Ransomware Is Battering the Cyber Insurance Industry

Many executives have the impression that insurance carriers are abandoning the cyber market, given skyrocketing payouts following the surge in ransomware attacks.

Well, that’s not exactly true.

While anecdotal evidence suggests that some smaller carriers are limiting or eliminating cyber coverage, most carriers, brokers, and reinsurers that Endpoint surveyed are still very much in the space. In fact, Fitch Ratings, which assigns insurer credit ratings, says the $4.8 billion U.S. cyber insurance market grew 74% in 2021. GlobalData forecasts that gross written premiums will be worth more than $20 billion by 2025.

Do you know your risk score?

“Cyber insurance has become the fastest-growing segment of the U.S. property and casualty market as evolving threats have boosted demand for coverage,” says Gerry Glombicki, senior director at
Fitch Ratings.

Despite the appearance of being a healthy market, however, the cyber insurance industry has reached a crossroads. Carriers are still making money, but they are also dramatically overhauling their underwriting models to keep pace with the evolving profile of risk.

The upshot for treasurers and other executives looking for policies: Cyber insurance is still widely available, but organizations will
have to pay more and jump through extra hoops for considerably
less protection.

What does cyber insurance cover?

Executives who are newer to this world should know that cyber insurance works much like any other type of insurance. Companies apply for coverage from brokers or carriers. Underwriters evaluate an applicant’s security posture to make sure each applicant is taking basic precautions against cyberattacks that could lead to significant downtime and loss of income.

We expect most of our clients will face some sort of cyberattack every five to seven years.

The underwriters consult ever-changing models to determine how much coverage they are willing to offer and at what rate. If everything looks good, the policy is issued, and the carrier will typically transfer a portion of that policy’s risk to a reinsurance company. The reinsurance market makes it possible for insurers to write even more policies and continue expanding their business.

In the past, underwriting was a quick and straightforward process, according to David Anderson, U.S. head of cyber at reinsurance broker McGill and Partners. Applicants might be asked if they had antivirus (AV) and backup capabilities.

“If they did, then the insurer would say, ‘Great, here’s a quote, have a nice day,’” Anderson says. “Now, it’s ‘Show me.’ The underwriting process has become a lot more intense, lengthy, and intimate.”

Ransomware attacks change everything

The scourge of ransomware has changed the playing field for both insurers and the organizations they protect. Consider some of
the statistics:

• Reported ransomware attacks surged nearly 51% last year compared to 2020.
• Adjusted losses totaled more than $49 million, a nearly 69% spike from the $29.2 million in 2020.
• Average ransomware payments reached $812,000 in 2021, compared to $170,000 in 2020.
• Ransomware was involved in 75% of all cyber insurance claims during the first half of 2021.

Insurers are concerned about these developments, as well as about the rising sophistication and sheer audacity of cyber assaults.

Attackers in 2021 displayed a disturbing trend in the scale of their demands and the amounts reportedly received: Kaseya VSA ($70 million demanded); Acer ($50 million demanded); insurance company CNA Financial ($40 million paid); Kia Motors ($20 million demanded); and Colonial Pipeline ($4.4 million paid).

To cope with this outburst of nefarious activity, the insurance industry clamped down hard on underwriting terms to reduce higher claims volume, which rose 100% annually over the past three years, according to Fitch.

Paying more for less cyber insurance

As a first step, the industry raised direct-written premium rates 74% in 2021. On average, U.S. companies now pay $1,485 a year, or $124 a month, for cyber coverage. “Prices are increasing at a pace considerably higher than other commercial business lines,” notes a Fitch report.

At the same time, the industry trimmed cyber insurance limits—the most they’ll pay for a claim—from $10 million to $5 million for many industries, while raising deductibles, also known as “retentions,” reports the National Association of Insurance Commissioners (NAIC). Indeed, industry experts say they have seen cases of deductibles jumping from around $25,000 to as much as $250,000 in the past year or two.

What’s more, carriers are becoming much more selective about which industries they are willing to underwrite. It’s becoming “next-to-impossible” to insure sectors that have been disproportionately targeted, such as government, education, healthcare, and utilities, says Kirsten Bay, CEO of Cysurance, which specializes in cyber insurance for small and midsize companies. You can also forget about getting good coverage if you’re a managed service provider (MSP).

“That doesn’t mean there is no availability,” she says. “It means the
$5 million limit you really need is going to be a lot harder to get.
For example, they might offer $3 million of coverage, charge a lot more for it, and tell you the other $2 million must come from an excess policy.”

