The intensity and severity of cyber events has accelerated during the COVID-19 pandemic as more and more people are working remotely and from home. This increasing frequency of cyberattacks has brought volatility to the already spiking claims losses causing many to wonder how enterprises and insurers can manage cyber risks in this new era. Our three-part blog series will explore this as well as initiatives to deal with cyber insurance challenges and what the future may hold for the cyber insurance market and its impact on enterprises.
The global cyber insurance market currently stands at nearly US$7.8 billion and is expected to grow at more than 20 percent CAGR over 2020-25, driven by the increasing number of cyber-attacks, the increasing need for IT compliance and regulations, and massive financial and non-financial losses (such as reputational loss system downtime, reduced efficiency, etc.). McAfee has reported that in 2020 these losses reached nearly US$1 trillion, increasing about 50 percent from 2018. To put this in perspective, the losses account for nearly 16 percent of the global insurance premium volume.
Pandemic forces change
The pandemic has forced enterprises to rapidly shift to a remote/work-from-home format, compelling them to re-think their cybersecurity strategies, reassess their cyber threat exposures, and develop cyber policy plans that can adequately manage any potential threats.
Enterprises are not alone. Insurers have been significantly impacted by the rapid growth of cyber-attacks and burdened with the dramatic increase in claims losses from the policies sold. In 2020, the insurance industry is estimated to have faced more than a 27 percent increase in the number of claims, primarily driven by the increasing intensity of ransomware and phishing attacks, according to a report by insurance company Allianz. As these threats evolve and their severity increases, insurers are constantly facing the challenge of controlling these claims losses.
While the global pandemic has accelerated technology adoption, at the same time, it exposed cyber vulnerabilities and under-preparedness in enterprises, an analysis of the World Economic Forum’s Global Risks Report 2021 found. As the adoption of complex technologies such as AI/ML (artificial intelligence/machine learning) tools, IoT (Internet of Things) devices, and cloud infrastructure has increased, so too has the complexity of cyber-attacks. While cyber-threats such as phishing, ransomware, trojans, and botnets have remained prevalent, risks exist for more evolved and unknown strikes such as industrialized social engineering attacks.
With the growing sophistication of cyber-attacks, the average cost per attack for firms has also gone up. According to a survey conducted by McAfee, 67 percent of the surveyed companies reported that the average cost per attack was more than US$500k. Addressing the threat of cyber risk and plugging these losses is a critical priority for business leaders. However, efforts to back up IT resources and data and set broader cyber response plans have been limited due to a lack of expertise.
Cyber risk measurement and analytics needed
Today, we are observing an increase in demand for cyber risk measurement and analytics capabilities as organizations look for the right cybersecurity talent and technologies to help address these challenges. Insurers are trying to provide enterprises with the right cyber insurance policies to help curb these losses. However, they face their own set of challenges, including the underwriting of cyber insurance policies. A lack of historical data limiting their ability to accurately model risks, drive precision in pricing risks, and create coverage loss limits. Some cyber events go unreported, challenging insurers to get adequate information on cyber-attacks. Without an accurate cyber risk assessment, these policies may be ineffective, exposing insurers to significant losses in a major cyber event.
Another key challenge for insurers while underwriting cyber risk is ‘accumulation risk.’ While dealing with cyber risk, insurers must be aware of the increasing interconnectedness within networks that lead to dependent vulnerabilities of the commonly used systems that may translate into an untargeted spread of the attack to the adjacent networks. This adds a layer of complexity to underwriting, taking into consideration an unplanned impact on a larger number of clients.
Mounting claim losses raises concern
Growing claims losses due to increasing frequency and severity of attacks is another key concern for insurers. In mid-2020, an American GPS and fitness tracking company was a victim of a ransomware attack where a demand was made for US$10 million to get its systems back online. Similarly, in other cases companies have faced large monetary and non-monetary losses that translated into an increasing loss ratio for insurers. In the US, the average loss ratio for the top 20 insurers (who offer standalone cyber insurance policies) by Direct Written Premium in 2019 increased to 48.2 percent from 34.5 percent the prior year, according to a report on the US cybersecurity insurance market. For 2020, these loss ratios are expected to shoot up dramatically, given that the industry has already started calling 2020 a loss-making year for cyber coverages.
Managing cybersecurity risk is all about anticipating loss and building a sound strategy and plan to both prevent and quickly respond to threats by taking these actions:
- Enterprises must beef up cybersecurity capabilities and invest in the right set of technology and talent levers to bolster cyber risk assessment capabilities
- Insurers must identify the full set of dependencies to assess the complete severity of the attack
Failure to embrace cyber risk management could have severe consequences and leave organizations so far behind that they may be unable to catch up. To address these challenges, enterprises and insurers must proactively work together to mitigate cybersecurity risk.
Next in this three-part series is Cyber Insurance Market Dynamics, where we will discuss the measures taken by both enterprises and insurers to address these challenges. While enterprises are investing in Identity and Access Management (IAM) software, endpoint encryption, and other technologies, insurers are putting their money into bolstering underwriting efforts to model cyber risks more accurately.
If you’d like to share your observations or questions on the evolving cybersecurity and cyber insurance landscape, please reach out to Supratim Nandi ([email protected]), Mehul Khera ([email protected]), or Barbara Beller ([email protected]).