Two cyber insurance industry initiatives grapple with rise of ransomware
Twice in the past few weeks, insurers have joined together in response to the spiraling ransomware attacks that have rocked their industry.
In mid-June, seven top insurance companies formed CyberAcuView, a company to combine their data collection and analysis powers in a bid to strengthen risk mitigation in the cyber insurance industry. The chief executive officer of CyberAcuView told CyberScoop that ransomware was one of the factors that drove creation of the company.
Then, last week, the American Property Casualty Insurance Association (APCIA) released its guiding principles on cyber extortion and ransomware, including its views on regulation.
Both are signs of the cyber insurance world trying to wrap its arms around ransomware, a phenomenon that is leading to costlier payouts, prompting insurers to demand security improvements from policyholders and in some cases driving companies to step back from what they’re willing to cover.
For instance, the annual growth rate in cyber insurance premiums over the past four years has been 20%, while the average growth in claims has been more than 39%, according to a report from credit agency AM Best that warned of a “grim” cyber insurance market. Ransomware, AM Best said, now accounts for 75% of cyber claims.
“We are all wrestling with, and I think coming to, some level of standards for the industry,” Michael Phillips, chief claims officer at cyber insurance company Resilience, said about the joint APCIA and CyberAcuView developments. Phillips also was a co-chair of the public-private Ransomware Task Force collaboration.
The establishment of CyberAcuView reflects a recommendation from the Ransomware Task Force to create a body to share ransomware loss data. Data about ransomware attacks is historically difficult to come by, as fewer than half of victims come forward by one estimate. The FBI has similarly relied on insurers to learn more about threat groups and specific incidents amid the dearth of data.
CyberAcuView CEO Mark Carmillo said that the task force’s report, as well as a recent Government Accountability Office publication considering how industry might get a grasp on loss data, highlighted the need for “the industry to work together to advance common policy definitions, collect and aggregate cyber data, and accelerate loss-control best practices — all to improve overall risk mitigation and ensure a competitive marketplace.”
AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance and Travelers — companies that collectively have a major share of the U.S. cyber insurance market — joined to create CyberAcuView.
“The industry has been discussing the need for a platform like CyberAcuView for several years now,” Carmillo said via email. “With the formation of CyberAcuView, we now have the industry support to help move these initiatives forward to greatly benefit policyholders.”
While reports on cybersecurity insurance claim payouts indicate cyber insurance has broadly better payout rates than other kinds of insurance products, some cyberattack victims have challenged insurers in court over what other kinds of policies cover cyber-related damages.
The APCIA, meanwhile, released guiding principles on how it believes the U.S. government should tackle ransomware — or not. For instance, it states that, “Subject to applicable sanction and other laws, insurers must be permitted to provide reimbursement coverage for the policyholder’s payment of ransom for cyber extortion.”
It’s a hotly debated subject among policymakers: whether the U.S. should forbid companies from making ransomware payments at all, given the notion that payments incentivize ransomware gangs to continue committing their crimes. But permitting payments “is consistent with the long-standing approach to the parallel issue of crime or kidnap & ransom coverages, which are allowed by regulators so long as those payments do not violate sanctions laws,” the APCIA contends.
“Ransomware attacks are increasing in both frequency and severity as bad actors continue to evolve and adapt,” David Sampson, president and CEO of the APCIA, said via email. “APCIA has an opportunity to play a role in addressing this societal problem through partnership with policyholders, policymakers, and other stakeholders.”
Sridhar Manyem, director of industry research and analytics for AM Best, said the joint CyberAcuView and APCIA developments “demonstrate a realization by the insurance industry that cyber is punching way beyond its weight in terms of attention.”
“Given the relatively recent nature of cyber, the combined effort can provide more transparency into losses and help insurance professionals better understand and underwrite,” he said via email.