Russia’s War in Ukraine added a big dose of complexity into an already complicated cyber risk environment, elevating the threat of large-scale attacks at a time when the market was still adjusting to rampant ransomware, according to Howden.
Cyber risk has undergone several episodes of change in its relatively short history, but escalating ransomware frequency and severity in 2021 and 2022 was unlike anything experienced previously.
The accompanying retrenchment of insurance capacity, coupled with a wave of demand globally, caused a supply and demand imbalance of such extremity that the average cost of cover more than doubled (see 5 Key Benefits of Ransomware Insurance).
2022 introduced further uncertainty into the market
Given the protagonists in the Ukraine war – Russia and Ukraine host some of the worst offending ransomware gangs – the prospect of cyber warfare and spillover to other states is real.
The cybercriminal therefore demands a ransom to free the locked system, threatening to publish the data, including personal information and company data, if the ransom is not paid.
The insurer’s annual review of the cyber risk landscape also highlights the emerging threats posed by the growing reliance on cloud services, an evolving third-party liability landscape that means higher compensation and penalties, as well as the impact of a shortage of cyber security professionals
The array of groups operating in the cyber battlefield also potentially complicates distinctions between state-sponsored attacks and those carried out by non-state actors.
The situation remains highly unpredictable, but most cyber activity linked to the conflict has so far been relatively contained, and the large-scale attacks widely predicted in the run up to invasion have not (yet) occurred (see Global Cyber Crime, Fraud & Ransomware Survey).
In fact, the immediate effect of the conflict appears to have contributed to a reduction in ransomware frequency, as both warring sides refocus their efforts and resources.
The near four-fold increase in ransomware incidents through 2020 and the first half of 2021 abated in the second half before falling further last year.
Ransomware attacks nevertheless remains at elevated levels, especially when compared to data breach trends over the last four years.
Frequency index for global ransomware vs data breach incidents
Perhaps an even more decisive factor in suppressing attack frequency (and severity) has been improved cyber hygiene. This is something that the insurance market has augmented by requiring companies to have minimum standards of cyber security in place in order to access capacity (see about New Cyber Risk & Ransomware Trends).
Insurers’ deployment appetite is now correlated directly to the sophistication of security controls, and, as a result, companies are investing heavily to improve their risk posture.
This has not only made them more resilient to conventional, financially motivated cyber attacks, but also to the considerable risks that exist in such a highly charged geopolitical climate.
The cyber risk landscape doesn’t allow for any resting on laurels. Ransomware insurance and phishing scams are as active as ever and on top of that there is the prospect of a hybrid cyber war.
Most companies will not be able to evade a cyber threat. However, it is clear that organizations with good cyber maturity are better equipped to deal with incidents. Even when they are attacked, losses are typically less severe due to established identification and response mechanisms.
The burdens on companies getting to this point have been considerable, but the cost of insurance cover is now more commensurate with attritional loss costs, and hardened cyber defences have left companies less vulnerable to prolonged disruption or outsized losses in the event of a breach.
Most buyers are looking to maintain existing levels of coverage overall in spite of the rising costs, but this has inevitably caused strain in an environment of restricted capacity and increased uptake – see for trends around supply, claims and demand in the United States.
Capacity, claims and demand trends in U.S. cyber market
With increased competition, the ingredients for a more mature cyber market are now in place
These difficulties notwithstanding, there are signs that conditions in the cyber insurance market are starting to moderate or even stabilise. Howden show Global Cyber Insurance Pricing Index from 2014, along with year-on-year changes, attests to this.
Within the last 12 months, average rate increases have fallen from 120% plus to low double-digits, yielding flattening pricing overall, albeit at historically high levels.
The global economy is in a precarious position heading into 2023. The combination of an energy shock, rapid inflation, rising interest rates and geopolitical tensions has seen growth lose momentum.
Howden’s Global Cyber Insurance Pricing Index
With existing carriers looking to increase capacity deployments, boosted further by a series of new entrants, the ingredients for a more mature cyber market are now in place. Insurance buyers will therefore be expecting a rational cyber market this year, with access to capacity that rewards improved risk profiles.
The prospects for 2023 are looking up, but, as is always the case with cyber, much will depend on geopolitics.
The global economy is in a precarious position heading into 2023. The war in Ukraine has superseded COVID-19 as the dominant economic driver, even as China continues to grapple with fresh outbreaks. The combination of an energy shock, rapid inflation, rising interest rates and geopolitical tensions has seen economic growth lose momentum.
The insurer’s annual review of the cyber risk landscape also highlights the emerging threats posed by the growing reliance on cloud services, an evolving third-party liability landscape that means higher compensation and penalties, as well as the impact of a shortage of cyber security professionals.
Such potential vulnerabilities mean that today a company’s cyber security resilience is scrutinized by more parties than ever before, including global investors, meaning many firms now rank it as their major environmental, social, and governance (ESG) risk concern, the report notes.