On 2 May, the US director of national intelligence, Avril Haines, warned a Senate panel that cyber warfare waged by foreign adversaries such as Russia and China had become one of the “most pernicious transnational threats” to the country’s security. She noted that the number of international ransomware attacks – a large proportion of which target US entities – had risen by 74% year on year.
Yet the global cyber insurance market doesn’t seem to share Haines’s sense of alarm. Most providers have barely upped their premiums since early 2023, while some have even reduced theirs. Indeed, the average price of cyber coverage fell by 6% in Q1 2024 after edging down by 2% and 3% respectively in the last two quarters of 2023, according to international brokerage Marsh.
It’s a significant shift from the so-called hard insurance market of 2020-22, when premiums more than doubled, hitting historic peaks after a surge in ransomware claims during the depths of the Covid crisis. The ransomware epidemic of that period, coupled with the ever-present spectre of a catastrophically far-reaching cyber attack, led some observers to conclude that the risk was becoming virtually uninsurable.
So why has there been no replay of that sky-is-falling scenario? Experts in the field suggest several reasons, ranging from increased competition among insurers to improved cyber resilience among their clients.
One such expert is Kara Higginbotham, head of professional liability and cyber at Zurich North America. She reports that the market “looks slightly different” this time. For instance, “the risks are dispersed differently across a wider number of carriers”.
Nonetheless, the apparent resurgence of ransomware and other cyber threats may start pushing premiums back up before the end of this year. The cost of providing coverage remains far greater than it was before the Covid crisis – and insurers can’t absorb further increases indefinitely.
Cyber insurance goes global
Reinsurance giant Munich Re has estimated that premiums collected by cyber insurers worldwide rose from about £7.5bn in 2021 to £11.2bn in 2023.
Such a significant increase may have helped to keep premiums in check more recently, according to Tom Johansmeyer, global head of index classes at reinsurance broker Inver Re.
“Ransomware is always a concern, but what should make this year different is the fact that the global premium base is much larger than it was in 2021,” he says, explaining that this should give insurers more scope to absorb losses and so make the market less volatile than it otherwise could be.
And, while US entities still contribute about 60% of this market’s total premiums, Johansmeyer notes that uptake of cyber insurance in other territories has grown significantly since 2021. Research published last year by the Howden brokerage, for instance, reported especially strong growth in France, Germany, Israel, Scandinavia and the UK. Such diversification “should provide some amount of overall industry resilience”, he predicts.
Competition is heating up
Johansmeyer estimates that the five largest cyber insurers still account for as much as a third of the global market. But more entrants have arrived in recent years, which has put downward pressure on the price of cover as these newcomers seek to establish themselves by offering more competitive premiums.
Higginbotham says: “There are new entrants and new capacity entering the market. Because premiums were going up, there was more willingness on their part to jump in and insure these risks.”
These recent entrants have included not only traditional insurance and reinsurance firms but also newer industry entities such as managing general agents. These have teamed up with carriers to handle underwriting in specialised markets including cyber insurance.
Besides competing on price, insurers are going to greater lengths to tailor policies to fit clients’ risk profiles, according to Howden. This has also helped to make cyber insurance more of a buyer’s market.
But there is a downside to this increase in competition, warns Daniel Woods, a cybersecurity lecturer at the University of Edinburgh. He reports that anecdotal information compiled over the past six months indicates that some irresponsible insurers are undercutting rivals on underwriting standards.
“This risks undoing the gains in cyber resilience seen during the hard market between 2020 and 2022,” he argues.
Stiffening cyber defences
Indeed, improvements in clients’ cybersecurity practices over that period, partly in response to new requirements imposed by underwriters, helped to stabilise the insurance market and get premiums under control.
“The bar has been raised. Businesses are doing a better job of securing themselves,” confirms Adam Harrison, a cybersecurity expert and managing director at FTI Consulting.
He notes that making such improvements has paid off for mid-sized businesses in particular. These have attracted a large proportion of ransomware attacks because criminals view them as softer targets than large companies but consider them cash-rich enough to be worth hitting.
Peter Hedberg, vice-president, underwriting, at cyber specialist Corvus Insurance, reports that clients aren’t paying ransoms as often as they were because they’re better prepared to withstand attacks. When they’re using processes such as multi-factor authentication and ensuring that all backup data is encrypted or immutable, it means that “restoration is a far more viable option than it was before”, he says.
A renewed ransomware threat
While such precautions have helped to stabilise the cyber insurance market, insiders acknowledge that volatility could return. That’s in part because of a lag effect on premiums, as policies are typically renewed annually. This means that an uptick in prices reflecting the latest ransomware surge may well lie ahead.
Moreover, other threats, including IT supply chain attacks, have hardly gone away, while a growth in claims stemming from litigation over wrongful data collection has become a key concern.
In the US, alleged violations of laws such as the Biometric Information Privacy Act – introduced by the state of Illinois back in 2008 – have led to costly class actions against firms including Facebook, TikTok, HR software provider ADP and theme-park operator Six Flags.
A more recent privacy litigation trend concerns the use of pixel tracking, whereby companies use code embedded in their websites to gather information about visitors. Because such cases may take years to resolve, they only add to the uncertainty about the likely scale of future losses.
“It is very possible that rates could increase, given what happens when carriers come to realise what losses they’re holding on their books,” Higginbotham warns.
And that’s not even including the impact AI could have in helping hackers to wreak havoc on IT systems.
“We take artificial intelligence very seriously. We’re very scared,” Hedberg admits. “The best we can do as underwriters is offer a reactively priced product and to protect our insurance.”