Cyber insurers are likely to continue reducing exposures and raising rates in response to ransomware losses, according to Fitch Ratings.
Ransomware losses have surged, said Fitch. The direct loss ratio for standalone cyber insurance spiked last year, despite almost 30% growth in direct written premiums, the ratings agency explained. The aggregate loss ratio for US standalone cyber insurers was 73% in 2020, up on the 47% in 2019 and 34% in 2018. The increase in losses was in large part due to claims from ransomware attacks, according to Gerry Glombicki, a director at Fitch Ratings.
Speaking on a Fitch webinar, Mr Glombicki predicted that the frequency and cost of ransomware incidents will further increase during the near term. “Cyber has become very relevant due to the number of incidents and the associated costs,” he said.
The average total cost of a ransomware breach was $4.62m in 2021, while victims paid a total of $350m in ransom demands in 2020, a 300%-plus increase on the previous year.
In response to losses, cyber insurers have increased rates and taken steps to reduce exposures, according to Mr Glombicki. Average price increases for cyber cover were 25.5% in the second quarter of 2021, adding to the 18% increase in the first quarter and 11.1% in the fourth quarter of 2020. “As losses have increased, prices have increased in kind, and terms and conditions have become more restrictive,” he said.
Some insurers have withdrawn or pulled back from cyber as a result of recent losses, or tightened terms and conditions, said Mr Glombicki. Insurers are also applying stricter underwriting criteria, for example requiring policyholders to have two-factor authentication in place, he added.
Reinsurance is another factor influencing cyber insurance, as many standalone cyber insurers reinsure as much as 60% of their cyber business, said Mr Glombicki. “As losses go up, the cost of reinsurance increases,” he said.
Some industries are targeted more than others. Public services, healthcare, professional services and consumer services account for half of all ransomware attacks, but no industry is immune, according to Mr Glombicki.
Even cyber insurers themselves are being targeted by cybercriminals. A number of insurers – including Chubb, Axa and Tokio Marine – have been victims of ransomware attacks this year. As such, regulators and ratings agencies are increasing their focus on cyber risks and controls at insurers, according to Mr Glombicki.
Criminals are partly targeting insurers to access data on cyber insurance clients, explained Mr Glombicki. One cyber gang said it is “going after writers of cyber insurance” to identify companies that have cyber insurance and the size of limits purchased, then using this information to “elevate” extortion demands, he said.
Despite media attention, the cyber market is still relatively small, continued Mr Glombicki. The cyber insurance market accounts for less than 0.5% of the US P&C market, which writes about $725bn in annual premium.
Total US cyber premiums increased 22% in 2020 to $2.7bn, of which the standalone insurance market accounted for $1.6bn, while $1.1bn was packaged cover. The top five writers – Chubb, Axa XL, AIG, Travelers and Beazley – account for 50% of the combined market, while the top 20 have 87% market share.
Following several high-profile incidents this year, including the Colonial Pipeline and Kaseya attacks, ransomware now has the attention of governments and law enforcement, according to Mr Glombicki. As a result, discussions are ongoing about the role of cryptocurrencies and whether cyber insurance can be used to pay a ransom, he said.
A combination of regulatory response and hardened cyber defences by corporates could help address the rising threat of ransomware, said Mr Glombicki. However, there is no single solution to ransomware, which requires a multifaceted approach, he added.
Companies need to improve cyber hygiene and reduce their attack surfaces, while segmenting IT systems from operational technology, said Mr Glombicki. Fitch also recommends companies have three backup copies of data, including in two different formats and at least one different location. Incident response plans need to be in place and practised regularly with defined roles and responsibilities, it added.
Fitch already assesses an organisation’s cybersecurity as part of its credit ratings process. In April, Fitch partnered with SecurityScorecard to help investors understand a company’s cyber risk posture, its vulnerabilities and cyber risk management. A weak score would lead to further discussions on cyber risk management and governance, Mr Glombicki said.