The largest ransomware pay-outs by cyber insurers in the last two years have averaged £3.26 million in the UK and $3.52 million in the US.
A recent survey of global insurers across the UK and US, conducted by enterprise security company Panaseer, found that 82% expect the rise in premiums to continue, with 74% of insurers agreeing that their inability to accurately understand a customer’s security posture is impacting price increases.
Cyber landscape consistently evolving
Panaseer recently released its latest report on the state of the cyber insurance industry, which highlighted the responses from the survey.
With the cyber landscape consistently evolving, ransomware is now considered to be the greatest cyber threat to the UK, while the US was the most targeted region in 2021, accounting overall for 53% of all ransomware attacks globally.
Recent data compiled by analysts at Fitch Ratings showed that ransomware attacks are even becoming a growing risk for US Corporates.
The vast majority of cyber losses, and thus the protection provided by most coverages, concern non-physical damage and disruption. The existing market for cyber physical insurance is small and specialised. Cover for physical asset damage may either be purchased as part of an inclusive cyber policy or considered as a ‘silent’ cyber coverage.
GDPW for cyber insurance
This analysis indicates that GDPW for cyber insurance can be estimated globally at around USD 8.61 billion in 2021, rising to almost USD 9 billion if captive insurers are also included, with the US alone likely to make up over a half of the total. With regard to the competitive structure of the market, it shows that the top 20 groups for this class are likely to have accounted for almost 77% of premiums worldwide and the top 100 groups for over 98%.
However, to help combat the ransomware crisis, Panaseer found that 87% of insurers want a consistent approach to analysing cyber risk, and 89% want direct access to customer security metrics and measures proving the status of security controls.
Metrics and measures will absolutely have a bigger role in insurance. There is a new market developing where insurers will offer a reduction on pricing if you provide a quarterly report through a specific security platform, because they know it’s a good product that helps to improve cyber hygiene. It is likely we will see the old way of doing cyber insurance coming under pressure, as there are smaller, more agile organisations capable of doing more and offering support.
Insurers believe that cloud security is the most important factor
Meanwhile, whilst premiums have risen and policies have tightened over the last five years, Panaseer’s research found that it is now the manufacturing, financial services and healthcare industries that are making the most cyber insurance claims.
The survey also showed that 40% of insurers across the UK and US believe that cloud security is the most important factor when assessing a potential customer’s security posture. This is closely followed by Security Awareness (36%), along with Application Security (32%), Vulnerability Management (31%), Privileged Access Management (31%) and Patch Management (30%), which highlights that insurers expect to see evidence of a layered, multi-faceted approach to cybersecurity.
In recent years, malware and ransomware cyberattacks have been causing severe disruption for global businesses and their supply chains. In addition to the rise in malware and ransomware attacks, the threat of state-sponsored cyber-attacks has become a significant focus for businesses and governments.
Unfortunately, there are no optional security measures. Insurers expect organisations to have good cyber hygiene across a broad spectrum of security areas, in both on-premise and cloud environments, with the evidence to prove it.
That’s why transparent data and security automation are so important, because it’s hard for any organisation to be perfect at all these technical disciplines.
The growth in the use of ‘double extortion’ tactics by cyber criminals
Recent years have seen growth in the use of ‘double extortion’ tactics, whereby cyber criminals combine the initial encryption of data with a secondary form of extortion, such as the threat to release sensitive or personal data. Hackers will also now attempt to encrypt or delete backups, making restoration and recovery more difficult or impossible. According to the Cyber Risk Barometer, a worrying recent trend has seen attackers harass employees to gain access to systems, as well as go directly to company senior executives to demand ransoms.
Results from the survey also showed that even if the current rate of cyber-attacks remains the same, the vast majority of respondents (84%) claim their organisations would continue to offer cyber insurance over the next three years.
47% of total respondents said they are ‘very confident’ in their underwriting process, 44% are only ‘somewhat confident’, and 9% said they were ‘not that confident’ or ‘not at all confident’, rising to 15% among UK respondents.
Cyber insurance cover
As the cyber risk landscape has changed, the insurance industry has turned its focus to helping clients improve the quality of their cyber risk management.
Cyber insurance cover is designed to protect organizations and individuals from digital threats such as data breaches, malicious cyber hacks on computer systems or denial-of-service attacks.
This insurance may include first-party cover for the cost of investigating a cybercrime, recovering data lost in a security breach, restoration of computer systems, loss of income incurred by a business shutdown, reputation management, extortion payments demanded by hackers and notification costs, in case of a requirement to notify third parties affected.
As the cyber class matures, it is likely that the coverage in place on insurance policies will be limited by increasingly sophisticated exclusions of acts of war and systemic risk, with cover bought back separately where there is appetite.
This approach is important to ensure that aggregate risks are properly understood, controlled, and priced for, and that customers are clear about what risk they will be protected for and what risk they will retain.