As Cyber Losses Mount, Cyber-Insurance Market Challenges Grow

Man holding virtual blue safe with lock icon and dial and the words CYBER INSURANCE in glass above a desk in an office

September 20, 2021

Man holding virtual blue safe with lock icon and dial and the words CYBER INSURANCE in glass above a desk in an office

Conditions in the cyber-insurance market during the first 6 months of 2021 were even more challenging than many anticipated, according to a recent report.

According to the midyear 2021 Global Cyber Market Update from Arthur J. Gallagher & Co., entering this year, the expectation was for a turbulent and difficult cyber market.

"Those predictions came true, and by some measures, the market conditions that unfolded in the first half of 2021 were more challenging than many expected," the report says. "Cyber-claim frequency and severity continued their upward trend. This led to a swift response from the cyber-insurance market as they imposed significant limitations of capacity, narrowed the scope of coverage terms, heightened underwriting scrutiny, and significantly increased rates."

For cyber-insurance buyers, the result has been complex and time-consuming renewals, often resulting in less coverage at higher costs, Gallagher says.

The Gallagher report notes that the ransomware threat remained a major factor in the cyber-insurance market during this year's first half. Through the first quarter of this year, the average ransomware demand rose to more than $220,000, the report says, with victims' average downtime growing to 23 days.

Some 77 percent of ransomware attacks also included threats to publicize stolen data, according to the report.

The growth in ransomware attacks is a global phenomenon, according to Gallagher. Citing the Check Point 2021 Cyber Security Report, the report notes that countries in the Europe, Middle East, and Africa (EMEA) region experienced a 36 percent increase in ransomware attacks so far in 2021, with the United States seeing a 17 percent increase, and the Asia Pacific region experiencing a 13 percent increase.

"Notably, hackers continued to focus on key targets in the supply chain, where a successful attack on one could impact thousands of other victims," the Gallagher cyber-market report says. "A global software company, an international food distributor, and a US-based fuel supplier are just a few examples of crippling cyber attacks that impacted victims in the supply chain over the first half of the year."

Those sophisticated attacks on supply chain targets allowed the criminals behind them the opportunity to increase ransom demands while also potentially providing access to additional targets, Gallagher says.

In addition to the growth in ransomware attacks, losses from social engineering attacks also continued to grow, according to Gallagher. The report cites data from the Federal Bureau of Investigation's IC3 2020 Internet Crime Report that showed a record 69 percent increase in cyber crime from the prior year's report. Half of all those losses—some $1.8 billion—stemmed from business email compromise attacks, Gallagher says.

As for the current state of the cyber-insurance market, Gallagher notes that after experiencing 2020's losses and seeing cyber-claim trends deteriorate further through the first half of this year, cyber underwriters have increased their focus on insurance buyers' data security controls.

"Virtually every [insurer] will require attestation of at least some preventive controls, which likely include multifactor authentication (MFA), Remote Desktop Protocol (RDP), data backup practices, segregation of networks, encryption, patch management, Privileged Account Management (PAM), employee training, and a host of others,” the Gallagher report says.

Many cyber-insurance applications now require supplemental ransomware applications focused on risk controls meant to prevent or mitigate the impact of ransomware attacks. Many insurers are refusing to offer coverage to buyers lacking those controls, Gallagher says, while those who are offered coverage might see rate increases as high as 300 percent.

"Even the best-in-class risks that comply with all underwriting required security controls are seeing increases in the 40 percent to 60 percent range," the Gallagher report says.

Cyber-insurance policies that are available in the current marketplace often include a number of coverage restrictions, the report says, including sublimits and coinsurance requirements for ransomware claims, new exclusions related to use of end-of-life or at-risk software or email platforms, and coverage limitations related to coverage triggers for regulatory investigations.

Gallagher says that it has also seen cyber insurers' risk appetites decrease for some industry classes including municipalities, education, and manufacturing. Meanwhile, new entrants to the cyber-insurance market are beginning to experience pressure to obtain additional financial backing, while many established cyber insurers are facing their own significant rate increases from cyber reinsurers.

Gallagher says it expects the cyber-reinsurance treaty market to take "affirmative steps to maintain profitability and reduce systemic risk that may affect their exposure, putting further pressure on rates."

On the plus side, Gallagher notes that for cyber-insurance buyers, navigating the current complex and time-consuming application process can help elevate buyers' own cyber-security maturity levels. "The natural outcome includes both the identification of security vulnerabilities and taking steps toward remediating them," the report says.

In addition, cyber insurers will often offer discounted cyber-risk management services, such as employee training, incident response planning, vulnerability scanning, intrusion identification, and in some cases, resources to correct security flaws, Gallagher says.

For the remainder of 2021, Gallagher says it expects cyber-insurance underwriting scrutiny to increase while capacity continues to shrink. As rates continue to increase and insurers push for ransomware cost-sharing, insurance buyers will be forced to increase self-insured retentions and more actively manage cyber risks, the report says.

September 20, 2021