Despite a perception that insurers are blanching at the costs from covering cyberattacks and shying away from offering new policies, new research and insurance executives indicate that cyber-specific insurance has never been more popular.
As cybercrime, ransomware attacks and nation-state espionage campaigns have risen to a higher prominence in the C-Suite over the past decade, companies have increasingly turned to purchasing cyber-specific insurance plans, which can influence what cybersecurity plans a company has in place and dictate decision-making over cyberattacks, such as whether to pay a ransom.
As ransom payments and other damages have eaten up a larger share of payouts, observers have been predicting that the insurance market will plateau as insurers take on increasing costs and reconsider the wisdom of underwriting the unreliable security programs that businesses put into place.
But that does not appear to be happening, yet — and experts have said in some respects, business has never been better for the cyber-insurance industry. Ross Kadish, a risk management and insurance consultant at Associated Risk Management, pointed out that cyber insurance is the fastest growing sector in the property/casualty insurance market and “nothing [else] is even close right now.”
“Despite the proliferation of ransomware with increasing frequency and severity, the industry is not collapsing like many expected would happen — in fact, quite the opposite,” said Kadish in May at an event hosted by the Institute for Security and Technology.
“Very recently in the last couple years in particular, there’s been a lot of earned premium growth [around cyber] and the reason is the risks are increasing along with the fact that insureds — or would-be insureds — are becoming more and more aware and afraid of those risks. The other thing is despite the losses in the earlier days, insurance companies have an appetite for the risk.”
Kadish’s argument is bolstered by a survey released last week by consultant firm RSM detailing privacy and data security trends among mid-sized businesses. It found that the proportion of cyber insurance plans purchased by businesses has gone up among small, mid-size and larger companies across the board.
“The cyber-insurance landscape has undergone many significant changes in recent years, as insurance companies have imposed more restrictions on qualifications and coverages after dealing with more and more expensive breaches,” Matt Franko, a principal analyst at RSM, said in the report. “Cyber insurance is still a valuable element of a comprehensive cybersecurity strategy for middle-market companies. But, as always, companies need to make sure a policy makes sense, with the appropriate coverages for their needs.”
The survey collected responses from more than 400 senior executives at “mid-sized” organizations, a term that encompasses a large cross section of businesses that make between $10 million and $1 billion in annual revenue.
The data shows that 68% of middle market companies have cyber-specific insurance plans in place compared with 61% last year. Among larger companies, the increase is even more pronounced: 70% this year compared with 57% last year. The most popular activities covered were for hacking, data destruction, business interruption and failure to safeguard data.
Mixed cybersecurity results
However, there is some evidence to suggest the daily deluge of ransomware attacks and payouts are having some impact. One area where the industry is seeing a dip in coverage is around ransomware, where approximately half of executives reported having plans for extortion-based attacks and theft this year, a drop of more than 10% from last year.
Cyber-insurance executives said that as their policies have become more popular, they have increasingly used data from clients to identify common weak points or areas of emphasis (like multifactor authentication and other approaches) that companies must address in order to qualify for coverage. Policies are also getting more expensive, as 70% of executives say they saw an increase in premiums over the last year.
While cyber insurance is a relatively new phenomenon and insurers say their internal data shows clients who implement their security advice see fewer successful attacks, outside observers have reported more mixed results as to whether cyber insurance promotes better security practices among policyholders.
Other observers have warned that insurance premiums around cyberattacks may currently be underpriced.
According to proprietary data culled from digital risk firm At-Bay, while most insurance markets are cyclical and play out over five- to 10 years, cyber insurance cycles tend to move faster — over one- to two years — and price increases are often tied directly to rising rates of ransomware.
“There is a consistent cycle between ransomware frequency and policy pricing. Two to three quarters after ransomware frequency peaks, we see a responding increase in pricing,” Roman Itskovich, At-Bay’s founder and chief risk officer, wrote this month.
At-Bay’s data also shows that we are currently in a market where ransomware frequency is increasing but prices are declining. That tracks with findings from threat-intelligence companies and other sources that have seen a dip in successful ransomware attacks among clients in 2022 followed by a renewed burst of activity at the start of 2023. If prior correlations between ransomware attacks and pricing hold, businesses could soon see another large increase in cyber premiums toward the end of the year.
It's not just the insurance industry that is grappling with how to quantify cyber risk. Business leaders may understand the threat at a general level but still tend to view the issue in simplistic terms, believing a certain level of investment or attention can “solve” the problem of cybersecurity or takes it off the table as a major concern.
The reality can far more nuanced, and more work needs to be done convincing C-Suite executives that cybersecurity risk and investment exist on a spectrum.
“The biggest challenge for my clients is that they all know what they want to do [but] they have chief executives or presidents or chancellors who, if you ask ‘What is your risk tolerance for ransomware or cyber?’ they’ll universally answer: 'Zero.' Now how would you like to be that CISO or CIO?” asked Kadish.
