Cyber attacks began to climb last year, but big ransomware strikes over the past two months have convulsed the insurance market. Ireland’s healthcare system, a key US fuel pipeline and, then this week, meat supplier JBS are among the ambitious targets to have been briefly shut following attacks.
Western officials have pointed the finger at criminal groups likely to be based in Russia.
In a typical ransomware incident, hackers lock up a target’s network or hold its data until a ransom has been paid. For the businesses that buy cyber insurance (in the US, about half of those who purchase insurance), ransomware is covered under their general policies.
These offer a mixture of financial compensation, for losses including business interruption and ransom repayments, and services such as data recovery. As the severity and frequency of the attacks increase, the cost of cyber insurance is surging.
From the start of April to mid-May, premiums jumped 27% from last year’s levels, according to the latest like-for-like data from insurance broker Aon. Nor are insurers simply increasing prices.
They are also becoming more vigilant about controls at the companies to which they sell cover. For US insurer AIG, the tougher underwriting approach put in place this year starts with an additional 25 detailed questions on clients’ security measures.
“If [clients] have very, very low controls, then we may not write coverage at all,” Tracie Grella, AIG’s global head of cyber insurance, told the Financial Times.
“But mostly what we’re doing is reducing the cover that we’re offering, so if clients do not meet the control level that we are looking for, then we will have to reduce our limit with respect to ransomware by half.”
For those customers, AIG is putting in place so-called coinsurance, where clients essentially share the losses under the policy.
The ransomware threat was rammed home to the industry last month after Axa, one of Europe’s largest insurers, fell victim. Axa scrambled to establish the extent of the damage after hackers claimed they had made off with three terabytes of data, including personal and medical records.
The Paris-based insurer has not commented on whether a ransom has been paid.
The assault on Axa emerged after the company said its French business would suspend the writing of insurance policies that refund the cost of ransom payments made to cyber cartels, a stance taken at the urging of local officials.
A person familiar with the matter said the attack began before the insurer made that decision on ransom payments.
Cyber insurance is normally structured as a tower, where each portion of the risk might be underwritten by a different group.
For the primary layer, the one that takes the initial hit above the client’s excess, conditions are getting tougher, say market participants.
“One of the things we are seeing with the large corporate clients is that the market for primary insurance is really drying up,” said Graeme Newman, chief innovation officer at London-based insurance provider CFC. The size of ransoms paid, together with other costs, makes it more likely that the first policy in the tower will pay out in full.
“There are very few insurers that are looking to attach at that level.”
The proliferation of different types of ransomware, alongside the growth of a cottage industry supporting those launching attacks, has contributed to the surge in incidents, according to Sarah Stephens, head of cyber for the international division at Marsh, the world’s biggest insurance broker.
“As ransomware-as-a-service really took off, we’ve seen the complexity, the frequency and the severity of ransomware incidents just skyrocket,” she said, adding that third-party services include support hotlines and websites for publicising attacks.
Evidence of insurers’ concern is multiplying. A survey by The Council of Insurance Agents and Brokers, a US industry body, found that 73% of its members — those who find coverage on behalf of companies — reported a decrease in underwriters’ capacity to take on cyber risks in Q1 2021.
That compares with a 10% drop a year earlier.
Insurers are using a mixture of financial incentives, in policy and pricing changes, in an attempt to persuade companies to strengthen their controls.
Plenty of ransomware attacks are not targeted at all, experts say — they are scattergun efforts that search for businesses with weaknesses such as not having multi-factor authentication on email or on remote access to their networks.
“Everyone has to recognise that the claims environment and the cyber threat environment is significantly worse than it was two years ago, and therefore you can’t exist in this market without what I consider the most basic controls,” said CFC’s Newman. “Yet we are seeing large corporates come to market without the basic controls in place.”
Radical Options
According to industry experts, some businesses are examining whether to abandon buying cyber policies altogether and instead set up their own captive insurance companies.
A captive is an entity established and capitalised within a group to provide insurance cover to the rest of it, in return for a premium. It can then either purchase reinsurance or just hold on to the risk itself.
If some companies are balking at the rising cost of cover, there is a growing expectation that governments might ultimately intervene to try to kill off ransomware attacks.
Last month, the US opened a debate over the merits of making ransom payments, a practice that is opposed by the FBI. Some insurance experts fear banning them will simply push payments underground, making them and attackers harder to trace.
Whether or not governments outlaw ransom payments, the volume of attacks has led some to conclude that companies and insurers risk being overwhelmed. Governments may have to provide more security services and even a financial backstop.
The post Important: As ransomware demands explode cyber insurance companies rethink premiums appeared first on Payments Cards & Mobile.