A report from the Malwarebytes Threat Intelligence Team titled 2023 State of Ransomware reveals a huge surge in attacks between July 2022 and June 2023. Of the 1,900 attacks cited, nearly half (43%) originated in the United States.
This represents a 75% rise in U.S. attacks since 2022. And according to blockchain analytics firm Chainalysis, the volume of payments to ransomware attackers surged to $449.1 million during the first six months of 2023 — despite an overall drop in crypto crime — and is well on its way to reaching its second largest annual total on record, estimated at $898.6 million.
As cyber insurance pushes toward a potential end to its hard market, surplus line insurers are emerging with a considerable portion of the marketplace. They now account for more than 60% of direct cyber premiums written in the sector, according to AM Best.
“Ransomware continues to be the major threat facing our clients,” reported Philippa Berry, Cyber Product Development Leader, CFC Underwriting, Ltd. “We have seen a marked increase in the severity of ransomware claims, driven by both an increase in the value of the actual extortion demands and the significant business interruption losses that clients incur through a ransomware attack. Recently we have seen cyber criminals increase the use of data exfiltration as a pressure tactic, as they believe victims are more likely to pay an extortion demand if there is the threat of sensitive data being leaked.”
“The first half of 2023 saw a significant rise in ransomware attacks — up nearly 50% compared to 2022,” reported Shay Simkin, Global Head of Cyber at Howden. One bit of good news, he noted, is that many companies are becoming more resilient through the implementation of cybersecurity measures. “Buyers that have the correct risk controls in place are being rewarded.”
“Ransomware is a major source of cyber insurance losses,” said Andy Moss, partner and member of the Litigation Department Insurance Recovery Group at Reed Smith LLP. “The only difference between now and two or three years ago is that I am seeing fewer clients have to pay ransoms because companies have hardened their systems,” he said. “They have better backups such as the cloud and more protection against ransomware attackers.”
Rates stabilize, premiums rise
According to the report “Cyber insurance market stabilizes as profitability improves” (Moody’s Investor Services, June 6, 2023), citing Munich Re, the global cyber insurance market is currently estimated at approximately $12 billion in premiums, but is projected to grow to $33 billion in premiums by 2027. Moody’s reports that since 2017, cyber insurance (including both standalone policies and cyber insurance coverages that are part of a package policy) has grown at over a 30% CAGR through 2022 and reached over $7 billion in direct premiums written.
Annual rate increases for cyber insurance of more than 100% were recorded during the first half of 2022. However, the corresponding period in 2023 saw flat renewals, Howden’s Simkin reported. “We have seen decreases in recent months, as pricing has come off historical highs.”
While pricing has stabilized compared to the past several years, the cyber market is not soft, pointed out Tim Foody, Area Senior Vice President, Executive Lines at Risk Placement Services (RPS). “Capacity has gotten easier to come by in 2023. Many excess layers are being absorbed by underlying carriers taking on a larger limit than they were willing or able to in 2022.”
“Cyber pricing has been moderating, after the sharp increases seen in 2022 and there have been a lot of new entrants to the market,” observed Greg Chambers, Underwriting Manager for Cyber and Technology, AXA XL. “The way the market has been softening recently, it will continue to soften unless there’s an influx of claim activity or some sort of major event.”
The cyber insurance market has been in a corrective state as far as pricing is concerned, driven by a need to get the price right to match the threat environment, Berry pointed out.
“The market is reaching a point of maturity and with that comes stability of pricing for clients, which is good news,” she noted. “Cyber insurers are operating with renewed confidence in the market, and I’d say that the market has reached its most competitive level for a number of years, particularly in the U.S., and capacity is increasing — although not back to where it was pre-pandemic.”
As we look at the 2023 cyber insurance market and out toward 2024 and beyond, it is important to keep reinsurance capital in mind, Simkin said. “The direct market’s use of reinsurance is the single biggest differentiator between cyber and any other class of business,” he pointed out.
“With approximately 45% of cyber premiums ceded to reinsurers currently, broad capacity constraints and price corrections in the reinsurance market present potential limitations. Cyber reinsurance supply will need to increase significantly to meet demand between now and 2030 from USD6bn-USD18bn,” said Simkin.
Specialized cyber services
As ransomware attackers become more sophisticated, cyber insurance is becoming more sophisticated, too. One of the most exciting developments in today’s cyber insurance world is the quantum leap into specialized services aimed at helping clients to prevent attacks and to deal with them if they happen.
“Cyber insurance policies are not merely there to protect a client’s balance sheet,” says Howden’s Simkin. “They also offer additional services, such as incident response services, legal assistance in the event of a claim, PR assistance, and ransomware negotiation and payment, which is particularly important for clients who don’t have all the resources to deal with cyber events.”
