Ride the Lightning

Ransomware Now Comprises 75% of Cyberinsurance Claims

August 25, 2021

CyberScoop reported on August 23 that ransomware now accounts for 75% of all cyber insurance claims, up from 55% in 2016, according to the credit ratings agency AM Best. The percentage increase in claims is outpacing that of premiums, said a June 2021 report which concluded that “the prospects for the cyber insurance market are grim.” Fitch Ratings in April found that the ratio of losses to premiums earned was at 73% last year, endangering profitability.

Cyber insurance premium prices have increased by 30-40% this year. AIG’s chief executive said rates increased by 40% for its clients. But those increases, according to Chubb CEO Evan Greenberg, still don’t reflect the serious risk that a catastrophic cyber event poses. Cyberinsurance covers a wide range of ransomware-related costs, including extortion demands, remediation efforts and other losses.

Lack of profitability could lead to yet more premium increases, insurers leaving the cyberinsurance market or policyholders receiving more limited coverage.

What could turn things around? Some insurers are imposing stricter cybersecurity safeguards for policyholders or reducing coverage limits. Such requirements could help businesses bolster their defenses but may also make it harder for others to meet the threshold and therefore leave them without coverage. Reduced coverage limits means higher costs for ransomware victims.

Cyberinsurance is in high demand, a condition that might avoid disaster for the industry. The proportion of existing clients opting for cyber coverage rose 46% in 2020, according to the Government Accountability Office.

Some of the increases in premiums seem wild. One North Carolina school board recently approved $22,318 for one year of cyber liability insurance — up from last year’s cost of $6,653, or a 235% jump. That’s the largest percentage I’ve seen!

Is the industry itself to blame? Some think so. Paying the attackers rewards the crimes and encourages future attacks. 

“In too many cases the insurance model incentivizes paying criminals instead of having good security in place beforehand,” a Brookings Institution paper argued last month. A representative of the REvil ransomware gang said the gang targets companies that it knows have insurance, as they are “the tastiest morsels.”

Insurance company AXA has said it will stop paying ransom demands for future policyholders, partly in response to French government pressure to halt the practice. Other might limit coverage. “As companies are deemed risky then maybe there’s a higher deductible, or the insurance company might say, ‘I’m not going to write a $5 million limit on your cyber, I’m just going to limit my exposure to you to $500,000,’” said Sridhar Manyem, director of industry research at AM Best.

Insurers are more thoroughly examining prospective policyholders’ security controls, asking them, for instance, whether they have adopted multifactor authentication as a condition of receiving coverage.

As I can attest from Sensei’s experience, the applications are a lot longer and far more detailed. They are no fun to fill out – we literally have to explain to our clients what the application questions mean and what answers the cyberinsurance companies are looking for. Clients are generally very unhappy with the high standards (and monies required to meet those standards) that cybersecurity insurance companies are looking for.

Notice: The new RSS feed for Ride the Lightning is https://senseient.com/feed/?post_type=ride-the-lightning for those that wish to subscribe in a reader.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson