Covering cyberattacks was profitable business for insurers — until ransomware grew out of control.
Cyber insurance has generally been a risky, albeit profitable, insurance line.
For the first time, the line’s profitability is no longer assumed. The overall combined ratio for cyber insurance is 95.4% for the year 2020, according to Aon Reinsurance Solution’s U.S. Cyber Market Update published in June 2021. For stand-alone cyber policies, which are purchased separately rather than as part of insurance packages, the combined ratio was 100.1%, according to the report, which notes that these numbers may be understated.
What’s more, cyber insurance posted its highest rate increase of 18% for the first quarter 2021, accelerating from its first quarterly double-digit climb of 11.1% in the fourth quarter 2020, according to the Council of Insurance Agents and Brokers’ Property/Casualty Market Survey (see Figure 1).
“The market has definitely hardened. Insurers want to batten down the hatches and want to offer less — reinsurers too,” said Jon Laux, head of cyber analytics for Aon’s Reinsurance Solutions. “The whole industry is reckoning with the fact that the risk is underpriced and undermitigated.”
Insurance lines commonly experience pricing cycles. It takes a while for claims experience to reveal a trend troubling enough to compel tighter underwriting selection and adjustment. For well-established insurance lines, which went through developmental adolescence decades ago, adjusting prices just goes with the territory.
But having originated a couple of decades ago, cyber insurance is a line now going through its own developmental adolescence. “The cyber insurance market is still evolving, and today it’s in a state of flux,” said Eduard Alpin, chief actuary for Resilience Cyber Insurance Solutions, a program manager combining cyber security and cyber insurance.
How cyber insurers, customers, regulators and other stakeholders respond will shape the line’s maturation going forward. “We are in a crucible,” warned Laux.
The cyber insurance line has grown significantly since data breaches began making headlines in the early-to-mid 2010s. In 2020, about 200 insurance groups offered cyber coverage. This figure is up from 140 groups in 2016, according to the Aon report, which is based on data from the National Association of Insurance Commissioners (NAIC) Cybersecurity and Identity Theft Insurance Coverage Supplement.
Another measure of cyber insurance’s growth is direct written premiums (DWP). The total DWP for stand-alone and package policies accelerated by 22% in 2020 to approximately $2.7 billion, up from a 14% increase in 2019, according to “U.S. Cyber Insurance Market Update,” released in May 2021 by Fitch Ratings. Stand-alone cyber premium rose 29% in 2020, reflecting a growing interest in securing affirmative cyber coverage and dedicated limits for related exposures to address coverage ambiguity, the report notes.
Alpin suggests that the DWP amount is higher and is closer to $6 billion because the NAIC statutory data does not capture all cyber insurance. Alpin explains that cyber insurance policies in the United States can be written in many ways, are heavily reinsured, typically through quota shares, and can be written by companies based in London and Bermuda.
Increases in cyberattacks are not the only factor driving growth, however. According to the Fitch report, more comprehensive regulatory and legal requirements, such as the California Consumer Privacy Act and the New York Department of Financial Services Cybersecurity Regulations, are also driving cyber insurance growth.
From 2014 to 2020, the cyber insurance market expanded rapidly; premium volumes grew and coverage broadened, Alpin said. Carriers noticed the high growth and high profitability and jumped into the market. “Underwriting was very lax during the soft market,” he said. “Often underwriters were only given a company name and asked for a quote, no application.”
For the year 2020, Laux observes that some carriers were enjoying reasonable profitability, but many others sustained significant losses. Among U.S. cyber insurers, the incurred loss ratio was 76.7% at the 75th percentile and 137.8% at the 95th percentile. “The question now is what is 2021 going to look like?” he says.
Laux states that the inflection point in the direct incurred industry loss ratio — the direct loss plus defense and cost containment (DCC) ratio — took place in 2019. In just one year, the loss ratio rose from 44.9% in 2019 to 67% in 2020, according to Aon’s report. That is a far cry from the enviable low of 32.4% in 2017.
For stand-alone cyber insurance, which is growing in popularity compared to coverage sold in insurance packages, the incurred loss ratio rose dramatically in 2020 to 73%, compared to an average of 42% for the previous five years from 2015 to 2019, Fitch Ratings notes in its report.
Prior to the loss ratio increases, Laux said, there seemed to be some margin in cyber — even when including a reasonable catastrophe load — regardless of whether the expense ratio was closer to 30% or 40%. “Now I would say that margin is gone,” he observes, “when incorporating a CAT load, it’s definitely gone.”
Alpin estimates the cyber insurance line experienced $4.2 billion in industry losses in 2020, based on the incurred loss ratio estimates of around 70% and $6 billion in collected premium.
