Cyber criminals are smart. Trying to keep up with them is like living through an episode of the Looney Tunes classic, Wile E. Coyote and the Road Runner. You inch ever so close to working out their tactics, only for the dreaded “meep meep” to sound, signalling their speedy escape. It’s a challenging and time-consuming problem for cyber security officers, risk managers and insurance professionals to keep on top of.
The headline cyber issue over the past few years has been the growing prevalence of malware and ransomware. Hackers are infiltrating systems, encrypting networks, and then demanding ransom before offering decryption. This is such a big issue because ransom demands are on the rise. Whereas demands of $25,000 or $50,000 would have been average a couple of years ago, now it’s not uncommon to see ransom demands of six or seven figures.
At the same time as these ransomware demands have been going up, the cost of cyber insurance has been going down. At present, it’s a relatively soft insurance market, with good loss ratios and lots of market capacity. However, those with a real finger on the pulse of the cyber insurance industry are “waiting for the other shoe to drop,” according to Richard Fernandez, executive vice president, professional lines, AmWINS Brokerage of Georgia. There’s a feeling that, at some point, “the market’s going to blow up,” and this is partly due to the imbalance between the soaring severity of ransomware and the relative cheapness of cyber insurance policies, he added.
“In the middle market, I’ve heard some carriers start to talk about introducing sub-limits for ransomware and malware, because a $5 million limit for $18,000 in premium is going to do nothing to offset a $3 million ransomware pay-out,” Fernandez told Insurance Business. “It’s important to remember that hackers are very crafty. They’ve become a lot more brazen than they were in the past. Some have become so sophisticated that they’re able to hack into a data room, find their way to a company’s insurance policy and see what the cyber extortion limit is, and then match their ransomware demand to the limit on the policy. The company doesn’t necessarily need to have deep pockets; the hacker knows they’ll get a certain pay-out because the policy limits are such.
“We know that hackers are going into data rooms and looking at companies’ financials. We know they’re looking at other records, whether they find their way to the insurance policies or not, and they’re looking at companies’ revenues to essentially peg what they want their demands to be. I think that’s a very scary thing. If this trend continues, I could easily see cyber insurance pricing start to firm up very quickly over the next three to five years.”
This is one reason why carriers might start to introduce cyber extortion sub-limits in their policies, according to Fernandez. He said: “We’re getting to a point where you’re almost being adversely selected against because your limit is too high. If you start looking at the more complex cyber programs that are $100 million or more, that’s an extravagant amount of limit for a hacker to exploit. You have to wonder whether you’re adversely giving them a reason to attack you.”