Insurers Changing Cyber Capacity, Appetite, Limits, & Policy Terms as Losses Spike

After the pandemic and home-working drove a surge in ransomware attacks that left insurers reeling from large payouts, insurers have cut the amount of cyber cover they provide to customers in half.

Source: Reuters | Published on November 19, 2021

Due to increased demand, major European and American insurers and syndicates operating in the Lloyd's of London market have been able to charge higher premium rates to cover ransoms, network repair, business interruption losses, and even PR fees to repair reputational damage.

However, the rise in ransomware attacks, as well as the increasing sophistication of attackers, has made insurers wary. According to insurers, some attackers may even check to see if potential victims have policies that make them more likely to pay out.

"Insurers are changing their appetites, limits, coverage and pricing," Caspar Stops, head of cyber at insurance firm Optio, said. "Limits have halved – where people were offering 10 million pounds ($13.50 million), nearly everyone has reduced to five."

Lloyd's of London, which controls roughly one-fifth of the global cyber market, has discouraged its 100-odd syndicate members from taking on cyber business next year, according to industry sources who spoke on the condition of anonymity. Lloyd's has refused to comment.

Ransomware encrypts victims' data, and hackers typically offer victims a passcode to unlock it in exchange for cryptocurrency payments.

It has replaced data theft and sale to third parties as the preferred attack method for cyber criminals.

Suspected ransomware payments totaled $590 million in the first six months of this year, compared to the $416 million reported for the entire year of 2020, according to US authorities in October.

A ransomware attack on Colonial Pipeline in May, one of the largest heists, shut down the largest fuel pipeline network in the United States for several days.

According to insurance broker Aon, profits for cyber insurers in the United States fell in 2020. The combined ratio - a measure of profitability in which a level greater than 100% indicates a loss - increased by more than 20 percentage points from 2019 to 95.4 percent.

While insurers struggle to keep up, businesses are under-insured.

"It's very unlikely people are getting the same limits - if they are, they are paying an extraordinary amount," David Dickson, head of enterprise at broker Superscript, said.

Dickson stated that one technology client had previously purchased 130 million pounds of professional indemnity and cyber cover for 250,000 pounds. The client could now only get 55 million pounds of cover for 500,000 pounds.

According to a report released last month by U.S. broker Risk Placement Services (RPS), insurers who issued $5 million cyber liability policies last year have reduced their limits to between $1 million and $3 million in 2021.


According to a European Union report published in October, the COVID-19 pandemic and the rise of home working have allowed cyber criminals to thrive.

Meanwhile, Coveware, a cyber security firm, compared the 90 percent-plus profit margin from ransomware attacks in 2021 to the gains made by Colombian cocaine cartels in 1992.

Previously, hackers used a scattergun approach, such as sending out thousands of phishing emails, but now they are more targeted, reading balance sheets and focusing on specific industries.

According to Tom Quy, cyber practice leader at reinsurance broker Acrisure Re, attacks are shifting away from healthcare facilities and municipalities - which have weak IT controls but also little money - and toward manufacturing or logistics firms.

According to insurance broker Marsh, premium rates have nearly doubled in the United States and increased by 73% in the United Kingdom as a result of the frequency and severity of ransomware attacks. RPS stated that rates for some policies had risen by up to 300 percent.

Whereas ransom payments used to be around $600, they are now as high as $50 million, according to Michael Shen, head of cyber and technology at insurer Canopius, and insurers are sometimes asking policyholders to pay half of the ransom.

According to industry sources, the United States and France are among the countries most concerned about ransom payments.

The FBI has stated that it does not support paying ransoms, and a few states in the United States are considering prohibiting municipalities from paying ransoms.

While insurers are less willing to provide large amounts of coverage, they warn that failing to pay ransoms could backfire.

"Of course no-one wants to pay criminals," Adrian Cox, CEO of insurer Beazley, told Reuters. "At the same time, if you ban it ... you could cripple a lot of businesses whose systems have been disabled."

Such companies have deep pockets and cannot afford extended outages to repair their systems, so they would rather pay ransoms, particularly if they have insurance to cover them.

"We advocate to everyone you don't disclose your insurance because that's crucial to your business," Scott Sayce, global head of cyber at Allianz Global Corporate & Specialty, said.