervention might be necessary.
“I think there’s going to be a breaking point,” said David Anderson, vice president and head of major accounts at Lockton Cyber Technology Practice, a brokerage. “I just don’t know what it’s going to look like.”
Cyber insurance is in high demand, a condition that could keep the industry from veering into disaster. Client take-up rate — or the proportion of existing clients opting for cyber coverage — rose 46% in 2020, according to the Government Accountability Office.
Even before the rise of ransomware, though, many analysts maintained that cyber insurance was particularly difficult due to an absence of historical data that complicated the kind of risk forecasting the industry typically uses to set prices. The issue has become severe enough that seven major insurers in June formed a company, CyberAcuView, to combine their data collection and analysis resources.
Now, rates are rising considerably as ransomware attacks increase. One North Carolina school board, for example, recently approved $22,318 for one year of cyber liability insurance — up from last year’s cost of $6,653, or a 235% jump.
“Before this current environment that we’re in, underwriters were almost entirely focused on privacy — how many records do you have, how well are those records protected,” Anderson said, adding that underwriters are now focused on business interruption costs.
There are other factors making the industry picture negative. AM Best noted that an earthquake insurer can diversify its books by offering insurance in different geographical regions, but cyber-risk has no such boundaries. And the losses right now are “crazy,” said Fred Eslami, senior financial analyst at AM Best.
Some contend that the cyber insurance industry at least partly has itself to blame for the growing expense it’s incurring from ransomware payments. Paying the attackers keeps them in the crime business, after all, ensuring future attacks. And it can have secondary effects, too.
“In too many cases the insurance model incentivizes paying criminals instead of having good security in place beforehand,” a Brookings Institution paper argued last month. A representative of the REvil ransomware gang said the gang targets companies that it knows have insurance, as they are “the tastiest morsels.”
The insurance industry publicly resists the notion that it’s anything but a positive force against ransomware, providing a backstop against expenses that can ruin ransomware victims.
Where it’s going
Some insurers have vocally indicated that they want no part of cyber insurance. Others have done so more subtly.
“What is more common than very public exits, are strategy changes that might signal an exit,” said Phillips. That could mean covering fewer and fewer aspects of ransomware costs, he said. AXA, for instance, has said it will stop paying ransom demands for future policyholders, partly in response to French government pressure to halt the practice.
“They’re going to say, ‘You want to buy it from us, fine, but you’re only going to get a tenth of what you got last year,’” Phillips said.
Others might limit coverage in other ways. “As companies are deemed risky then maybe there’s a higher deductible, or the insurance company might say, ‘I’m not going to write a $5 million limit on your cyber, I’m just going to limit my exposure to you to $500,000,’” said Sridhar Manyem, director of industry research at AM Best.
Remaining insurers are trending toward more thoroughly examining prospective policyholders’ security controls, interrogating them on whether they have taken steps such as multifactor authentication as a condition of receiving coverage.
Previously, Anderson said, carriers used paper applications with yes or no questions and “you took everyone’s word for it.” Now, he said, “They go through everything with a fine-toothed comb.”
More immediately worrisome for Phillips is whether some insurers will deem more potential policyholders uninsurable and refuse to provide them coverage because their security is too poor — a situation that would be worrisome for those who lack the financial means to obtain security technology, like municipalities or small businesses.
For the insurers that weather the storm, momentum seems to be building for firms to take a more active role in breach response situations.
The U.S. Ransomware Task Force made up of industry, government, non-profit and academic cyber experts, recommended creating cyber response funds to aid local governments trying to recover from cyberattacks and either don’t have insurance, or insurance won’t cover certain costs.
The U.K.’s Royal United Services Institute think tank, meanwhile, recommended more government intervention, such as suggesting that insurers work with the government to write minimum security standards that would be included as part of any ransomware coverage, or that the government provide breach notification data to insurers.
Tom Johansmeyer, head of Property Claim Services at Verisk, said that the cyber insurance industry might need to push through any potential profitability downturn. “I think we’re going to need a certain amount of tolerance for loss,” he said. While cyber insurance is a newer industry, however, there’s a considerable amount to be lost now as opposed to a line of business in its infancy.
Cyber insurance could consider learning from other forms of insurance. Anja Shortland, a professor at King’s College London who has studied kidnap for ransom insurance, said the practice of “disruptive bargaining” drove down payout demands from kidnappers.
“They’ve got very clear control of the ransom negotiations, and they tell their customers, ‘This is how you’re going to run this,’” Shortland said. “‘And you’re not going to panic. Yes, you will get some really horrible threats, and they might say they will take an ear off and they always get that on the fifth phone call. We’ve yet to receive an ear, so don’t cave in.”