Earlier last month, CNA Financial reportedly paid a $40 million ransom after a ransomware attack and the CEO of Colonial Pipeline Co. admitted that his firm paid $4.4 million to a criminal gang after a ransomware attack led the company to shut down its 5,500 mile-long pipeline for nearly a week. It’s not clear whether Colonial Pipeline and CNA are seeking reimbursement from their insurance companies for the ransoms paid. However, increasing number of cyberthreats, especially ransomware attacks, is leading some cyber insurers to take drastic action. A recent report from GAO (Government Accountability Office) describes the current circumstances and challenges faced with regards to cyber insurance.
Let us take a look at the challenges faced by cyber insurance industry:
- Limited historical data exists on Cyber Losses and Events – This important since insurance companies use historical data to quantify risk and set premium rates for insurance products.
- Cyber policies lack common definitions – Common terminology can help lead to a more sustainable cyber market in which insurers make informed choices about the level of coverage and policyholders can understand their insurance protection.
- Some businesses have limited awareness of Cyber Risks and Coverage – Insurance industry (along with insurance agents and brokers) can help companies understand the risk, impact and cost of a cyberattack on their operations. This is important since some businesses (especially smaller ones) tend to underestimate their cyber risks and the cyber coverage needed to mitigate those risks.
- Cyber risks are evolving and could involve aggregated losses – The evolving cyber risk landscape makes it difficult for insurers to underwrite coverage.
Currently cyber insurance coverage varies by industry and entity size. For example one way to understand the extent of coverage is through take-up rates. Insurance take-up rates refer to the percentage of entities eligible for coverage that elect to take it. Take-up rates have increased from 26% in 2016 to 47% in 2020 based on data from Marsh McLennan , see chart below:
Here is a industry-wise view of the above data from Marsh McLennan:
The amount of growing risk has created uncertainty in evolving Cyber Insurance Market. Here are major factors that have contributed to it:
- Increased demand – The demand for cyber insurance has increased as businesses better understand and respond to increasing cyber risks. Data indicates that the number of cyber insurance policies have increased by about 60% in 2016-2019, from about 2.2 million policies to more than 3.6 million policies and the amount of total direct written premiums increased about 50% during same period, from $2.1 billion to $3.1 billion.
- Higher premiums – After holding relatively steady in 2017 and 2018, cyber insurance premiums increased markedly in 2020, as seen in the chart below:
- More cyber specific policies – Insurers offer affirmative cyber coverage – that is, coverage specific to cyber risk.
- Reduced coverage limits for certain sectors – Continually increased frequency and severity of cyberattacks, especially ransomware attacks, have led insurers to reduce cyber coverage limits for certain risker industry sectors like health care and education.
- Tighter terms and more exclusions – Insurers have been tightening policy terms and conditions for cyber specific policies. They have also been adding exclusions to traditional lines of coverage.
While the cyber insurance space continues to evolve driven by external factors, it is important that businesses take a proactive approach to cyber security rather than a reactive one.
Better to be safe than sorry.
Most organizations tend to focus heavily on the reactive side and are quite light on the proactive part. Read more about this imbalance between proactive and reactive cybersecurity here. Also, check out our guidance on preventing or limiting the impact of ransomware attacks here.