As the cyber risk environment deteriorates significantly, a recently published AM Best report stated, “The outlook for the US cyber insurance market is bleak”.
The recent proliferation of ransomware attacks, which resulted in business interruptions and other related threats, has made cyberinsurance – which started as a diversifying sideline – a major part of a company’s risk management and insurance purchase decisions.
Consequently, according to the AM Best report, insurers urgently need to reassess all aspects of cyber risk, including appetite, risk control, modeling, stress testing and pricing, in order to become a viable long-term partner for dealing with cyber risk stay.
Cyber insurance “utilization” (the percentage of eligible customers who choose to purchase coverage) has increased from 26 percent in 2016 to 47 percent in 2020, according to a recent report from the Government Accountability Office (GAO) went hand in hand with higher cyber insurance prices and reduced coverage limits for some industries such as healthcare and education. In a recent survey of insurance brokers, according to the GAO, more than half of respondents’ customers saw prices rise 10 to 30 percent in late 2020.
“Cyber insurance rate increases have outpaced the general property / casualty industry, but cyber claims surge outpaced rate increases, suggesting more problems for 2021 as ransom demands continue to rise,” said Sridhar Manyem, director, industry research and analytics at AM Best.
The AM Best report says the challenges facing the cyber insurance market include:
- Rapid increase in exposure without adequate underwriting controls;
- The increasing sophistication of cyber criminals exploiting malware and cyber vulnerabilities faster than companies who may be late in protecting themselves; and
- The far-reaching impact of the cascading effects of cyber risk and the lack of geographic or commercial boundaries.
In April, Federal Reserve Chairman Jerome Powell said cyberattacks are the greatest risk to the global financial system, even more than the credit and liquidity risks that led to the 2008 financial crisis.
“The world is moving, and so are risks, and I would say that the risk that we are most closely monitoring right now is cyber risk,” said Powell. “There are scenarios where a large financial institution loses the ability to track the payments it makes, where part of the financial system comes to a standstill and we spend so much time, energy, and money protecting ourselves from these things. ”
The Fed chief’s concerns have since been confirmed by attacks on the Colonial Pipeline, JBS SA – the world’s largest meat producer – the New York Metropolitan Transportation Authority, and others.
Recently, FBI Director Christopher Wray compared the current spate of cyberattacks to the challenge posed by the September 11, 2001 terrorist attacks. He said the agency was investigating around 100 different types of ransomware, many of which were traced back to hackers in Russia.
As we have written elsewhere in relation to natural disasters, the world appears to have entered a phase where the traditional emphasis on risk transfer through insurance products is no longer sufficient to address the complex, interconnected dangers of today. A focus on resilience and preventive mitigation is appropriate, and insurers are well positioned to act not only as financial first responders, but also as partners in dealing with these evolving threats.
Ms. Winnie Tsen, Assistant Director, Financial Markets and Community Investment, US Government Accountability Office (GAO), was a key contributor to the GAO May 2021 Report on Cyber Insurance.