The hot market for cyber insurance is starting to stabilize

The cyber insurance market has begun to stabilize after a wave of ransomware attacks in recent years has prompted a steep rise in premiums, observers say.

Cyber ​​insurance can pay ransoms to hackers who lock down corporate technology systems or can help offset the cost of responding to data breaches. Now, premium increases in recent years appear to slow, if not stop altogether, as insurers improve their risk assessment, new entrants to the market begin to offer coverage, and supply and demand take hold.

“Things are getting better,” said Jason Krauss, Head of North American Computing Products Coverage for WTW Insurance Brokerage..

“It’s unbelievable, true, that I tell you that a 20% increase. [in premiums] not bad. But it is seen as a good thing ”.

The IT insurance market has gone through a “difficult” period, according to insiders, with rising premiums and less flexibility on the part of insurers in terms of offers. Premium prices increased by more than 34% on average in the fourth quarter of 2021, according to data from the Council of Insurance Agents & Brokers, and some companies reported much higher rate hikes.

“It was painful,” said Kristen Peed, director of corporate risk management at professional services firm CBIZ. Inc.

and a board member of the risk management company RIMS. Some colleagues in risk management have seen increases of up to 200%, Ms Peed said.

“We’ve had two painful years of renewal with increasing deductibles, restrictions and … price hikes,” he said.

Insurance itself remains relatively niche: insurer Munich Re Group estimated the global value of cyber insurance premiums at $ 9.2 billion in early 2022, compared to hundreds of billions of dollars spent in the United States alone for commercial insurance, according to the Insurance Information Institute — but the events that drive premium increases have become familiar.

The 2021 attack on Colonial Pipeline Co. resulted in the payment of a $ 4.4 million ransom, one of several recent multimillion-dollar ransomware attacks. According to data from the Treasury Department, US financial institutions reported ransomware-related transactions totaling more than $ 1 billion last year, a sharp increase from previous years. But that’s a figure that barely scratches the surface of the economic scale of crime, experts say.

With higher payments from insurers, premiums have increased at higher rates. “It was a little bad there for a while,” said Robert Parisi, North American head of IT solutions for Munich Re. He described a hockey stick-like increase in premium prices over the past two years. The hikes mark a correction for premiums, which were probably too cheap for years, he added.

“The underwriting is aggressively moving towards ‘How can we get a deeper and more insightful look,'” Parisi said. Meanwhile, he noted, prices, while not falling, are rising less rapidly than in recent years.

Insurance companies have tightened underwriting standards that come with issuing new policies and have begun to review the defenses companies are putting in place to thwart cyberattacks. Companies are asked about their cybersecurity systems and could have their agreements with popular cloud hosting companies reviewed, Parisi said.

Businesses have beefed up security, with bogus phishing emails to check for inattentive workers and multi-factor authentication becoming commonplace. And more organizations are ready to answer insurers’ questions, said Brent Rieth, a leading US practice for IT solutions at broker Aon PLC. “They have more appropriate controls in place,” he said.

However, the new subscription applications have not been welcomed by companies looking to obtain insurance. “Across the board, our clients have complained about the new requirements that must be met to be insured or even reinsured,” said Richard Peters, cybersecurity expert and chief executive officer of the Berkeley Research Group consulting firm.

For small and medium-sized customers, requests are costly and time-consuming. Insurers expected some to conduct expensive security risk assessments, Peters said.

Roberta Sutton, a Potomac Law Group partner who advises insurance companies, said all of her clients were asked to complete more detailed ransomware insurance applications.

Some companies have opted against insurance, said Ed McNicholas, co-leader of cybersecurity practice at Ropes & Gray LLP law firm. But not all companies can, as some must have cyber insurance to work with partners, McNicholas said. Proposed government violation regulations could also prompt companies to turn to insurance companies to offload certain risks, he said.

Tighter underwriting, somewhat reduced demand, and more carefully crafted insurance policies are likely helping to drive down prices, which observers generally hope will drop further.

But securing the evolution of cyber risks remains a challenge, because cyber insurance providers don’t have much actuarial data for those risks, and even if they did, it probably wouldn’t be “terribly insightful,” Munich Re’s Parisi said.

“We are all concerned about ransomware now and rightfully so,” he said. “The cyber insurance community needs to be agile and flexible enough in how it views risk.”

Write to Richard Vanderford at Richard.Vanderford@wsj.com

Copyright © 2022 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8

.

Leave a Reply

%d bloggers like this: