Insurers don’t have your back: mounting losses reduce their interest in business


Even before the war in Ukraine, the cyber insurance industry was beginning to row back on supporting organizations that were attacked by state-sponsored groups.

This reticence rested on commonly employed but rarely used war exclusion clauses. This shift came to a head in the Merck & Co., Inc. et al. v. ACE American Insurance Co., et al. case, which addressed a 2017 attack on the drug company's computer systems, which caused an estimated loss of around $1.4 billion.

The attack was implemented by the Notpetya malware, which the insurers claimed was a tool of the Kremlin, and that the attack was part of the ongoing conflict with Ukraine. While the court ultimately sided with Merck, saying that they should reasonably expect to be covered against everything but traditional forms of warfare.

Nonetheless, the case has prompted a response from the industry, with Lloyd's Market Association recently announcing four specific cyberwar exclusion clauses. While these clauses are supposedly illustrative, they are likely to provide some structure to subsequent changes in the sector.

Hard times

The episode marks a notable hardening of the sector in the last year. Whereas during much of 2021, there was a sense that cyber insurance was relatively easy for companies to access, this is no longer the case, despite it increasingly being a part of any organization’s cybersecurity defenses.

This is set against a backdrop in which the number of ransomware attacks shot up by around 150% during 2020, with the average ransom payment rising by 82% during the same timeframe. These two trends have resulted in steeper losses for the insurance sector, which has subsequently reduced their appetite for what is a pretty uncertain and volatile line of business.

Indeed, it is increasingly argued that the cyber insurance sector needs significant additional capital to adequately address the scale of risk faced by organizations today. After all, we’re in a world in which attacks can strike multiple organizations at once, with losses running into hundreds of millions of dollars.

Shrinkflation

In consumer marketing, the concept of “shrinkflation,” whereby products stay the same price but consumers get less for their money, is pretty common, and it’s likely that the cyber insurance sector will undergo similar changes in the next year. Industry data suggests that firms are spending more to get the insurance that covers less than it did a year ago. What’s more, premiums are increasing by up to 75%, depending on the level of coverage you actually want.

While this gives the impression of a burgeoning market, insurers themselves seem to be getting cold feet and are either reducing the amount of cyber exposure they’re willing to have or pulling out of the market altogether. This is underpinned by a challenging loss environment for the sector, with a worsening loss ratio, which is calculated by the insured losses divided by the premiums secured, seen in the past year. For most of the history of cyber insurance, this ratio has hovered around the 60% mark, but in 2021 it reached as high as 80%.

Cyber insurers have attempted to hedge against this risk by having a burgeoning reinsurance sector. Indeed, much of the growth in cyber insurance has been underpinned by reinsurance, with the sector enabling insurers to share the risk they’re taking on. This has grown in recent years, however, with now around 55% of all business underwritten being sent to reinsurers. With losses mounting, however, even reinsurers are getting edgy about taking on any more risk.

For the sector to maintain its vitality in the long-term, this will inevitably change, which is likely to mean premiums rising, but this should ideally come from a growing market rather than the stagnating market we have today.

Stemming the tide

Of course, the sector could also be greatly helped by organizations becoming more effective at rebuffing cyber attacks. There has been some progress in this direction, not least the recent announcement that decryption keys can be provided even without ransom payments in the wake of the Kaseya cyberattack last year. These kinds of diplomatic breakthroughs inevitably take time to achieve, however, and so the sector will need short-term assistance if it is to maintain its viability.

That is likely to mean more capital is required, with insurance-linked securities (ILS) likely to provide it. ILS consists of the fund managers that offer reinsurance through a range of financial instruments to align the insurance sector and capital markets. While the sector is still relatively small, it nonetheless has over $100 billion to play with, which could allow for reinsurance to be offered to reinsurers. ILS funds have already offered this process to help protect properties in the event of natural disasters when a similar capital shortage was evident.

It’s the sort of help that perhaps the cyber insurance sector and the reinsurers that underpin it, need today. It will need more outreach, however, as the ILS market doesn’t really understand cyber insurance, or cybersecurity more broadly, today. There is a degree of interest, however, but there will need to be some concrete steps to make it happen. If organizations are to continue securing insurance against the risk of cyberattack, we must hope that these steps do indeed occur and more capital is injected into the system as soon as possible.