Colonial Pipeline attack to hit cyber capacity says AM Best
The scale and severity of ransomware attacks against businesses could force more insurers to exit underwriting cyber risk, said AM Best, in response to the Colonial Pipeline attack in the US.
The ratings agency said insurers across the globe have been forced to rethink cyber insurance risks, with AXA already pulling out of cyber insurance that covers ransomware payments in France.
“Many insurers are now realising the significant risks inherent in the line,” AM Best said. “Insurers that lack the appropriate expertise, ability and controls for cyber insurance risks could be subject to losses outside of risk tolerance,” which could in turn impact ratings.
Premiums for standalone cyber insurance policies increased more than 28% in 2020, AM Best said, but claims continue to outstrip market growth. Between 2017 and 2020, annual premiums grew by 19% against 38% growth in claims. Incurred loss ratios were up 26 points in 2020.
Colonial Pipeline disclosed the cyberattack on Friday last week and it has been working to restore operations since the 5,500-mile pipeline was shut down. DarkSide has claimed responsibility for the attack, which involved an undisclosed ransom demand.
“As the Colonial Pipeline attack has shown, cyber is a very complex risk, with far-reaching impacts to clients and insurers alike,” said Sridhar Manyem, director of industry research and analytics at AM Best. “The classifications of these events as terrorism, criminal activity or acts of war have different implications for insurance, and will require guidance from government entities as clients and insurers navigate these cases.”
Meanwhile, AXA France has revealed that it has ceased providing ransomware reimbursement cover when underwriting new cyber policies.
AXA France, AXA’s general insurance business in France, is said to have made the move following French government concerns about the payment of ransoms, voiced during a recent parliamentary debate.
According to a report from AP, AXA said it was suspending the option in response to concerns aired by French justice and cybersecurity officials during a Senate roundtable in Paris last month, about the devastating global epidemic of ransomware. “The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay,” cybercrime prosecutor Johanna Brousse said at the hearing.
AXA said in a statement: “As is standard market practice, we do provide ransomware cover as part of a broader cyber policy. The current cyber insurance market is very challenging, prompting many markets to look carefully at coverage and capacity. We also continue to monitor the evolving regulatory environment regarding ransom payments. We’re committed to working with our brokers and clients, in addition to regulators, law enforcement, cybersecurity professionals and others, to find appropriate protections and risk mitigation/reduction strategies to meet this evolving landscape.”
A spokesperson told AP that the suspension only applies to France and does not affect existing policies. She said it also does not affect coverage for responding to and recovering from ransomware attacks, in which criminals based in safe havens including Russia break into networks, seed malware and cripple them by scrambling data.