The cyber insurance market has started to stabilize after a spike in ransomware attacks in recent years led to a sharp rise in premiums, observers said.
Cyber insurance can pay ransoms to hackers who lock down company technology systems, or it can help offset the cost of responding to data breaches. Today, the premium increases of the past few years appear to be slowing or even coming to a complete halt as insurers improve their risk assessments, new market entrants begin to offer coverage, and supply and demand assert themselves.
“Things are looking up,” said Jason Krauss, North America Cyber Product Coverage Manager for Insurance Brokerage.
“It’s amazing, isn’t it, that I tell you that a 20% increase [in premiums] is not bad. But it’s seen as a good thing.”
The cyberinsurance market has been going through a “challenging” period, according to industry insiders, with rising premiums and less flexibility from insurers in terms of offerings. Premium prices rose by more than 34% on average in the fourth quarter of 2021, according to data from the Council of Insurance Agents & Brokers, and some companies reported much larger rate increases.
“It was painful,” said Kristen Peed, director of enterprise risk management at a professional services firm and member of the board of directors of the risk management company RIMS. Some colleagues in risk management have seen increases of up to 200%, Ms. Peed said.
“We’ve had two painful renewal years with increasing deductibles, restrictions and… price increases,” she said.
Insurance itself remains relatively niche — insurer estimated the global value of cyberinsurance premiums at $9.2 billion at the start of 2022, compared to hundreds of billions of dollars spent in the United States on commercial insurance alone, according to the Insurance Information Institute, but events resulting in increased premiums have become familiar.
The 2021 attack on Colonial Pipeline Co. led to a $4.4 million ransom payment, one of several recent multimillion-dollar ransomware attacks. US financial institutions have reported ransomware-related transactions totaling over a billion dollars last year, a sharp increase from previous years, according to Treasury Department data. But it’s a figure that barely scratches the surface of the economic scale of the crime, experts say.
With higher payouts by insurers, premiums rose to higher rates. “It was a little nasty there for a while,” said Robert Parisi, North American cyber solutions manager for Munich Re. He described a hockey-stick-like increase in premium prices over the past two years. The increases mark a correction in premiums, which for years were arguably too cheap, he added.
“The underwriting is moving aggressively towards, ‘How can we get a deeper, more insightful look,’” Mr. Parisi said. Meanwhile, prices, if not falling, are rising less rapidly than in recent years, he noted.
Insurance companies have tightened the underwriting standards that accompany the issuance of new policies and have begun to review the defenses that companies put in place to thwart cyberattacks. Companies are asked about their cybersecurity systems and can have their agreements with popular cloud hosting companies reviewed, Parisi said.
Companies have stepped up security, with fake phishing emails to test inattentive workers and multi-factor authentication becoming commonplace. And more and more organizations are ready to answer questions from insurers, said Brent Rieth, US practice leader for cyber solutions at Broker.
APIs. “They have more appropriate controls in place,” he said.
However, the new underwriting requests have not been well received by companies trying to obtain insurance. “Overall, our customers have been complaining about the new requirements that must be met to be insured or even reinsured,” said Richard Peters, cybersecurity expert and managing director at consultancy Berkeley Research Group.
For small and medium-sized customers, the increased requirements are costly and time-consuming. Insurers expected some to carry out costly security risk assessments, Peters said.
Roberta Sutton, a partner at the Potomac Law Group who advises businesses dealing with insurance companies, said all of her clients have been asked to complete more detailed ransomware insurance applications.
Some companies have opted against insurance, said Ed McNicholas, co-head of the cybersecurity practice at law firm Ropes & Gray LLP. But not all companies can, as some must have cyber insurance to work with partners, McNicholas said. Proposed government regulations around breaches could also cause businesses to turn to insurance companies to offload some risks, he said.
Tighter underwriting, somewhat reduced demand and more carefully crafted insurance policies are all likely contributing to lower prices, which observers generally hope will fall further.
But insuring evolving cyber risks remains difficult, because cyber insurance providers don’t have a lot of actuarial data for these risks, and even if they did, it probably wouldn’t be “very insightful,” said Mr. Parisi of Munich Re.
“We are all worried about ransomware now and rightly so,” he said. “The cyberinsurance community needs to be quite nimble and flexible in how they approach risk.”
Write to Richard Vanderford at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.