2021's ransomware upsurge: How will emerging business threat impact cyber insurance?
We discuss how the rise of ransomware attacks, where businesses are forced to pay to access critical systems by criminal hackers, will impact cyber risk underwriting with Visesh Gosrani, chair of the IFoA Cyber Risk Investigation Working Party.
The upsurge in ransomware strikes in 2021 has sent shockwaves through the cyber risk insurance market, and the tremors are heading toward actuaries working in that sector.
There was a 93% year-on-year increase in ransomware attacks from the first quarter of 2020 to the corresponding period this year, reports Check Point, and ransomware could account for as much as 40% of all cyber-attacks by the end of the year.
The increase in ransomware may be attributable to multiple factors – such as the rise in attack opportunities presented by people working remotely due to the Coronavirus pandemic – but pay-outs against cyber risk policy claims have also been named as a contributory factor.
In the cases cited, cyber-criminals first infiltrate insurers to find out who their cyber risk policyholders are, and then subject those insureds to a ransomware attack, knowing that extortion demands will be met by their policies. Insurance Journal confirms that cyber-criminals now routinely try to learn in advance how much cyber risk coverage ransomware targets have. It says: “Knowing what victims can afford to pay can give them an edge in ransom negotiations”.
One baseline impact that has ‘convulsed the market’ is that insurers did not factor the prospect of heightened risk levels into their 2020-2021 policy premium calculations, and so have been hit hard by the number of claims from policyholders struck by ransomware in the last 18 months.
“Pricing policies for cyber attacks present a unique problem for insurers,” says a report from Quartz. “[Cyber-attacks are] a relatively new, fast-evolving form of risk… There’s not much data to draw on to develop the precise actuarial tables that insurance companies normally use to balance the amount of money they take in through premiums against the amount of money they expect to pay out in claims.”
Direct evidence comes from UK insurance broker Lockton London, which saw a 144% increase in ransomware-related notifications during 2020. Initial ransom demands rose sharply, making seven-figure ransom demands the norm, with the largest being upwards of $30m.
“Ransomware was the cause of about 7% of claims notified to Lockton in 2019, with the cost of these claims representing approximately 70% of total amounts paid by insurers,” the company reported. “By contrast, in 2020 ransomware was the cause of about 15% of all notified claims, accounting for 95% of the paid amounts.”
Lockton points out that cyber insurance claims typically take an average of two-to-three years to develop fully when accounting for the ‘long tail’ aspects of the incident, such as third-party litigation and regulatory interest.
Total cyber claims in the US, meanwhile, rose 18% in 2020, driven entirely by first-party ransomware claims, which were up 35% in 2020 and now account for 75% of cyber claims, according to research from AM Best.
A knock-on result of this is that risk pricing can now be based on variables like an insured’s size or vertical sector. A May 2021 report from the US Government Accountability Office found that the growing number of cyber-attacks has led insurers to reduce coverage limits for certain sectors, such as education and healthcare.
Insurers are also likely to apply more rigorous scrutiny of a prospective insured’s risk exposure before they will consider it. For example: what is its cyber incident track record? Has it invested in cyber security technology and qualified IT security personnel? Has it built an effective cyber risk awareness culture (such as staff training)? Does it comply with recognised cyber security standards, and has it been penetration-tested?
An additional factor is the high proportion of instances where data held hostage is not recovered even when ransom payments are made. Research by Cybereason found that of UK organisations that opted to pay to regain access to their ransomed systems, 46% indicated that some or all of the data was corrupted.
Nor does paying necessarily enable the business to return to normal quickly, or mean that attackers will not strike again.
IFoA Expert Member Viewpoint: Q&A with Visesh Gosrani, Chair of the IFoA Cyber Risk Investigation Working Party.
In June the Financial Times reported that major ransomware attacks that had occurred since April have ‘convulsed the insurance market’. What have been the effects of these (and other) attacks for cyber risk insurers?
Visesh Gosrani: Previously, the main consideration for the insurance market was whether or not a ransomware attack would occur and preventing it from occurring. Now the issue is that frequency of ransomware attacks is increasing, and the realisation is that no organisation is immune. As insurers have seen the attack likelihood increase with the presence of a cyber insurance policy found by attackers then reportedly being used to push a ransom demand, insurers are having to rapidly rethink which policies they sell and how they manage their policyholders.
The FT also reported that as ransomware attacks increased, cyber risk premiums went up 27% on 2020 levels. Is the surge in ransomware attacks the only factor at play here – or are there other factors that are contributing to cyber insurance premium changes?
VG: Insurers writing cyber risk buy reinsurance to cover the risk that they are uncomfortable retaining. Reinsurance for all risks has been increasing in price. Therefore, reinsurers have to pay more to offload the risk they do not wish to retain, and they pass this on to the insureds. This year, reinsurance rates have seen rises of 5% to 15% generally. In addition, insurers and reinsurers are recognising that they have significant exposure to cyber risk through cyber policies already written, and also through the potential for cyber perils to impact non-cyber policies. This recognition that exposure to cyber is much greater than previously expected, and the possibility for one trigger to cause significant losses to many insured companies, is reducing the appetite to continue growing the portfolio for some insurers, thus pushing prices up further.
If they continue to worsen in frequency and impact, how do you think these trends will bring about a review of cyber risk parameters that will affect cyber insurers’ expectations of actuarial assessment?
VG: Worsening trends will require better scrutiny of prospects. The additional insights will need to focus on the attractiveness of the target (which is mainly the ROI on the attack); this will require the use of cyber trend analysis insight coupled with tools that assess how easy it may be to successfully carry out different types of attack on an insured. In summary: the underwriting assessment will need to become more sophisticated, and the actuarial assessment will need to incorporate mechanisms to reflect the quality of underwriting.
Will the continuation of ransomware/cyber extortion affect actuarial practice and bring new challenges for IFoA members working within the cyber risk assessment market sector?
VG: For actuaries, cyber risk is also challenging because of the pace at which it is evolving. The increased prevalence has made it harder for actuaries to reserve for cyber risk because initially, ransomware claims were focused on business disruption, and these settled much faster than data breach claims. Actuaries have more confidence when the pace at which claims settle does not differ significantly. To add to the confusion, ransomware has now evolved further to include data breach. This means that a ransomware event may give rise to a further claim after the initial business disruption, thus delaying the final settlement of the claim.
The actuarial challenge is in allowing for this rate of change in claims evolution when there is not significant data. Actuaries also have to estimate how much capital is required in case their best estimate of claims is incorrect, or other events cause the insurer to need more funds to settle claims. Estimating this uncertainty is very difficult, as there is very little precedent for the extent to which policies could be affected by new types of claims, the changing impact of claims (as described above with ransomware), and also the extent to which reported claims could prove to be underestimated.
How will the ransomware upsurge inform the work of the IFoA Cyber Risk Investigation Working Party?
VG: The Working Party will continue to help the actuarial profession navigate these challenges. We have workstreams considering pricing, reserving, and capital, all of which are affected by the ransomware surge, and we are writing guidance to assist actuaries in appropriately considering new developments with respect to ransomware and other cyber-related issues. We encourage anyone interested in assisting with the development of thought leadership in these areas to get in touch. We occasionally call for new members on the working party and knowing that someone is interested allows us to bear them in mind if there is an appropriate need in the working party when we put out that call for members.