Insurers Must Brace for Catastrophic Cyber Risk

Charles Darwin said that a species best survives hardship when it is adaptable to change. That’s a mantra the insurance market will need to embrace if it wants to stem millions of dollars in payouts for cyber attacks amid high demand for protection.  

In the past year, insurers have doubled the cost of annual premiums being charged to corporate clients, according to three cyber insurance providers interviewed by Bloomberg Opinion. A typical small business that previously paid $10,000 annually for $5 million worth of cover in the event of an attack is now likely paying closer to $20,000, with just $1 million worth of protection. Whether or not they have made a claim, companies are seeing premiums shoot up while getting less bang for their buck. Some are being priced out altogether.

Industry-wide, more than 80% of insurers reported a rise in cyber claims in the fourth quarter of 2021, many of them from ransomware attacks, forcing premiums up by 34%, according to data from the Washington-based Council of Insurance Agents and Brokers. It was the 17th straight quarter in which prices rose. That has pushed up loss ratios for cyber insurers to nearly 70% in the last two years (the higher the loss ratio, the worse for the insurer), leaving little room for profit in an already illiquid market.

Cyber breaches have become so broad and volatile in recent years that insurers have pulled out of the sector completely, raising the specter that certain kinds of attacks could become uninsurable. The reason is simple: Ten years ago, hackers targeted companies that held credit card numbers or social security details that they could sell on the black market. Claims were low and insurers charged relatively little. 

But in the past two years, hackers have found a more quick and dirty route to making money with ransomware attacks, which jumped in volume by 150% last year. Such gangs will target pretty much any company that relies on being online, from a large car manufacturing facility to a small wood carving business.

In mature sectors like home and property, fire, auto and travel, insurance companies have reams of data to guide them. But cyber is new, fast-changing and lacking information. Insurers caught short found themselves paying out more than expected. 

Insurance providers now fear what some in the industry have been referring to as a looming “catastrophic risk,” which has yet to occur — the cyber equivalent of the entire state of Florida getting flooded. Their concern is that a single incident will affect an array of systems across the globe because so many individuals and companies are tied to a handful of large providers for their cloud services or mobile operating systems. A successful attack on one major platform could trigger a torrent of claims that sends multiple insurers into bankruptcy. It would be far worse than the NotPetya virus, which targeted Microsoft Corp.’s Windows-based systems and caused more than $10 billion worth of global damage.

Until now, legacy insurers have made superficial preparations. Many limit their exposure by simply not covering “acts of war” — a term that’s more clear-cut in the physical world than in the cyber one. In new wording added to contracts recently, all that's needed to invoke such a provision is for a government to declare the hack to be state-backed. And an insurer can merely "rely upon inference which is objectively reasonable" in doing so. That means that a hack connected to Russia’s war on Ukraine, for example, might trigger the escape clause, leaving insurance clients out of luck.

Some insurers also refuse coverage if a client doesn't at least have multi-factor authentication, while others require that clients continuously monitor employee devices for incursions, ensure they tightly control who can access the most sensitive parts of a network, and that they train staff to ward off intrusions.  

A passel of young companies is developing some promising strategies. They sell cyber insurance as more of a service than a transaction. Rather than simply filling out a form detailing their cyber practices and then paying their premium, clients let these insurers regularly monitor activity on their network, collecting and analyzing file logs without breaking into the customer’s network themselves. 

For that to work, though, clients need to become less squeamish about letting insurance providers monitor the hygiene of their networks. An array of startups has sprung up, including SecurityScorecard and BitSight, that assess an organization's cybersecurity performance, provide a metric and benchmark it against peers. (A higher score means better reputation and lower insurance premiums.) Rotem Iram, CEO of San Francisco, Calif.-based At-Bay Inc., says his company scans for common vulnerabilities among its more than 18,000 clients and uses the findings to patch those who may still be exposed, essentially acting to decrease its own liability as an insurer.

The increasing role insurers themselves are playing in protecting their clients from attack means it probably won't be long before we see such companies starting to buy cybersecurity providers outright. The benefits of owning a vendor would extend beyond cutting risk for customers, allowing insurers to collate and analyze the data crucial to actuaries analyzing and pricing risk.

The rapid pace of change in threats — from release of data to ransomware to shutting down infrastructure — has made it hard for the industry to keep tabs. Whereas in the past victims tended to keep attacks secret, they're now being encouraged — and even required — to share more information with the companies protecting them from liability. That can help insurers better predict and calculate the cost of attacks, and make the outcome of a catastrophic incident far less ruinous. 


Cyber insurance premiums totalled between just $8 billion and $13 billion globally for last year, compared to $220 billion for the U.S. car insurance industry, according to Henri Winand, CEO of digital insurance marketplace AkinovA Ltd.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Parmy Olson is a Bloomberg Opinion columnist covering technology. She previously reported for the Wall Street Journal and Forbes and is the author of "We Are Anonymous."

Tim Culpan is a technology columnist for Bloomberg Opinion. Based in Taipei, he writes about Asian and global businesses and trends. He previously covered the beat at Bloomberg News.

©2022 Bloomberg L.P.
