At a time when the need for cyber insurance has never been more clear, brokerages have spent much of 2021 decreasing coverage and increasing rates. But on Friday, tucked into a Reuters story, a big shoe appeared to drop: Lloyds of London, the carrier holding nearly a fifth of the cyber insurance market, discouraged its syndicate from taking cyber business in 2022.
If the industry appeared to be in flux much of this year, it may be time to consider what happens when it destabilizes.
"The fear of loss of coverage is driving investment in security in some industries, like manufacturing," said Jess Burn, an analyst at Forrester looking at insurance and incident response. Those fears are justified she added; the current model for cyber insurance, where policies were plentiful and easy to get, was never sustainable.
Insurance is ripe for change
Cybersecurity is a historically new phenomenon compared to many of the other fields that are insured. Actuaries have data on lifespan and risk factors going back centuries. Global cybercrime is much newer, with the exponential growth of lateral-moving enterprise ransomware only happening within the last five years.
Without much data on cybercrime losses, insurers who took an industry-standard hands-off approach to accept customers without much diligence on security practices were flying blind. Meanwhile, the risk environment changed from occasional data theft to rampant extortion.
According to S&P Global Market Intelligence data, in 2016, 43 cents out of every one dollar paid in cyber insurance premiums was spent paying an insurance claim or related cost. Between 2016 and 2019, that number – known as a loss ratio, when it's written as a percentage – never went as high as 48 cents. In 2020, it ballooned to 73 cents on the dollar.
Something had to change.
"Cyber insurance was only ever meant to be for a novel, an unforeseen catastrophic event. When things like ransomware were limited to someone's grandmother on their old PC, that was a license to print money," said Burn. "But now that music has absolutely stopped and they're reeling from those losses."
The industry responded by trying to consolidate data aggregation to create a more sustainable industry. A group of key insurers teamed up over the past year to create CyberAccuView, a data-sharing service to try to work out a more standard practice.
Industry analysts predict that the old, lenient, everyone-can-afford-an-outlandish-policy era of insurance is probably nearing its end. In its place will likely be policies dependent on higher base security standards offering lower maximum payouts.
Only a few years ago, the common hope among policymakers that insurance companies would create these standards in lieu of a government body. Many of the physical security standards for home and business owners come from their insurance policies rather than regulation.
"That was originally the plan. But there was an irrational exuberance around this particular market – a bubble. And there weren't any questions asked when the money was coming in. But now the losses have happened. I think the cyber insurance industry will be a force for good in this area."
Several of a new breed of financial tech firms emphasizing data-driven security policies, including network monitoring software in their dealings and requiring things like patching, believe their model for insurance is sustainable.
"We see a positive trend in the cyber insurance market where organizations embrace the risk assessment process required by insurers as an opportunity to justify and accelerate cybersecurity initiatives," said Chris Reese, head of insurance at insurer Cowbell Cyber. Many businesses welcome the resources provided by cyber insurance providers to help them achieve insurability."
With declining coverage, said Burn, it is likely that companies will begin incorporating more risk language into contracts to pass liability up or down the supply chain, and mitigate third-party risk.
Planning for being priced out of the market
There are two groups of people who should be concerned about being priced out of the market, said Burn and others. One are the enterprises that either cannot budget for the insurance premiums or will no longer be offered insurance. The other will be ransomware groups themselves.
The latter will be key in what happens if broad changes overcome cyber insurance. A major determinant of the cost of a ransomware attack is insurance maximums; ransomware actors will find the digital records of insurance policies and use them in negotiation. When those numbers drop, the profit per attack will likely decline. With more uninsured victims, profits are likely to drop even more.
"We find that with victims that don't have insurance, conversations are much more difficult. Budgets become much more constrained. There's often a heightened sense of pressure on negotiating the figure down to fundamentals that allows victim to recover, and sometimes you're not able to bridge that gap between the victim and the threat actor," said Bryce Webster-Jacobsen, director of intelligence operations at Groupsense, a cyber intelligence firm with a well-known ransomware negotiation practice.
How ransomware actors will respond to lower profits is not clear. Ransomware is a low-cost, high reward scheme; it's likely that profit margins will still be high, even if not as exorbitantly high as they currently are. Actors could try to optimize profits through better targeting or higher volume, or – in the extreme case – be forced to change crimes.
While ransomware actors may be less comfortable, victims without insurance will be placed in an even more precarious position.
"Without insurance, a company has to figure out how they're covering not just the actual ransom itself, but all of the expenses related to recovery and investigations and the incident response," said Webster-Jacobsen.
Those expenses could include lawyer fees covering a hefty breach negotiation contract, business losses from downtime and public relations costs, in addition to the technical costs of investigating and restoring the network.
All of these costs, said Webster-Jacobsen, need to be part of disaster planning.
"Reducing the amount of cyber insurance coverage or the availability of cyber insurance plans will probably reduce the amount of payments that are able to be made, but that doesn't stop ransomware attackers are ransom operators from conducting attacks," he said.