All eyes are on cyber insurance. It is the celebrity of the commercial insurance market, grabbing headlines worldwide with an equal mixture of excitement and scandal. It is always evolving and is attractive to intellectual minds – both lawful and criminal – because of its complexity, its constant evolution, and its seat on the cutting edge of digital innovation.
In recent years, most cyber insurance headlines have focused on ransomware. This variation of malware allows hackers to lock businesses or individuals out of their systems until they pay a ransom, often in cryptocurrency. In the past few years, there has been a significant uptick in the frequency and severity of ransomware attacks, impacting businesses of all sizes and in all sectors.
Several factors have contributed to the surge in ransomware incidents, including the COVID-19 pandemic and the mass scramble to shift entire workforces to a remote set-up with continued access to corporate networks.
The emergence of ransomware-as-a-service (RaaS) has also played a part. With RaaS, criminals can purchase ready-made and relatively cheap malware on the dark web, which they can then use to target victims with either a ‘spray and pray’ or a more targeted approach. Some hackers are using more sophisticated strategies, such as double and triple extortion campaigns, to ensure their ransomware attacks generate as much financial gain as possible.
The greater the loss, the catchier the headline: BUSINESS PAYS US$40 MILLION CYBER RANSOM – that’s certainly going to score a few clicks, and it keeps all eyes on cyber insurance because US$40 million is no small sum.
The surge in ransomware attacks has, in turn, equated to some very severe cyber insurance claims, ruining the loss ratio of the industry, and forcing insurers to respond by increasing premiums, restricting capacity, and introducing strict underwriting and risk management requirements.
Essentially, cyber insurers have had to make “corrections” to their strategies, which typically bring long-term benefits but short-term stress for insureds. That has kept the industry in the headlines even more. Consider reading this: DISTRICT SCHOOL BOARD REPORTS WHOPPING 334% INCREASE IN CYBER INSURANCE PREMIUM. That was an actual headline in the United States in January this year.
Before cyber insurance, a 300% rate increase was pretty much unheard of. It’s no wonder that this was picked up by mainstream news reporters, versus 5-10% premium increases in other lines of commercial insurance.
Now, the cyber insurance market is showing signs of stabilisation after two years of extreme volatility – but there are always new risks to contend with. When Russia invaded Ukraine in February 2022, there was a general expectation that the conflict could lead to a rise in state-backed cyberattacks, not just in eastern Europe but in countries around the world depending on their allegiance.
This resulted in yet another headline-grabbing moment for cyber insurance, when Lloyd’s of London released a new cyber mandate that will require its insurance groups to exclude “catastrophic” nation state cyberattacks from stand-alone cyber insurance policies from March 31, 2023.
This move by the world’s oldest insurance marketplace is meant to ensure that cyber insurers are clearly stating what they will and will not cover. It reflects a growing trend in the market to tighten the terms and conditions in cyber insurance policies in response to the ever-evolving nature of the cyber risk landscape, the rising cost of ransomware, and increasingly rigorous regulatory controls worldwide.
The Lloyd’s announcement – not the first time the market has forced participants to provide clarity on cyber exposures – has caused a flurry of feedback from the industry, with many expressing concerns over the issue of attribution for cyberattacks, and the difficulty of determining whether an attack is nation-state backed or just a criminal group affiliated with a nation.
I’m not surprised Lloyd’s has made this move, considering the current state of the cyber insurance market and the major geopolitical volatility, but I really don’t expect to see too many headlines along the lines of: UTILITY GIANT FALLS PREY TO STATE-BACKED CYBERATTACK. Therefore, I don’t expect this move to have too great of an impact. Rather, I think it is simply a timely “tidying up” of the wording in cyber insurance policies.
I would be remiss if I didn’t acknowledge some more positive headlines in cyber insurance. First: THE CYBER INSURANCE MARKET IS GROWING RAPIDLY. Fitch Ratings recently estimated the cyber insurance industry has US$8 billion to US$10 billion in gross written premium, and is expected to reach up to US$22.5 billion by 2025, as demand for coverage expands with recognition of threats.
Second: INNOVATION IS RIFE IN CYBER INSURANCE. Yes, threat actors are constantly changing their tactics, but cyber insurers are responding with equal gusto. The amount of progression the industry has made in the past five years around cyber risk mitigation, security controls, network scanning and defence tools, and around policy wording and pricing is just astounding.
It always feels like cyber criminals are one step ahead of the game. That’s one of the reasons why cyber insurance has this celebrity-like status. It’s always in the spotlight because there’s always a new threat or risk for insurers to contend with – but all in all, I believe the market’s doing a great job.