Cyber insurers are charging more for coverage and being more cautious with their underwriting because of a sharp uptick in the frequency and severity of ransomware claims, according to several underwriters and brokers. The sharp rise in claims may even push some insurers out of the cyber market.
Paul Bantick, head of global cyber and technology at Lloyd’s of London insurer Beazley PLC, said in an interview that cyber insurance prices had hovered between flat and increases of 5% over the past two years. But recently, increases ranging from 15% to 25% are “becoming more and more common,” he said, and that is widely expected to continue through 2021.
Bob Parisi, U.S. cyber product leader at Marsh & McLennan Cos. Inc.-owned broker Marsh LLC, said preliminary data for the third quarter showed that prices had increased by about 10.5% on average, following rises of 7% in the second quarter and 6% in the first quarter. The recent acceleration “is a material change in the pricing and I think it reflects those ransomware claims being paid,” Parisi said in an interview.
A growing threat
Estimates of increases in ransomware attacks vary, but certain signs point to a large spike. Darren Thomson, head of cyber security strategy at cyber insurance analytics company CyberCube, said such attacks so far this year are 7x higher than what they were in 2019.
Although such a significant increase cannot solely be attributed to widespread adoption of working from home amid the coronavirus pandemic, that phenomenon has played a role. Ransomware often enters a company’s systems through weak remote access points and virtual private networks. Johnty Mongan, cyber risk consultant at insurance broker Arthur J. Gallagher & Co.’s U.K. operation, said companies’ rush to configure themselves for lockdowns “started to really amplify the problem of poorly configured remote working.”
More attacks means more insurance claims. Beazley saw a 239% increase in ransomware claims in 2019 compared with 2018, based on incidents reported to the insurer from U.S. middle-market and private enterprise companies with a Beazley Breach Response or InfoSec product. Severity is also increasing: The Beazley data shows ransomware payments in 2019 were 3x as large as 2018 payments, and the total costs of ransomware payments were up 228% over the same period.
“We are seeing a lot more ransom demands that are now reaching the hundreds of thousands and millions, where before it was more in the tens of thousands to hundreds of thousands,” Laetitia Fouquet, global head of cyber at loss adjuster Charles Taylor Adjusting, said in an interview. She added that the largest ransomware demand she had seen, although it was not paid, was €30 million.
Cyber insurance programs often have layers of excess coverage that kick in once the primary layer has been exhausted. William Wright, a partner at Paragon International Insurance Brokers, said the lower excess layers would not previously have been triggered by ransomware. But now that claims bills are reaching £20 million or £30 million, “suddenly the excess layers are in play on a risk type that [the insurers] were never previously having to rate for or consider in the same way,” he said. As a result, the biggest price changes are in the low excess layers.
The ransom payment is only part of the claims expense. Fouquet said the biggest costs are actually IT expenditures related to investigating, identifying and containing attacks, and then restoring systems. Business interruption claims for downtime after attacks are also making up an increasing amount of the overall bills. Fouquet said a majority of claims in June and July had a business interruption element. “We were not seeing that last year,” she added.
A further concern is that attacks are becoming more targeted, sophisticated and vindictive. Instead of simply locking companies out of their systems and demanding a ransom to regain access, ransomware is increasingly siphoning off data, which cyber criminals can threaten to release either to put more pressure on victims to pay the ransom or extort even more money. According to the Coveware ransomware report for the second quarter, data was exfiltrated in 22% of ransomware incidents, compared with 8.7% in the first quarter.
Wright said the combination of ransom and data theft, plus rising ransom demands, is “like the worst of all worlds” for insurers and policyholders. “You only need two or three of those claims at that type of payout amount to happen for the market to suddenly find themselves feeling a little bit in hot water,” he said.
No end in sight…