Fears ransomware losses could reverse cyber market softening

Some say rates could harden next year

A big jump in ransomware attacks is likely to slow softening in the cyber insurance market and potentially lead to rate hikes in 2024, experts warn.

After a respite last year, ransomware attacks are again on the rise. According to cyber security firm Akamai, the number of companies that fell victim to ransomware in the second quarter increased 143% on Q1, while cyber insurer Corvus says ransomware attacks in June broke new records with a 179% increase year on year.

Cyber insurance claims frequency also picked up during the first half of 2023, according to Michael Daum, global head of cyber claims at Allianz Commercial. Based on Allianz claims activity in the first six months of 2023, the insurer expects a 25% increase in the number of claims by the end of 2023. “The attackers are back, and focused again on Western economies, with more powerful tools, enhanced processes and attack mechanisms,” Daum said.

One of the drivers for increased claims frequency has been the effectiveness of the Clop ransomware group, which was responsible for a string of attacks exploiting a zero-day vulnerability in file transfer software MOVEit. Affecting over 2,300 companies and 62 million individuals, that vulnerability is generating claims for insurers.

“Unlike other zero-day vulnerabilities and supply chain attacks like SolarWinds and Kaseya, MOVEit is arguably where we have seen insurers play straight off the bat with losses. Costs are being incurred and insurers are actively paying out on MOVEit breaches,” according to Nick Barker, head of Arthur J. Gallagher’s cyber practice in London.

Meanwhile, there were a host of recent ransomware attacks on hotels and casinos in the US. MGM Resorts said last month’s cyberattack against its US systems is expected to cost about $100m after operations at its resorts were disrupted by the breach.

The company said it also incurred almost $10m in expenses for consulting services, legal fees and other third-party advisors brought in to address the cyberattack. It confirmed it has a cyber insurance policy in place.

“Although the company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses and future expenses, the full scope of the costs and related impacts of this issue has not been determined,” MGM said in a filing to the US Securities and Exchange Commission (SEC).

The increase in ransomware attacks and claims raises questions for the cyber insurance market, which was beginning to soften after two years of significant price increases and a reduction in claims.

According to Marsh, global cyber insurance price increases moderated to just 1% in the second quarter of 2023, compared to 11% in the prior quarter and 28% in the fourth quarter of 2022. Cyber insurance prices increased almost 83% in the first quarter of last year and 36% in the second, said the broker.

“In terms of premium, we see stabilisation and a softer market, with some clients even experiencing decreases,” explained Paulina Vélez Gómez, risk management cyber leader for Europe at Marsh. Some clients experience double-digit decreases, depending on specific cases, she added.

Vélez Gómez said that while ransomware attacks are growing, Marsh is not yet seeing a big rise in claims. “Our clients experience claims, but we have not seen big losses this year due to ransomware attacks. This is important. My perception is that clients are better prepared to face the risk, so while they may be experiencing attacks, they are better prepared and are not experiencing losses that will be transferred to insurers,” she said.

But if the market is to avoid future rate hikes, risk management will need to keep pace with cyber criminals’ evolving tactics, according to Vélez Gómez. “We need to be proactive in understanding how these criminal enterprises behave and work together to be prepared for future threats, and not only ransomware. But if companies are not able to face these threats, then the market could turn again to a hard market,” she said.

Gallagher also sees a softening market for cyber insurance, fuelled by new entrants and increased growth appetite. According to Barker, rates for well risk-managed organisations are seeing flat to decreases of 10% for primary, while excess layers have experienced reductions ranging from 15% to as high as 50%, with the median towards the lower banding.

But he fears this could change. “The market is softening at a time when claims are increasing, so there will be an inflection point at some stage. Realistically, we will see the market continuing [to soften] for the rest of this year and into next year, but it would not surprise me if we are talking about potential rate increases at the back end of next year and early 2025, pending no major systemic loss,” said Barker.

That said, he sees a number of factors mitigating the impact of higher ransomware losses, including insurers’ growth appetite and improvements in cyber risk management among insureds.

“While we have seen an increase in claims activity, the severity of losses has not been at the levels of 2019 and 2020. Because cyber risk management globally has made vast strides in recent years, arguably off the back of the hard market and insurers pushing for better risk management, the effect of recent [cyber attacks] has not been as severe,” he said.

