Cyber insurers are losing money. Their loss ratios – total claims plus the insurer’s costs, divided by total premiums earned – are now consistently above 60%, which presents something of an existential threat to the insurance industry, making cyber risk a potentially uninsurable area due to falling profitability.
The insurance sector is battling its losses by increasing premiums – which have gone up by some 94% between 2019 and 2022 – creating the artificial impression that the sector is growing. The industry is not seeing increased take-up rates or expanded coverage – just increased revenues from higher premiums.
The growth in ransomware attacks is to blame for the rapid premium hike. For example, the Merck and Mondelez insurance settlements of $1.4b and up to $100m (due to the Russian NotPetya attacks in 2017) provoked insurers to tighten terminology on ‘state actor’ attacks to further limit their risk exposure, while simultaneously raising premiums.
As of March 31, 2023, Lloyds of London (the world’s largest insurance marketplace) will require its underwriters to include clearly defined exclusion clauses for state-backed cyber attacks within standalone cyber policies.
Making the market
In 1997, AIG was the first company to offer cyber insurance – in a bid to gain market share, without any actuarial data to inform policies or premiums – making it completely unknown territory. Cyber insurance remains a highly unpredictable landscape compared to other forms of insurance cover, especially given the ever-evolving threat landscape.
Before 2016/17, cyber insurance was an emerging market, often viewed as an optional add-on for organisations with heightened IT security risks, with fewer legal ramifications for data breaches (e.g. GDPR requirements) and far less knowledge or awareness of cyber threats.
Taking Lloyds as an example, the UK-based insurer referred to cyber in its pre-2016 annual report as a “newer or less well understood sector”, mentioned in the same breath as “nuclear, chemical, biological and radiological (NCBR) threats”. The cyber market was predominantly mentioned as part of its plans for “thought leadership” and “innovation”, with Lloyds noting that “many insured [were] first-time buyers”.
But the frequency and cost of cyber-attacks have risen enormously in the past five years.
In 2016-17, attack figures rose, as did the notoriety and scale of incidents, with the emergence of malware such as WannaCry and NotPetya and several high-profile private sector companies, including Uber and Equifax, falling victim to attacks.
2018 saw the introduction of new GDPR laws and additional high-profile cases (such as British Airways, Facebook and Marriott) increase demand for cyber insurance, expanding the market.
2020 marked a significant year for the cyber insurance industry, as the rise of ransomware brought an unprecedented attack rate (Travelex, Orange, Toll Group). Cyber insurance’s reputation for being “more profitable for insurers than other lines of insurance” ended, as insurers’ average loss ratio reached a record high of 66.9%.
In 2022, FinCEN (the US financial crimes agency) reported the cost of ransomware alone increased from $416 million in 2020 to almost $1.2 billion in 2021, putting significant pressure on cyber-insurers’ profitability and increasing their loss ratios (currently as much as 66.4%).
The global cyber-insurance market is still anticipated to grow from $12bn worth of annual premiums to $60bn in the next five to ten years according to Lloyds. But much of that growth is due to premium rate increases, rather than increased take-up rates or the broadening of coverage, according to MIT’s Josephine Wolff.
And it’s virtually impossible to precisely predict the future cyber insurance market.
While insurers want to reassure us that the market is beginning to stabilise as it continues to grow, others (Forbes among them) are proclaiming the industry’s dramatic decline or the ‘imminent death’ of cyber insurance as we know it.
This isn’t just the media catastrophising. The CEO of Zurich, Mario Greco, recently stated “what will become uninsurable is going to be cyber” – citing threats to critical infrastructure that can fundamentally disrupt wider society as his primary concern.
How is cyber insurance changing?
Two landmark cyber insurance cases were resolved in 2022: Merck & Co and Mondelez vs Zurich. Both trace back to the 2017 NotPetya malware attack, attributed to Russia’s military intelligence agency and deployed as part of the conflict with Ukraine. The former resulted in a $1.4b win for Merck, whilst the Mondelez case was settled behind closed doors – potentially suggesting a less favourable outcome which fell short of Mondelez’s demands.
