On 16th August, a recent high-profile attack on Ryan Specialty Group coincided with the company’s IPO launch. AXA also experienced a cyber-attack, with hackers claiming that more than 3TB of personal and medical information was stolen, according to the FT. Analysts believe that the attack occurred due to a change in AXA’s policy position on paying cyber cartels’ ransomware demands.
These attacks on large insurers follow the large increase in cyber-attacks across the economy in 2021, with high-profile incidents affecting the Colonial Pipeline in the US and JBS, the world’s largest meat producer.
Therefore, it is not surprising that cyber insurance rates have increased across the board, with 47% of US firms that buy insurance taking out cyber coverage as part of it, according to the US Government Accountability Office (GAO).
While cyber insurance take-up is on the increase, the very nature of the product is undergoing a radical change, with many insurers now insisting on stricter questions as a prerequisite for providing coverage.
AIG has implemented 25 detailed questions on a client’s security measures in order to judge whether to provide coverage, according to the FT.
“If [clients] have very, very low controls, then we may not write coverage at all…. But mostly what we’re doing is reducing the cover that we’re offering, so if clients do not meet the control level that we are looking for then we will have to reduce our limit with respect to ransomware by half,” according to Tracie Grella, AIG’s Global Head of Cyber Insurance, speaking to the FT.
AIG is also putting in place a policy of “coinsurance”, where clients essentially share the losses under the policy.
Many market insiders believe that the primary layer of cyber insurance, whereby insurers take an initial hit above their client’s excess, is shrinking due to the size of ransoms paid. Other costs, such as hackers’ hotlines and websites that publicise hacking, increase the likelihood of a first policy being paid out in full.
“As ransomware-as-a-service really took off, we’ve seen the complexity, the frequency and the severity of ransomware incidents just skyrocket,” according to Sarah Stephens, Head of Cyber for Marsh, speaking to the FT.
The proliferation of cyber-attacks seems to have reduced insurers’ appetite for taking on new cyber business, with more than 73% of brokers reporting a decrease in underwriters’ capacity to take on cyber risks in the first quarter of 2021, compared with 10% in 2020, according to the Council of Insurance Agents and Brokers.
The US Congress is currently debating whether to pass a bill requiring critical infrastructure owners, cybersecurity incident firms and federal contractors to report a cyber-attack within 24 hours of it happening. Also in the US, insurers are reducing cyber coverage for specific sectors such as education and healthcare, according to the US Government Accountability Office.
Captives to the Rescue
With cyber premiums and rates skyrocketing due to the rise in ransomware attacks, it is no surprise that many firms are considering ditching cyber policies altogether and setting up captive insurance firms.
Also, with cyber-attacks on the rise, there remains the ongoing issue of “silent cyber policies”.
Shifting to a captive model, many brokers argue, would protect firms from the large swings in pricing. While there has been a small take-up, many brokers are reporting that many of their clients are actively considering the move and have requested more information on captives, according to the FT.