Even with cybersecurity mitigation strategies in place, organisations are finding it impossible to secure 2021 cyber coverage at 2020 rates, according to a new report from Risk Placement Services (RPS).
According to the new U.S. Cyber Insurance Market Outlook report from RPS, the insurance sector has put the brakes on cyber coverage despite increasing demand – primarily due to issues related to the COVID-19 pandemic and the increasing severity and frequency of ransomware attacks.
Carriers are hiking premiums – some as high as 300% at renewal – and lowering coverage limits on sectors that have been hardest hit by cyber crime and cyber extortion over the past year, RPS said. Those sectors include education, public entity/government, healthcare, construction and manufacturing.
Capacity restrictions that started to impact the market last year have intensified in 2021. Insurers that were happy to issue $5 million cyber liability policies in 2020 have scaled back to limits of $1 million to $3 million this year, even on renewals, according to RPS. As a result, organisations have had to turn to additional carriers to reach desired cyber liability coverage limits.
“This year’s changes in capacity, underwriting standards and even increases in premium were a necessary evolution,” said Steve Robinson, RPS national cyber practice leader. “Cyber insurance underwriting has become more reflective of today’s risks.”
One of the big risks is the proliferation of ransomware, which many attribute to the remote-work environment during the COVID-19 pandemic. The spike in employees working from home opened up technological vulnerabilities that hackers took advantage of, RPS said. During this time, claims frequency and severity skyrocketed at an unprecedented rate, and losses often far exceeded actuarial limits. In response, insurance companies began to develop models accounting for the unanticipated impact of ransomware on their bottom lines, RPS said.
One increasing ransomware risk is so-called “double extortion” – when cyber attackers demand payment for a decryption key, as well as a separate payment to prevent the release of customer data and non-public information.
“Ransomware has become a two-headed monster,” Robinson said. “Double extortion has become a contributing factor in cyber claim severity over the past year.”
Underwriting questions have become more strategic to better reflect current cyber exposures, the report found. Even on renewals, insurance companies are continually updating their questions about a company’s information security practices through supplemental application forms for ransomware and business interruption.
Multi-factor authentication (MFA) has become a must to qualify for cyber coverage, RPS said. MFA is one of the most effective ways to prevent a cyber extortion attack, according to Robinson.
Insurers are also increasingly incorporating the same scanning technology used by hackers into their own underwriting processes, as well as applying sub-limits or exclusions on cyber extortion and business interruption resulting from ransomware events in order to better control their loss ratios.
“As a result of industry underwriting and mitigation efforts, a better balance between cyber insurance coverage supply and demand is expected as we draw closer to 2022,” Robinson said.