Both cases were founded on the contention of an ‘act of war’ clause. Merck’s policy, for example, did not cover ‘hostile or war-like action’, but the court agreed with Merck’s defence that this exclusion only applies to actions which explicitly “involves the use of armed forces” as part of a recognised conflict.
While many welcomed these outcomes as a win for policyholders, the reality is that insurance companies are raising premiums and tightening terminology to cover their costs in the coming years.
AIG reports a more than 40% rise in cyber premiums, adding that like Lloyds, it is “obtaining tighter terms and conditions to address increasing cyber loss trends”.
In a bulletin to underwriters in August 2022, Tony Chaudhry, Underwriting Director at Lloyds, addressed the size and scale of the risks posed by cyber-attacks to the insurance industry, specifically at “state actor” level.
He warned “losses have the potential to greatly exceed what the insurance market is able to absorb”. Chaudhry also reiterated the need for more “robust” language around policy clauses “to exclude cyber-attack exposure arising both from war and non-war state-backed cyber-attacks” to reduce exposure. These clarifications indicate insurers’ continued desire to dispute similar claims in future.
Even if organisations can afford (or justify) increasingly expensive cyber premiums, the compensation claim process can be lengthy and difficult (more than five years for both the Mondelez and Merck cases).
Companies are also required to deploy an ever-increasing set of security controls to qualify for cover, in a changing regulatory landscape with increasingly rigorous compliance checks, including:
- Stricter demands from banks and financial regulators
- Updated cybersecurity frameworks (e.g. NIST’s framework revisions)
- New guidance from the Information Commissioner’s Office (ICO)
Today, insurers require much more detail regarding how organisations monitor and manage their day-to-day cyber security operations, including minimum standards for multi-factor authentication (MFA) and endpoint detection and response (EDR).
Auditors Grant Thornton outlined that higher-level evidence of staff training, vulnerability scans and monitoring system logs will be ongoing requirements.
Between such geopolitical ambiguity, soaring premiums and compliance challenges, organisations cannot rely on insurance as the primary method of managing their cyber risk exposure.
Rethinking cyber insurance
Zero coverage may be daunting. But removing the perceived safety net of insurance may be exactly what organisations need – a wake-up call to make their business more secure.
Not by checking compliance boxes to satisfy insurers, or relying on minimum standard annual testing, but by implementing controls that make their organisation more resilient to attack.
This isn’t to say that cyber insurance is a waste of money for those who have the means and resources to fund it as an added layer of risk mitigation.
However, many organisations are now reconsidering the role of cyber insurance and whether to renew their policy in 2023 and beyond.
Cyber insurance is not the norm for a majority of UK organisations.
The UK government Cyber Security Breaches Survey 2022 revealed only 43% of UK businesses have insurance policies which cover cyber risks. And the fact that less than 1% of UK organisations have made a claim is evidence that the diminished role of cyber insurance may not be as impactful as some might speculate.
Advice for security teams
While many organisations may decide not to renew their cyber insurance policy in 2023, it is vital they reinvest in their cyber defence capabilities.
They must ensure potential breach impact can be minimised. Organisations must assume compromise is inevitable – and plan accordingly.
Regardless of how the cyber insurance market may change, organisations must gain confidence in their ability to prevent, detect, respond to and recover from cyber attacks by looking beyond compliance.
As a minimum, organisations must be confident that:
- Backups have been tested to ensure recovery is possible and practical
- The ‘blast radius’ has been minimised in the event of a compromise through effective identity and access management, and network segmentation
- A well-established recovery plan has been designed and tested against specific incident scenarios, and contingencies for critical business functions are in place to ensure operational resilience.
Those with cyber insurance should review their policy, and perhaps schedule a frank conversation with their broker about exactly how they are covered.
Those organisations opting out of cyber risk insurance must ensure they have robust security controls in place. Meanwhile, insurers must work to keep premiums affordable and attractive enough to entice customers – while managing their loss ratios.