As more and more big names are breached or hit with nasty ransomware strains, businesses are coming around to the realization that there can be severe financial consequences for organizations that don’t attempt to factor risk-sharing insurance strategies into their risk management process.
As a result, insurers began providing cyber insurance to corporate clients — creating the cyber insurance market. Like any new insurance market, there have been growing pains as both insurers and policyholders adjust to the constantly evolving dynamics of the current threat landscape. Insurance providers have had to take on increased risk with ransomware attacks on the rise, the ever-increasing cost of data breaches, and the changing regulatory landscape.
These risks are further compounded by the lack of visibility into the cybersecurity performance of their client. Without insight into how well the insured are protecting their infrastructure, it’s extremely difficult for insurance providers to properly gauge the risk of providing an insurance policy. Providers are then forced to mitigate this increased risk by increasing premium prices, excluding ransom demand coverage from future policies, and reinsuring their own policies to offset the risk to other insurers. These issues make the navigation of the current cyber insurance market daunting for businesses looking to purchase insurance as well as for existing insurance firms to wade into the market.
Overall Industry Trends
Like most new industries, cyber insurance has been a rapidly changing marketplace. Growing pains make it difficult to accurately predict what lies ahead, but by understanding the recent trends in the industry, we can make educated guesses about what consumers want today and in the near future. The three primary forces impacting the industry are:
- Rising direct written premiums
- Insurers are increasingly relying on reinsurance to mitigate risks
- Changes in the regulatory landscape causing market uncertainty
The first trend is, of course, the surging price of insurance premiums. In the face of increasing cyber threats over the past few years, demand for cybersecurity insurance coverage has shot up after strings of high-profile data breaches have cost businesses millions of dollars. C-suite executives have been pressured to answer the call to mitigate risk in the wake of attacks against marketplace giants. According to a Harvard Business Review article by Tom Johansmeyer, recent high-profile cyberattacks have driven executives to explore acquiring cyber insurance, though the financial hardships of COVID-19 have caused that to become a difficult expense to justify for industries who have struggled in recent years. He also concludes that “while more attacks could stimulate demand, they also create a supply problem, making insurers warier of providing coverage and reinsurers (who provide insurance for insurance providers) less interested in backing cyber liabilities.”
Another trend of late has been the increase in cyber insurance providers relying on reinsurance — the practice of insurance providers mitigating risk by ensuring the policy that they are providing to the customer with a third-party insurer in exchange for a cut of the premiums — to offset the risk imposed by cyberattacks. As noted by Johansmeyer, with the market volatilities of the last two years, insurers have become warier of committing resources to businesses seeking cyber insurance without the backing of a reinsurer. While the industry grapples with the rise in ransomware attacks identified by security researchers everywhere, premiums and reinsurance are soaring as the cyber insurance market adjusts to the increased risk.
Finally, there is increasing uncertainty about the state of the regulatory landscape and how that will affect markets. With multiple US states now adopting and enacting new laws protecting customers’ privacy and data, more states will follow in the coming months and years. These laws may bring big changes to the insurance markets as more companies are being held to stricter standards and regulations, causing their premiums may go up in accordance with the backlash they may face if found not abiding by these new laws. While these new laws are beneficial for the customer, the exact details of how a company will protect itself — and its customers — are not set in stone just yet.
Rising Premiums
Over the past several years, one thing has become clear; insurance premiums are rising. According to an analysis by Fitch Ratings, after only modest direct written premium (DWP) growth from 2016-2019, premium growth sharply increased in 2020 and looks poised to continue increasing into 2021. In their analysis of cybersecurity insurance filings in statutory financial statements, Fitch estimates that “Industry DWP for cyber coverage in standalone and package policies increased by over 22% in 2020 to approximately $2.7 billion.” If we look at the historical data provided, cyber insurance has been a rapidly evolving marketplace, with revenue from direct written premiums almost tripling since 2015.
A significant contributor to the recent trends in cyber insurance pricing can be attributed to a surge in ransomware attacks. Over the last year, security researchers have found that ransomware attacks have increased by over 150% and resulted in a string of high-profile attacks against government agencies, critical infrastructure, and private businesses. The research also indicates that there has also been a drastic increase in the average ransomware payment by victims, to the tune of a 290% increase according to a report published by the Howden Group. This means that we are seeing both a rise in frequency as well as the severity of ransomware attacks on consumers, businesses, and public entities alike. The most notable example of late is the Colonial Pipeline ransomware attack which occurred because leadership repeatedly failed to address identified security flaws or to implement a program that encouraged good cyber hygiene practices. As a result, Colonial Pipeline paid the $5 million ransom against the advice of law enforcement and security experts. Another disastrous attack occurred only a month after the Colonial Pipeline incident when the meatpacking company JBS USA announced that they paid an $11 million ransom after ransomware halted their North American and Australian operations. The Russian ransomware-for-hire syndicate REvil was attributed to the attack, and facing the consequences of meat supply chain shortages, JBS felt pressured into paying the ransom.
Some cyber insurance experts conclude that these attacks directly correlate with the rise in insurance premiums since it’s usually insurance providers who are left holding the bag in situations like these. Insurance companies have reported that their gross written premiums have increased by as much as 40% in the wake of these ransomware attacks. Intuitively, this makes sense; an increase in ransomware attacks will naturally result in an increase in cyber insurance claims, which increases the risk for providers, which then results in an increase in written premiums. However, there is some room for optimism here; cybersecurity insurance provider Aon indicated in their Q2 2021 Global Market Insights report that pricing increases are decelerating as increased capacity has flown into the market and as the combination of rising deductibles and reinsurance has helped offset risk.
How Performance Impacts Premium Costs
The largest contributor to what determines the cost of insurance coverage in cybersecurity is always going to be the risk profile of the policyholder and the risk appetite of the insurance provider. Policyholders with a weaker risk management program represent a higher risk to insurance providers, driving the cost of coverage up for all insurance holders. It, therefore, follows that organizations with a lower risk profile will pose less risk to insurance providers, which allows them to provide better rates. In terms of reducing risk, it’s all about risk management, cybersecurity performance management, and being able to demonstrate cybersecurity effectiveness and maturity.
Effectively tracking and managing cybersecurity performance is critical because it allows decision-makers to have the best possible understanding of the organization’s cybersecurity strengths and weaknesses, which, by allocating budget to improve the most impactful performance metrics, allows for more efficient cybersecurity spending and a more effective cybersecurity program overall. Additionally, being able to provide evidence of a strong continuous monitoring program goes a long way in proving to an insurance provider that the organization has a strong cybersecurity culture focused on continuous improvement. That kind of information during a risk assessment is invaluable in proving cybersecurity performance and in reducing risk, which in turn reduces insurance premiums.
Relying on Reinsurance to Mitigate Risks
With the larger risk profile cyber insurance providers are taking on board, they have looked for ways to mitigate the inherent risk in the industry. Policy providers can offset the risk presented by a particular policy by ensuring the policy with another insurance provider, essentially obtaining insurance on the policy that they provide to the customer in return for a percentage of the premiums. In the event that a policyholder suffers a cyberattack and files a claim with the primary insurance provider, they, in turn, would file a claim with their reinsurer to offset the cost of damages presented in the insurance payout. While this reduces the amount of direct written premiums for the primary policy provider, they can mitigate the risk by diversifying their risk profile by increasing their overall capacity of policies. Specialized businesses have even cropped up surrounding the reinsurance market, which specializes in partnering with primary insurers to provide risk-sharing capabilities and to solve gaps in coverage.
With all that said, it’s important to remember that premium rate hikes cut both ways; reinsurers are also increasing their written premiums in the face of increasing risk, which increases the cost for the primary insurer and results in higher prices for the consumer. Some security experts are concerned about the sustainability of the cyber insurance market given that:
- Ransomware attacks are only expected to increase in frequency in the future.
