This piece is by Alla Valente, Senior Analyst, Forrester, and it looks at the highly topical ransomware issue, or more accurately a denial of service attack. The recent organised attack on hundreds of companies in Sweden and the USA shows how difficult it is to trade when someone has taken away your ability to process a payment – in person, or online. That’s the problem that cyber insurers have to deal with: how can they solve it?
The first half of 2021 has been anything but quiet for cyberinsurance. At Forrester, we have seen a steady flow of interest in the topic, with questions coming in not just from the private sector but also from the public sector. Some are trying to navigate acquiring a cyberinsurance policy for the first time, while others are struggling with their renewal coverage decisions and rising premiums. It’s no surprise, given the state of the market.
Ransomware Causes Disruptions And Ripple Effects Across Providers And Their Customers
No business is immune from the threat of cyberattacks. Small businesses are especially vulnerable: In a recent study by Hiscox, 23% of small business owners surveyed said that they had had an attack in the past 12 months. The average loss for US small businesses? Nearly $26,000. Worse, many of those small businesses go out of business within six months of the attack.
And if this is the ‘Roaring 2020s’ – a predicted post-pandemic period of accelerated growth and dynamism – then cyberinsurers are among the first to taste their own champagne. Cyberinsurance providers like AXA, Chubb, and CNA have been thrust into the spotlight after suffering their own ransomware attacks and data breaches.
Meanwhile, AXA France has announced that it is no longer selling new cyberinsurance policies with ransomware payment coverage within France. It will continue to assist customers with damage and recovery costs.
AXA’s decision is an industry first, but AXA is unlikely to be the last insurer to take drastic measures to stay solvent as policy claims reach an inflection point tipping toward unprofitability. Unlike the actuarial models built on years of data that inform traditional business insurance policies, cyberinsurance policies don’t have the benefit of robust historical data. Could it be that many unknown variables and a lack of cybersecurity subject matter expertise at the insurer level have created a product that’s underpriced in the current environment?
Cyber Insurers Face Additional Pressures
All that business demand for cyber coverage is happening when market capacity and appetite to write the coverage is shrinking. Yes, demand is outstripping supply. Fitch Ratings estimates that 2020 US cyber direct loss ratios were at 73%, the highest recorded level in six years, highlighting the extent of increased cyber damages and claims. The result? A hardening market where premiums for standalone cyber policies are expected to increase by 30% in 2021 — if they can be bought — and insurers tightening up their underwriting standards and exclusions.
According to Moody’s, cyber risk is a global concern and “an increasingly important factor in our financial sector credit analysis.” We think it’s fair to say that cyber risk is business risk.
Musings About The Future
When forces collide and disruption mounts, change is inevitable. We see four possible shifts:
- Cyberinsurance capacity challenges increase. With shrinking capacity, we’ll reach a point where some organizations will not qualify for cyberinsurance. They won’t be insurable through typical commercial channels and coverages.
- Risk management maturity becomes the qualifier and the gauge. An insurance carrier will acquire smart cyber startups to improve its ability to monitor cybersecurity posture. Today, we already see partnerships between insurers and managed security service providers (MSSPs) primarily geared toward servicing the small and medium-size business market with discounted rates on their premiums for use of a specific MSSP partner’s services. The insurers themselves may even morph into a sort of alternative security services provider, enabling greater profits with lower risk.
- Cyberinsurance becomes the price of admission for the partner ecosystem. Cyberinsurance will become mandatory for all third-party relationships, not just IT vendors. Requiring cyberinsurance is common in IT service contracts, but as firms increasingly share more PII, protected health information, and IP with more vendors, suppliers, and partners, a cyber policy will become a need-to-have rather than a nice-to-have.
- Digital business DNA will test underwriting processes — and underwriter skills. Not all businesses have the same digital profile. Healthcare providers capture sensitive financial and medical information about their customers. Even artisans at the local craft fair or on Etsy have their own digital profile. That means that cyberinsurance underwriting inputs need to capture more about the digital nature of potential customers. It also means that underwriters will have to be able to stomach a new launch track: quickly developing competencies in all things digital, even at the microindustry level. The demand for these digital chops also must include regulators.
Outside and industry forces will change the future of cyberinsurance, and we’ll get to experience that change with all its bumps and dips. For companies still thinking cyberinsurance is their umbrella for protection, it’s not. It’s a tool in the toolbox for managing risk. Better, more mature risk management should be the goal.