Read also: Cyber Lessons Learned One Year Into Russia’s War in Ukraine

Some carriers are even trying to limit big payouts by restricting—sometimes severely—the size of companies they are willing to underwrite, says Kurt Suhs, CEO of Cyber Special Ops, a concierge-style service that helps companies respond to cyberattacks. He says carriers may pressure brokers about writing billion-dollar policies and limit coverage to companies with $250 million in revenues
or less.

Prove it or lose it

More commonly, carriers are tightening their qualifying requirements. Just as someone applying for life insurance might have to take a physical and share their medical history to qualify for premium rates, cyber insurers require organizations to meet basic standards of cyber hygiene.

Some insurers have either reduced how much cyber they’ll write or
have even pulled out of the market entirely.

Good practices typically include having multifactor authentication (MFA), endpoint protection, robust AV, up-to-date redundant and offline backups, and security awareness and training programs. Cyber risk scores are increasingly important to insurers, as well. If an organization cannot check all the necessary boxes, it will likely face higher rates, reduced coverage, or a rejected application.

“These are the kinds of data points every underwriter now views as pass-fail issues,” says Anderson of McGill and Partners. “Lack of MFA is a complete nonstarter, for example. If you don’t have it for remote access, you’re not insurable.”

The rising number of cyber-hygiene prerequisites can be frustrating for executives, says Cysurance’s Bay. But she says the constraints also present the opportunity for CISOs to talk to their C-suite about the need to fund more cybersecurity upgrades across their organization.

Read also: How CISOs can talk cyber risk so that CEOs actually listen

“Security professionals need to have more conversations with their leaders around the value of investing in cybersecurity and the financial impact that could have on the business,” she says. “I think between what’s happening with cyber insurance and the rise of ransomware, that’s an easier conversation than it has ever been.”

In addition to security requirements, most insurers are adding to the list of situations they won’t cover, known as “exclusions.” For instance, having learned their lessons from 9/11 and the pandemic, few private insurers are willing to share losses resulting from cyberwarfare or infrastructure failure.

The federal Terrorism Risk Insurance Program (TRIP) might help insurers cover some losses from cyber-terrorism attacks. However, the rules governing what constitutes a terrorism-related incident are narrowly written and not helpful to companies at this time. Recently, the lack of coverage has led the U.S. Government Accountability Office (GAO) to recommend that the Treasury Department and the Department of Homeland Security assess the need for a federal insurance backstop—much as the government subsidizes crop insurance, for example—to correct the lack of coverage for critical infrastructure organizations, in particular.

Reducing exposure to cyberattack claims through higher premiums and exclusions has helped the cyber insurance industry reduce its direct loss ratio, or what it pays claimants, from 72% in 2020 to 65% last year, according to Fitch. Recently, The Wall Street Journal described how White House officials applauded the application of more scrutiny to approval standards amid a wave of nation-state attacks, especially since the Russian invasion of Ukraine.

Read also: The Ukraine invasion doesn’t only affect insurance rates—it’s also made threat hunting teams critical. Here’s how

But tougher guidelines have also had the effect of decreasing the availability of previous levels of cyber insurance, which is a key “reason why people think coverage is disappearing,” says Anderson.

To cyber insure or not?

The perception that insurance isn’t available will probably persist as carriers continue changing their business models to remain profitable, says Tom Johansmeyer, head of PCS, a division of the data analytics and risk assessment firm Verisk that focuses on calculating catastrophic insured property losses. Despite the appearance of being all-in on cyber insurance, “some insurers have either reduced how much cyber they’ll write or have even pulled out of the market entirely,” he says.

The upshot for organizations, he adds, could be a widening “cyber insurance protection gap.” Even if companies or agencies qualify for a level of coverage, they may not get enough to cover potential losses.

Read also: How to minimize losses from the get-go? Unify IT and security

Shrinking coverage has led some organizations to question whether they need cyber insurance or if they could just pay out-of-pocket if an incident occurs. “We talked to a school district where their premium was going up from $1 million to $2 million a year, despite the fact they’d had no losses or claims,” says Suhs of Cyber Special Ops. “They started saying to themselves, ‘Is it worth self-insuring?’ I think more organizations are doing that these days.”

Not everyone recommends the self-insurance approach, however, given the magnitude of losses organizations could face in the event of a serious cyberattack.

“We expect most of our clients will face some sort of cyberattack every five to seven years,” says Anderson. “Even with the prices and premiums we’re seeing today, if you assume you’re going to be hit and it’s going to cost you, [buying insurance] is probably a pretty good trade in the long run.”