With every headline, every locked system, every demand, ransomware becomes more of an unwieldy beast — but one that the cyber risk and insurance industry feels it can still tame with a blend of risk management, collaboration, and risk-reflective rates.
You don’t have to look far for evidence of the explosive rise – and the deepening severity and scope — of ransomware events. Just this week, Universal Health Services’ hospital system with over 250 facilities fell victim to an attack. Scores of schools, businesses, and municipalities have faced attacks. Earlier in September, ransomware hit a hospital in Düsseldorf, Germany, leading to a women’s death.
Ransomware represents a major problem, logistically, financially, and ethically. But it’s not uninsurable, according to industry experts, and it’s a risk that many observers say helps illustrate the fundamental value of cyber insurance.
“We’re at a critical moment in how insurers are going to respond to this,” said John Coletti, chief underwriting officer for AXA XL. “But it’s not so catastrophic or so rapid that there’s nothing to do about it. There’s a multi-faceted approach that insurers are taking with the increase in ransomware attacks.”
Higher premiums that reflect the cost of the risk is underway, with reported average increases ranging from 5% in the first half of 2020 up to 20% in the last two to three months. Ransomware has emerged as a significant threat to the longtime profitability of cyber insurance, but cyber extortion as a coverage has been underpriced for years, say observers. Now with costly events happening on a weekly, if not daily, basis, the flexibility of the market on pricing comes into play.
“You could write a policy in September and have the limit completely eroded within days,” said Coletti. “That’s why you’re seeing the immediacy. The premiums need to be adjusted to account for the severity and the increasing frequency of these attacks.”
He added, “The question now is, for how long will those increases last? How long depends on what can be done to mitigate the attacks themselves. Have we reached our peak?”
Threat data and loss trends suggest otherwise. There have been “unreal amounts of ransomware just in the last few weeks,” said Lindsay Nickle, partner with Lewis Brisbois. When the COVID-19 pandemic first began to spread, many threat actors indicated a willingness to hold off on some attacks.
“As the world is starting to reopen, all bets are off,” she said. “They’re reopening just like everybody else is.”
Between 2018 and 2019, ransomware costs have risen 250%, with extortion demands four times what they were in past years, according to Paul Bantick, global head of Beazley’s cyber and technology team. The length of downtime associated with ransomware attacks also increased significantly and it falls to the insurance industry to come up with appropriate solutions, he told Advisen.