As the cyber risk environment evolves from occasional data theft to rampant extortion, cybersecurity experts believe that the current cyber insurance model – where policies are easily accessible – is ripe for a change.
This comes as several insurance providers have decreased coverage and pushed up rates in recent years as a surge in ransomware attacks have left them smarting from hefty payouts.
One of these insurers, Lloyd’s of London, which accounts for almost a fifth of the global cyber insurance market, has reportedly discouraged its syndicate from taking cyber business next year, according to Reuters.
“Cyber insurance was only ever meant to be for a novel, an unforeseen catastrophic event,” Jess Burn, senior analyst at advisory firm Forrester, told SC Magazine. “When things like ransomware were limited to someone’s grandmother on their old PC, that was a license to print money. But now that music has absolutely stopped and they're reeling from those losses.”
Data from market intelligence firm S&P Global has shown that the loss ratio from cyber insurance has risen in recent years. From 43 cent for every dollar in 2016, the figure has jumped to 73 cents per dollar in 2020.
Industry insiders that SC Magazine interviewed said that the cybersecurity sector responded by “trying to consolidate data aggregation to create a more sustainable industry.” This led to the formation of CyberAccuView, a data-sharing service aimed at creating a more standard practice.
However, the experts still predict that policies will be dependent on “higher base security standards offering lower maximum payouts.”
They added that “a new breed” of fintech firms that are placing emphasis on data-driven security policies, including the use of network monitoring software, can help create a sustainable model for cyber insurance.
“We see a positive trend in the cyber insurance market where organisations embrace the risk assessment process required by insurers as an opportunity to justify and accelerate cybersecurity initiatives,” Chris Reese, head of insurance at Cowbell Cyber, told SC Magazine. “Many businesses welcome the resources provided by cyber insurance providers to help them achieve insurability.”
There are certain groups, however, that are in danger of being priced out of the market, according to the experts. These include businesses that can no longer afford higher insurance premiums or those denied cyber coverage altogether, and the ransomware groups themselves.
“We find that with victims that don't have insurance, conversations are much more difficult,” Bryce Webster-Jacobsen, director of intelligence operations at cyber intelligence firm Groupsense, told SC Magazine. “Budgets become much more constrained. There’s often a heightened sense of pressure on negotiating the figure down to fundamentals that allows the victim to recover, and sometimes you’re not able to bridge that gap between the victim and the threat actor.”
Industry experts admit that they are still not sure how ransomware gangs will respond to reduced profits.
“Ransomware is a low-cost, high reward scheme; it's likely that profit margins will still be high, even if not as exorbitantly high as they currently are,” they told SC Magazine. “Actors could try to optimise profits through better targeting or higher volume, or – in the extreme case – be forced to change crimes.”
Webster-Jacobsen, however, believes that although reducing the amount and availability of cyber coverage will also slash the amount of payments ransomware groups can receive, it will not prevent them from conducting cyberattacks.