The Great Fire of London helped forge the property insurance market, as residents feared a repeat of the savage destruction of 1666. In the absence of a state-backed fire service, some insurers even employed their own brigades, betting that limiting the damage to a property would be cheaper than rebuilding it.
After a wave of high-profile cyber assaults, Graeme Newman, chief innovation officer at London-based insurance provider CFC, draws a parallel with today’s rapidly evolving market for cyber coverage. Insurance companies now provide emergency support services as well as financial compensation, so “the insurers own the digital fire trucks”, he said.
Cyber attacks began to climb last year, but big ransomware strikes over the past two months have convulsed the insurance market. Ireland’s healthcare system, a key US fuel pipeline and, then this week, meat supplier JBS are among the ambitious targets to have been briefly shut following attacks. Western officials have pointed the finger at criminal groups likely to be based in Russia.
In a typical ransomware incident, hackers lock up a target’s network or hold its data until a ransom has been paid. For the businesses that buy cyber insurance (in the US, about half of those who purchase insurance), ransomware is covered under their general policies. These offer a mixture of financial compensation, for losses including business interruption and ransom repayments, and services such as data recovery.
As the severity and frequency of the attacks increase, the cost of cyber insurance is surging. From the start of April to mid-May, premiums jumped 27 per cent from last year’s levels, according to the latest like-for-like data from insurance broker Aon.
Nor are insurers simply increasing prices. They are also becoming more vigilant about controls at the companies to which they sell cover.
For US insurer AIG, the tougher underwriting approach put in place this year starts with an additional 25 detailed questions on clients’ security measures. “If [clients] have very, very low controls, then we may not write coverage at all,” Tracie Grella, AIG’s global head of cyber insurance, told the Financial Times.
“But mostly what we’re doing is reducing the cover that we’re offering, so if clients do not meet the control level that we are looking for, then we will have to reduce our limit with respect to ransomware by half.”
For those customers, AIG is putting in place so-called coinsurance, where clients essentially share the losses under the policy.
The ransomware threat was rammed home to the industry last month after Axa, one of Europe’s largest insurers, fell victim. Axa scrambled to establish the extent of the damage after hackers claimed they had made off with three terabytes of data, including personal and medical records. The Paris-based insurer has not commented on whether a ransom has been paid.
The assault on Axa emerged after the company said its French business would suspend the writing of insurance policies that refund the cost of ransom payments made to cyber cartels, a stance taken at the urging of local officials. A person familiar with the matter said the attack began before the insurer made that decision on ransom payments.
Cyber insurance is normally structured as a tower, where each portion of the risk might be underwritten by a different group. For the primary layer, the one that takes the initial hit above the client’s excess, conditions are getting tougher, say market participants.
“One of the things we are seeing with the large corporate clients is that the market for primary insurance is really drying up,” said Newman of CFC, as the size of ransoms paid and other costs make it more likely that the first policy will pay out in full. “There are very few insurers that are looking to attach at that level.”
The proliferation of different types of ransomware, alongside the growth of a cottage industry supporting those launching attacks, has contributed to the surge in incidents, according to Sarah Stephens, head of cyber for the international division at Marsh, the world’s biggest insurance broker.
“As ransomware-as-a-service really took off, we’ve seen the complexity, the frequency and the severity of ransomware incidents just skyrocket,” she said, adding that third-party services include support hotlines and websites for publicising attacks.
Evidence of insurers’ concern is multiplying. A survey by The Council of Insurance Agents and Brokers, a US industry body, found that 73 per cent of its members — those who find coverage on behalf of companies — reported a decrease in underwriters’ capacity to take on cyber risks in the first quarter of the year. That compares with a 10 per cent drop a year earlier.
Insurers are using a mixture of financial incentives, in policy and pricing changes, in an attempt to persuade companies to strengthen their controls. Plenty of ransomware attacks are not targeted at all, experts say — they are scattergun efforts that search for businesses with weaknesses such as not having multi-factor authentication on email or on remote access to their networks.
“Everyone has to recognise that the claims environment and the cyber threat environment is significantly worse than it was two years ago, and therefore you can’t exist in this market without what I consider the most basic controls,” said CFC’s Newman. “Yet we are seeing large corporates come to market without the basic controls in place.”
A report last month from the US Government Accountability Office found that insurers were also reducing coverage for some specific sectors such as healthcare and education.
Lloyd’s of London insurer Beazley, another prominent cyber underwriter, is also asking clients more questions and urging them to improve their defences.
“We are underwriting differently to the different threats. We are doing a lot more [questioning] around what’s the culture of the firm? What’s your attitude towards cyber security? How much training do you do?” said Paul Bantick, the company’s global head of cyber & technology.
As the cost of cyber insurance leaps, some companies in need of protection are considering radical options. According to industry experts, some businesses are examining whether to abandon buying cyber policies altogether and instead set up their own captive insurance companies.
A captive is an entity established and capitalised within a group to provide insurance cover to the rest of it, in return for a premium. It can then either purchase reinsurance or just hold on to the risk itself. The option can protect companies from swings in pricing, brokers say.
Stephens from Marsh said just a handful of its corporate clients had moved this year to buying cyber insurance through captives, but “a lot of clients have asked us to take a look at it”.
If some companies are balking at the rising cost of cover, there is a growing expectation that governments might ultimately intervene to try to kill off ransomware attacks. Last month, the US opened a debate over the merits of making ransom payments, a practice that is opposed by the FBI. Some insurance experts fear banning them will simply push payments underground, making them and attackers harder to trace.
Whether or not governments outlaw ransom payments, the volume of attacks has led some to conclude that companies and insurers risk being overwhelmed. Governments may have to provide more security services and even a financial backstop.
“There is a need to find a way to cover the risk, which is too large for the insurance industry itself,” said Isabelle Santenac, global insurance leader at consultancy EY.
“There will be a need to find some public-private partnerships to ensure that the risk is covered [and] to also work on how to limit the risk and prevent the risk.”