Not surprisingly, when insurers started to notice rising losses in late 2019 and 2020, rates went up and coverage began to tighten. From fourth quarter 2016 to fourth quarter 2018, rates were declining quarterly before beginning a modest incline in 2019 and picking up speed into their first double-digit increase in fourth quarter 2020 (see Figure 1).
“Regarding companies’ portfolios, some companies are reducing their cyber portfolio sizes by non-renewing certain policies,” Alpin said. “Others are also managing their exposure by not writing new business on certain segments or going out with high rate increases — in some cases up to 50%.”
Carriers also are sublimiting some of these coverages, Alpin said, citing AIG, which began introducing a sublimit at 50% for any cyber event when ransom is demanded. They’ve also introduced co-insurance to the cyber market, requiring their clients to contribute 50% to any ransomware loss.
However, while profitability has generally deteriorated, some segments of business have remained profitable. “Recent disappointing results for some or most of cyber insurance underwriters should be seen as a minor turbulence and not a major disruption,” offers Alex Krutov, president of Navigation Advisors LLC.
The declining profitability in cyber insurance is driven by increases in claims costs, primarily due to ransomware.
The average 2020 claim frequency across all companies was 5.62 claims per 100 policies, which was virtually unchanged since 2019 based on NAIC data cited in “Ransomware and Aggregation Issues Call for New Approaches to Cyber Risk,” published by A.M. Best in June 2021.
Aon reported that the high loss ratio is primarily due to the average claim size increasing from $48,709 in 2019 to $74,354 in 2020. Another way to look at insurer costs, according to data provided by A.M. Best to Actuarial Review, is the average incurred losses per claim by calendar year. While the amount is driven by reserves, it also shows an upward trend in claim costs (see Figure 2). “Cyber claims are becoming more sophisticated,” explained Sridhar Manyem, director of industry research and analytics for A.M. Best. They are also more expensive to process.
The loss ratio is mostly driven by ransomware, which has been increasing dramatically while less lucrative cyber data breaches have been on the decline, according to Aon’s “Cyber Insights for Insurers,” released in April 2021. Specifically, from fourth quarter 2018 to fourth quarter 2020, ransomware increased 621%, while other data breaches decreased by 84%.
The cybersecurity firm Sophos reports that the average ransom paid by a mid-sized organization is $170,404, according to its “State of Ransomware 2021” white paper published in April 2021. The average bill for rectifying a ransomware-involving attack — including downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc. — is $1.85 million worldwide, double the 2020 costs. The report is based on a survey of 5,400 information technology decision makers in 30 countries that was conducted in January and February 2021. Even worse, there is no guarantee of data returning. On average, only 65% of the encrypted data is restored after paying the ransom.
The Federal Bureau of Investigation and many cybersecurity experts recommend against paying ransoms. In May French insurer AXA announced it would not pay ransoms to cyber attackers for its clients in France. “It might be a good test to see if they can offer cyber without ransomware coverage,” Alpin said. Ironically, a couple of weeks later, ransomware attacked AXA’s Asian division, though the two events are reportedly unrelated.
AXA is not alone. CNA Financial Corporation, one of the top 10 largest cyber carriers in the United States, was forced to move operations offline in March 2021 due to ransomware. Cyber insurers are inviting targets for ransomware attackers, suggests an article at Cyberscoop.com, because client data could reveal the most potentially lucrative policyholders.
CNA paid a ransom of $40 million following an attack on its own systems, Bloomberg Business News reported, though that figure is unconfirmed. If accurate, it would be one of the largest ransoms ever paid by a company.
Even more disconcerting are cyberattacks on infrastructure upon which the public depends. The cyberattack on the Colonial Pipeline, which reduced available gasoline by 45% from Washington, D.C., to Florida in early May for about a week, led to an eye-popping ransom of $4.4 million. Before the month was over, cyber attackers went after JBS Foods, the second-largest producer of beef, pork and chicken in the U.S.
The CNA and Colonial Pipeline ransoms got the attention of the U.S. Congress. In June 2021, Congresswoman Carolyn Maloney (D-N.Y.), chair of the House Oversight and Reform Committee, wrote the CEOs of both companies requesting them to provide all attack-related documents and communications, including those related to any ransom payments.
“I am troubled that the company declined to provide the Committees with any information regarding how and why you decided to pay the attackers, including whether federal agencies and law enforcement had any input on your decision,” she wrote on June 3. “… I am extremely concerned that the decision to pay international criminal actors sets a dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward.”
Compared to other established commercial insurance lines, cyber insurance is in its gawky adolescence stage. “It’s not a child anymore, and yet it’s clearly lacking in maturity,” said Laux, whose rap “Cyberlescence,” personifies the cyber insurance line. “And until this last year, there was a lot of chest-puffing and self-congratulatory behavior among the cyber insurance community,” he explained, due to its fast growth and good results.