“I believe the evolution of cyber insurance as a service is the most valuable and impactful development that the market has ever seen,” said CFC’s Berry.
“Cyber insurance as a service” first manifested as incident response services, providing support and guidance to clients when they suffer a cyberattack to minimize the impact of the attack and help them recover and get back to normal business operations as quickly as possible. “This service-driven approach has evolved further, with the latest and most exciting development being proactive cyber insurance: proactively working to defend policyholders from attacks happening,” Berry said.
“CFC pioneered this approach in 2021, and we have built a dedicated team of cyber specialists whose sole job is to prevent cyberattacks from occurring against our clients,” she continued. The team accomplishes this challenging task through a combination of vulnerability scanning, dark web monitoring, and leveraging threat intelligence feeds from both government and private sources, to identify exposures in real time and convert this data into actionable intelligence to stop an attack from occurring.
“Identifying clients who are actively being threatened means we can get to them before the cybercriminals do, thwarting the stress and damage that a cyber incident can cause. Each month we are helping to prevent hundreds of cyber incidents, which translates into tens of millions of dollars saved in potential losses,” Berry reported.
Cyber success tips
The burgeoning cyber market presents a bevy of opportunities for agents and brokers who are committed to taking five strategic steps. First on the list: build your expertise.
“To be successful as brokers, we must be true cyber experts, with the technical understanding required to communicate with cyber buyers and understand their needs,” stressed Simkin.
The more you know, the better service you can provide, in the form of all-important client education. “We need to ensure that clients fully understand the services available to them under their policies and provide them with clear protocols on how to use those services,” he said.
Foody of RPS suggests teaming up with an expert who can provide advice if you have questions about the quickly changing cyber landscape. “The cyber market is evolving too rapidly for most people to keep up with,” he said. “You need to partner with someone who is in the space every day and knows what to look for and ask about.”
Second, brokers and agents need to take pains when selecting cyber carriers; in today’s market, only the best will do.
“Agents and brokers should look for reliable, established cyber carriers,” advised Anthony Dolce, Head of Professional Liability and Cyber for The Hartford. “These carriers should have dedicated cyber claims teams that can act as additional resources for their insureds as well as those that provide additional cyber-related services, at both the pre- and post-loss stages. Also, look to carriers that can provide varied solutions to your clients’ situations, including tailoring the types of coverage that is needed, whether it be stand-alone cyber, cyber mixed with Tech E&O or Cyber linked with professional liability insurance.”
“Agents and brokers must be mindful about the services offered by, and experience of, the cyber insurers with which they are placing business,” CFC’s Berry agreed. “The real value of a cyber insurance policy extends far beyond the words written on the pages of the policy documents — it is in the proactive services provided to policyholders to prevent cyberattacks from happening and the critical support of incident response services if an attack does occur.”
“Cyber coverage varies dramatically from one insurer to another on any given risk, so each quote needs to be reviewed thoroughly,” stressed Foody. “The market has been turbulent in recent years and for a while, cyber underwriting was done with a machete. Now it’s being done with a scalpel.”
Third, look at cyber holistically. “It’s important not to look at cyber in a vacuum,” said Moss of Reed Smith. “There can be a lot of overlap in terms of coverage areas, depending on the type of claim. For example, if a company is a financial services, healthcare, or law firm, cyber matters can turn into professional liability matters if clients and customers are affected.”
The Securities and Exchange Commission (SEC) recently adopted rules requiring public companies to disclose material cybersecurity incidents they experience and to disclose annually material information regarding their cybersecurity risk management, strategy, and governance. Under the new SEC rules, a cybersecurity event can become a D&O issue, potentially triggering crime coverage, as in the case of invoice manipulation, Moss explained.
“If a cyberattack affects employee benefit plans and results in an invasion of employee privacy, it could also involve fiduciary coverage. It’s vital to analyze how cyber coverage fits into the client’s overall insurance program, given what the company does for business and the types of risks they face,” he advised.
“The key thing to understand is that cyber insurance is part of the insured’s overall cybersecurity toolkit, which includes IT infrastructure, employee training, and more. Each of those items is essential,” Foody of RPS noted.
Fourth, find ways to bring SMEs and SMBs into the growing cyber market. “Although cyber risk awareness is growing across the board, cyber insurance essentially remains focused on the large corporate market,” pointed out Simkin. “More work needs to be done in engaging with smaller companies, where data consistently show low cyber insurance uptake overall.”
Fifth and finally, it’s vital to continuously stock your talent pool with cyber-savvy insurance pros.
“Talent attraction is crucial,” Simkin said. “To succeed, we must attract young, eager people and give them the opportunity to learn, creating a new generation of true cyber insurance specialists who add value for the benefit of our clients.”