Cyberattacks are becoming more frequent, affecting both businesses and individuals.
The global cyber insurance market was valued at $7bn in gross written premiums (GWP) in 2020 and is expected to reach $20.6bn by 2025.
The market has recently identified and reacted quickly to the ransomware trend, in the process helping to improve the resilience of industry by driving best practices.
Jon Choi, principal consultant at CyberCube, explains that the insurance industry is much more prepared for a cyber catastrophe now than it would it have been a few years ago.
“Cyber catastrophe and cyber war clauses introduced over the past few months place carriers in a better position to mitigate the risk of such events than before. The market is continuing to develop with the first privately-placed cyber catastrophe bonds placed earlier this year.”
While the industry is more prepared for a cyber catastrophe, the level of sophistication of cyber attacks is increasing, according to Jelmer Andela, head of cyber underwriting for Liberty Specialty Markets (LSM).
“The cyber risk landscape continues to develop, and attacks have become more sophisticated. We’ve also noticed a change of tactics whereby attackers aim to get the highest results for the minimal effort,” says Andela.
“Several years ago, attackers were aiming to shut down the whole company, whereas now they have shifted their attention to getting sensitive data to extort companies,” says Andela. “Some of these criminal organisations are sophisticated operations, with numerous staff executing the attacks and trying to extract ransom payments.”
Martin Kreuzer, senior cyber expert at Munich Re explains that cybercriminals have developed an “as a service” business model to attract so-called “affiliates” to cash in on cyber extortion. Reconnaissance-as-a-service, is increasingly being offered for more targeted attacks.
“We need to be clear, only a few of the most sophisticated and impactful cyberattacks gain public awareness,” states Kreuzer. “One very visible example from 2022 was Costa Rica, which became the first country in the world to officially declare a national state of emergency after a ransomware attack.”
Munich Re’s Global Cyber Risk and Insurance Survey found 69 percent of C-level respondents found that a successful ransomware attack has led to an “immediate” or even a “severe immediate” impact on day-to-day business operations, with only two percent of those surveyed stating there was no impact at all.
Several years ago, attackers were aiming to shut down the whole company, whereas now they have shifted their attention to getting sensitive data to extort companies.
Ransomware attacks have become a growing concern for organizations, with the cost to the global economy currently over $1.5 trillion per year, with this figure expected to rise.
According to Kreuzer, the insurance industry has proven that it can be part of the solution. “The market has recently identified and reacted quickly to the ransomware trend, in the process helping to improve the resilience of industry by driving best practices,” he says.
“The major damage usually derives from business interruption, that can be insured under a cyber policy. In addition, other cost-intensive first-party expenses such as restoration of data and systems or reputational damage may also be transferred through cyber insurance.”
The industry is certainly taking steps to ensure policy wordings explicitly define what is and isn’t covered under cyber insurance policies, according to Choi.
“There have been recent developments with regard to how carriers define what is a widespread cyber catastrophe event along with potential exclusions and sublimits, Lloyd’s cyber war exclusions came into effect on 31 March 2023, and industry groups and working parties have come together to continue pushing these topics forward, explains Choi.
As the risk of a cyber attack is greater than, ensuring the right coverage is in place can help prevent losses, and according to Andela, the first step would be implementing preventative measures, such as an identity and access management strategy. “The expertise insurers have built up over time can help insureds to identify any gaps in their current cyber security maturity,” he states.
Furthermore, encouraging insureds to be prepared for an incident is one way to help mitigate cyber risks, explains Andela. “Assume an incident will happen, the question is when, not if. Business continuity plans play a critical role here to recover from an incident, a key element of this is to test these accordingly on a frequent basis.”
As the world becomes increasingly digital, technology plays a key role in preventing cyber attacks, and Kreuzer explains it’s a crucial part of most business operations. “Technology, connectivity and dependency on digital assets are progressing with great dynamics. Therefore access to data, connected devices, or digital services and infrastructure is key to most of today’s business operations,” says Kreuzer.
However, he explains the downside is that it offers new opportunities to threat actors.
Cyber catastrophe and cyber war clauses introduced over the past few months place carriers in a better position to mitigate the risk of such events than before. The market is continuing to develop with the first privately-placed cyber catastrophe bonds placed earlier this year.
“In general, enhanced connectivity, new applications and interfaces, convergence between IT and operational technology, as well as the proliferation of the metaverse will be abused by threat actors and broaden attack surfaces,” says Kreuzer. “Therefore, much will depend on whether adequate security controls and best practices will be fully implemented during early rollout phases.”
Choi also see the benefits technologies such as endpoint detection and response (EDR), multi-factor authentication (MFA) can bring in preventing a cyber catastrophe, noting “technology alone can’t fully protect businesses”.
Though technology can help prevent a cyber catastrophe, Andela explains that technology needs to be used in combination with people and processes within an organisation.
“You can have the best technology in place, but if not configured well, not maintained, or nobody is doing anything with it, the technology will fail,” says Andela. “Do employees know what to do? Who should they contact? What are the next steps? It’s too simple to state that technology will solve all issues, but it certainly does play an important role if applied in a correct manner.”
For organisations, investing in cybersecurity and technology and upgrading systems is key to safeguarding critical business operations and assets, explains Kruezer, adding that "even smaller companies must redeem a basic level of security requirements".
Though secure technology is one way to safeguard companies, Kreuzer stresses it is also significantly impacted by adequate processes and trained staff. “For that reason, policies, tested incidence response plans as well as cybersecurity awareness training are additional key elements for a minimum cyber hygiene,” he says.
As the cyber threat landscape continue to evolve, insurance companies have a vital role in ensuring their clients are protected.
“Insurers have and will continue to increase expertise across the globe and across all kinds of industries,” says says Andela. They can play a vital role in helping clients to better protect themselves and limit the impact of an incident by sharing expertise. They also have a unique position when it comes to claims data from all kinds of threat actors across the globe, this creates valuable insights that clients can benefit from.”
Furthermore, collaboration between different stakeholders will be key in preventing “the potentially catastrophic impact of cyber incidents,” says Keutzer. “Solutions and services offered by cyber insurers have proven to be very effective and the approach beyond the narrow financial risk transfer will endure, e.g. towards prevention and post-ident services.”
