Are insurers reacting too defensively to ransomware?

There are worrying signs that cyber insurers are in retreat, but they must consider more than just loss ratios when evaluating the market.


The statistics illustrating the explosion of ransomware over the past two years have become all too familiar for anyone with a stake in the insurance industry.

Attacks increased nearly 150% since COVID-19-induced work-from-home commenced and ransomware payouts for U.S. businesses have exploded in the last two years — from under $10K to more than $178K per event at the end of Q2 2020, with large enterprises averaging payouts over $1M. The full list of eye-burning statistics seems endless.

The insurance industry has become painfully aware of the threat this poses to their commercial and cyber portfolios in particular. Until recently, the cyber market had enjoyed a few years of plain sailing with average loss ratios as low as 34% in 2018. Rising claims, largely driven by ransomware, pushed this up to nearly 50% in 2019 and even higher in 2020. Today, an increasing number of carriers’ cyber loss ratios exceed 100%.

We are now seeing worrying signs that cyber insurers are in retreat. Reports suggest that along with price increases, cyber capacity is being cut, limits reduced, and wordings tightened. Some carriers have pulled out altogether. Meanwhile, some insurance buyers’ associations are reporting that the cyber insurance covers available in the market during recent renewals are failing to offer adequate protection.

Is the market overreacting? Cyber is, after all, one of the biggest challenges facing their business customers. There is more to consider than loss ratios: the market’s reputation, relevance, and a stake in a potentially huge market are also at risk.

The big known unknown

Before we answer the question, let’s first look in more detail at why ransomware is causing such a headache for insurers.

First, visibility is extremely poor. We know the threat environment is high but has it peaked, or are we only halfway up the curve? Pricing and capital allocation are challenging in the absence of a credible answer.

Second, historical data is limited, and data sharing is not established like it is for other cyber risks such as data breaches. While there are plenty of high-level descriptive assessments of ransomware trends, they do little to answer key underwriting questions: what is the average total cost of a ransomware attack? How do claims break down between business interruption, recovery, and restoration? Are attacks targeted or purely opportunistic?

Third, criminals are raising the stakes by deploying increasingly sophisticated technology, including machine-learning models that exploit vulnerabilities faster than non-automated defenses can react. It is hard to feel in control of a risk moving at such a pace.

With traditional data sources scarce, many underwriters are still relying on limited techniques such as basic segmentation to price and select risk. Given the fast-evolving nature of this peril, the risk of adverse selection in this environment is very real.

Anticipating criminals’ next moves

But what if there is a way forward that enables insurers to reduce the uncertainty and push ahead in this important market? In recent years there have been remarkable advances in the ability to harvest relevant cyber data coupled with innovative machine learning techniques that can empower insurers to understand and anticipate this peril.

Cybercrime is ultimately a cat-and-mouse game between threat actors and their targets. It is about offense and defense. Technological advances allow insurers to scan businesses in microscopic detail and at scale to identify and unpick the rules of the game and reveal which companies are at higher risk of a ransomware incident.

This approach leans on two underappreciated principles.

First, despite the perceived uncertainty surrounding ransomware, cybercriminals’ strategies are remarkably stable, and therefore, as rational actors, their behavior is predictable. Second, if an organization’s security weaknesses are visible to cybercriminals, they are also visible to anyone with the appropriate knowledge and software.

These have long been true, but today we have the technology to exploit them.

For example, an analysis of publicly reported ransomware incidents between 2010 and 2020 revealed that the presence of certain risk signals significantly increases the likelihood of a successful attack by the following multiples:

Source: Guidewire

This demonstrates that, rather than relying on instinct or educated guesses, insurers can turn to threat and exposure signals — such as mentions on the dark web, compromised user passwords or spam activity — to select and quantify ransomware risk at both firm and portfolio levels.

This takes underwriters beyond the basic facts. Over the past 18 months, insurers have learned the hard way that the existence of cyber controls, as indicated by an underwriting questionnaire, is no guarantee that the control is being used in the right way. Advanced data gathering techniques are able to assess both what controls are in place and how they are being used, as well as supporting underwriters to identify more granular lines of questioning.

Insurers leveraging such analytics-driven capabilities will have a colossal advantage when it comes to risk selection, helping them to identify high-risk companies, rank firms in a portfolio based on risk factors and inform trend analyses of cyber threats.

They will also be able to use the insights to engage in meaningful conversations with current and potential policyholders about risk controls and security management, thereby improving their claims performance.

The way forward

Let’s return to the question of how the insurance industry should respond to the current ransomware threat. Limiting exposure is a natural response to rising claims and an uncertain environment, but it is already frustrating businesses, many of whom have invested in this line of insurance for years, only to find terms and capacity pared back at their moment of need. It may only be a short-term reaction, but it risks long-term damage and potentially ceding this market altogether.

There is another path. Armed with microscopic, scalable data and supported by platforms that can manage, coordinate, and model it, insurers can have the confidence to put capital judiciously against their exposure and continue to support their clients.

There is no perfect or complete solution, and deploying analytics is only one ingredient in tackling this peril.

But remember this: insurers do not need the perfect approach to attract the “right” kind of risk. To reduce adverse selection, they just need a tool that is more sophisticated than their competitors’. Most insurers are starting to bring analytics into their underwriting process, but those that move faster along the analytics maturity curve will have the information advantage over their peers.

Scott Hammesfahr is a data listening and risk analytics consultant at Guidewire, a leading technology provider to the P&C insurance industry, and a former senior underwriter for cyber and technology at Zurich Insurance Company Ltd. He spent nearly 10 years underwriting and brokering risk insurance solutions for technology, cyber, media, and intellectual property. He holds insurance certifications, including ARM, RPLU, and CPCU. The opinions expressed here are the author’s own.