Cyber has been an evolving line for the past 20 years, Alpin said, and coverage has been broadening the entire time.
“Frankly,” said Robert Parisi, head of cyber solutions North America at Munich Re, “even in the current hardening market, the dollar you spend on cyber insurance today gets you much broader coverage than the dollar you spent in 1999.” Parisi, who pioneered of one of the earliest cyber insurance products, said cyber insurance has evolved tremendously from its early iterations in 1999 and 2000. Coverage has expanded beyond its focus on e-commerce companies and liability to include privacy breaches and responses and contingent business interruption, he explained. “Then cyber insurance products began filling in coverage gaps when traditional coverage lines began to introduce cyber exclusions,” he explained.
More recently, in 2020, the COVID-19 pandemic has compelled insurers to address issues stemming from Bring Your Own Devices and a new remote workforce, he explained, with several insurers clarifying the meaning of a covered “computer system … to expressly include the personal devices used by remote workers.”
Although cyber is making more steps toward maturation, the sophistication of cybercrime is also evolving. “Because of these variables, it’s hard to say when the market will mature,” Alpin said. Its development depends on many factors, he observed, such as the coverage being offered, insured security controls, amount of data that carriers can accumulate and use, and the U.S. government response to attacks.
“We will see cyber mature when loss trends and pricing stabilize, coverages become more standard and consistent year over year, and penetration rates increase,” said Alpin.
The hard market is an opportunity for insurers to underwrite coverage more carefully and selectively while insisting on and assisting with tighter cybersecurity. “Anecdotally, buyers of cyber insurance feel like the insurer questions are a waste of time and that there’s too many,” Laux said. But, because of the market hardening, “If insurers want to ask more questions in underwriting or raise rates significantly, now they can.”
Insurers should also take a closer look at data they already have. “There is a shortlist of repetitive actions that the threat actors are doing that is generating the claims right now,” Laux explained.
Cyber models are also still evolving. There is not enough data to price cyber, Manyem observed, and modeling “is an art and science.”
Krutov warns that “catastrophic components of cyberrisk are often not fully reflected in cyber insurance premiums and not properly taken into account by cyber insurance underwriters in their portfolio management.” He sees opportunity “for those underwriters who can differentiate themselves by better quantifying cyberrisk, both on an individual risk level and in managing their overall portfolios.”
Alpin offers that there are some parts of the policy where insurers have a lot of information. For example, carriers know how much they have paid out on breaches, liability and expense claims, and they have information on business interruption and ransomware. Alpin adds that publicly available information is available from sources such as Coveware and NetDiligence.
At the same time, however, Krutov cautions against relying too much on historical data because it is very limited and may be completely inapplicable to the current risk environment. “Cyberrisk continues to evolve in ways not reflected by the current models and often unanticipated by experts,” he says.
Alpin points to trends that can change so quickly, such as the recent uptick in ransomware frequency and severity. “When the trends are 5% to 10% year over year, and next year it’s 50% to100%, that’s something hard to predict,” he says.
It is also difficult to predict how long trends will last because they could change quickly, Alpin says. For example, if governments ban cryptocurrency worldwide, which is highly unlikely, that will eliminate the main way ransomware hackers are paid.
Always lingering in the background is the possibility that a significant cyber event or ”Cybergeddon” could shut down entire systems on a broader scale than has happened so far. The Colonial Pipeline and JBS Foods attacks could be preludes to future threats to the public infrastructure that could have even worse implications.
That means the line’s most significant potential challenges could be yet to come. Krutov calls these current difficulties important reminders. “We have to place greater emphasis on assessing cyberrisk and, in particular, on managing this risk on a portfolio basis,” he says.
The cyber insurance line’s maturation will depend significantly on the insurance industry’s ability to respond to ever-morphing risk. Modeling is challenging when cyberrisk and incidents are continuously dynamic, limiting the usefulness of some past data. At the very least, the past demonstrates that the bad actors will continue to raise the stakes with cyberattacks, higher ransoms and whatever comes next.
While insurers strive to anticipate future cyberrisk, underwrite coverage appropriately and assist in risk management, the fundamental reality is that preventing cyberattacks remains the customer’s responsibility.
At the organizational level, preventing cyber incidents should not be seen as the sole responsibility of the IT department but must become part of its culture.
Until insurers and their insureds live and breathe cybersecurity, they will be in constant reactive mode to cyber criminals’ latest innovations.
Annmarie Geddes Baribeau has been covering insurance and actuarial topics for more than 30 years. Her blog can be found at www.insurancecommunicators.com.