Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Cyberinsurance Firms Bracing for Catastrophic Risk

April 12, 2022

The Washington Post reported on April 7 that in the past year, insurers have doubled the cost of annual premiums charged to corporate clients. A typical small business that previously paid $10,000 annually for $5 million worth of cover in the event of an attack is now likely paying closer to $20,000, with just $1 million worth of protection. That has provoked consternation in all industries, including the legal vertical.

Some businesses worry that they are being priced out of cyberinsurance.

More than 80% of insurers reported a rise in cyber claims in the fourth quarter of 2021, many of them from ransomware attacks, forcing premiums up by 34%. This is the 17th (wow!) straight quarter in which prices rose. That has ratcheted up loss ratios for cyber insurers to nearly 70% in the last two years.

Some insurers have pulled out of the market completely, raising fears that certain kinds of attacks could become uninsurable. The reason is simple. Ten years ago, hackers targeted companies that held credit card numbers or social security details that they could sell on the black market. Claims were low and insurers charged relatively little.

But in the past two years, hackers have found a fast route to making money with ransomware attacks, which jumped in volume by 150% last year.

In mature sectors like home and property, fire, auto and travel, insurance companies have lots of data to guide them. But cyber is new, fast-changing and with almost no historic data. Insurers have paid much more than expected.

Insurance providers now fear what some in the industry have been referring to as a looming “catastrophic risk.” They worry that a single incident will affect systems across the globe because so many individuals and companies are using a handful of large providers for their cloud services or mobile operating systems. A successful attack on one major platform could trigger a flood of claims, sending multiple insurers into bankruptcy. It would be far worse than the NotPetya virus, which targeted Microsoft Corp.’s Windows-based systems and resulted in more than $10 billion worth of global damage.

Many cyberinsurance companies limit their exposure by simply not covering “acts of war” — a term much more clear in the physical world than in the cyber one. In new wording added to contracts recently, all that’s needed to invoke such a provision is for a government to declare the hack to be state-backed. And an insurer can merely “rely upon inference which is objectively reasonable” in doing so.

That means that a hack connected to Russia’s war on Ukraine, for example, might trigger the escape clause, leaving insurance clients having to absorb the losses.

Increasingly, insurers also refuse coverage if a client doesn’t have multi-factor authentication, while others require that clients continuously monitor employee devices for incursions, tightly control who can access the most sensitive parts of a network, and provide cybersecurity awareness training to employees.

Some companies have developed a new way of providing insurance. Rather than having applicants fill out a form detailing their cyber practices and then paying their premium, clients let insurers regularly monitor activity on their network, collecting and analyzing file logs without breaking into the customer’s network themselves.

This is alarming to many clients who are loath to let insurance providers monitor the hygiene of their networks. An array of startups have sprung up, including Security Scorecard and BitSight, that assess an organization’s cybersecurity performance, provide a metric and benchmark them against peers. (A higher score means better reputation and lower insurance premiums.)

Rotem Iram, CEO of San Francisco, Calif.-based At Bay Inc., says his company scans for common vulnerabilities among its more than 18,000 clients and uses the findings to patch those who may still be exposed, essentially acting to decrease its own liability as an insurer.

We may soon see insurance companies starting to buy cybersecurity providers outright. The benefits of owning a vendor would extend beyond cutting risk for customers, allowing insurers to collate and analyze the data crucial to actuaries analyzing and pricing risk.

The rapid pace of change in threats — from release of data to ransomware to shutting down infrastructure — has made it hard for the industry to keep up. Past victims tended to keep attacks secret, but they’re now being encouraged — and even required contractually — to share more information with their cyberinsurance company. That helps insurers better predict and calculate the cost of attacks and makes the outcome of a cyber incident/data breach far less expensive.

We have never seen cyberinsurance be this volatile – and it may be only the tip of the iceberg.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson