- organisations will need to better articulate their cyber maturity as insurers look to improve risk selection
As organisations’ reliance on technology has increased, so has the efficiency of criminals looking to capitalise. In 2018, the total cost of cybercrime to the world’s economy was estimated to be around US$600bn, but this is predicted to grow to above US$2trn in 2022. It’s no surprise that the global cyber insurance market is also expected to grow from an estimated US$9bn in 2020 to US$20bn by 2025 as organisations look to transfer some of this risk. But the spiralling losses have led insurers to sharply raise premiums and reduce appetite over the last year, placing more pressure on businesses that want to buy cyber insurance cover to better articulate their IT posture to the market and be prepared to answer questions on their overall cyber security framework and approach.
Ransoms more targeted and causing more damage
A key driver of this growth in cyber event costs has been the explosion of ransomware and its associated business interruption impact. The situation is also being made worse by the growth of aggregation events – ransomware attacks that target technology service providers, who then inadvertently spread the attack to their customers – like the recent Kaseya attack, which is estimated to have impacted up to 1,200 clients and led to an initial ransom demand of US$70m.
Ransoms are also getting more complicated as criminals carry out more due diligence before the attacks. Once they are inside the networks, those attacks can be far more focused in their intensity and can take longer to remediate – an average of 21 days in Q4 2020.
Interestingly, hackers are sitting in organisations’ systems and exfiltrating data before asking for a ransom, so that if the ransom is not paid they can then sell the data on the dark web – a so-called double ransom attack, where the threat of disclosure is used as additional leverage to get victims to pay in the first instance.
Insurers remediate their portfolios
As a direct consequence of this heightened ransomware activity, insurers are experiencing increasing losses and – given the difficulties in modelling the correct sustainable price for cyber in an uncertain risk landscape – have responded with sharp pricing increases towards the end of last year, rising steadily through 2021. This is partly a response to years of rapid growth in the class of business and a previously prolonged soft cyber insurance market, which has left some cyber insurers needing to remediate their portfolios to make sure that the risks they contain meet a minimum baseline of cyber maturity.
Insurers are working towards the goal of better risk selection, which means those clients who can articulate their cyber governance and give insight into their security controls and internal processes should experience a warmer reception from underwriters. In addition, many carriers are using extra tools to help them with their underwriting and to help insureds gain more insight into current trends. Carriers are, for example, issuing reports where a third party has scanned an insured’s IT perimeter on the hunt for open ports or unpatched software, and there is also more underwriting emphasis on multi-factor authentication, privileged access, tested and segregated back-ups, and endpoint protection. But there aren’t just one or two areas that insurers are scrutinising; their approach is more holistic, taking in the whole cyber security sphere and how each company handles the risk, which also means it is important for buyers to start the submission process earlier than they are perhaps used to when it comes to renewal.
Broad cover is still available
The good news for cyber insurance buyers is that broad cover is still available, although it is narrowing in certain areas. And while most carriers are looking to reduce the capacity they deploy on individual lines, most organisations are still able to renew cyber limits on existing programmes. However, the emphasis should remain that, important though it is, cyber insurance is just one leg of a cyber security strategy that should also include a comprehensive approach to governance, technology and internal processes.