Financial firms rethink after cyber insurance premium spike

Brokers say there are signs pressure is easing, but quantum hacking threat could transform market

  • Insurance premiums for financial institution cyber risk jumped over the past two years, following a rise in ransomware attacks.
  • Brokers say renewal costs and policy exclusions are now beginning to ease, as insurers are pricing their policies at levels that are more appropriate for the risks.
  • However, some firms have already chosen to invest in more cyber defenses and reduce insurance cover.
  • The threat of hacking by quantum computers could fundamentally change the cyber insurance market again over the coming decade.

Banks and other financial firms have been struggling with a switchback from insurance providers over cyber risk insurance, as earlier generous underwriting standards have tightened dramatically over the past two years. Some firms are now deciding whether to cut their coverage and invest more heavily in cyber security instead.

Brokers say there are signs the sharp rise in premiums and exclusions is abating. But the increasing number of cyber attacks, together with a shift from data breaches to ransomware, all mean that a return to the easier environment pre-2021 now looks unlikely. And there could be a further systemic change on the horizon, with the rise of quantum computing potentially redrawing the landscape for cyber security (see Quantum of malice box below). 

Adam Lantrip, head of insurance broker CAC Specialty’s cyber practice, says premiums at renewal increased 25-50% on average, with a peak in July 2022—and the rise could have been as much as 300% for individual clients.

“A minimum premium might have been $5,000 per million of coverage three or four years ago. That same layer might have gone for $20,000 or $25,000 per million,” he says.


“For clients buying several hundred million in limit and spending tens of millions of dollars on their insurance, those increases could be significant.”

Banks and market infrastructure firms say they felt the financial pain, and, in some cases, could not obtain the cover they wanted. The head of non-financial risk management at a European bank says pricing, availability and depth of coverage have all worsened over the past few years. The head of operational risk management at a second bank complains cover is capped and cannot be obtained at the levels sought.

Jordane Terrasse, head of group risk transfer at London Stock Exchange Group, says 2021 was “noticeably more difficult in terms of cover and cost—the cover we took out cost substantially more than in prior years”.

In 2022, LSEG increased its coverage, and premiums continued to rise, although less sharply than before. The firm typically purchases cyber insurance for risks such as software malfunction, ransomware, business interruption and loss of revenue due to cyber attacks. The cover extends to forensic costs for mitigating and fixing issues, costs associated with regulatory requirements to notify clients if data is compromised, as well as defraying the expense of public relations.

Insurers are also demanding substantially more information to assess the cyber risk of clients. Insurance buyers are confronted with questionnaires asking as many as 150 questions, requiring considerable time for technology teams to compile.

Costing a king’s ransom

Experts say the huge increase in pricing and reduction in coverage in 2021 and 2022 is not surprising. Over the past decade, high-profile cyber attacks prompted financial institutions to enlarge their use of cyber insurance, resulting in explosive growth in affirmative cyber cover—policies that explicitly include coverage for cyber risk.

But around six years ago, fierce competition among underwriters led to a watering-down of checks on buyers’ cyber defenses. Underwriters at the time countered that banks were rejecting the intrusion of large-scale IT audits.

Regulators also intervened, with the UK’s Prudential Regulation Authority urging insurers in 2017 to monitor their exposure to ‘silent’ or non-affirmative cyber underwriting, in which cover is implied in policies, but not specifically included or excluded.

Jack Jones, co-founder of consultancy RiskLens and creator of the FAIR (factor analysis of information risk) framework for cyber risk analysis, says the insurance world had “mostly been guessing” about what coverage and premiums should be, and had no idea how to accurately gauge the efficacy of cyber-security programs.


“Now that they have some loss history to learn from, they recognize their guesses regarding coverage and premiums weren’t right, so they’re making some adjustments,” he adds.

According to the Center for Strategic and International Studies research organization, the number of cyber attacks with losses of more than $1 million increased rapidly, from 41 in 2016 to over 100 in every year since 2018. The infamous 2020 SolarWinds hack involved Russian hackers breaching the internal servers of government and businesses, and may also have compromised financial entities.

As long ago as 2015, cyber insurers believed they had enough historical data to develop effective pricing models. But the threat landscape changed significantly around 2018 to 2019, according to Tom Draper, UK head of insurance at research firm Coalition. Ransomware became far more prevalent, replacing data breaches as the main threat.


In his annual letter to shareholders in April 2022, JP Morgan chief executive Jamie Dimon noted that “the cost of ransomware has increased dramatically”. He had already announced a $600 million a year investment in cyber security three years earlier.

The challenge for underwriters is that ransomware is a very “binary” event, says Draper. When a data breach happens, the biggest costs typically result from litigation, and are defrayed for years until class actions are settled, during which time insurers can earn investment income. But ransomware requires a substantial upfront payment to be made very quickly. Draper says he would be surprised if many insurers made profits from cyber insurance in the period from 2017 to 2020.

