As major ransomware attacks continue to be an almost-weekly news item, companies up for policy renewal are getting an unpleasant surprise. Reinsurance broker Wills Re reports that cyber reinsurance rates are up by as much as 40% across the industry, following a period of several months that saw attacks on critical infrastructure and supply chains across the world.
The cyber reinsurance rate increase appears to be roughly tracking with an increase in the average price of ransom payments, which have gone up as ransomware attacks have become more highly targeted at large organizations with the ability to pay. But other factors are involved as well, and cyber insurers are cutting aspects of coverage even as rates go through the roof.
Surge in ransomware attacks drives rate increases
Cyber reinsurance costs are up as much as 40% for those coming due in July. Willis Re says this is a result of a failure by the industry to anticipate costs. The reinsurance industry insures the insurers that serve end customers, and reinsurance renewals generally come due at specific points in the year. The costs negotiated in these renewals serve as a bellwether for what the average organization can expect to pay for their individual insurance, as insurers have to cover the increased costs handed to them by reinsurers.
The most obvious driver of costs is the number of severe ransomware attacks in recent months. These include the Colonial Pipeline attack that disrupted gas distribution for a week, the JBS meatpacking breach that impacted food supplies in multiple countries, and the Kaseya breach that has spread out to potentially tens of thousands of end user businesses throughout the world.
Ransomware attacks are increasingly hitting large organizations that cannot afford substantial downtime, making them more likely to take their chances with a payment. This was the case in the Colonial Pipeline incident, in which a $4.4 million ransom was paid, and it was recently revealed that JBS paid its attackers $11 million as well. Numbers collected by cyber security firm Coveware indicate that the average ransomware payment in Q1 of this year rose to $220,000, up 43% from Q4 of 2020.
One of the reasons that large organizations are quick to pay ransoms is that they are frequently covered by cyber insurance policies, with that coverage extending to damage mitigation such as losses caused by business interruption and even blows to a company’s reputation. Reinsurers seem to have been caught unprepared by this cyber crime wave, having drastically underestimated the costs that would be incurred by all of these policies in a scenario such as this. In addition to the sudden increase in rates, the response is likely to be industry-wide cuts to cyber coverage.
Cyber reinsurance costs passed down the chain
Wills Re says that the demand for coverage is rising even as insurers eye cuts to their products to deal with costs, and as cyber reinsurance firms opt to take on fewer customers. The insurance industry refers to this as “hard market conditions,” a period in which firms generally undergo a major re-evaluation of their carrying capacities and acceptable levels of risk. Shaun Gordon, Co-Founder and CEO at BreachQuest, provided some inside information indicating that these rate increases are hitting certain industries particularly hard: “Our contacts are sharing that reinsurers are realizing that they didn’t properly understand the exposure to cyber … For instance in certain industries the trickle-down effect of reinsurance rate increases is driving significant increases in premium to clients. In industries, such as manufacturing and healthcare, we are hearing the premium increases can be as much as 100% and sometimes exceeding 150%.”
There is emerging debate that cyber insurance is an unsustainable industry given that these incidents are only expected to increase in frequency and severity in the near term, and that the mere existence of these policies is part of what’s spurring the massive growth in ransomware attacks. This dovetails with ideas that some governments are exploring, most notably those of France and the US, that banning or putting sanctions on ransomware payments is the only real means of curtailing the problem.
Some have suggested that the only path forward for the cyber reinsurance and insurance industries is to begin actively assisting customers with cyber security. At the very least, it may have to mandate stronger standards and training for network and device security or offer discounts to those that demonstrate a better-than-average security posture. According to Jack Kudale, founder and CEO of Cowbell Cyber: “Current pressures in the cyber insurance market foster innovation. Next-generation cyber insurers already go beyond coverage and claim response. They partner with policyholders and offer proactive risk management resources while also applying a more rigorous technology-driven review of applicants that enables precise risk selection and underwriting … Moving forward, the role of the insurers must go beyond response and recovery to include education and prevention. For example, organizations need cyber policies which are bundled with complementary cybersecurity training for all insured’s employees. This will eradicate one of the basic root causes of many attacks: an employee clicking on a phishing email.”
Governments are also examining the strategy of cutting off payments at the source, but that is yet another politically contentious issue. Ransomware attacks are almost exclusively accompanied by a request for payment in cryptocurrency, which governments are looking at regulating or even banning in some cases. But any attempt at increased government access to cryptocurrency is antithetical to its primary user base; legitimate users flock to it as an alternative to fiat currencies precisely because of the lack of government involvement.
In the near term, insurance customers should expect the bulk of cyber reinsurance costs to eventually be passed on to them as well as more precise language in contracts that limits coverage for ransomware attacks to very specific circumstances, if not eliminating some aspects of it entirely.