Ransoming the Insurance Industry

Strict underwriting may be helping with severity of ransomware claims.
By Russ Banham Posted on March 3, 2023

Major ransomware attacks in 2022 included Bernalillo County in New Mexico, which shut down most government buildings; school website provider Finalsite; Maryland Department of Health, which stated that it did not pay the ransom demand; German defense contractor Hensoldt; and Japanese auto parts maker Denso, among many others. Altogether, from 2019 through February 2022, the number of ransomware attacks increased 232%, according to a report by SonicWall Capture Labs.

The growing frequency and severity of ransomware claims produced record-high loss ratios for many cyber insurers in 2020. Industrywide loss ratios in the United States reached 73%, up from 43% in 2016 and an average of 48% in 2018 and 2019, according to S&P Global Market Intelligence.

In response, cyber premiums catapulted an average 96% in third quarter 2021 on a year-over-year basis, Marsh reported in its fourth-quarter cyber market overview. Other adverse market reactions in 2021 included a 50% sublimit for ransomware losses, reducing by half the available financial limit. Overall limits of cyber insurance also decreased, and coverage terms and conditions tightened, with exclusions introduced for “known vulnerabilities,” policy wording signifying an insured’s substandard cyber security.

“In 2021, we saw a dramatic cut in capacity almost across the board, with the previous $10 million limits reduced by half,” says John Farley, managing director of Gallagher’s Global Cyber Liability Practice. “This past year was a bit better, with ransomware losses in terms of severity somewhat down, due to what I believe are the strict underwriting controls imposed on insureds in renewals, putting them on notice to bolster their IT networks and systems against wide-ranging attacks.”

Many insureds have done just that. Improvements in policyholders’ cyber hygiene are a major factor in the present moderating of the cyber insurance market. Nevertheless, a recent survey of risk managers by the Risk and Insurance Management Society suggests that companies cannot buy the limits of cyber insurance they desire. Nearly three quarters of the risk-manager respondents who purchased limits below $10 million said they would have bought limits above $10 million had the insurance been available for a reasonable premium.

More in P&C

Protect Your Pet
P&C Protect Your Pet

Pet insurance has become a multibillion-dollar global industry, but it has plenty of room to grow.

P&C Premium Increases Flat to Down
The Council’s Commercial P/C Market Index for Q1 is here.
A Mosaic of an Insurance Claim
P&C A Mosaic of an Insurance Claim
The marine insurance industry can withstand Baltimore bridge catastrophe, expert...
Power Play
P&C Power Play
Insurers and insureds alike must face the glaring risks and vulnerabilities in t...
Property & Casualty Hard Market Turns 6
P&C Property & Casualty Hard Market Turns 6
It may not happen immediately, but signs point to softening ...
Small Business Cyber Risk Represents a Big Opportunity for Agents
P&C Small Business Cyber Risk Represents a Big Opportunity for Agents
Q&A with Joshua Parrish, Executive Vice President at RT Spec...
Sponsored By RT Specialty