The market for cyber insurance, according to observers, has begun to stabilize after a surge in ransomware attacks in recent years pushed up premiums dramatically.
Cyber insurance can be used to pay ransoms to hackers who encrypt company technology systems, or it can be used to offset the cost of responding to data breaches.
The recent premium increases appear to be slowing, if not stopping entirely, as insurers improve their risk-evaluation skills, new market entrants begin offering coverage, and supply and demand assert themselves.
“Things are looking up,” said Jason Krauss, head of cyber product coverage for insurance brokerage WTW in North America. “It’s incredible, right, that I’d tell you that a 20% increase [in premiums] isn’t bad. However, it is regarded as a positive development.”
According to industry insiders, the cyber insurance market has been going through a “tough” period, with rising premiums and less flexibility from insurers in terms of offerings. According to data from the Council of Insurance Agents & Brokers, premium prices increased by more than 34% on average in the fourth quarter of 2021, with some businesses reporting far steeper rate increases.
“It was excruciating,” said Kristen Peed, director of corporate risk management at professional services firm CBIZ Inc. and RIMS board member. Ms. Peed stated that some colleagues in risk management saw increases of up to 200%.
“We’ve had two painful renewal years with rising deductibles, restrictions, and…price increases,” she explained.
The insurance itself remains relatively niche—insurer Munich Re Group estimated the global value of cyber insurance premiums at $9.2 billion at the start of 2022, compared to hundreds of billions of dollars spent on commercial insurance in the United States alone, according to the Insurance Information Institute—but the events that drive premium increases have become familiar.
One of several recent multimillion-dollar ransomware attacks, the 2021 attack on Colonial Pipeline Co. resulted in a $4.4 million ransom payment. According to Treasury Department data, US financial institutions flagged ransomware-related transactions totaling more than $1 billion last year, a significant increase from previous years.
However, experts say that figure only scratches the surface of the crime’s economic scale.
With higher insurer payouts came higher premium increases. “It was kind of nasty there for a little while,” said Robert Parisi, Munich Re’s North American head of cyber solutions. Over the last two years, he described a hockey stick-like rise in premium pricing. The increases are a correction for premiums that were arguably too low for years, he added.
“The underwriting is aggressively moving toward the question, ‘How can we get a deeper, more insightful look?'” Mr. Parisi explained. Meanwhile, while prices are not falling, they are rising more slowly than in recent years, he noted.
Insurance companies have tightened the underwriting standards that accompany the issuance of new policies and have begun reviewing the defenses that businesses have put in place to thwart cyberattacks. Companies are questioned about their cybersecurity systems, and their contracts with popular cloud hosting companies may be scrutinized, according to Mr. Parisi.
Businesses have tightened security, with phishing emails and multifactor authentication becoming commonplace to test for inattentive employees. And, according to Brent Rieth, U.S. practice leader for cyber solutions at broker Aon PLC, more organizations are prepared to respond to insurers’ questions. “They have better controls in place,” he said.
However, new underwriting requirements have not been welcomed by businesses seeking insurance. “Our clients have been lamenting the new requirements that must be met in order to be insured or even reinsured,” said Richard Peters, a cybersecurity expert and managing director at consulting firm Berkeley Research Group.
Increased demands are costly and time-consuming for small and midsize clients. According to Mr. Peters, insurers expected some to conduct costly security risk assessments.
Roberta Sutton, a Potomac Law Group partner who advises businesses dealing with insurance companies, stated that all of her clients have been asked to complete more detailed applications for ransomware insurance.
According to Ed McNicholas, co-leader of the cybersecurity practice at Ropes & Gray LLP, some businesses have chosen not to purchase insurance. However, not all businesses can, as some require cyber insurance in order to work with partners, according to Mr. McNicholas. Proposed government regulations regarding breaches may also drive businesses to seek risk transfer through insurance companies, he believes.
Stricter underwriting, slightly lower demand, and more carefully crafted insurance policies are all likely contributing to lower prices, which observers believe will continue to fall.
However, insuring evolving cyber risks remains difficult because cyber insurance providers don’t have much actuarial data for such risks, and even if they did, it wouldn’t be “terribly insightful,” according to Mr. Parisi of Munich Re.
“Ransomware has everyone worried, and rightly so,” he said. “The cyber insurance community must be fairly nimble.”