photon_photo - stock.adobe.com

Cyber insurance costs up by a third

The frequency and severity of ransomware attacks is a leading factor behind a substantial increase in the cost of obtaining cyber security insurance

The proliferation of double extortion ransomware attacks and the relative ease of their execution by cyber criminal gang affiliates has led to what may be the largest medium-term rate increase across the entire insurance market as providers of cyber insurance try to keep ahead of spiralling loss costs, according to data from reinsurance brokerage Howden.

In a report, titled Cyber insurance: A hard reset, Howden reported that global cyber insurance pricing has increased by an average of 32%, just under a third, year on year (YoY) in June 2021.

This increase has also come alongside a more demanding and rigorous attitude to insuring organisations against cyber attacks to begin with – insurers are now also demanding more evidence of preparedness, resilience and appropriate risk management practice.

“Cyber risk has undergone multiple episodes of change and development in its relatively short history, but nothing quite so impactful and fundamental as the events over the past year,” said Shay Simkin, global head of cyber at Howden.

“Covid-19, and all of its attendant effects on technology adoption and cyber security, combined with independent or connected changes to the loss environment, has added a big dose of complexity into an already complicated risk landscape.

“The cyber insurance market is currently driven by a demand and supply imbalance which shows no sign of relenting any time soon. Claims are up, capacity is down and underwriting profitability is, at best, under pressure.

“The impact on insurance buyers is stark; the importance of being prepared for a cyber attack has never been clearer. With insurers now demanding markedly higher cyber security standards before deploying capacity, businesses need analytical solutions designed specifically for them, combined with focused, expert intermediation to help them secure the coverage that meets their need,” said Simkin.

The report data reveal how, up to recently, cyber has been a highly lucrative business for the sector, with gross written premiums (GWPs) more than doubling since 2016 at a compound annual growth rate (CAGR) of 22% – outpacing the broader commercial sector. This is expected to continue, and Howden predicts GWP will approach $20bn (£14.4bn or €16.9bn) by the middle of the decade.

Howden said that as cyber risk grows in both perception and reality, the cyber insurance market now has real momentum behind it. No other business line, it said, has such a fluid risk landscape coupled with high-growth potential, and this tension is playing out right now, with demand for cyber cover increasing at a time when supply is actually dwindling for various reasons – some providers have exited the market, and some are openly discussing banning insurance against ransomware hits.

Nevertheless, all things remaining equal, this strong growth is expected to continue, and Howden said the degree of progression to date pointed to a market that was adapting and responding to current challenges with innovative solutions, while continuing to pay claims quickly and consistently when needed.

CybSafe founder and CEO Oz Alashe said he was unsurprised that costs were being driven up: “Growing numbers of claims as well as recent high-profile attacks – including the attacks on Ireland’s healthcare system, a key US fuel pipeline, and meat supplier JBS – have put huge pressure on the insurance market. As a result, costs are rising, and conditions for pay-outs following ransomware attacks are becoming increasingly stringent.

“Rising costs of insurance should be an added incentive for organisations to take their cyber security seriously. With cyber insurance companies becoming more vigilant about the requirements that must be met before providing them cover, getting the cyber security fundamentals right is more important than ever for organisations.

“Effective security awareness training, as well as a deliberate focus on security behaviours, like using stronger passwords and backing up data, are simple steps that organisations should take to protect themselves and ensure they can access the appropriate insurance,” added Alashe.

Read more about cyber insurance

Read more on IT risk management