The relatively nascent cyber insurance sector has benefited from rapid expansion in recent years, owing in part to the Covid-19 pandemic which forced businesses to digitise and adopt remote working practices. However, the increasing frequency and severity of cyber security incidents have led to lower cover limits and increasing premiums.
The cost of premiums facing SMEs increased 102% in Q1 2022, largely driven by increasing ransomware attacks. Increasing premiums have limited penetration rates among SMEs. According to the Federation of Small Businesses, at the start of 2021, there were 5.5 million SMEs in the UK, while GlobalData estimates there are a total of 5.2m UK SMEs without cyber insurance, a penetration rate of 6%.
On 9 February 2023, the UK government revealed it had sanctioned 7 Russian cyber criminals through a series of coordinated actions with the US government. The ransomware strains, Conti and Ryuk, were responsible for extricating at least an estimated £27 million. There were 104 UK victims of the Conti strain who paid approximately £10 million and 45 victims of the Ryuk strain who paid approximately £17 million.
This action follows a spate of ransomware incidents globally which has seen Royal Mail, engineering company Vesuvius and car dealership Arnold Clark each fall victim to coordinated ransomware attacks in recent months.
In a 2022 report, IBM estimates the cost of data breaches has surged 13% from 2020 to 2022, with 83% of organisations surveyed having had more than one data breach. The average time taken to identify a data breach is 277 days and the average cost is estimated to be US$4.35m These breaches have, in turn, fueled price increases which are passed onto customers.
We spoke to GlobalData analysts, Benjamin Hatton and Ben Carey-Evans, and Jeff Laskowski, VP of global professional services for Absolute Software, to explore cyber insurance penetration rates in the face of increasing claims and premium costs.
Cyber attacks are continuing to rise in frequency and severity, yet cyber uptake among UK SMEs fell in 2020 due to rising premiums: what can cyber insurers do to increase uptake in policies written?
Ben-Carey Evans: The challenge facing cyber insurers is that the cyber risk is higher than ever, businesses in the UK are more concerned than ever about cyber insurance, but the penetration rate for the product remains very low. This is because premiums are so high, but insurers will struggle to reduce premiums, as they face extremely high potential claims. Insurers have less control in cyber than in other lines, as several of their customers could be hit by a large-scale attack in the same day. The scale of the damages can also be vast due to GDPR fines and potential reputational damage.
Our 2022 UK SME Insurance Survey found that 32.7% of UK SMEs felt the level of cyber risk they faced either increased or significantly increased in the year. This is compared to 30.7% in 2021. This shows that the level of concern continues to rise at a significant rate post-COVID.
However, our data also shows that the penetration rate for cyber insurance remains extremely low. It was at 12.1% in 2022, up slightly from 11.2% in 2021. This makes it the 9th most popular SME insurance product and suggests that a huge number of SMEs are very exposed to cyber-attacks.
Our Survey also found that 56.9% of those SMEs who did have cyber insurance in 2022 saw their premiums increase in the last year, which is the leading reason why insurance take-up is increasing slowly.
Benjamin Hatton: This is a significant challenge to cyber insurers. While uptake of policies did decrease in 2020 and 2021, they rose in 2022 – possibly due to the increased threat of cyber attacks from Russia. The financial impact of a cyber attack is massive, even from just the ransom often demanded by attackers, so this is naturally increasing the prices of premiums. To increase uptake of policies, providers could look to integrate risk and security management tools and processes into their product offering. For example, Hiscox has also launched its CyberClear Academy, an online library of interactive cyber training programs that managers can use to monitor their staff’s cybersecurity awareness. Incorporating such tools into the product could increase uptake as customers would be able to find more value for their premiums other than just a rebate (it might not even be a full rebate) in the event of an attack.
Jeff Laskowski: Cyber insurers are incurring increasing losses due to claims associated with cyber breaches including ransomware. To counter this unsustainable business model for insurers, they are forced to increase the scrutiny of policy acceptance and raise premiums to cover these outgoing claim payments. Customer organisations are thus forced to improve their core security posture, demonstrate security efficacy, or pay these rising premiums to cover expenses related to a cyber breach. It is a complex model where cyber insurers must balance their own profitability with the needs of customer organisations, especially given the broader economic headwinds all organisations face.
Would you say COVID-19 escalated the nascent cyber insurance market into maturity / are the difficulties in the cyber insurance market merely growing pains?
