Published on December 03, 2021

Most asset classes within the insurance industry have loss data going back for centuries; the cyber insurance industry, by contrast, is still in its infancy. With ransomware attacks, sophisticated attackers, and costly data breaches all on the rise, many cyber insurance providers are growing reluctant to take on more business.

According to a recent Reuters article, the London-based underwriting market Lloyd’s of London has been discouraging its roughly 100 member syndicates from taking on new cyber insurance business in 2022. Given that Lloyd’s of London accounts for nearly one fifth of the entire global cyber insurance market, this is significant news.

Attacks are increasing in the current remote work environment

The pandemic pushed organizations into remote work and, with it, into greater cyber risk. In a recent study, 83% of IT professionals said they believed remote workers posed an increased cybersecurity risk, and sure enough, cyberattacks increased over the last year.

According to a recent threatscape report, cyberattacks were up 17% in Q1 2021 compared to the same quarter of 2020. Not only are organizations more exposed, but attackers are also getting more sophisticated. Together, these factors have made insurance providers nervous.

Premiums, deductibles, and coinsurance are all on the rise

Insurance premiums are climbing, as are loss ratios. In the insurance world, the loss ratio is the ratio of losses incurred (claims paid plus reserves set aside for open claims) to premiums earned, usually expressed as a percentage; a rising loss ratio means each premium dollar is covering more in claims.

In August, American International Group (AIG), the second biggest underwriter of standalone cyber insurance policies in the United States, raised its cyber premiums 40% globally, with the largest hikes in North America.

Limits are decreasing

While cyber insurers are charging more than ever in premiums, they are also lowering the amounts they are willing to pay out. According to Caspar Stops, head of cyber and technology at Optio Insurance, policy limits have come down by nearly half: a company that could buy £10 million of cover last year can typically buy only £5 million this year.

On an earnings call with analysts, AIG CEO Peter Zaffino said, “We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware, and the systemic nature of cyber risk generally.” Coinsurance, under which the policyholder bears a fixed share of every covered loss alongside the insurer, is also becoming more common.

Additionally, insurers are issuing new exclusion clauses. Just last week, the Lloyd’s Market Association (LMA) published new cyber war and cyber operation exclusion clauses, authored by its underwriting director Patrick Davison, under which Lloyd’s syndicates will no longer cover acts of cyber war or “nation state retaliation attacks.” Of course, whether an attack can be attributed to a nation state is often a gray area; the clauses lean on attribution by the government of the state where the affected systems are located, and pending such a determination the insurer may rely on an objectively reasonable inference from the available evidence, which leaves the insurer a great deal of latitude. This is an ominous development, and it shows how skittish cyber insurance providers are becoming.

Bad actors are getting more savvy

Ransomware groups are moving away from scattergun attacks and increasingly engaging in targeted ones, choosing victims and pricing demands deliberately.

Historically, these groups favored healthcare organizations and municipalities, which often have understaffed IT departments; however, those targets also usually have less money to pay out. More recently, ransomware groups have shifted their attention to manufacturing and other industries with deeper pockets.

These bad actors usually have a good idea of how much a given target can pay. Savvy cybercriminals are likely using social engineering to find out which companies are insured and, once inside a network, searching for the policy documents themselves so they can size the demand to the coverage. Insured companies are attractive targets because they are presumably more likely to pay a ransom. That said, this isn’t a reason to forgo cyber insurance; it is a reason to keep policy documents off broadly readable file shares and mailboxes.

What’s on the horizon

For years, cyber insurance companies enjoyed rising premium income. In fact, according to the National Association of Insurance Commissioners, premiums have doubled since 2015, and insurers collected $3.15 billion in premiums in 2020 alone. However, the times are changing.

The near future appears to hold more rigorous risk assessment, lower payouts, and higher premiums. We are likely to see a pullback and restriction of coverage, followed by a restructuring of premiums. The current panic from the Lloyd’s of London underwriting market, and others, will eventually fade.

It’s vital to have a robust security infrastructure in place

Cyber insurers are asking more and more questions before issuing a policy. Many providers require their clients to have certain measures in place, such as mandatory infosec training; a company-wide password policy; multi-factor authentication at all critical access points, typically remote access, email, and privileged accounts; frequent data backups that are kept offline or otherwise isolated from the production network and are tested for restoration; strong patch management; and robust physical security. Some insurers will also require that an organization has endpoint detection and response (EDR) tooling and adequate network monitoring in place before they provide coverage, and they will ask for evidence of each control rather than a checkbox.

So, with cyber insurance underwriting standards changing rapidly, it is more important than ever to have strong cyber hygiene and the appropriate IT security infrastructure in place, both to qualify for coverage and to avoid needing to claim on it.

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.
