
Cyber insurance premiums, costs skyrocket as attacks surge

As cyber attacks and losses have increased, so has demand for cyber insurance. But now premiums are reflecting a harsh new reality.

The cyber insurance market is undergoing a massive shift as premiums have increased upwards of 50%, according to infosec experts and vendors, with some quotes jumping closer to 100%.

As cyber attacks such as ransomware ramp up, threatening the data and privacy of governments and private sectors, cyber insurance needs are changing and becoming more expensive. Between millions in ransom demands and an increase in threats like supply chain attacks, enterprises require different coverage than in the past. Not only has the price of coverage surged, but the cyber insurance business model is rapidly evolving as well.

A Sophos "Guide to Cyber Insurance" report, published this summer, described this as a pivotal period in which the "market hardens for the first time in its 15-plus year history," with premiums increasing as insurance carriers' payouts continue to rise. Meanwhile, according to an S&P Global report in June, cyber insurers' loss ratio (claims costs and payments divided by total premiums) increased for the third consecutive year in 2020, surging more than 25 points to reach 72.8%.

Despite rising premiums, the demand for cyber insurance is increasing on all fronts, from tech giants to small and medium-sized businesses. Shawn Tuma, partner at law firm Spencer Fane LLP, specializes in data privacy and cybersecurity risk management and has observed demand increasing over the last few years, and he said the trend has grown even stronger over the last year.

And ransomware isn't the only threat fueling demand for coverage. Supply chain threats were highlighted in several recent attacks, including SolarWinds, Accellion and Kaseya. In the case of SolarWinds and Kaseya, customers were compromised through the vendors' own update channels, and victims continued to emerge months afterward. Protecting the supply chain has therefore become a priority.

Seismic shifts for cyber insurance?

"Companies are now starting to realize that there is no such thing as 'secure' in today's cyber world and therefore, they need to find a way to manage some of the risk and plan for being resilient in the event they, or a company in their supply chain, has a cyber incident," Tuma said in an email to SearchSecurity.

Coalition CEO Joshua Motta also cited supply chain threats as one reason for the increase in demand, among others. Overall, he said the demand for insurance is far outstripping the supply. On Sept. 28, the cyber-risk platform announced a $250 million Series E funding round led by Durable Capital, which Motta said highlighted the increased interest in cyber insurance.

Motta said the demand is skyrocketing, largely driven by claims and by an increasing number of organizations experiencing cyber losses, or another vendor in their supply chain experiencing an issue. New requirements also fuel the rise.

[Chart: Sophos cyber insurance survey]
A Sophos survey this year found that while many organizations across a range of vertical industries had cyber insurance coverage, some had policies that did not explicitly cover ransomware attacks.

"It's also increasingly becoming required by an organization's counterparties," Motta said. "Insurance is, I think, being increasingly seen as an important mechanism for organizations to transfer and manage that risk amongst themselves."

Tim Francis, enterprise cyber lead at insurance giant Travelers, said the percentage of companies purchasing a cyber insurance policy continues to increase. Specifically, there has been around a 20% increase over the past three years, based on this year's Travelers Risk Index.

"Of the 1,200 respondents in the national survey, 56% said their company has purchased cyber insurance," Francis told SearchSecurity. "As recently as 2018, that number was 39%."

Is ransomware dictating the cyber insurance game?

As demand has increased, so have premiums. The increases have been partially driven by a rise in ransomware attacks and ransom payments. This year saw some of the biggest ransom demands ever, including one made by REvil for $50 million against PC manufacturer Acer. JBS USA paid $11 million, also to REvil hackers. One month prior, U.S. Colonial Pipeline Company paid $4.4 million to restart operations (though the FBI later seized a portion of the payment).

Ransom payments became such a problem that in May, one of Europe's biggest insurers, AXA France, suspended reimbursements as part of its cyber insurance policies for customers in France. Officials with the Paris Public Prosecutor's Office and the French National Agency for the Security of Information Systems criticized insurance policies that cover ransom payments, which prompted the change at AXA France.

The White House has also been aggressive in its fight against ransomware, issuing new directives and taking a strong stance against giving in to ransom demands. However, research by Sophos shows organizations with cyber insurance are more than twice as likely to pay ransoms as those without.

While Motta said Coalition never recommends paying ransoms, many businesses find themselves between a rock and a hard place, with the options being going out of business or paying the ransom.

"Insurance can be lifesaving, where it's the life of the corporation, like a lifesaving tool to help continue their operations," Motta said. "I certainly never envy the policyholder that has to make that choice, but I believe if there was to be a prohibition on paying ransoms or otherwise, not only would it be counterproductive but you would risk disenfranchising the tens of millions of businesses, small businesses in this country, that don't have an alternative, for better or worse."

Chester Wisniewski, principal research scientist at Sophos, said every time a company pays a ransom, the cybercriminals win. Instead, he believes insurers need to provide more incentives to the policyholders to improve their security postures and maturity model.

"If these policies can provide services, incentives or discounts to organizations to start adopting the practices that we all know are correlated with people not ending up as the victim, then everyone wins. The insurance companies can make more money and premiums come down and criminals stop getting paid. That's where I want to be. Right now, it's the other way around," he said.

Motta described the evolution of ransomware as a business model innovation rather than a technological one, which he said accounts for the increase in attacks and therefore in demand for insurance.

"It's become the dominant criminal business model because it's the highest return with the least amount of effort that has driven loss costs for organizations up dramatically," Motta said. "The severity of the losses for businesses is much higher than other forms of cyber incidents and as a result, so too is the cost of insurance rising as well as coverage being pared back."

Doug Cahill, vice president and senior analyst at Enterprise Strategy Group, told SearchSecurity that while cyber insurance is not exclusive to ransomware, the two tend to be connected because the risk of the latter is often a catalyst for the former. "Ransomware has been a driver for purchasing cybersecurity insurance, a market dynamic exploited by cybercriminals," Cahill said in an email to SearchSecurity.

Ransomware recovery adds further costs. A Sophos report revealed the average cost of recovery in 2021 was $1.85 million, up from $761,106 in 2020. The average ransom paid was $170,404. Wisniewski said that for a small business, a ransomware attack is always much closer to a business-ending event. "It's not even about the ransom; it's still costing millions of dollars."

On the other hand, while ransomware recovery and ransom payment amounts have had a substantial impact on demand and premiums, Tuma also believes the number of claims the insurance companies are seeing plays a big part.

"And the fact that the cyber insurance carriers are getting a better understanding of the market is also contributing to the increase," Tuma said.

Stephen Bish, lead cybersecurity strategist at accounting firm Schneider Downs, agreed that increased ransom demands play a role, but the increased frequency and impact of cyber attacks in general plays a much larger role -- as do the losses associated with them.

"Providers have to continuously adapt to the risk landscape of their clients," Bish said in an email to SearchSecurity. "As the average annual losses per client continues to increase for providers, so must the premiums for the business to function."

How much have premiums increased?

Just two years ago, infosec and insurance experts alike marveled at how cheap policies were; in some cases, companies could purchase $1 million in coverage for under $1,000. But times have changed for the cyber insurance market.

On a nominal basis, Motta estimated that across cyber insurance, prices have increased about 50% year over year, which he said is the largest increase of any line of insurance he is aware of. Tuma has also observed a substantial increase in premiums over the past year. He agreed that companies should anticipate a 50% or greater increase.

Paired with reductions in coverage, though, Motta believes the effective increase is even higher. Coalition has not had to reduce coverage, he said, but that may not be the case for all carriers.

"If you say that's the nominal price increase, or if you pair that with the reduction in coverage, the real pricing increases are upwards of 100%, so now you're paying 50% more for half the coverage," Motta said.

In a video for Schneider Downs on why cyber insurance premiums are increasing, Bish said premiums have increased 75 to 100% just in the last year, due to losses going up, which he said are at "an all-time high."

This presents a new problem for insured companies: the premiums may simply be unaffordable. According to Bish, many organizations are struggling to manage the cost of the increased premiums, but cyber insurance still plays a necessary role in any mature organization's cybersecurity and risk mitigation strategy.

Wisniewski also observed a change with cyber insurance purchasing starting in early 2020.

"Too many insurance companies were losing too much money and so some of them started pulling out of the market, and some of our customers and partners started saying they were having more difficulty acquiring policies," Wisniewski said. "They were either more expensive than they were, the premiums were increasing or that they were being much stricter with their criteria."

Heightened risks produce new business models

As enterprises look to expand coverage, cyber insurers are changing tactics there, too. Tuma has observed new companies emerging that combine security services along with the insurance product as a primary business model.

Coalition is one example of a cyber insurer that also offers infosec services and products to help manage risks. In the future, Motta believes insurance companies will have to be native technology companies, collecting and analyzing data at a scale that he said has never been done in the industry. Typically, Motta said underwriting happens once a year in commercial insurance, which is an eternity for emerging risks like cyberthreats.

"What if an insurance company could actually reduce the uncertainty of loss?" Motta said. "What if we could prevent something bad from happening to you, versus just helping you after the bad things happen, and that's one of the things that is dramatically different about our approach."

One example he gave: if a company exposes a remote access point to its network over the public internet, the likelihood it will file a claim is more than 20 times higher, Motta said. That became particularly problematic during the pandemic and the rise in remote work.

"If we can point out either at the time they're applying, or maybe it's during the middle of the policy period when they turned it on, because let's say there was a global pandemic and people had to work from home," he said.
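The exposure Motta describes is something both an underwriter and the insured can check from the outside with an ordinary port scan of the organization's public address space. The script below is an added example written for this article, not tooling from Coalition or any other insurer: it parses nmap's grepable (-oG) output and flags open ports that belong to an assumed list of interactive remote-access services (RDP, SSH, VNC, WinRM, SMB, Telnet). The scan lines embedded in it are constructed so that it runs offline; in practice you would feed it the output of `nmap -oG - <your public ranges>`.

```python
"""Flag internet-exposed remote-access services in nmap grepable (-oG) output.

Added example for this article; it is not code from Coalition, Sophos or nmap.
The scan lines below are constructed, and REMOTE_ACCESS_PORTS is an assumed
list of services that hand an attacker an interactive foothold when they are
reachable from the public internet.
"""
import re
from typing import Dict, List, Tuple

# Assumption: common default ports for interactive remote access.
REMOTE_ACCESS_PORTS: Dict[int, str] = {
    22: "ssh",
    23: "telnet",
    445: "smb",
    3389: "rdp",
    5900: "vnc",
    5985: "winrm-http",
    5986: "winrm-https",
}

# Constructed sample of `nmap -oG -` output for two externally scanned hosts
# (RFC 5737 documentation addresses). Fields are tab-separated; each port
# entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_NMAP_GREPABLE = (
    "# Nmap 7.93 scan initiated as: nmap -oG - -p 22,80,443,3389,5900 203.0.113.8/29\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, "
    "5900/closed/tcp//vnc///\tIgnored State: filtered (995)\n"
    "Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned\n"
)

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

PortEntry = Tuple[int, str, str]  # (port, state, service)


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [(port, state, service), ...]} for TCP ports in -oG text."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        host, ports_field = m.group(1), m.group(2)
        entries = [
            (int(port), state, service)
            for port, state, proto, service in _PORT_RE.findall(ports_field)
            if proto == "tcp"
        ]
        hosts.setdefault(host, []).extend(entries)
    return hosts


def exposed_remote_access(hosts: Dict[str, List[PortEntry]]) -> List[Tuple[str, int, str]]:
    """Return (host, port, label) for every open port in REMOTE_ACCESS_PORTS."""
    return [
        (host, port, REMOTE_ACCESS_PORTS[port])
        for host, entries in hosts.items()
        for port, state, _service in entries
        if state == "open" and port in REMOTE_ACCESS_PORTS
    ]


def exposure_report(text: str) -> Dict[str, object]:
    """Summarise a scan: hosts seen, individual findings, hosts with any exposure."""
    hosts = parse_grepable(text)
    findings = exposed_remote_access(hosts)
    return {
        "hosts_scanned": len(hosts),
        "findings": findings,
        "exposed_hosts": sorted({h for h, _p, _l in findings}),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_NMAP_GREPABLE)
    for host, port, label in report["findings"]:
        print(f"{host}: {label} ({port}/tcp) reachable from the internet")
    print(f"{len(report['exposed_hosts'])}/{report['hosts_scanned']} hosts exposed")
```

Only open ports count; the closed VNC port on the first host is parsed but not reported. A real check would also want service fingerprinting (`-sV`) and a banner sanity check, because a port number alone says nothing about whether MFA or a VPN sits in front of the service.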

Additionally, cybersecurity tools are now being integrated into the underwriting assessment process for more traditional insurers to better determine if a company is insurable.

"The more informed they can be about the existing level of risk of these companies and the more they can then help mitigate that risk with security services, the better off the insurer will be," Tuma said. "More importantly, the more secure the company will be if it heeds the advice it is receiving during underwriting and through these technological tools."

Motta said combining services gives the insurance side of Coalition a better sense of how vulnerable a prospective client is. For example, Motta said about 4% of companies that apply for insurance with them have already been compromised. "There are indicators of compromise that exist, where we believe there's already a fire burning, they just haven't discovered it yet," he said. "We decline, probably in total, about 13% of businesses that apply for insurance with us."

The frequency of claims made by Coalition policyholders is 70% lower than the U.S. market average, Motta said. In addition, Coalition has its own digital forensics and incident response services to help contain or mitigate loss.

While the market adapts to an increase in attack frequency and severity, as well as an unknown number of pending threats, Wisniewski finds insurers to be moving in a positive direction. One difference he's observed is insurance companies becoming more open to sharing information such as claims payouts to help others identify looming threats and potential weaknesses within their organizations.

"I think there has been a perception, certainly with people like myself and a lot of my colleagues and other companies, that's always been negative on insurance because we felt it wasn't playing a positive role in helping these companies get better," he said. "It was just like, 'I can buy this thing and then I don't have to worry about actually bothering to secure my stuff' and that's how it worked for the last five years."

Bish said the reality is that cyber-risk in general is likely to get worse before it gets better, but it is pushing insurers to implement stronger practices for companies.

"Providers are including prerequisites that shift focus toward prevention by enforcing basic controls such as multifactor authentication," Bish said. "By not insuring organizations that fail to comply with the most basic cybersecurity controls, providers can drastically reduce their exposure to risk without raising the bar to the point of inaccessibility."

Even with improvements in risk assessments and insurance carriers becoming more proactive with customers' security postures, the industry faces daunting challenges. Attacks continue to increase, and unforeseen events like the COVID-19 pandemic can introduce new threats and tactics. Wisniewski said attack techniques change so frequently that it's difficult to assess a given organization's readiness, which will be a major challenge for insurers, vendors and customers going forward.

"Because if you're ready for today's threat, but in six months they completely pivot and start doing something else, you might not be well prepared to defend against."

Enterprise Strategy Group is a division of TechTarget.
