Cyber Insurance: An Ever-Increasing Need Today
As cybercrime becomes more common and costly, cyber risk continues to increase for all organizations. The COVID-19 pandemic has shifted more of our work and lives online, and this shift has introduced new vulnerabilities that criminals are aggressively exploiting. From the rise of ransomware to recently revealed cyber-espionage campaigns, it is clear that cybersecurity is now critically important to almost every aspect of modern life – from consumer protection to national security.
Insurance plays a key role in managing and reducing cyber risk. This is a relatively new area of insurance for most insurers, but one that is growing rapidly.
In 2019 the U.S. cyber insurance market was $3.15 billion. It is estimated that by 2025, it will be over $20 billion. And these numbers understate insurance coverage of cyber risk, as many insurance claims arising from cyber incidents are submitted under non-cyber insurance policies.
A robust insurance market that effectively prices cyber risk will also improve cybersecurity. By identifying and pricing risk created by gaps in cybersecurity, cyber insurance can create a financial incentive to fill those gaps to reduce premiums.
The Risks for Insurers
As cyber risk increases, so does the risk in underwriting cyber insurance. The damage done by many types of cybercrime – such as business email compromises – continues to rise. But the biggest driver is an increase in the frequency and cost of ransomware attacks. A 2020 survey by DFS revealed that from early 2018 to late 2019, the number of insurance claims arising from ransomware increased by 180%, and the average cost of a ransomware claim rose by 150%. Moreover, the number of ransomware attacks reported to DFS almost doubled in 2020 from the previous year.
The global cost of ransomware was approximately $20 billion in 2020. The cyber insurance industry has reported that escalating costs are creating pressure to increase rates and tighten underwriting standards for cyber insurance.
DFS recommends against making ransom payments. Ransom payments fuel the vicious cycle of ransomware, as cybercriminals use them to fund ever more frequent and sophisticated ransomware attacks. Guidance issued in October 2020 by the Office of Foreign Assets Control (OFAC) stressed the national security risk posed by ransom payments, and stated that intermediaries – including insurers – can be liable for ransom payments made to sanctioned entities.
Given the problem of identifying the attacker at the time of a ransomware incident, insurers and their policyholders risk violating OFAC sanctions when paying a ransom. Similarly, the FBI warns against paying a ransom because it fails to guarantee that an organization will regain access to all of its data or that its data won’t be released publicly, and also because paying a ransom emboldens criminals to target other organizations. In 2020, data extortion became a common feature of ransomware attacks, but experts have noted that in many cases even when victims paid, their data was subsequently leaked.
Many insurers still have work to do to develop a rigorous and data-driven approach to cyber risk, and experts have expressed concerns that insurers are not yet able to accurately measure cyber risk.
Managing this growing risk is an urgent challenge for insurers. In addition to overall rising costs, insurers must account for the systemic risk that occurs when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses.
Cyber Insurance Risk Framework
To foster the growth of a robust cyber insurance market that maintains the financial stability of insurers and protects insureds, the NY State Department of Financial Services (DFS) created a Cyber Insurance Risk Framework that outlines best practices for managing cyber insurance risk (the Framework).
The Framework is a result of DFS’s ongoing dialogue with the insurance industry and experts on cyber insurance. Over the past year, DFS has had dozens of meetings with insurers, insurance producers, cyber experts, and insurance regulators across the U.S. and Europe.
About CMR & Associates + PolicySmart®
CMR & Associates’ risk management consultants provide independent retirement and insurance advice by reviewing your current plans to improve coverage and reduce cost. Through CMR’s proprietary database – The CMR Database® (comprised of some 13,000 brokers and specialists globally), we maximize access to the insurance and retirement industry for greater options that will translate to better coverage and lower cost.
Please email CMR & Associates or call 877-447-4301 or 212-447-4300 for more information.