U.S. insurers are reevaluating their approach to cybersecurity cover as increasingly common ransomware attacks push premiums higher and ratchet up demand for coverage.
The frequency of ransomware events between 2018 and 2020 quadrupled, according to Rachel Rossini, underwriting manager for cyber for AXA XL, who said those events were "about 1,000% more severe."
According to a report from the CyberEdge Group, an IT research firm, 86.2% of organizations in the U.S. experienced at least one cyberattack in 2021, up from 80.7% a year earlier. Rossini said this rise in ransomware attacks has led to Axa XL "re-underwriting our entire book" as the company gets in tune with their clients' cybersecurity needs.
The higher-risk environment has resulted in written premiums for all cyber policies jumping to $4.83 billion in 2021, a 74% year-over-year increase from $2.77 billion in 2020, according to an S&P Global Market Intelligence analysis. Premiums for stand-alone cyber policies spiked 92.3% to $3.15 billion in 2021 from $1.64 billion in the prior year, while cyber coverage included in policy packages spiked 47.6% to $1.68 billion from $1.14 billion in 2020.
Rossini said rate increases in 2022 have averaged "above 100%" compared with 2021, increases that were not necessarily spurred simply by higher demand.
"It has more to do with just the supply and the willingness of insurers to put up limits and the amount of premium we need to charge for it to sustain the losses we've been seeing," Rossini said.
Bob Wice, Beazley PLC's head of underwriting management for cyber, said the premium surge began after the market started to change due to a drop in capacity in late 2020.
"Insurers were starting to realize that they were getting hit in a way that they'd never been before with these types of ransomware events," Wice said in an interview. "So pricing and demand were up because there were a lot of public reports about organizations getting hit with ransomware attacks."
The cyber market continues to wrestle with "unsustainable" rates and an influx of new, inexperienced carriers, Rossini said, adding that there was a lack of "nuanced underwriting" in the market.
Cyber premium prices increased by an average of 27.5% in the first quarter, according to a report from the Council of Insurance Agents and Brokers. The report also cites an analysis by the Computing Technology Industry Association, which found that the cost of cyber claims increased by 10% in 2021, and the average cost for a data breach came in at more than $4 million.
Ukraine war impact
An increase in Russia-based cyberattacks is one of the outgrowths of the invasion of Ukraine. A report published by Microsoft Corp. said it detected 128 organizations in 42 countries other than Ukraine that were subjected to Russian network intrusion efforts, with the U.S. as the top target.
Microsoft President Brad Smith said in the report's introduction that while governments have been the primary targets for Russian entities, they have also focused on think tanks, humanitarian organizations, IT firms and critical infrastructure suppliers. The attacks Microsoft monitored had a 29% success rate, but that number "likely understates the degree of Russian success," Smith said.
The war has not had a serious effect on claims for AXA XL, which is the third-largest cyber insurer in the U.S., behind Chubb Ltd. and Fairfax Financial Holdings Ltd. and ahead of Tokio Marine Holdings Inc. and American International Group Inc. Even still, Rossini said the company has taken "proactive underwriting actions" such as network segregation to ensure that any action taken against one network does not affect others around the world.
"A lot of our clients that have shut down a lot of their operations in Russia or Ukraine ... have been winding down as a result of the war, which is unfortunate," Rossini said.
Small business security
Ransomware attacks have not been limited to large organizations. Richard Clarke, chief insurance officer for Colonial Surety Co., said the concern for underwriters for small businesses is how well they know their customers and how those businesses authenticate potential access to their computers, networks and systems. Smaller businesses might be a bit less equipped to deal with ransomware cyber extortion, Clarke said.
After years of thinking they could stay under the radar as far as exposure to cybercrime goes, Clarke said small businesses are changing their attitudes, and demand for insurance and increased network security is rising.
"I think every business tries to put a cost-benefit factor on the premium versus their perception of the exposure," Clarke said in an interview, adding that the premiums must be balanced against a business owner's perception of exposure.
"The aim is to get to the point where the small business owner will say, 'Yeah, I don't think that's such an unreasonable cost for that insurance protection.'"