Ben Carey-Evans: COVID-19 undoubtedly increased the level of concerns that business had with regards to a potential cyber-attack. A range of high-profile cyber-attacks made the heightened level of risk very clear. Having staff outside the office also made businesses more vulnerable. It was a key trend in the industry before, but the forced rise in digitalization in COVID has made it even more important since.
Benjamin Hatton: I wouldn’t say the market is mature yet at all, but the pandemic certainly contributed to its growth. The increased awareness and importance put on cybersecurity naturally grew considerably when everyone was forced to work remotely, and cyber insurance was a key part of this for many companies.
I think the second part of this question is hard to answer. I think cyber insurers are becoming increasingly wary of the huge pay outs that some cyber policies may have to cover and are now starting to withdraw some offerings as they feel the risks are too great. The only way to reduce these risks is to improve protection in the first place, so that’s probably the direction we’ll see the product go.
Jeff Laskowski: Certainly, early adopters in the cyber insurance market did not accurately predict the wide variety of cyber maturity across customer organisations. This led to complacency for some organisations to not fully invest in cyber defences or recovery capabilities but rely on a cyber insurance claim to cover any incurred losses.
This contributed to the rise of ransomware attacks and thus more pay-outs for insurers, forcing insurers to mature quickly – increasing their policy requirements based on cyber maturity as well as raising premiums modelled upon expected losses. It also forced cyber insurance policies to contain restrictions limiting claims to certain phases of a cyber incident, such as investigation and restoration, but excluding any improvements or updating of infrastructure which could prevent a recurring cyber-attack.
Will easy pay-outs from cyber insurers promote, fund and encourage ransomware attacks?
Ben Carey-Evans: Yes, automated pay-outs would appeal to customers, due to the potential size of the claims and the damage an attack can cause. Businesses more often than not have to close down in the aftermath of an attack too, so this would be very helpful towards their cashflow. This won’t be easy for insurers though.
Automated claims can occur in certain lines where damage is easy to access. Cyber is a more complex product though, and assessing things such as reputational damage isn’t easy to automate or even execute quickly.
Benjamin Hatton: This is the classic moral hazard problem in insurance. Company X has cover so doesn’t need to worry about protecting itself so leaves itself vulnerable because it knows the insurance will cover it. Many cyber policies will not pay out until the root cause of the breach has been found, because the insurers will be unwilling to pay out for such lax attitudes. I don’t think [this scenario] will really be a significant issue. It’s the equivalent of people deliberately crashing their car for the insurance payout, which certainly does happen, but it is regularly found out and dealt with accordingly.
Jeff Laskowski: Yes, but only in the short term since this would not be sustainable for cyber insurers. As ransomware attacks continue to increase, these losses would mount quickly and do nothing to incentivise organisations to accept responsibility for their cyber defences and improve their cyber resiliency or ability to recover from a cyber attack.
How can the cyber insurance sector switch to a preventative approach rather than merely mitigating the damages and interruption?
Ben Carey-Evans: Most of the leading cyber insurers (especially the cyber specialists) will offer some form of preventative coverage already. The risks are just too great to offer a policy and wait for a claim to come in and then pay-out. Preventative measures can range from simple staff training to 24/7 security monitoring, so there are different levels, and the more secure policies will be very expensive.
The issue for insurers isn’t necessarily moving to prevention, but convincing businesses that a full-scale preventative policy is value for money. The cost-of-living crisis is hitting hard for businesses and the sharp rises in cyber insurance policies in recent years is the biggest reason that penetration rates have remained low despite the increased threat and concern from businesses.
Benjamin Hatton: A lot of the leading cyber insurers have already begun to do this. In June 2021, Chubb formed CyberAcuView with other leading cyber insurers, a company aimed at mitigating cyber risk in the insurance industry. Also in the consortium are AIG, The Hartford, and Travelers.
Jeff Laskowski: We’ve seen billions of dollars invested in preventative controls, yet ransomware and cyber-attacks continue to rise. Cyber insurers should continue to require organisations to improve their security maturity and balance their focus on both preventative and resilient capabilities. For example, device endpoints are often the largest attack surface of an organisation and we’ve seen that these endpoint defensive controls often degrade and fail over time.
By adopting proven self-healing technology, organisations can better prepare for these mounting attacks and achieve an improved cyber-resilient posture across their endpoint fleet. The ability to prevent or quickly recover from a cyber-attack would reduce losses on both the organisation and the insurer, as well as limit the forced ransom payment in many cases. This benefits the insurer as well as limits the forced ransom payment in many cases. This benefits the insurer, the victim organisations and at the same time, reduces the probability of malicious threat actors receiving payment.