They had been warned. “It was a business in Texas,” recalls Mario Vitale, chief executive of cyber insurance provider Resilience. The company had taken out coverage with Vitale’s colleagues for the past year, with no claims made in the intervening period. Then, during a routine internal scan designed to calculate their client’s exposure to a potential breach, a vulnerability was discovered.
“They kept saying they were going to fix it and fix it,” recalls Vitale, right up until the renewal date for their policy earlier this year. At first, Resilience refused to offer the company coverage – until their broker suggested a compromise. If you think the business is vulnerable to a ransomware attack, they suggested, perhaps a policy excluding coverage for that possibility was in order? The deal was struck. A week later, staff at the business found themselves locked out of their computers, with no coverage to pay the hacker’s demands.
In many ways, this episode illustrates just how dangerous ignorance about cybercrime has now become for businesses. Since 2019, ransomware has swept through both the public and private sectors like a plague, locking nurses and teachers as well as CISOs out of key systems. But it’s also thrown the nascent cyber insurance industry into turmoil. Far from guaranteeing a steady uptick in cautious clients fearful of becoming the next company to be hacked or worse, the sheer weight of claims has seen premiums skyrocket in price – prompting fears that SMEs are beginning to be priced out of the market altogether.
“I would be disingenuous if I told you that ransomware wasn’t a key factor in some of the headwinds that we’ve seen in the market with regards to pricing,” explains Bob Parisi, head of cyber solutions in North America for German reinsurance company Munich Re. It’s been a rollicking ride for a marketplace that, for much of its history, seemed fairly tranquil. “What we had for probably the first 15 years of the cyber market was a softening market, where coverage constantly increased, and prices went down,” Parisi says.
Those days are clearly over. The first half of this year saw one cybersecurity vendor block 63 billion threats, a year-on-year rise of 50%, while cyber insurance costs shot up by 102% in the first quarter. Terms and conditions for coverage have also been tightened. Lloyd’s of London, for example, went as far as to eliminate coverage for breaches that arose directly from state-sponsored attacks, a sizeable portion of the overall damages accrued from ransomware. Its reasoning, according to the firm’s underwriting director Tony Chaudhry, was that policies shouldn’t “expose the market to systemic risks that syndicates could struggle to manage”.
This market crunch has come at a fraught moment for businesses. Although plenty of insurers still provide ample coverage for cyberattacks, the ability of companies to protect themselves has been limited by an international shortage of skilled IT workers. Failure on the part of a business to hire the right team to secure systems can, in turn, reduce its attractiveness to underwriters, who are keen to avoid signing new clients one week only to shell out for a ransom in the next. Then there’s the inherent unpredictability of the threat environment itself.
“I think the insurers are still figuring out, ‘How confident are we in our ability to estimate and predict this risk?’” says Josephine Wolff, a professor in cybersecurity policy at Tufts University and an expert in the cyber insurance market. Over time, adds the professor, this has led to a “less stable market… and also just a lot of uncertainty in which people aren’t confident about what their cyber insurance will cover.”
Cyber insurance and the ransomware crisis
Cyber insurance does not have a long history. The market itself, explains Vitale, has only been around for about 15 years. “I have to say we are still within the infancy stage,” he says, a term that’s also relevant when describing the segment’s size. While its overall revenues were valued at $9.29bn at the end of 2021, that’s dwarfed by the accumulated value of property policies, for example, which stretch into the trillions.
At first, the market was dominated by huge firms with sprawling exposure to hackers. A greater awareness of cybercrime generally, however, has prompted more SMEs to enter the segment. “When I launched Resilience in late 2020, I was amazed that a fairly high number – like, almost 20% of the submissions I was given – were first-time buyers of cybercrime insurance,” says Vitale.
The process of drawing up cyber insurance policies is rigorous. It begins with an assessment of how well-equipped the client is to deal with a cybersecurity threat from a governance standpoint, explains Parisi. After that, he continues, providers typically drill down into the mundanities of cyber defence: whether multi-factor authentication is in place on corporate devices, how data is uploaded to the cloud, and the extent of cyber-awareness training among staff. Particularly for large companies, adds Vitale, “underwriters will also use external scans to assess your vulnerabilities,” as well as stress test corporate systems from the inside.
In addition, some cyber insurers keep a close eye on chatter among cybercriminal gangs. “We are monitoring the dark web,” says Vitale, keeping tabs on the latest vulnerabilities and the exchanges among hackers on forums about which targets to hit next. Based on that intelligence, he adds, providers like Resilience can quickly update their clients with new data on which systems need to be secured, and how.
