A report by Fitch Ratings on Wednesday may bode well for cyber insurers, but businesses and their security organizations can expect to pay more for cyber insurance in the years ahead.
Fitch said cyber insurers will likely fare well in the next few years given meaningful price increases and tighter underwriting standards. However, Fitch noted that losses in the cybersecurity segment will remain more volatile than other insurance products.
Today, cyber insurance reaps estimated annual premiums of $8 billion to $10 billion, which industry experts says will reach up to $22.5 billion by 2025, as demand for coverage expands with recognition of threats.
Fitch also reported that the United States has become the largest cyber insurance market, with nearly $5 billion in statutory direct written premiums and 74% annual premium growth in 2021.
While cyber insurance will remain a good business, Lloyd’s pointed out in a market bulletin two weeks ago that cyber-related business comes with some clear risks.
“If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage,” wrote Tony Chaudhry, a Lloyd’s underwriting director. ”In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.”
Sounil Yu, chief information security officer at JupiterOne, said the massive increases in cyber insurance, resulting from waves of recent, successful ransomware attacks, represents the gross miscalculations of "likelihood" made by most insurers.
“In other words, those who are highly incentivized to use rigorous, actuarial methods to calculate the value of security controls, still got it quite wrong,” Yu said.
John Bambenek, principal threat hunter at Netenrich, added that it’s always been the “easy button” to mitigate business risks through insurance. Bambenek said in fairness, nobody has a winning formula against ransomware and prosecutions aren’t going to solve the problem, so few other truly viable options are available.
“I would strongly prefer organizations investing in stronger detection and prevention technologies, however, the decision to insure and to harden the tech stack are not mutually exclusive,” Bambenek said. “I have no guarantees I can offer my customers, and any vendor who does is a charlatan … so cyber insurance is here to stay.”