Cyber insurers are charging more for coverage and being more cautious with their underwriting because of a sharp uptick in the frequency and severity of ransomware claims, according to several underwriters and brokers. The sharp rise in claims may even push some insurers out of the cyber market.
Paul Bantick, head of global cyber and technology at Lloyd's of London insurer Beazley PLC, said in an interview that cyber insurance prices had hovered between flat and increases of 5% over the past two years. But recently, increases ranging from 15% to 25% are "becoming more and more common," he said, and that is widely expected to continue through 2021.
Bob Parisi, U.S. cyber product leader at Marsh & McLennan Cos. Inc.-owned broker Marsh LLC, said preliminary data for the third quarter showed that prices had increased by about 10.5% on average, following rises of 7% in the second quarter and 6% in the first quarter. The recent acceleration "is a material change in the pricing and I think it reflects those ransomware claims being paid," Parisi said in an interview.
A growing threat
Estimates of increases in ransomware attacks vary, but certain signs point to a large spike. Darren Thomson, head of cyber security strategy at cyber insurance analytics company CyberCube, said such attacks so far this year are 7x higher than what they were in 2019.
Although such a significant increase cannot solely be attributed to widespread adoption of working from home amid the coronavirus pandemic, that phenomenon has played a role. Ransomware often enters a company's systems through weak remote access points and virtual private networks. Johnty Mongan, cyber risk consultant at insurance broker Arthur J. Gallagher & Co.'s U.K. operation, said companies' rush to configure themselves for lockdowns "started to really amplify the problem of poorly configured remote working."
More attacks mean more insurance claims. Beazley saw a 239% increase in ransomware claims in 2019 compared with 2018, based on incidents reported to the insurer from U.S. middle-market and private enterprise companies with a Beazley Breach Response or InfoSec product. Severity is also increasing: The Beazley data shows ransomware payments in 2019 were 3x as large as 2018 payments, and the total costs of ransomware payments were up 228% over the same period.
"We are seeing a lot more ransom demands that are now reaching the hundreds of thousands and millions, where before it was more in the tens of thousands to hundreds of thousands," Laetitia Fouquet, global head of cyber at loss adjuster Charles Taylor Adjusting, said in an interview. She added that the largest ransomware demand she had seen, although it was not paid, was €30 million.
Cyber insurance programs often have layers of excess coverage that kick in once the primary layer has been exhausted. William Wright, a partner at Paragon International Insurance Brokers, said the lower excess layers would not previously have been triggered by ransomware. But now that claims bills are reaching £20 million or £30 million, "suddenly the excess layers are in play on a risk type that [the insurers] were never previously having to rate for or consider in the same way," he said. As a result, the biggest price changes are in the low excess layers.
The ransom payment is only part of the claims expense. Fouquet said the biggest costs are actually IT expenditures related to investigating, identifying and containing attacks, and then restoring systems. Business interruption claims for downtime after attacks are also making up an increasing amount of the overall bills. Fouquet said a majority of claims in June and July had a business interruption element. "We were not seeing that last year," she added.
A further concern is that attacks are becoming more targeted, sophisticated and vindictive. Instead of simply locking companies out of their systems and demanding a ransom to regain access, ransomware is increasingly siphoning off data, which cyber criminals can threaten to release either to put more pressure on victims to pay the ransom or to extort even more money. According to the Coveware ransomware report for the second quarter, data was exfiltrated in 22% of ransomware incidents, compared with 8.7% in the first quarter.
Wright said the combination of ransom and data theft, plus rising ransom demands, is "like the worst of all worlds" for insurers and policyholders. "You only need two or three of those claims at that type of payout amount to happen for the market to suddenly find themselves feeling a little bit in hot water," he said.
No end in sight
Pricing is only part of insurers' response to the growing ransomware problem. Underwriters have started to introduce specific ransomware question sets during the underwriting process. Policyholders giving satisfactory answers are likely to be rewarded with flat premiums rather than discounts.
"There is no talk anywhere about reducing premiums because of good risk management," Mongan said.
Insurers may even try to cap ransomware payouts available under cyber policies using sublimits. Wright said "a couple" of companies had tried to introduce such sublimits but brokers were "not going to accept that."
The surge in ransomware claims could prompt some insurers with small cyber books to bow out of the market. While declining to name companies that are exiting, Bantick said the industry is indeed seeing capacity decline.
Parisi said "at least one carrier" operating at the small end of the market serving small to medium-sized companies had left the market. His view on capacity, however, is that it remains stable. Wright acknowledged that some companies will cut capacity "at some point" but argued that such moves "won't hurt the market at all."
Even so, there is little sign of ransomware claims abating. Parisi said there was a 400% increase in ransomware attacks in 2019 compared with 2018, but a 200% increase in claims, indicating a lag. Eventually claims will accelerate, he said.
"I think we are just at the beginning of the wave," Wright added.