Rising Ransomware Attacks force Rate Corrections, raise concerns on Viability

A continuous wave of ransomware attacks since early 2020, has destabilized critical infrastructure around the world and exacerbated the pandemic’s economic distress. Insurers that protect companies against cyberattacks are shoring up prices with cyber policies reaching unheard-of price levels. Cyber risk, a lucrative business line since its introduction in the 1990s, had seen the industry make handsome profits in most years. But the burgeoning of sophisticated ransomware gangs who freeze system networks in a bid to extort, is scrambling the cyber insurance business model.

In 2020, the world seemingly entered a new era of cyberattacks. Although there have been many years of viruses, breaches, and other attacks, last year saw heightened bad actor sophistication, a propensity to make ransomware payouts, and geopolitical uncertainty — conditions that hackers have exploited. Ransomware attacks increased an incredible 485% in 2020 year-on-year. More than 100 U.S. federal, state and municipal agencies, over 500 health care organizations and around 1,680 educational institutions were struck by ransomware attacks last year, as well as many thousands of businesses. The collective additional cost and lost revenues companies face from cyberattacks could reach as much as $5.2 trillion during the coming three years. Gross written premiums are projected to reach $20.6 billion by 2025.

Ransomware attacks made up all of the growth in cyber insurance claims in 2020, and now account for 75% of cyber claims. In other words, cyber insurers are now mostly dedicated to covering one type of risk—ransomware—that barely existed five years ago. The severity of financial consequences has been unprecedented. Ransoms have skyrocketed from five-figure price tags into the millions, including $10 million reportedly paid by Garmin. Several ransom demands were far higher before being negotiated downward. In response, insurers are hiking premiums. Rapidly rising insurance premiums imply that ransomware attacks aren’t just hurting the companies that get hacked, but even others that buy cyber insurance by increasing their costs of doing business.

American International Group (AIG), for instance, has tightened terms of its cyber insurance, with prices moving north by nearly 40% globally. In the first quarter of 2021, US cyber insurance premiums rose an average of 18%, outstripping all other major categories. Without much relevant data to guide them, insurance companies have had to basically guess how they should price premiums to account for the risk of ransomware.

Before the pandemic—and the surge in ransomware attacks—the insurance industry’s heuristics mostly worked out. In 2019, the cyber insurance industry’s loss ratio, the percentage of income paid out in claims, was 44.8%. Insurance companies were keeping more than half the money they charged in premiums. But in 2020, the ratio grew to 67.8%, leaving less than a third of what carriers charged in premiums.

European insurance giant AXA has opted to drop ransomware payment coverage from new cyber insurance policies in France, due partly to uncertainty over the continuing legality of making such payments. AXA is the first major cyber insurance company to drop ransomware payments from its coverage.

Ransomware actors are known to go to great lengths to determine if a potential target is insured, as it increases the likelihood of payments. This induces a self-reinforcing cycle, by rewarding hackers and encouraging more ransomware attacks. With around 250 companies buying at least $200 million in protection, it would only take a handful of insured losses of a little higher amount to wipe out an entire year’s premium.

Beyond covering cost of ransoms, ransomware insurance has protected against follow-on expenses like downtime and reputational damage. The tough question the cyber insurance industry is grappling with, is whether it can make a return to profitability. One of the key challenges to the industry’s viability is there isn’t enough global premium to absorb losses from a systemic event and the next NotPetya could potentially sink the industry.

Cover Image

You get 3 free articles on Daily Fintech. After that you will need to become a member for just US$143 a year (= $0.39 per day) and get all our fresh content and our archives and participate in our forum.