It’s early in 2024 but underwriters are already predicting an increase in cyber insurance premiums, following a sharp rise in ransomware in 2023. Although premiums last year were reported to have decreased in response to less ransomware activity in 2022, the tides have changed once again as ransom claims are now matching 2021 levels.
Woodruff Sawyer, an insurance brokerage and consulting firm specializing in cyber liability, published a new survey of a diverse range of insurance carriers that forecasts both higher risk and higher premiums in 2024:
- 56% of underwriters believe cyber risk will increase significantly in 2024.
- 63% of underwriters ranked ransomware as the number one threat.
- 81% of underwriters believe cyber insurance premiums will increase slightly.
- 69% of underwriters expect self-insured retentions to stay the same.
- 75% of respondents believe cyber policy coverage will remain the same.
“A perfect storm of good trends and facts combined to create a soft cyber insurance market—still-elevated after a two-year hard market, reduced claim experience due to a lull in ransomware throughout 2022, and improved cybersecurity controls at the insured company level driven by insurance underwriting mandates,” Woodruff Sawyer Cyber Specialist Dan Burke said.
Underwriters ranked the most concerning threats companies face, and ransomware was the most significant, with supply chain attacks and privacy violations among the top three.
Woodruff Sawyer’s survey found that while a smaller share of companies are paying ransoms, the payments are far higher. Attacks have also increasingly relied solely on data exfiltration instead of network-encrypting malware. The threat of publicly announcing the hack and releasing the data has been enough to spur companies to pay the ransom. The report notes that this attack strategy may not hold for long, as the Securities and Exchange Commission (SEC) has imposed stricter disclosure requirements, and those disclosures are often instant fodder for the news circuits.
More prolific RaaS groups have extorted large sums from high-profile targets throughout 2023, but new ransomware gangs pop up every day to get a piece of this increasingly lucrative criminal enterprise.
Historically, companies have paid ransoms for a multitude of complex reasons, which drives up the demand for cyber insurance. However, the sentiment around paying ransoms may be changing.
“Countries agreed in 2023 at the Counter Ransomware Initiative that governments should not pay ransoms,” Intel 471 Chief Intelligence Officer Michael DeBolt said in a forecast given to SC Media. “Australia has said that banning the payment of ransoms at some point is ‘inevitable.’ Some U.S. states have taken this step and banned their governments from paying ransoms. We expect more countries to look at the ransom angle as one way to bring cybercrime to heel.”
Insurance carriers are redefining their responses to nation-state cyber attacks due to ongoing global conflicts and their potential to affect the “War Exclusion” common in insurance policies. Attacks like NotPetya and SolarWinds, attributed to Russian military intelligence, demonstrated how private companies can become the unintended victims of targeted nation-state attacks, making them more costly to insure. Payment of ransoms to sanctioned entities also constitutes a violation of the US Treasury Department’s Office of Financial Assets Control (OFAC), which includes insurance companies that often facilitate these payments.
Woodruff Sawyer’s survey reports 81% of underwriters forecast cyber insurance premiums to increase slightly over the next 12 months, with 19% expecting premiums to remain unchanged and 0% predicting them to decrease.
Despite the prevailing forecasts of premiums increasing, Woodruff Sawyer Cyber Specialist Dan Burke recommends carriers do not respond with sharp increases in pricing:
“Insurance carriers have pointed to statistics on ransomware activity reverting to 2019 levels to argue current pricing is unsustainable—but the median pricing level remains nearly three times higher than in 2019. This suggests that while rates may level off soon, carriers should not react as dramatically to the increase in ransomware activity. Said more bluntly: carriers have more premium on the books to negate this rise in claims costs and a dramatic increase in rates like we saw in 2021 and 2022.”
Overall, insurance carriers surveyed in the report expect underwriting scrutiny to increase in 2024, which may lay an increased burden on buyers to meet additional requirements when applying for cyber insurance. A comprehensive security strategy for preventing ransomware and supply chain attacks, privacy breaches, and other liabilities will be more commonly required as underwriters seek to mitigate the risks.