Insurers have halved the amount of cyber cover they provide to customers after the pandemic and home-working drove a surge in ransomware attacks that left them smarting from hefty payouts.
Faced with increased demand, major European and US insurers and syndicates operating in the Lloyd's of London market have been able to charge higher premium rates to cover ransoms, the repair of hacked networks, business interruption losses, and even PR fees to mend reputational damage.
But the increase in ransomware attacks and the growing sophistication of attackers have made insurers wary. Insurers say some attackers may even check whether potential victims have policies that would make them more likely to pay out.
"Insurers are changing their appetites, limits, coverage, and pricing," Caspar Stops, head of cyber at insurance firm Optio, said. "Limits have halved – where people were offering 10 million pounds ($13.50 million), nearly everyone has reduced to five."
Lloyd's of London, which has around a fifth of the global cyber market, has discouraged its 100-odd syndicate members from taking on cyber business next year, industry sources say on condition of anonymity. Lloyd's declined to comment.
US insurer AIG also said in August it was cutting cyber limits.
Ransom software works by encrypting victims' data and typically hackers offer victims a passcode to retrieve it in return for cryptocurrency payments.
It has become the attack of choice for cyber criminals, who previously favoured stealing data and selling it to third parties.
Suspected ransomware payments totaling $590 million were made in the first six months of this year, compared with the $416 million reported for the whole of 2020, US authorities said in October.
In one of the biggest heists, a ransomware attack on Colonial Pipeline in May shut the largest fuel pipeline network in the United States for several days.
US cyber insurers' profits shrank in 2020, insurance broker Aon found. Combined ratio - a measure of profitability in which a level of more than 100% indicates a loss - climbed by more than 20 percentage points from 2019 to 95.4%.
While insurers struggle to cope, companies are under-insured.
"It's very unlikely people are getting the same limits - if they are, they are paying an extraordinary amount," David Dickson, head of enterprise at broker Superscript, said.
Dickson said one technology client had previously bought 130 million pounds of professional indemnity and cyber cover for 250,000 pounds. Now the client could only get 55 million pounds of cover and the price was 500,000 pounds.
Insurers who issued $5 million cyber liability policies last year have scaled back to limits of between $1 million and $3 million in 2021, a report last month by US broker Risk Placement Services (RPS) found.
As profitable as cocaine
A European Union report released in October said the COVID-19 pandemic and rise of home working had enabled cyber criminals to flourish.
Meanwhile, cyber security firm Coveware likened the 90%-plus profit margin from ransomware attacks in 2021 to the gains Colombian cocaine cartels made in 1992.
Where hackers previously took a scattergun approach with methods such as sending out thousands of phishing emails, they have become more targeted, reading balance sheets and focusing on specific sectors.
Tom Quy, cyber practice leader at reinsurance broker Acrisure Re, said attacks were moving away from healthcare facilities and municipalities - which have weak IT controls but also little money - to manufacturing or logistics companies.
Such firms have deep pockets and cannot afford extended outages to fix their systems, so would rather pay ransoms, especially if they have insurance to cover them.
"We advocate to everyone you don't disclose your insurance because that's crucial to your business," Scott Sayce, global head of cyber at Allianz Global Corporate & Specialty, said.
Premium rates have almost doubled in the United States and jumped by 73% in Britain as a result of the frequency and severity of ransomware attacks, insurance broker Marsh said. RPS said rates for some policies had risen by as much as 300%.
Where ransom payments were typically $600 a few years ago, they now are as high as $50 million, said Michael Shen, head of cyber and technology at insurer Canopius, and insurers are sometimes asking policyholders to pay half of the ransom.
The United States and France are among countries particularly concerned about ransom payments, industry sources say.
The FBI says it does not support paying ransoms, while a few US states are considering banning ransomware payments by municipalities.
But insurers, while less willing to provide large amounts of cover, say failing to pay ransoms could backfire.
"Of course no-one wants to pay criminals," Adrian Cox, CEO of insurer Beazley told the Reuters. "At the same time, if you ban it ... you could cripple a lot of businesses whose systems have been disabled."