Cyber insurance is not a replacement for harm prevention measures. The prices are high and will continue to go up. Here’s why.
While doing research for a customer about trends you can expect for 2021, I found a number of outlets warning that the cyber insurance market was hardening with rises in premiums. Should we expect this trend to continue or will premiums stabilize? If your cyber risk management strategy relies on risk transfer, this question is vital to the long-term viability of your strategy.
Let’s start by looking at why the premiums are rising now. Then, we will look at the incentives created by insurance to guess if these underlying causes should be expected to persist in the future.
Why are Cyber Insurance Premiums Rising?
The hardening of the cyber insurance market, i.e., the increase in premiums and deductibles and a reduction of the ability to shop for better rates, started a while ago for large enterprises. This publication from 2015, tells a story where companies that retained large quantities of personal information were increasingly having difficulty finding good insurance rates, while small and medium businesses still could find good rates. This makes sense. Because the focus at that time was on data breaches, a breach at a small and medium business was not as expensive as one in a large firm that held massive amounts of data.
However, with the value of stolen PII declining due to a glut of supply, cyber criminals have turned to ransomware to monetize compromises. We can see from the Coveware report that the ransom payouts have skyrocketed over the past few years, even if Q4 2020 showed somewhat of a decline because a large part of the sample declined to pay.
The same report also shows that ransomware is predominantly a a problem for small businesses, with 50% of the ransomware clients with under 250 machines.
However, the Coveware report looks exclusively at the ransom payment side of the story. Usually, cyber insurance will also cover interruption costs which can comprise a large portion of the incident costs, especially if a company elects not to pay the ransom as shown in this Gallagher report.
So, if large companies are getting squeezed for holding large volumes of PII, and small and medium businesses are getting squeeze due to the surge in ransomware, it bears to reason that the cyber insurance market is hardening. In fact, many insurance trade publications list ransomware events as one of the main causes for the hardening market.
However, underneath this very reasonable conclusion lies an uncomfortable truth: a global rise in the impact of cyber events drastically raises the risks. Because risk is the conjunction of probability and impact, this means that the probability of cyber events has not gone down substantially in the insurer’s risk pool.
Will the Trend Continue?
Because the rise in premiums is due to insurance broker realigning their portfolios to be more in line with conditions on the ground, we can use actual cyber risk as an estimator for premiums. If the risk is rising, we should expect the premium to rise. If the risk is declining, we should expect the market to soften again. So, are we expecting a rise in the severity or prevalence of cyber attacks?
It is possible that the extortion demands for ransomware have hit a ceiling. After all, there is evidence that many small and medium businesses go under after a ransomware event. The Q4 data from the Coveware report could be explained from the demands being so large that companies are more willing to risk longer interruptions. However, as can be seen in the Gallagher data, interruptions cost more than ransom payments. Furthermore, as the insurance market hardens, insurance companies will add cap to payouts. Ironically, this may be the most effective limitation on the impact of cyber events, as many suspect cyber insurance to be one of the main drivers in increased extortion demands.
However, even if damages have indeed hit a ceiling, reaching the maximum the victim market can bear, it is unlikely to go down. In fact, there are signs the attackers are innovating to keep the costs high, for example coupling ransomware with data exfiltration to compel victims to pay maximum ransom. So, in the best case, in terms of cyber event impact, we should expect things to stay the same.
In terms of cyber events prevalence, many hoped the introduction of cyber insurance would help drive overall risk down. In other areas of risk, such as fire and theft, insurance has historically played a large role in the prevention of events (as evidenced by this 1927 paper). This has not been the case in cyber. This data from Statista shows the evolution of data breaches, one of the first types of cyber events that was covered by cyber insurance.
So, greater cyber insurance adoption in the marketplace has not driven down the prevalence of the main risk they cover.
Cyber Insurance Adoption Hasn’t Driven Down Risk
The main reason why we do not see such a decline, is that there is currently little done in terms of discount incentives for cyber insurance. The bottom line is, nobody knows for sure what works to prevent cyber events and companies doing everything right can still fall prey to cyber attacks.
In the absence of incentives that reduce your premium, as a customer, the most rational course of action is to invest the absolute minimum amount for prevention. After all, you are paying the same price to transfer the risk to the insurance company. You’re getting a better deal if the risk is bigger. On the flip side, if you have good security practices, you are subsidizing the poor practices of your neighbours.
Also, if the insurance company want to grow their market, they need to look at companies that haven’t yet bought cyber insurance. Presumably, these companies are less “cyber aware” than the early adopters of cyber insurance, especially since the cyber insurance was self-selecting with minimum security practices required to qualify. Adding more customers is unlikely to help the risk pool.
So, from a purely game theoretical framework, until cyber insurance figures out a way to provide incentives for good cyber security practices, it engenders a moral hazard that incentivizes their customers to take on more risk, not less. Coupled with the fact that they may be one of the main drivers for increased cyber event impact, you should expect to continue to see the market harden.
What Does It Mean For My Cyber Strategy?
If your cyber strategy relies primarily on cyber insurance, you should expect to pay more for less coverage as the years go by. You should not reasonably expect the trends underlying the current hardening of the market to go away.
Also, you should make sure to read your contract carefully. Insurers do not like paying out on premiums. As the payout rate rises, you should expect insurers to become more litigious. Make sure you know exactly what exceptions exists to your coverage and what “cyber preconditions” are tolerated by the insurer (and that these preconditions were adequately disclosed).
Finally, if your insurer introduces a payout limit, makes sure you have the proper security controls to limit impact of cyber events to fall within the payout limit.
Can CYDEF Help?
Of course! Our SMART-Monitor detection and response service can help detect and respond cyber incidents before they become insurance claim-size cyber crises. Contact us to get more information or sign up for a free trial.