The ransomware crisis is making cyber insurance harder to buy Join Our Newsletter

“You’ve got two very interesting dynamics happening, both at the same time,” explains Lori Bailey, chief insurance officer at Corvus Insurance. “One is a huge increase in claim frequency, which is a result of the ransomware epidemic over the last couple of years.”

The second dynamic is the growing value of claims. The average ransom demanded by cybercriminals in the first half of 2021 was $5.3m, up 518% from the 2020 figure, according to Palo Alto Networks’ Unit42 research division. The average payment grew by 82%, reaching a record $570,000.

These two dynamics are squeezing the insurance industry’s ability to pay out on its customers’ claims. "Carriers, and more specifically re-insurers, really struggle with this dynamic in the market,” says Bailey.

An insurer’s ability to cover risks is limited by the funds it has available to cover the costs of a claim. In the case of cyber insurance, those costs are astronomical, Andrea Rebora, cybersecurity associate at PricewaterhouseCoopers and a PhD candidate at Kings College London. "They don't have enough money for everyone,” he says. “The amount of money necessary to cover the potential clients is too great. It’s an absurd amount of money.”

As a result, insurers are putting up their premium prices and limiting the circumstances in which they will pay out. UK insurance marketplace Lloyds of London recently unveiled new rules stating that underwriters will no longer cover damage caused by “war or a cyber operation that is carried out in the course of war” including “retaliatory cyber operations between any specified states”.

Providers are also becoming more discerning in who they will insure, says Rebora. "There is clear proof they are not only increasing their prices, but that they can also pick and choose." Insurers are demanding evidence of effective cybersecurity defences before accepting a new client. “They want to see everything to the detail of what a client is doing to protect their networks or train their employees, to see if they have an incident response plan and so on,” Rebora explains. “They need to make sure that the client is worthy of their services."

This means that cyber insurance, in the traditional sense, may not be available to every company that wants it. "Some organisations… won't be insurable through typical commercial channels and coverages," analysts at Forrester predicted last year.

Some are therefore exploring other means. A “captive insurer” is an insurance provider that is wholly owned and controlled by its policyholders. The benefits include “the ability to tailor coverage for hard to insure or emerging risks,” according to accountancy firm PwC.

Bailey expects large companies to use captive insurers to mitigate cybersecurity risk. “Many companies have formed a captive insurance company for harder-to-place risk, or to take some of the risk onto their own balance sheet," she says. “I certainly think this is a trend that would absolutely continue in the future.” This is not an option available to everyone, however.

Cyber insurance: a condition of doing business?

For companies unable to secure cyber insurance, it may not just be risky but an impediment to their business, as it is becoming a condition of doing business in some areas. “In certain industries and certain revenue segments it's not uncommon to see a requirement for cyber insurance before engaging in a contract," says Bailey.

As a result, Forrester’s analysts predict, "a cyber policy will become a need-to-have rather than a nice-to-have."

This means that, despite the stress it places on their business, the ransomware crisis has put insurance providers in a position of considerable influence. “Because of these current trends, insurance companies have quite a fair amount of power,” says Rebora.

For some companies, the ongoing squeeze on the cyber insurance market may provide the impetus to invest in up-to-date precautions and protections. But for those without the capital or capability to do so, it could lead to lost opportunity and exposure to potentially insurmountable risk.

How long will the squeeze last? Estimates vary: Simon Milner, an agent at Miller Insurance, expects it to be resolved in the next two quarters, while Howden Group Holdings suggests it could last until at least 2025.

But it is not just individual companies that are at risk. The constraints of the insurance sector’s finances mean it may not be able to handle a catastrophic cybersecurity incident affecting multiple parties, warns Bailey.

"If there is some sort of large-scale cyber event, could the private sector and the insurance industry withstand that? Ultimately I think it would take something from the public sector in order to manage any kind of large-scale catastrophe,” she says.