In today’s rapidly evolving cybersecurity landscape, one threat has reached epidemic status: ransomware, or software that encrypts a victim’s data until a ransom is paid. Ransomware currently accounts for up to 40% of cyber insurance claims, according to Resilience Insurance’s Chief Underwriting Officer, CJ Pruzinsky.
“It continues to get worse, not only in frequency, but also in the demands themselves, which have gone from four- or five-figure sums to multimillion-dollar amounts,” Pruzinsky says.
Last year, ransomware attacks grew sevenfold from 2019, according to Mike Wilson, founder and chief technology officer of cybersecurity firm Enzoic. And according to IBM Security, the average cost of a data breach, many of which are caused by ransomware, hit $3.86 million in 2020.
“The impact of ransomware is debilitating, and it’s hurting companies of all sizes,” Shawn Ram, head of insurance at Coalition, told IBA in January. “I think if you solve ransomware today, you solve cyber risk. It’s the most prominent issue we’re dealing with.”
Like much that currently ails society, last year’s increase in ransomware can be largely attributed to COVID-19. The rapid onset of the pandemic forced companies to scramble to empower their workforces with the technology they needed to work remotely. Malevolent actors pounced on badly configured networks to launch ransomware and other cyberattacks.
The risks are especially grave for small and medium-sized enterprises, 69% of which still lack cyber insurance, according to a 2020 survey by cyber insurer Cyberscout. The survey also found that 51% of SMEs in the US did not have an ongoing training program on cybersecurity best practices – and 14% said they do not follow any cybersecurity measures for remote work, leaving the door wide open for cybercriminals.
“When you have a large percentage of the population working from home, when more individuals are using their own devices to log into a network, and when you have IT departments that have had to scramble in order to enable employees to work remotely, we’ve certainly seen adversaries exploit these tendencies,” Ram says. “Twenty-twenty was the perfect storm. Ransomware was a prominent topic in 2019 as well; it’s just grown in significance because of the proliferation of all of these things coming together at the same time.”
In addition, companies often have large gaps between their perceptions of cyber risks and the reality. A study by Hanover Insurance Group and Zogby Analytics in early 2020 found that nearly 70% of businesses considered breaches of personally identifiable information (PII) a top concern, yet only 19% of respondents had experienced such a breach in the previous year. Likewise, just 11% of businesses were concerned about supply chain risks – one of the fastest-growing cyber threats today.
In 2021, Wilson expects not much will change in the cybersecurity landscape. He predicts one or two major companies will be hit with ransomware attacks and that susceptibility to such attacks will start to be considered in company valuations. He also believes the continued adoption of the Internet of Things (IoT) and remote working will bring heightened risks, as will the ongoing migration of data and services to the cloud.
State of the market
Not surprisingly, these compounding risks have been a boon for the cyber insurance market, which stood at $7 billion in 2020 and is expected to balloon to $20 billion by 2025, according to a recent report from Munich Re.
Yet the fast-evolving risk landscape has also taken a toll on cyber insurers, who have reduced their limits in the face of shrinking market capacity. At the same time, reinsurance capacity is becoming more expensive, and cyber terms are tightening. Michael Palotay, chief underwriting officer for Tokio Marine HCC’s Cyber & Professional Lines Group, told IBA in February that a number of cyber insurance carriers, including Lloyd’s carriers, are currently pulling out of the market due to these obstacles – and he predicts this trend will continue into 2021.
As a result, cyber insurers are being more selective when taking on insureds and determining what risk mitigation controls are in place. When a company hasn’t been able to buy cyber insurance because they didn’t have enough security controls, Palotay says his organization has seen them implement the necessary precautions, such as cloud-based backups, multi-factor authentication and endpoint security.
“Insureds are motivated because they see a difference in their product and policy rates,” he says. “Most companies do not want to remain vulnerable, so we are trying to do our part to help our insureds stay safe.”
What brokers want
So what are brokers looking for in a comprehensive cyber policy for their clients? Eighty-five percent of the brokers surveyed by IBA said first-party coverage is the most important element in a cyber policy, while 75% identified third-party coverage as the key element.
When it comes to the service that accompanies cyber policies, 63% of brokers said claims processing and payments were key, while 56% highlighted both underwriting expertise and access to risk mitigation partners as crucial. Pricing isn’t as important in the cyber insurance arena – only 38% of brokers listed price as the most important factor when selecting a cyber policy.
One of brokers’ top concerns in the cyber insurance space is the lack of capacity. One broker told IBA that “there is need for excess capacity in the national account space, as insureds are constantly considering higher limits due to the increased severity and frequency of breaches; this type of behavior will trickle down to the larger middle-market segment.”
Another broker added that cyber carriers “are all doing a really good job covering the customers’ exposures and pointing out the weakness areas in their systems, [but] we need to begin writing real limits and pricing for issues that are not being addressed with current policies, [such as] dependent business interruption and IoT/property/product liability issues.”
Brokers also expressed a wish for insurers to step up their educational efforts. “The insurance industry has done a really poor job on educating brokers and, more importantly, clients about how important the coverage is, how great the risk is and how comprehensive the coverage can be if properly placed,” one respondent said. Another noted that the industry needs to be “educating non-tech businesses on their exposures.”
Underwriting was one area where brokers were generally pleased with their cyber insurers. “Through AI and scanning, they’ve been able to identify weaknesses and enhance underwriting,” one broker said of their cyber insurer. However, another wished cyber underwriters could “be more specific with the subjectives that they require to bond.”
Finally, brokers continue to expect innovation from their cyber insurers, in line with the constantly evolving threat landscape. Among their wishes were “easier-to-read policies,” “more robust pre-breach and post-breach services,” and “continued expansion of new coverages specific to cyber.” One broker also mentioned the need for more personal cyber coverage options: “Personal cyber seems to be a growing concern with so many high-profile breaches. It is starting to catch attention for people to protect themselves more.”