CyberGuide - Information Security and Cyber Risk Management

‘Hard reset’ in the cyber market shifts focus to risk mitigation

By Erin Ayers, Advisen

Cyber insurance faces a “hard reset,” as the industry and businesses wrestle with a digital pandemic that has transformed the risk, the market, and what it means to be insurable, according to a recent report from Howden Group.

Three main factors drive today’s cyber insurance market, per the broker’s report: Ransomware, rates, and regulation. The shifting risk landscape has insurers boosting prices to stay ahead of the losses threatening profitability.

“The impacts for insurance buyers have been stark: supply is at a premium and rate rises for cyber insurance are amongst the highest across the entire market,” said Shay Simkin, global head of cyber at Howden, in the report. “Insurers are also demanding more from businesses’ cyber resilience, and are only willing to deploy capacity if they are satisfied by the strength of companies’ risk management frameworks. Or to put it differently, insurers are essentially cherry-picking accounts based on companies’ level of cyber security hygiene.”

The report cited average rate increases of over 30% in 2021 for cyber cover, and global cyber pricing now stands at 50% higher than at year-end 2019.

There have been double-digit increases all around for ransomware: 170% for the number of attacks worldwide between Q1 2019 and Q4 2020; 145% rise in costs in 2021 compared to 2020; and a 405% increase in the average ransom payment in the U.S. at Q1 2021 compared to 2019.

The staggering numbers and worries about aggregation have complicated an already tricky business, according to the report. There’s clear opportunity for growth in cyber, which has insurers balancing underwriting discipline and heightened demand. Howden’s Simkin emphasized that differentiated risk management can help unlock capacity and that relationships matter.

“One important point to make, however, is the distinction between renewals and new business. For the former, insurers continue to place value on relationships (broker and client), which are making renewals easier to manage,” he said.

One key consideration in cyber risk is the unique fact that customers and regulators frequently view cyberattack victims unfavorably, resulting in financial penalties and reputational damage.

“This is a harsh reality, given it is next to impossible to prevent cyberattacks (although mitigating measures can, of course, minimize the fallout) and the risk landscape is complex, dynamic and indiscriminate,” commented Simkin in the report.

Given the focus on risk management from insurers and regulators alike, “the importance of being prepared for a cyberattack cannot be overstated,” according to the report, which included insights from cyber modeler Kovrr, threat intelligence firm KELA, and forensics provider WireX. Any company can be a target, but unprepared companies frequently pay more in remediation costs, are less likely to be deemed insurable, and usually face sterner regulatory scrutiny and litigation.

The market shift, from a long-underpriced product to now stringent underwriting and rating, is meant to bring about a shift to encouraging risk mitigation, according to the report.

“Conditions are certainly challenging at present but market cycles come and go. A sustainable private market solution exists for cyber. Increased insurance penetration will, over time, facilitate a better understanding of the risks and aggregations involved, and incentivize risk mitigation,” the broker said.

Editor Erin Ayers can be reached at [email protected]