Global cyber insurance pricing has increased 32% as insurers continue to grapple with increasing cyber risks, according to a new report from international insurance broker Howden.
The report, titled Cyber Insurance: A Hard Reset, examines how three key factors are driving today’s cyber insurance market – rampant ransomware attacks, higher rates and changing regulations.
Ransomware is now the predominant cyber threat confronting businesses of all sizes, according to Howden. The number of ransomware attacks worldwide spiked by 170% between Q1 of 2019 and Q4 of 2020, and the severity of incidents has been increasing as well.
For US companies that decided to pay a ransom in the first quarter of 2021, the average payment was up more than 400% from FY2019. The average cost of ransomware remediation has also increased, rising to US$1.85 million this year from US$700,000 in 2020. Average remediation costs in several major markets, including the US, now exceed US$2 million, according to the report.
The availability of accessible and relatively low-cost ransomware kits, or ransomware-as-a-service (RaaS), combined with a new strategy that involves both data encryption and the publication of stolen data, known as double extortion, has caused the frequency and severity of ransomware attacks to skyrocket, Howden said.
These factors have driven the largest medium-term rate hike across the entire insurance market as carriers scramble to get ahead of rising loss costs. Global cyber insurance pricing spiked by 32% on average between June 2020 and June 2021, Howden found. That’s on the back of a 50% rise since data tracking began. Insurers are also demanding stronger cyber resilience from businesses and are only willing to deploy capacity if they are satisfied with companies’ risk management frameworks, the report found.
“Cyber risk has undergone multiple episodes of change and development in its relatively short history, but nothing quite so impactful and fundamental as the events over the last year,” said Shay Simkin, head of cyber at Howden. “COVID-19 and all of its attendant effects on technology adoption and cybersecurity, combined with independent or connected changes to the loss environment, has added a big dose of complexity into an already complicated risk landscape.”
Simkin said that the cyber insurance market is being driven by an imbalance of demand and supply, “which shows no sign of relenting anytime soon.”
“Claims are up, capacity is down, and underwriting profitability is, at best, under pressure,” Simkin said. “The impact on insurance buyers is stark; the importance of being prepared for a cyber attack has never been clearer. With insurers now demanding markedly higher cybersecurity standards before deploying capacity, businesses need analytical solutions designed specifically for them, combined with focused, expert intermediation to help them secure the coverage that meets their needs.”
Other key findings of the report include:
Until recently, cyber has been a lucrative business for reinsurers, and the market has grown quite a bit over the last five years. Gross written premium (GWP) has more than doubled since 2016, outstripping the broader P&C commercial sectors. A similar growth rate is predicted for the global cyber market over the next few years, with GWP projected to approach US$20 billion by 2025, Howden reported.
The COVID-19 pandemic has amplified the risks associated with cyber and revealed pre-existing vulnerabilities. While businesses are investing in data and cloud security to deal with the changes brought about by the pandemic, such as the proliferation of remote work and accelerated digitalization, cyber criminals are often one step ahead of them, Howden found. The report said that cyber criminals have exploited interest in and concerns about the pandemic to entice users to click on malicious links or attachments. Delays in breach discovery due to a reduction in on-site staff have exacerbated the issue.
Preparation is the best solution for any cyber incident, Howden said. The company said that superior mitigation and response measures can support shareholder value and minimize reputational risks in the event of a cyber attack. Unprepared companies, however, usually suffer disproportionate impacts that can lead to regulatory intervention or litigation.
“The clear takeaways to emerge from our study are simple: planning and investment in cybersecurity and incident response is money well spent,” Howden noted.