Rising Cost of Cyberattacks Sends Insurance Policy Costs Skyrocketing
When Lloyd’s of London discovered problems in its IT systems in October, the 300-year-old insurance market temporarily took some of them offline, fearing it had suffered a cyberattack. After a thorough investigation, cyber specialists found nothing wrong, and life returned to normal after about a week.
But, even if there had been an attack, Lloyd’s would have been covered – its management set up cyber insurance to meet the costs.
It’s a form of hedging that seems like an obvious buy for an organization managing a global market. However, for other companies, the decision whether or not to purchase coverage is much more difficult, despite the rising profile and costs of ransomware attacks.
Cyber insurance premiums have skyrocketed in recent years. According to Sarah Stephens, head of international cyber insurance at brokerage Marsh, prices started to rise in late 2019.
The Marsh Market Index shows the cost of cyber insurance in the US growing at a rate of more than 100% year-over-year at the end of 2021, although it moderated to 79% in the second quarter of this year and 48% in the third.
John Neal, chief executive of Lloyd’s, says the higher prices are a reaction to both an increase in claims and a long period of falling prices between 2010 and 2018. Since then, the cost of cyber claims has been pushed up by a sharp rise in the number and cost of ransomware attacks, in which criminals disable a company’s systems and demand a ransom – often millions of dollars – to bring them back online.
Cyber insurance, Neal says, “had become undervalued” and insurers were making losses on the product in 2018 and 2019. Prices needed to rise, he said, “to reflect exposure more meaningfully.”
Still, says Marsh’s Stephens, some customers have become “very frustrated with the process”, adding that many companies who had only recently started buying coverage found it “particularly shocking” to be hit with strong price increases so early.
On top of that, cyber insurers have become more picky about what business they are going to take on, insisting on extensive information about the security customers have in place and excluding certain types of incidents from the coverage they offer.
Andreas Wuchner of cybersecurity watchdog group Panaseer says some insurance buyers are now asking questions about the value of the product.
“A lot of organizations say it’s not worth the cyber insurance money, and it’s better to invest in compensating controls,” he says. “It’s very valid.”
Combine that with cost pressures elsewhere as inflation rises, he adds, and some companies decide to buy less insurance and retain more cyber risk themselves.
Stephens says only a “very small percentage of customers” have stopped buying cyber cover altogether, though she adds that some have taken a hybrid approach: buying less insurance and relying more on so-called captive insurers, in-house insurance companies that many large companies have as a means of reducing their insurance costs.
Insurers say the benefits of their products go far beyond paying out money for a claim. They point out that they also provide services to help companies deal with cyberattacks when they occur – from rescuing data and systems, to negotiating with attackers, to dealing with customers and staff who were affected.
“It’s a very unique and stressful situation to have a cyber event, especially ransomware,” says Paul Bantick, head of global cybersecurity and technology at insurer Beazley. “You want to have people on your side who have done it many times, who know the exercise, who can advise you and help you think through your options. If you don’t have anyone to help you, it’s a real challenge.”
Preparation is everything and insurers can advise on checks, he notes. “The one thing that will always ring true is that the better you respond and the processes and controls you have to mitigate this, the less likely you are to pay a ransom.”
Bantick says that while it’s “not a big conversation” when insurers explain price increases to their customers, many of them understand the reason. “What customers are overwhelmingly aware of – more than ever – are the threats.”
Despite the price hikes and growing cost pressures companies are facing across their businesses, the insurance industry expects demand for cyber coverage to rise.
According to Lloyd’s Neal, the global cyber insurance market is expected to grow from $12 billion in annual premiums today to $60 billion over the next five to 10 years as threats increase.
“Companies need to look at the risks they face,” he says. “[They have to] get under the skin of their own protection and risk management measures.”