Ransoming the Insurance Industry
Although the number of ransomware attacks decreased roughly 10% in third quarter 2022 from the prior quarter, TechCrunch reported that, by the time it adds fourth-quarter ransomware attacks to full-year statistics, “2022 looks set to top  as the worst year on record.
Major ransomware attacks in 2022 included Bernalillo County in New Mexico, which shut down most government buildings; school website provider Finalsite; Maryland Department of Health, which stated that it did not pay the ransom demand; German defense contractor Hensoldt; and Japanese auto parts maker Denso, among many others. Altogether, from 2019 through February 2022, the number of ransomware attacks increased 232%, according to a report by SonicWall Capture Labs.
The growing frequency and severity of ransomware claims produced record-high loss ratios for many cyber insurers in 2020. Industrywide loss ratios in the United States reached 73%, up from 43% in 2016 and an average of 48% in 2018 and 2019, according to S&P Global Market Intelligence.
In response, cyber premiums catapulted an average 96% in third quarter 2021 on a year-over-year basis, Marsh reported in its fourth-quarter cyber market overview. Other adverse market reactions in 2021 included a 50% sublimit for ransomware losses, reducing by half the available financial limit. Overall limits of cyber insurance also decreased, and coverage terms and conditions tightened, with exclusions introduced for “known vulnerabilities,” policy wording signifying an insured’s substandard cyber security.
“In 2021, we saw a dramatic cut in capacity almost across the board, with the previous $10 million limits reduced by half,” says John Farley, managing director of Gallagher’s Global Cyber Liability Practice. “This past year was a bit better, with ransomware losses in terms of severity somewhat down, due to what I believe are the strict underwriting controls imposed on insureds in renewals, putting them on notice to bolster their IT networks and systems against wide-ranging attacks.”
Many insureds have done just that. Improvements in policyholders’ cyber hygiene are a major factor in the present moderating of the cyber insurance market. Nevertheless, a recent survey of risk managers by the Risk and Insurance Management Society suggests that companies cannot buy the limits of cyber insurance they desire. Nearly three quarters of the risk-manager respondents who purchased limits below $10 million said they would have bought limits above $10 million had the insurance been available for a reasonable premium.