During a recent ThreatConnect webinar, Felicia Thorpe, Managing Advisor at AHT Insurance, offered her insights on the latest trends in the cyber insurance market and changes that need to be considered to battle the surge in ransomware attacks.
The increasing sophistication and cost of cyberattacks, particularly ransomware, have led to a massive jump in demand for cyber insurance, while many carriers are raising premiums (by 30% to 50%) and instituting more restrictive policy terms and coverage limits.
ThreatConnect: What kind of concerns are you hearing from clients about ransomware and what are you seeing in terms of the impact on the insurance industry?
Thorpe: I have had so many conversations with clients who have essentially said, ‘Look, I’m not really looking to increase our limit. I’m not worried about ransomware. I’m not Target, I’m not Walmart.’ And there was not a lot of claims experience coming through to show what it looked like for a middle-market company. And probably in the last few years, I would say from 2018 until this year, that has exponentially grown in terms of loss experience.
But just in that year, the level of increase was pretty significant. And so was the amount that was demanded. So Q1 to Q2, ransoms went up $100,000. And we’re talking about middle-market organizations. It can be very scary to hear numbers like $70 million, $40 million, $20 million, which is what we’re seeing with some of the big organizations that have just released their information about what they had to pay. But most people will then just say, ‘Well, that doesn’t really pertain to me.’
ThreatConnect: What has the surge in ransomware attacks and the large payouts we’ve seen meant for the underwriting process?
Thorpe: Underwriters and the carriers are now realizing it’s a big, big payout. But prior to probably two or three years ago, I was presenting applications to my clients that had somewhere between five to 15 questions regarding their cybersecurity posture. And there was no checking. There was no verification of things being completed, no certifications being required. And there were no internal resources really in place at the carrier level to ensure that they were making good underwriting decisions. The policies, while probably more expensive than others, were not based on any real substantial loss experience.
If you think about your general liability or your property, you’re talking about hundreds of years of data to point to what it costs to repair if you’ve had a big fire. There has not been a significant number of claims to come in and get that same sort of actuarial data for them to be able to appropriately underwrite. So they really are having to learn as they go.
So now we’re in a situation where these claims are coming in fast and furious. You’re seeing a huge reduction in limits. So whereas we would be able to, for maybe a middle-market company, provide $5 to $10 million in cyber coverage, most of my carriers are coming back and capping at $5 million, which means we’re going to excess carriers. There could be significant carrier reductions, so a lot of people are getting out of the game of doing cyber all and all.
It used to be a hot place to be. You could just say “cyber,” people were like, ‘Okay, we probably need to do that,’ and there was no downside. Now you’re seeing specific carriers are wanting to be in that space, understanding it, and appropriately pricing it. And we’re getting a lot of non-renewals, which is indicative of the questions being asked and the answers being received. If you do not have a good cybersecurity posture, it is very likely you can get a non-renewal on your cyber in terms of the policy.
Carriers are now saying ‘We need you to have some skin in the game. There’s no way that we can insure you for $5 million and you haven’t done the basic things to make sure that you’re protected.’ The underwriters are putting in a lot more time and effort. They’re utilizing companies like ThreatConnect to get more information. They’re doing a lot more pre-work. And I’m seeing an increase from those five to 15 questions to sometimes it can be up to 10 pages.
Ransomware in particular now has a supplemental application that is being required in most cases in order to offer coverage. So you will have to do a cyber insurance application, and then what you’ll see is an additional page to three pages of supplemental questions that are specific to ransomware.
ThreatConnect: Are you seeing an issue with the point in time nature of assessing a client’s security before issuing a policy? Do you see a future where the industry is going to get to a point where we need to leverage cyber risk quantification on an ongoing basis?
Thorpe: I think that that would make the most sense. I think if you see significant losses, they’ll probably have to integrate that as part of their policy delivery and maintenance. I mean, we’re talking about a small period of time [looking back] where they didn’t even really request much information. So I think they are learning as they go. They’re learning lessons by how much they payout. And there are more and more cybersecurity companies who are lending their expertise to the carriers, and they seem to be much more responsive to that now than they were five years ago.
How do we do this?
The cyber insurance industry is desperately trying to find a way out of this crisis and the solution is right under our nose – automated cyber risk quantification. Cyber Risk Quantification (CRQ) is a critical part of cybersecurity and advanced technology that gives security teams the tools to translate cybersecurity into financial risk and business impact which allows for proactive cyber defense and data-driven decision making. Translating cyber risk into financial and operational terms clearly shows business leaders and board of directors the most important risks and determines the actions needed to mitigate those risks.
“Cyber risk quantification is a tool. It’s a decision-making capability,” Jerry Caponera, VP of Cyber Risk Strategy at ThreatConnect said. “You have to accept some level of risk. You have to transfer it where you can, and then you have to mitigate risk in ways that provide the most effective return on your investment.” Bottom line is, the cyber insurance industry desperately needs a better way to quantify risk and automated cyber risk quantification is the only way to keep up against the onslaught of advanced threats.
Learn more on how to seek insurance protection against advanced threats and ransomware and why cyber risk quantification will be your best friend through the process with our on-demand “Understanding Cyber Insurance” webinar.
Anjali Chauhan contributed to this report.