As Ransomware Booms, Are Cyber Insurers Getting Cold Feet?
Expect to See Extortion and Social Engineering Attacks Excluded From More Policies
Are insurers getting cold feet over covering losses to ransomware?
Today, more than 75 different insurers offer cyber policies or policies that include some type of cyber coverage.
But as more victims who carry cyber insurance are being pressured to pay out more, and increasingly seem to be doing so, insurers have been seeing their profit margins take a hit.
The problem is being compounded by the damage caused by more sophisticated ransomware operators, leading to damages "increasing by orders of magnitude," often due to lengthy and expensive incident response efforts, warns insurance giant Aon.
As a result, some insurers are reportedly looking to exclude more costly types of cybercrime, including ransomware, unless customers pay a premium for these types of coverage or pass prerequisite checks on their security posture.
Who Pays Ransomware Profits?
As success stories go, for the criminally inclined, ransomware has been behind a banner year in illicit profits, despite the ongoing COVID-19 pandemic.
Constant innovation is one factor, as ransomware operations have continued to refine their business strategies, including exfiltrating and leaking stolen data, using affiliate programs to boost their reach, and even hiring call centers to run boiler-room operations to pressure victims to pay.
In Q3, the average ransom payment - when a victim paid - was $233,817, which was an increase of 31% from the previous quarter, reports ransomware incident response firm Coveware.
Gangs' successes carry an obvious cost for victims who pay; their criminal profits put a drain on someone else's budget. When victims do pay a ransom, some will remit it entirely from their own coffers. But many organizations now carry cyber insurance with ransomware or extortion protection.
Insurers Respond
As ransomware payouts have risen, however, insurance providers' profits have been taking a dive. Accordingly, some insurers now appear to be "attempting to shelter themselves from these losses, either by excluding extortion events from standard cyber insurance coverage or by introducing onerous new conditions on policyholders," the Seriously Risky Business newsletter reported last week.
Experts across the security and insurance industries say that, with ransomware racking up record profits, there's little chance of it abating anytime soon.
"We expect that ransomware will be the main claims story of 2020," as it was in 2019, according to a June report issued by Aon.
"Frequency and severity of ransomware continues to drive losses with frequency up significantly in 2020, however, more alarmingly, the severity of the damage is increasing by orders of magnitude," Aon says. "Complexity of breaches and lack of competition has driven increase in incident response expenses eclipsing U.S. costs."
Ransomware Hits More Sectors
Aon says in its June report that "2019 was the year we were all (nervously) waiting for: although ransomware has been on the rise for years, it was last year that the insurance industry felt the impacts far and wide."
Ransomware previously led to some large payouts - for example, after the 2017 NotPetya destructive wiper malware outbreak. But claims tied to that attack were mostly "limited to a few large multinationals," Aon says, whereas more ransomware claims have been "spread across companies of all sizes - and especially the small, commercial segment."
Loss Ratios Increase (That's Bad)
Cyber policies had been a nice little earner for insurers.
But beginning in 2019, 192 different U.S. providers of stand-alone cyber insurance products reported that their collective loss ratios - referring to the ratio of losses to premiums earned - increased by 12.7%, meaning that profits fell.
The problem was the increase in the number of victims submitting claims. From 2018 to 2019, the average amount per cyber insurance claim actually fell slightly from $50,401 to $48,709, while premiums rose by about 11%.
Over the same time period, however, the frequency of claims increased. "The average 2019 claim frequency across all companies was 5.6 claims per 1,000 policies, up from 4.2 in 2018," Aon reports. "This jump in frequency more than offset a reduction in the claim severity."
As a result, market watchers say premiums are sure to increase. "Currently, commercial and private cyber insurance premiums total about $5 billion, and we expect this to increase 20%-30% per year on average in the near future," Standard and Poor's says in a cyber risk report issued in September.
Insurance providers might also make it more difficult to collect a claim for certain types of cybercrime.
Standard and Poor's reports that, in some cases, it's already beginning to "see exclusions for certain industries, such as critical infrastructure or financial service companies," as well as certain types of claims, including business email compromise - aka CEO fraud - attacks, as well as "cyber extortion payments."
Market Set to Evolve
In the longer term, however, Standard and Poor's expects to see insurers getting better at analyzing cyber risks and moving beyond simply existing to pay out claims.
"Insurers can provide additional value by providing assistance services and helping policyholders better handle cyber risks," S&P says.
Benefits include helping insurers differentiate themselves from each other, as well as "reduce the frequency and severity of cyber claims," the company says. "More efficient cyber prevention and sophisticated management in a claims scenario heavily correlate with a lower claim cost and are therefore also a key advantage for an insurer."
Ransomware operators' business smarts and constant push to innovate have been the keys to their success. Cyber insurers must follow suit.