Increasing cybercrime incidents leading to large losses – combined with some operators withdrawing from writing coverage – are driving cyber insurance premiums significantly higher.
Once a diversifying secondary line and policy endorsement, cyber has become a primary component of all companies' risk management and insurance purchasing decisions. As a result, insurers need to review their appetite for hazard, risk controls, modeling, stress testing and pricing.
According to AM Best, the outlook for the cyber insurance market is "gloomy" for several reasons:
- Rapid growth in exposure without adequate risk controls,
- Growing sophistication of cybercriminals and
- The cascading effects of cyber risks and a lack of geographical or commercial boundaries.
While the industry is well capitalized, AM Best says that individual insurance companies that venture into cyber without fully understanding the market can put themselves in a vulnerable position.
"The cyber insurance industry is experiencing a perfect storm between widespread technology risk, increased regulations, increased criminal activity and carriers withdrawing coverage," according to Joshua Motta, co-founder and CEO of Coalition, a San Francisco-based cyber insurance and security company. "We have seen many operators sublimit ransomware coverage, add coinsurance or add exclusions."
Exacerbated since the pandemic
A recent Willis Towers Watson study found that primary and surplus cyber renewals are, on average, seeing premium increases "far into the double digits." One factor helping to drive these increases, Willis writes, is the sudden shift toward teleworking on potentially less secure networks and hardware during the pandemic, which has made organizations more vulnerable to phishing and hacking.
The average cost of a data breach increased year-on-year in 2021 from $3.86 million to $4.24 million, according to a new report from IBM and the Ponemon Institute – the highest in the 17 years this report has been published. The costs were highest in the United States, where the average cost of a data breach was $9.05 million, an increase from $8.64 million in 2020, driven by a complex regulatory framework that can vary from state to state, especially for reporting infringements.
The top five industries for average total cost were:
For healthcare, the average total cost increased by 29.5 percent from $7.13 million in 2020 to $9.23 million in 2021.
Since the turn of the year, cyber insurance rates have increased by 7 percent for small businesses, according to AdvisorSmith Solutions. For medium-sized and large companies, said AdvisorSmith, the increases were close to 20 percent.
AIG said last month that it is tightening the terms of its cyber insurance, noting that its own premium rates are rising nearly 40 percent globally, with the largest increase in North America.
"We continue to carefully reduce cyberbullying and have stricter conditions for dealing with growing cyber-loss trends, the growing threat associated with ransomware and cyber-risk systems in general," said CEO Peter Zaffino on a conference call with analysts.
In May, AXA announced that it would stop writing cyber policies in France that reimburse customers for extortion payments made to ransomware criminals. In a ransomware attack, hackers use software to block access to the victim's own data and demand payment to restore access.
The FBI warns against paying ransom, but studies have shown that business leaders today pay a lot in hopes of getting their data back. An IBM survey of 600 U.S. executives found that 70 percent had paid a ransom to regain access to their business files. Of the companies that responded, almost half have paid more than $10,000 and 20 percent have paid more than $40,000.
Two advisories issued last year by US financial authorities – the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) – indicated that companies that pay ransom or facilitate such payments may be subject to federal penalties. These advisories underscore companies' need to consult with knowledgeable, reputable professionals long before an attack occurs and before making any payments.
More like terror than flood
Cyber risk is unlike flood and fire, for which insurance companies have decades of data to help them accurately measure and price policies. Cyber threats are relatively new and are constantly evolving. The presence of malicious intent gives them more in common with terrorism than with natural disasters. Insurers and policyholders need to be partners in mitigating these risks by constantly improving data hygiene, sharing intelligence and being clear about coverage and its limits.