- The price of ransom demands is increasing.
- Organizations continue to demonstrate neglect for security initiatives (such as Colonial Pipeline) and the general uncertainty that comes with the territory of providing insurance to an industry that is as rapidly evolving as cybersecurity.
Reinsurance helps mitigate those inherent risks by increasing the overall coverage pool and distributing the risk among several insurers, allowing for greater sustainability for the cyber insurance industry.
Market Research
Even before the COVID-19 pandemic, the changing environment of data storage and cloud coverage has been followed by the rapid growth of cyber insurance. Initially, cyber insurance was primarily designed for companies that hold data and, if that data got into the wrong hands, protection from the fallout. In Q1 of 2020, when companies and governments mandated telework and other remote possibilities, the once straightforward cyber insurance market had to pivot to adjust to new demands and coverage.
The umbrella for cyber insurance now covers more than just data breaches — ransomware attacks, malware incidents, and phishing — and will continue to expand into new frontiers as cybercriminals find new ways to infiltrate a company’s IT infrastructure. This changing market has caused an increase in cyber premiums, lower coverage limits, and implementation of cyber-specific policies.
According to the Government Accountability Office, insurance brokers saw an increase in pricing from 10-30% in late 2020 alone. And, in some instances, industries such as education and healthcare have had their coverage limits lowered in response to the actual price of a cyber-attack. In a report done by TDI, the average cost of a data breach for healthcare and education are $6.45 and $4.77 million, respectively. These numbers are much higher than the $2.64 million average costs of a cyber incident for a small to medium-sized business.
As insurance companies grapple with the ever-changing landscape of cyber warfare, so does the pricing. In a report by Embroker, insurance prices scale with the overall health and well-being of a company’s IT and security. For example, the size of the industry, amount of — and sensitivity — of data, and annual revenue all take part in formulating the insurance pricing. Even though some parts of that equation are not changeable, there are ways a company can reduce the price of its cyber insurance. The most important thing a company can do to lower their insurance is to bolster their security and manage their liabilities. This includes active training with current employees on the risks of phishing and scamming and identifying what to look out for possible attacks.
Changing Regulatory Landscape
Just as insurance companies are grappling with the changes to the cyber warfare field, the rapidly changing regulatory landscape creates additional headaches. On January 1st, 2020, California became the first state to introduce and start regulating a consumer privacy act. More than a dozen additional states have followed suit — making businesses implement more reasonable security measures to safeguard their customers’ and internal data. With a mandated increase in security, companies have to deal with the rising costs of keeping that data secure. Moreover, the rising costs directly relate to rising premiums on the cyber insurance front.
As additional states will follow California’s lead, we will quickly see it becoming the norm rather than the outlier of having privacy laws. In addition, even if a company is based in State A, they must adhere to State B’s consumer privacy act if they have a certain amount of customers present in State B. That is to say, an individual state’s privacy act goes well beyond their own border — for both the company and the consumer.
In addition, the recent executive order signed by President Biden pushes for greater collaboration between the federal and private companies on cyber threats. The executive order will primarily do two things: change the policy on current cyber threat reporting and assessment and remove barriers to sharing threat information between private and public sectors. Overall, it will bolster the US’ cybersecurity technology and infrastructure, directly through advancements in federal entities, but also through increased collaboration with the private sector.
Closing Thoughts
The growing cyber insurance industry is being fueled by a massive increase in ransomware and the pandemic-induced shift towards a more remote workforce. The lack of visibility insurance providers have into the security posture of their policyholders is especially problematic for cyber insurance providers since it prevents them from having a realistic understanding of the risk they are taking on.
There are tools and programs that are beginning to emerge that can provide this critical insight into client cybersecurity performance, but widespread adoption is not here. The future of the industry depends on these tools that can collect data on the internal performance of an organization. This data informs risk and premiums as well as helps the policyholder understand their gaps and the path to advance and mature on their cybersecurity journey.
