Cybercrime has skewed away from commoditizing personal information to pursuing more lucrative extortion methods, like ransomware, against organizations of all sizes. Here’s how the cyber market is reacting.
The overall state of the cyber insurance marketplace is much like that of a growing child. It is maturing at a very rapid pace and is currently in its teenage years—complete with mood swings, the search for identity, irrational behavior, limit-testing and drained wallets.
Like teenagers, the cyber market has its own bad influences. Namely, claims, which are increasing in type, frequency and severity. The number of cyber claims has doubled over a two-year period, reaching approximately 18,000 in 2019, according to an A.M. Best report.
The pandemic has only widened the attack surface in the work-from-home environment, broadening the opportunities for business email compromise. This has led to a significant increase in social engineering and wire fraud claims with funds being distributed to cybercriminals at an alarming rate.
Meanwhile, ransomware is the neighborhood bully. It has evolved from the early days of “spray and pray” emails that distributed malware indiscriminately to thousands of individuals, hoping a few would click the link and pay hundreds of dollars each. The average ransom paid is now more than $200,000, according to “Trends in Ransomware and Doxing H1 2020 Review” by Kivu in partnership with Hiscox.
In most cases, when a ransom is paid, the decryption key is released. But the industry is now beginning to see outliers, such as an insured who pays the negotiated ransomware payment but does not receive the decryption key, allowing the perpetrator to resurface and demand the original amount again.
Further, ransomware has evolved beyond the exchange of bitcoin for decryption keys to include more traditional extortion demands to prevent the release of private information, corporate secrets or incriminating evidence.
As losses have developed in frequency and severity, those carriers that have been in the cyber market the longest have developed a level of maturity that the newcomers have yet to realize. As a result, market-leading insurers are either strategically increasing rates on select industry classes, such as healthcare, manufacturing, public entity, education and construction, or issuing portfolio-wide increases ranging from 20% to 60%. Some carriers have implemented increases of 100% or more to help improve their underwriting performance in certain classes.
The industry has also witnessed the exodus of some insurers from certain classes of business, or even a complete withdrawal from the cyber market.
As the long-standing cyber markets make necessary adjustments, some of the newer entrants to the marketplace continue to engage in a virtual race to the bottom in the rates and retentions they are seeking from small and medium-sized enterprises. Time will tell if they experience the same results as their more seasoned peers, but so far there is nothing to suggest they won’t. Broad coverage plus low premiums plus a constantly evolving threat leads to low or no profits.
For larger-scale risks, insurers have significantly increased the availability of risk management resources, such as tabletop exercises that enable insureds to simulate cyber events under a variety of real-world scenarios, network penetration testing, scans for Remote Desktop Protocol (RDP), employee awareness training, and more. Those organizations that make a priority of engaging their key stakeholders at every level stand to benefit greatly from these exercises.
So, will this teenager ever grow up?
The cyber insurance marketplace has been at an inflection point for some time, and it continues to react to the ever-changing threat landscape. Capacity is tightening in the small-to-midsize enterprise sector. For larger risks, building large towers of cyber insurance coverage requires more marketing and participants than it did even one year ago.
Pricing in the public entity space has doubled in many cases, while limits have been cut in half for those with a less-than-favorable loss history. Several carriers have exited this sector altogether.
More highly regulated industries, such as healthcare, finance and retail, continue to remain attractive targets for cybercriminals, and there is no sign of any broadening of terms and conditions, pricing or capacity in these areas.
Cyber carriers are taking numerous actions to address deteriorating loss ratios, such as hiking premiums; reducing coverage limits; increasing retentions; and requiring incident response plans, employee training and better controls in the areas of data segregation, access and backup. We are also seeing the return of sublimits on first-party coverages, a trend that is expected to continue.
As cybercrime has skewed away from commoditizing personal information on the dark web to pursuing more targeted and lucrative extortion methods, the pain has been felt by organizations of all sizes. As a result, cyber insurance has become an indispensable part of the risk management equation.
Steve Robinson is national cyber practice leader at Risk Placement Services. To learn more about the cyber insurance market, read the full white paper: The Evolution of the Cyber Insurance Market: Welcome to the Teenage Years.