European cyber pricing to stabilise in H2: Marsh

Cyber insurance pricing in Europe is likely to stabilise in the second half of 2022 as measures to stem ransomware losses bear fruit, according to Marsh.

Despite concerns over the potential for cyberattacks linked to the war in Ukraine, rates in the European cyber insurance market are likely to moderate this year, according to Jean Bayon de La Tour, head of cyber for continental Europe at Marsh. Insurers understand that buyers will not accept further price increases, he said, speaking on a DBRS Morningstar webinar.

The cyber insurance market in Europe hardened for the first time in 2021 as carriers reacted “violently” to losses arising from ransomware claims, said the broker. Rates in continental Europe peaked in the fourth quarter of 2021 with average year-on-year increases of 90%, with some companies paying as much as 200% to 300% more for cover, according to Marsh. However, price increases in Europe slowed to 80% in the first quarter of 2022 in response to a fall in claims.

A spike in ransomware losses in 2020 and into 2021 pushed the market into a loss-making position, Bayon de La Tour explained. However, price increases, higher deductibles, reduced limits and coverage restrictions have helped the cyber insurance market return to profitability, he added.

And buyers do not have the stomach for further rate increases, the Marsh broker warned. “After increases in 2020, 2021 and 2022, new increases will not be sustainable. Some clients already question if it is worth buying this type of cover for such a high price,” he said. A number of companies have already decided to no longer buy cyber insurance, although this is the exception, he added.

“Insurers understand this and we expect in the second half of this year that premium will be more or less flat because all the losses have been paid, and because insurers have returned to profitability. Clients will not suffer another year of increases,” Bayon de La Tour said.

The cyber insurance market has become so difficult for buyers that companies are now asking themselves whether it is worth buying the cover on offer, confirmed an experienced Spanish risk manager during a separate webinar organised by the country’s national risk management association Agers.

“It has got to a point where one starts asking oneself whether it is worth paying for the transfer of this risk,” said Juan Gayá, risk and insurance manager at retail group El Corte Inglés.

But cyber claims activity has now “stabilised”, despite the heightened threat of cyberattacks from the war in Ukraine, according to Bayon de La Tour. A “global wave” of ransomware attacks had caused an increase in the frequency and severity of cyber claims in Europe in 2020 and 2021, affecting companies of all sizes and across all sectors, he said. However, the frequency of ransomware claims has “gone down slightly” since its peak in the first quarter of 2021, he added.

The fall in ransomware claims reflects coordinated action by governments to tackle cybercrime, and cybersecurity measures implemented by insureds, explained Bayon de La Tour. “We understood what were the right IT security controls to deploy in order to have a successful setup against ransomware. So, that was implemented in our companies and we see it is really helping to reduce the frequency and the severity,” he said.

“The insurance industry is also pushing in that direction and is advising clients to put in place IT security controls – such as multifactor authentication (MFA), endpoint detection and response, and network segregation. Basic cyber hygiene controls that are mandatory to have a cyber insurance policy, are the ones that are mitigating the loss. It is working and it is helping reduce the amount of successful ransomware,” he added.

Cybersecurity controls like MFA are now essential for companies that want to buy cyber insurance, explained Bayon de La Tour. “MFA is now a deal-breaker. The benefit now if you have MFA is to continue cover. If you don’t have MFA, insurers will not be keen to cover you because the risk you will be attacked by ransomware is too big… We saw these tools, MFA at first, are working and really mitigating the risks, and insurers are imposing it,” he said.

According to Bayon de La Tour, companies must first understand cyber risk and what it means for their own organisation in terms of frequency and severity of loss. They can then invest in the right cybersecurity controls to reduce the frequency of attacks, and take out insurance to deal with the severity. To help its clients fight against ransomware claims, Marsh has identified 12 basic cyber hygiene controls. “It is critical for clients and insurers to work on these 12 key controls,” said Bayon de La Tour.

“Cyber insurance is one of these lines where we can do a lot before to mitigate. These key controls are working in that direction. The challenge we have is the fast-evolving cyber risk landscape,” Bayon de La Tour said.
