Insurers wary of providing cyber coverage amid ransomware surge

Cybercriminals are switching their targeting of healthcare facilities and municipalities to manufacturing and logistics companies.
The interior of the Lloyd's of London building in the City of London financial district, 16 April 2019.
The interior of the Lloyd's of London building in the City of London financial district, 16 April 2019.

Insurers have halved the amount of cyber cover they provide to customers after the pandemic and home working drove a surge in ransomware attacks that left them smarting from hefty payouts.

Faced with increased demand, major European and US insurers and syndicates operating in the Lloyd's of London market have been able to charge higher premium rates to cover ransoms, the repair of hacked networks, business interruption losses, and even PR fees to mend reputational damage.

But the increase in ransomware attacks and the growing sophistication of attackers have made insurers wary. Insurers say some attackers may even check whether potential victims have policies that would make them more likely to pay out.

"Insurers are changing their appetites, limits, coverage, and pricing," Caspar Stops, head of cyber at insurance firm Optio, said. "Limits have halved — where people were offering £10 million ($13.5 million), nearly everyone has reduced to five."

Lloyd's of London, which has around a fifth of the global cyber market, has discouraged its 100-odd syndicate members from taking on cyber business next year, industry sources say on condition of anonymity. Lloyd's declined to comment.

US insurer AIG also said in August it was cutting cyber limits.

Ransom software works by encrypting victims' data, and typically hackers offer victims a passcode to retrieve it in return for cryptocurrency payments.

It has become the attack of choice for cybercriminals, who previously favoured stealing data and selling it to third parties.

Suspected ransomware payments totalling $590 million were made in the first six months of this year, compared with the $416 million reported for the whole of 2020, US authorities said in October.

In one of the biggest heists, a ransomware attack on Colonial Pipeline in May shut the largest fuel pipeline network in the US for several days.

US cyber insurers' profits shrank in 2020, insurance broker Aon found. Combined ratio — a measure of profitability in which a level of more than 100% indicates a loss — climbed by more than 20 percentage points from 2019 to 95.4%.

While insurers struggle to cope, companies are underinsured.

"It's very unlikely people are getting the same limits — if they are, they are paying an extraordinary amount," David Dickson, head of enterprise at broker Superscript, said.

Dickson said one technology client had previously bought £130 million of professional indemnity and cyber cover for £250,000. Now the client could only get £55 million of cover and the price was £500,000.

Insurers who issued $5 million cyber liability policies last year have scaled back to limits of between $1 million and $3 million in 2021, a report last month by US broker Risk Placement Services (RPS) found.

As profitable as cocaine

An EU report released in October said the COVID-19 pandemic and rise of home working had enabled cybercriminals to flourish.

Meanwhile, cybersecurity firm Coveware likened the 90%-plus profit margin from ransomware attacks in 2021 to the gains Colombian cocaine cartels made in 1992.

Where hackers previously took a scattergun approach with methods such as sending out thousands of phishing emails, they have become more targeted, reading balance sheets, and focusing on specific sectors.

Tom Quy, cyber practice leader at reinsurance broker Acrisure Re, said attacks were moving away from healthcare facilities and municipalities — which have weak IT controls but also little money — to manufacturing or logistics companies.

Such firms have deep pockets and cannot afford extended outages to fix their systems, so would rather pay ransoms, especially if they have insurance to cover them.

"We advocate to everyone you don't disclose your insurance because that's crucial to your business," Scott Sayce, global head of cyber at Allianz Global Corporate & Specialty, said.

Premium rates have almost doubled in the US and jumped by 73% in the UK as a result of the frequency and severity of ransomware attacks, insurance broker Marsh said. RPS said rates for some policies had risen by as much as 300%.

Where ransom payments were typically $600 a few years ago, they now are as high as $50 million, said Michael Shen, head of cyber and technology at insurer Canopius, and insurers are sometimes asking policyholders to pay half of the ransom.

The US and France are among countries particularly concerned about ransom payments, industry sources say.

The FBI says it does not support paying ransoms, while a few US states are considering banning ransomware payments by municipalities.

But insurers, while less willing to provide large amounts of cover, say failing to pay ransoms could backfire.

"Of course no one wants to pay criminals," Adrian Cox, CEO of insurer Beazley told Reuters. "At the same time, if you ban it ... you could cripple a lot of businesses whose systems have been disabled."

(Editing by Barbara Lewis)