“Improved cybersecurity globally and how these losses are not as severe as pre-2020 times, means it will be reflected in improved underwriting performance and we will not see increases as drastic when the market turns as we did in 2019, when rate increases were up to 500%. We certainly won’t see that in the short term,” he added.

The recent increase in ransomware claims will also take time to filter through to insurer results, and therefore pricing, believes Barker. “While we are seeing an uptick in claims activity, it will take a while for that to be reflected in underwriting performance, especially as a number of breaches we are seeing are liability cases and may involve litigation, and it will therefore take a while for losses to evidence themselves,” he said.

Insurers are monitoring the situation on claims closely and some suspect rates will have to react.

Etienne Champion, chief underwriting officer (CUO) for Asia Pacific and Europe at AXA XL, said: “We have seen rates coming down and we think this is a reflection of the improved cyber security and maturity among the insured companies, and a reduction in ransomware activity in 2022. But the 2023 trend is clearly going in the opposite direction, so we think further adjustment in pricing may be required to ensure this fast-growing market is growing sustainably.”

Ralph Brand, president for continental Europe Insurance at Sompo International, said capacity will remain limited in the cyber market and the expected uptick in cyber claims will lead to “continued discussions with clients about their level of resilience and what capacity and terms we as an industry can offer for an acceptable price”.

Zurich’s CUO Penny Seach agreed that there will be a continued focus on monitoring claims trends in light of the increase in reported ransomware incidents this year. “Exclusions focused on unquantifiable systemic losses will gain momentum, and the understanding of accumulation scenarios will continue to mature and evolve,” she said.

And experts attending the recent US Wholesale & Specialty Insurance Association’s Annual Marketplace agreed that the worrying rise in ransomware could begin to increase the cost of insurance cover.

Steve Robinson, national US cyber practice leader of executive lines for Risk Placement Services, an Arthur J. Gallagher unit, envisions “there being some upward adjustment in rates, perhaps a return to more underwriting discipline” in the second quarter of next year.

There cannot continue to be “higher frequency and lower pricing for so long before loss ratios go up”, and when that happens there must be adjustments to ensure profitability, he said.

Michael Phillips, cyber practice leader USA for CFC Underwriting, said the cyber market is “a very unsettled place”. There is continued confusion around pricing, and a number of markets have responded to ransomware frequency with quick corrections, he said.

“For brokers and buyers, that instability is making it difficult to close the sale,” Phillips said. “It’s making clients sceptical about the integration of the product when the prices are spiking up and down with a lot of volatility.”

The increase in ransomware attacks is only part of the picture. According to Allianz, evolving attack methods used by cyber criminals are raising the stakes. Double and triple extortion – using a combination of encryption, data exfiltration and Distributed Denial of Service (DDoS) attacks to extort money – are now more prevalent, explained Daum.

Changing tactics are also shifting the focus onto third-party liability as ransomware gangs now typically steal sensitive personal and commercial data and publish it on leak sites.

Some 75% of recent Allianz Commercial claims involved sensitive data exfiltration, up from 40% in 2020. Every ransomware claim tracked by the insurer involved the public exposure of data, an increase on 75% in 2020. In addition, the average ransom demand increased to €2.5m in the second quarter of 2023 from €863,000 in the fourth quarter of 2022, according to Allianz.

With more attacks resulting in the theft of sensitive data, companies’ willingness to pay a ransomware demand has increased. Allianz Commercial claims data showed that half of such claims result in companies paying an extortion demand, up from 40% in 2020. Companies are two-and-a-half times more likely to pay a ransom if data is exfiltrated in addition to being encrypted, according to Allianz.

It is urging companies to invest in early detection and response capabilities, as prevention measures will never make an organisation 100% secure. Analysis of claims notifications shows that breaches that were not detected and contained early can be as much as, or even more than, 1,000 times more expensive than those that were, the insurer said.

“Companies can reduce the number of attacks that surpass the first line of defence. There needs to be detection and response because it’s no longer possible to completely prevent every attack, no matter how much you invest in IT security. Companies need to catch these attacks before the next stage and prevent the most severe incidents that might bring their business to a halt and damage their reputation,” said Daum.
