Cyber insurance market faces a reckoning as losses pile up
Cyber insurers reported a spike in losses in 2020 as companies across a wide range of industries were hit by costly cyberattacks and ransomware incidents, which will likely drive up premiums and put pressure on insurers to lower limits going forward.
The average paid loss for a closed standalone cyber claim jumped to $358,000 in 2020 from $145,000 in 2019, according to a recent report by Fitch Ratings. A key metric for the profitability of a line of insurance—the statutory direct loss plus defense and cost containment (DCC) ratio—also skyrocketed last year to 73%, which compares with an average of 42% for the previous five years for cyber insurance, the report found.
The numbers suggest that cyber insurance, which in recent years has been seen as a profitable new market, is facing a reckoning, said Jim Auden, managing director at Fitch. A direct loss plus DCC ratio of 73% means that many cyber insurance providers are likely experiencing big losses when other costs like underwriting and legal expenses are factored in, he said.
“From an industry perspective, results have definitely gotten worse in this line,” Auden said. “And it’s from all the things you’re reporting on—the number of breaches, ransomware attacks, the cost of these incidents continuing to go up. In 2021 I’m not sure we’ll see a big improvement for insurers.”
Pandemic-related shifts to remote work helped fuel a surge in cyberattacks over the last year. Cybersecurity firm CrowdStrike, for example, said it observed more hands-on-keyboard intrusions in the first half of 2020 than it did in all of 2019. The company attributed this increase to an expanded attack surface for cybercriminals to exploit, as well as COVID-19-related fears that made phishing attacks more successful.
Losses tied to individual attacks have also shown signs of a sharp increase, especially when it comes to ransomware. In recent months, reports have emerged of several companies paying eight-figure ransoms to regain control of their networks after cybercriminals locked up their data and computer systems. The average ransomware payment reached a peak of more than $233,000 in the third quarter of 2020, up 31% from the previous quarter that year, according to cybersecurity firm Coveware.
Many cyber insurance policies cover ransomware payments up to a certain limit. Auden says that the uptick in losses will inevitably push insurers to be more cautious in extending large limits to policyholders.
“Prices are going to continue to rise for these policies. Insurance companies will change the terms and conditions of what they cover and what they exclude. They will offer lower limits,” he said.
Auden added that the demand for cyber insurance is still strong, as companies look for ways to shield themselves against losses related to cyberattacks. Direct written premiums for cyber insurance rose 22% in 2020 to over $2.7 billion, Fitch said.
is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.