Even so, says Wolff, assessing a potential client’s cybersecurity posture properly remains a slow and complicated process – one that insurers, she adds, “haven’t found good ways to automate”.
It also didn’t help many cyber insurance providers weather the crisis of ransomware. After that, a rise in the price of premiums seemed somewhat inevitable. “Policyholders started filing a lot more ransom claims, and they [the insurers] were making a lot less money – and they were worried that they would even start losing money,” says Wolff.
Some even argued that the mere existence of cyber insurance effectively helped fuel the crisis. “I definitely think that having insurance coverage for ransom payments changes the calculus for companies deciding whether or not to pay,” says Wolff. “It’s the difference between, ‘Am I going to be out of this money myself, or am I going to file a claim with my insurer and have them cover most or all of it?’”
For his part, Vitale has heard anecdotally of hackers targeting a business and rifling through their internal records for evidence that their gang is guaranteed a payment of a certain size under their existing insurance policy. However, he explains, there are plenty of ransomware victims in the private sector who don’t have coverage. Hackers, in other words, are going to hack, regardless of what insurance victims might have taken out. “At the end of the day, I don’t believe it’s added that much incentive,” says Vitale.
Even so, the growing threat posed by ransomware and other kinds of breaches is prompting a growing number of providers to push for even more transparency from clients. Some insurance companies have begun striking deals with hyperscale cloud providers directly, to obtain more data on the kinds of defences currently in place in their vast repositories – and how to improve them.
Munich Re announced such a deal with Google Cloud in March 2021. “We entered the arrangement, the partnership, wanting to get information inside the firewall,” says Parisi, allowing Munich Re to craft bespoke risk manager reports and obtain new insights into their clients’ potential exposure to cybercrime. “They get a quicker process, and we get more data that we can basically accumulate so that we can be more transparent and data-driven.”
The future of cyber insurance
Now that premiums have risen and terms and conditions for coverage have been tightened, has the cyber insurance market reached a new equilibrium? Vitale believes that it has – at least from Resilience’s point of view. “Our retention rate is very strong,” he claims, with the percentage of clients choosing to continue their coverage with the provider in the mid-nineties.
What’s more, explains Vitale, businesses now have a much more mature understanding of the risks posed by cybercrime than they did a decade ago. “I can tell you from the boards I sat on that… we never discussed cyber,” he says. “Now, there’s not a board meeting where there’s not an audit committee or a risk committee discussion, because it impacts the potential earnings of companies so severely.”
There are reports, too, that the number of ransomware demands seen over the past two years is beginning to plateau, or even fall. The same goes for premiums, argues Parisi. “Prices are still going up, but not as precipitously as in the past year or two,” he says.
Even so, this has led businesses of all stripes to question whether cyber insurance is affordable for them anymore, or at least if they need to buy as much excess as they did beforehand. Among some of the larger firms, says Vitale, this means that “instead of buying an $800m tower, they’re going to buy a $200m tower.” Meanwhile, for SMEs, says Wolff, market conditions are “certainly driving some of them to drop their coverage if they can’t afford it, or to reduce their coverage if they can’t afford as much as they used to have.”
That, in turn, may trigger more cases resembling that of Vitale’s client in Texas. Others, though, might be inclined to invest more heavily in antivirus and training, or outsource protection completely to a third party. “It’s sort of reinvigorating the conversation about, ‘Is this the best way to spend our cybersecurity dollars?’” says Wolff. “And, it’s always a trade-off: ‘If we spend it on insurance, we’re not spending it on something else.’ And so, as those prices rise, you see companies have come back and rethink that.”
Ongoing volatility in the cyber insurance market has also made reinsurers nervous about increasing their exposure to the space. These behemoths, explains Vitale, help to keep many of the frontline providers afloat. In recent years, however, they “have cut back on their coverage terms and conditions, just like these [cyber] insurers have done to their clients”, he says.
Resilience’s answer to this problem, explains Vitale, has been to double down on closely liaising with clients to minimise their vulnerability to breaches as far as is humanly possible. But the reluctance of reinsurers to fully commit to the market, he says, has “caused some constraints and concerns.”
While Vitale is optimistic that the cyber insurance industry will continue to expand (“I believe that this is a product line that will grow…to $25bn in premiums over the next three to five years,” he says), Wolff argues that the market is unlikely to grow much if interest from reinsurers remains tepid. Without them, she says, “you really can’t have very big cyber insurance policies, because the carriers won’t be willing to sell them.”
Ironically, continuing uncertainty around the future course of cybercrime remains the greatest enemy of insurers operating in this space. “I think the problem here,” says Wolff, “is that nobody really has a handle on what’s coming.”