Published March 15, 2023
Author: Ash Khan

Cyber insurance companies are losing money. Their loss ratios – total claims plus the insurer’s expenses divided by total premiums received. These are now routinely around 60%, posing an existential danger to the insurance sector. Moreover, potentially renders cyber risk uninsurable owing to diminishing profitability.

 

The insurance industry is combating its losses by raising rates. Which have now increased by 94% between 2019 and 2022, producing the false appearance that the industry is growing. The industry is witnessing increasing income from higher premiums rather than rising take-up rates or expanded coverage. This sudden increase in premiums is due to an increase in ransomware assaults.

 

Creating a market

 

As compared to other types of insurance, cyber insurance remains a very uncertain market, especially given the ever-changing threat scenario. Before 2016, cyber insurance was considered an optional add-on for organizations with increased IT security risks. Moreover, with fewer legal implications for data breaches (i.e. GDPR standards) and significantly less understanding or awareness of cyber dangers.

Nonetheless, the frequency and expense of cyber-attacks have increased dramatically in the last five years.

In 2016-17, attack numbers increased, as did the prominence and magnitude of events. It was due to the development of notable viruses such as WannaCry and NotPetya. Numerous high-profile private sector businesses, including Uber and Equifax, fell prey to the assaults.

Several high-profile cases (such as British Airlines, Facebook, and Marriott) in 2018 led to an increase in cyber insurance demand, thereby boosting the market.

 

The advent of ransomware marked a key year for the cyber insurance business in 2020. Which is now experiencing an unparalleled rate of assault. With insurers’ average loss ratio reaching 66.9%, cyber insurance has lost its reputation as a more profitable line of insurance.

The cost of ransomware alone climbed from $416 million in 2020 to over $1.2 billion in 2021. Thus placing substantial strain on cyber-insurers’ profitability and raising their loss ratios according to FinCEN (the US financial crimes bureau).

 

The worldwide cyber insurance industry is expected to increase from $12 billion to $60 billion in the next ten years. Most of such a rise is attributable to premium rate hikes rather than higher take-up rates or coverage expansion.

 

 

Although insurers want to reassure us that the market is beginning to stabilize as it grows. However, some are predicting a major fall or the “imminent demise” of cyber insurance as we know it (like Forbes).

Future of cyber insurance

Merck & Co and Mondelez vs Zurich were two key cyber insurance cases concluded in 2022. Both are linked to the 2017 NotPetya malware assault. Which was carried out by Russia’s military intelligence service as part of the conflict with Ukraine. The former resulted in a $1.4 billion victory for Merck. The Mondelez case was resolved behind closed doors, presumably indicating a less favorable settlement that fell short of Mondelez’s objectives.

Both lawsuits were based on the claim of an “act of war” provision. As an example, Merck’s policy excluded “hostile or warlike activity.” However, the court agreed with Merck’s defense that this exclusion applies only during a recognized conflict involving military forces.

While many hailed these results as a victory for consumers. The fact is that insurance firms are rising prices and limiting terms to recoup their expenditures in future years.

AIG reports a more than 40% increase in cyber premiums, noting that it is “obtaining tougher terms and conditions to meet escalating cyber loss patterns” like Lloyds.

They stated losses have the potential to considerably surpass what the insurance industry can sustain. They also emphasized the importance of more “strong” language in policy provisions to exclude cyber-attack risk coming both from war and non-war state-backed cyber-attacks to decrease exposure. These explanations show insurers’ persistent determination to contest similar claims in the future.

Cyber Insurers New Policy

Even if an organization can pay increasingly high cyber premiums the compensation claim procedure can be lengthy and complicated.

Businesses must also implement an ever-increasing set of security measures in a changing regulatory landscape to qualify for coverage, including:

  1. Banks and financial regulators must make stricter expectations.
  2. New cybersecurity frameworks (for example, NIST framework updates)
  3. The Information Commissioner’s Office has issued new advice (ICO)

 

Insurers now want a lot more information about how businesses monitor and manage their day-to-day cybersecurity operations. This includes minimum criteria for multi-factor authentication (MFA) and endpoint detection and response (EDR).

Auditors Higher-level evidence of employee training, vulnerability scans, and monitoring system logs, according to Grant Thornton, will be continuous requirements.

Managing cyber risk exposure can’t be based solely on insurance in an era of geopolitical uncertainty, skyrocketing rates, and compliance issues.

Reconsidering cyber insurance

It might be intimidating to have no coverage. But eliminating the apparent safety net of insurance may be exactly what businesses require – a wake-up call to make their operations more secure.

Not by ticking compliance boxes or depending on minimum standard yearly testing to satisfy insurers, but by building measures that make their organization more robust to assault.

This is not to imply that cyber insurance is a waste of money as it is an additional layer of risk mitigation.

Yet, many businesses are rethinking the purpose of cyber insurance and whether to renew their coverage in 2023 and beyond.

Security team recommendations

 

While many businesses may or may not choose to renew their cyber insurance coverage in 2023. They must reinvest in their cyber defense capabilities.

They must guarantee that any possible breach effect is minimized. Organizations must accept that compromise is unavoidable and plan appropriately.

Whatever changes occur in the cyber insurance market, organizations must develop confidence in their capacity to avoid, detect, respond to, and recover from cyber assaults by going beyond compliance.

Organizations must be certain, at the very least, that:

  1. Backups have been thoroughly tested to verify that recovery is both viable and practicable.
  2. By efficient identity and access control and network segmentation, the ‘blast radius’ has been reduced in the event of a compromise.
  3. To provide operational resilience, a well-established recovery plan has been devised and tested against event scenarios, and contingencies for important business services are in place.

 

Those organizations that choose not to get cyber risk insurance must guarantee that they have strong security policies in place. As for insurers, they must work hard to maintain reasonable rates while minimizing their loss ratios.