Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester.
Organizations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organizations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.
While raising premiums, some insurers are reducing coverage. If an organization bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.
In the recently released "2022 Voice of the CISO" report from Proofpoint, just 49% of CISOs at US-based organizations said they have cyber insurance and are confident that it will be there when needed. This is well below the 58% global average; Canada led the study at 88%, whereas the US ranked 11th worldwide. In that same report, 56% of global CISOs specifically cited the increase of ransomware attacks as a main driver of concern and a key reason to obtain cyber insurance.
Losses Are Wreaking Havoc
This situation was underscored in a March 2022 cyber insurance event, sponsored by cybersecurity vendor Sophos, called "Optimizing Your Cyber Insurance Position," where Marsh McLennan Agency (MMA) risk management consultant Marc Schein, national co-chair of the Cyber Center of Excellence, laid out why cyber insurers are revising their requirements for applicants and why their models needed to change.
Schein said the global average associated with ransomware recovery for 2021 was expected to reach roughly $20 billion. The frequency and severity of attacks are increasing, he said, and "insurers' rating models did not accurately predict some of the loss severity that they've actually been seeing [with] evolving privacy regulation."
Additionally, increasing regulatory fines and penalties "really have started to wreak havoc on the cyber insurance marketplace," Schein said.
The industry is seeing "increasing conservative limit deployment from certain carriers in response to an increase in volatility from large losses and deteriorating financial performance," he added. "They're not only raising prices, but they're also now starting to change the way that the coverage is structured."
Scott Godes, a partner with law firm Barnes & Thornburg, is a cyber insurance specialist. He agrees that major changes are occurring, noting that some carriers are implementing new exclusions and limitations on the types of coverage policyholders need the most. Nearly all carriers are raising their rates across the board.
"Carriers are getting significantly more aggressive on their claim positions," Godes says. "They are using outside counsel much more frequently to investigate, handle, and adjust claims. It seems very unlikely that carriers hire lawyers to adjust claims to give the most coverage possible to their insureds."
Insurers are finding that assumptions they made about potential losses, based on their experience with other insurance policies such as personal and property liability, are not accurate. Losses have been much higher on some cyber insurance policies over the past several years than insurers anticipated five years ago.
An August 2021 article in Canadian Underwriter highlighted the financial effect some of these assumptions are having on insurance companies' bottom line. "In cyber liability, total net premiums earned for the second half of 2021 were $94.15 million – $12.15 million from Canadian insurers and $82 million from foreign insurers," it reported. "But total net claims incurred (not including reinsurers' share but including adjustment expenses) were $106.26 million ($97.4 million from foreign insurers and $8.86 million from Canadian insurers), for a loss ratio of nearly 113%."
Setting Baseline Security Controls
Insurance brokers and carriers are responding to the higher losses from ransomware and unexpected costs by modifying how and to whom they write policies.
Insurers are beginning to require that certain security controls be in place before they will sit down with a prospect to discuss cyber insurance.
"What cyber insurance brokers and carriers want to see from policyholders is a real effort and investment made to reduce the likelihood of a ransomware attack and to be prepared to respond to one should it happen," Forrester's Burn says.
To that end, she recommends that organizations put the following controls in place immediately:
- Securing Remote Desktop Protocol (RDP) and other remote access configurations.
- Restricting macros from executing when downloaded from the Internet.
- Establishing an incident response plan — companies must have playbooks for common attack scenarios like ransomware and business email compromises, and they must test those plans and playbooks regularly with tabletop exercises and crisis simulations.
- Implementing multifactor authentication.
- Implementing an offsite backup solution.
MMA's list of controls includes the above, plus the following:
- Employee cybersecurity training.
- Third-party risk management (TPRM).
- Patch management.
- Vulnerability management.
- Endpoint detection and response (EDR) and managed detection and response (MDR).
- Logging and monitoring.
- End-of-life plan.
- Email filtering.
- Privileged access management (PAM).
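The two control lists above are what underwriters ask applicants to attest to, and a few of those items can be verified locally before the questionnaire is filled in. The following read-only audit is an added example, not code from the article, Forrester or MMA; it assumes a Windows endpoint with PowerShell 5.1 or later, the documented registry locations for the Remote Desktop settings, and the Office 2016/2019/365 ("16.0") policy hive for the "Block macros from running in Office files from the Internet" setting.

```powershell
# Added example: local check of two insurer-baseline controls from the lists above
# (secure RDP, block Internet-sourced macros). MFA, offsite backups and the incident
# response plan cannot be verified from the registry and need separate evidence.

function Get-RdpPosture {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        Control     = 'Secure RDP'
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        # Acceptable only if RDP is off, or on with NLA enforced.
        Pass        = ($deny -eq 1) -or ($nla -eq 1)
    }
}

function Get-MacroPosture {
    # Policy value name is the documented one for the "block macros from the
    # Internet" Office setting; it must be 1 for each Office application.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $val = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Control = "Block Internet macros ($app)"
            Pass    = ($val -eq 1)
        }
    }
}

# Print a pass/fail table an applicant can attach to the insurer questionnaire.
@(Get-RdpPosture) + @(Get-MacroPosture) | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are readable; a missing policy value is reported as a failure rather than an error, which is the conservative reading an underwriter would also take.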
TPRM is often poorly understood, since organizations have a difficult time determining the risks associated with their supply chains. It is even more difficult to determine the risk of a supply chain's supply chain.
Burn says she expects to see a new, focused breed of cyber insurance policies in the next 12 to 18 months to cover the weakest link in the supply chain. What those policies will cover is still unwritten.