As losses hit the cyber insurance market going into 2020, says Draper, providers “made a major pricing correction, because they started to see the speed of the losses”. This led to “a period of retrenchment”, which translated into “premium increases, reduction in capacity, retention increases and coverage restrictions”.

US cyber-security firm SonicWall found over 623 million ransomware attacks happened globally in 2021 alone, an increase of 105% year on year. In that year, CNA Financial paid what was believed to be the largest disclosed ransom, $40 million.

“As ransomware became a big problem, it became difficult for [insurers] to outrun their claim payments by adding new premiums on the front end of the year,” says CAC Specialty’s Lantrip. “It’s more sustainably priced now, and they are in a much better capital position.”

But satisfying criteria to gain coverage is more onerous and clients must demonstrate very specific technical controls, back-up procedures and recoverability, he adds.

Terrasse says the change of risk appetite from insurers meant that LSEG agreed to take on some of the ransomware risk on a quota share basis in 2021, but this was successfully removed in 2022.

Won’t get billed again

Underwriters are preparing tougher policy conditions to escape payouts if cyber attacks emanate from state-sponsored actors. Lloyd’s of London is preparing to implement a new requirement for members not to cover state-sponsored attacks, due to be applied from March 2023. Lloyd’s underwriting director Tony Chaudhry warned that without suitably worded exclusions, “losses have the potential to greatly exceed what the insurance market is able to absorb”.

However, a widely expected spike in cyber attacks following Russia’s invasion of Ukraine in February 2022 did not immediately materialize. In fact, the US Office of the Comptroller of the Currency found that ransomware attacks against US banks slowed down in the months that followed.

Brokers say the conditions in the cyber insurance market are also easing. The consultancy arm of insurance broker Aon has reported that the application of exclusions persisted and price increases for cover continued for cyber insurance in the third quarter of 2022, but that the pace of these trends has slowed.

“We’re not seeing a lot of new coverage restrictions, and some of the coverage restrictions that were imposed over the last two years are starting to maybe not come back in every single policy or for every single client,” says Lantrip. “For those with a good risk profile, the carrier is generally willing to entertain giving some levels of coverage they have not been willing to give in the last two years.”

According to insurance distributor CRC Group’s Redy Index, average year-on-year cyber cover renewal rates jumped by 70% in March 2022, with 83% of firms facing increases of more than 20%. By September, rates were still climbing, but the average was down to 26%, and more than half of all clients had seen their renewal price rise by less than 20%.

But for some financial institutions, the experience of the past two years has already precipitated a change of approach. Coalition’s Draper says firms may make a risk-based decision that the commercial market is too expensive, and invest instead in their own cyber defenses.

The head of operational risk at an Asian clearing house says that because it is not in the “custody business of holding customer money”, its resources are focused on preventing cyber intrusions, rather than buying insurance. Meanwhile, the head of risk at a second exchange says it does not generally consider insurance as a mitigation against cyber risk.

CAC Specialty’s Lantrip says some very large financial institutions “stopped buying coverage because it got really expensive, and they have enough capital to withstand a loss”. Other banks are so large that the amount of cyber insurance needed would “max out the marketplace”.

“They have so much data and money flowing on a daily basis, from a business interruption perspective, they would blow through the insurance really quickly,” he says.

Quantum of malice

Despite the experience of the past two years, Tom Draper at research firm Coalition thinks most major western banks still buy cyber insurance. Although it isn’t required by regulation, bodies such as the UK Financial Conduct Authority and Information Commissioner’s Office view obtaining cover as best practice. And insurers generally view banks as “very good risks”, he adds.

The consultancy Fortune Business Insights projects the value of the global cyber insurance market to continue growing rapidly, from $10.3 billion in 2021 to $63.6 billion by 2029, with financial services clients accounting for 28% of the total in 2020.

But there is a further radical change in the cyber-security landscape on the horizon—the growth of quantum computing.

Several banks including Barclays, JP Morgan and Societe Generale are preparing encryption algorithms to protect against hackers using quantum computing. Whereas current computers hold data in one of two states—a one or a zero—nascent quantum computers hold data in two states simultaneously, increasing calculating power. Experts say a quantum computer could break the prevailing form of encryption in 10-15 years, although it might happen within five years.

Insurer Marsh McLennan has stated that quantum computing represents the biggest threat to data security in the medium term.

In July, the US announced the penultimate stage of a competition among the world’s cryptographers to devise methods to resist future attacks from quantum computers.

Andersen Cheng, CEO of Post-Quantum, a cyber-security firm behind one of the algorithms under consideration in the contest, thinks there is “an opportunity” for the insurance industry to offer a new product in quantum insurance.


“An analogy is like in travel insurance, medical repatriation is a very rare event, but virtually everyone will buy that option as an add-on,” he says.

“These will be risk-free premiums that the industry can collect until quantum comes into existence.”

Cheng would expect underwriters to ask clients to demonstrate they have quantum migration plans, with at least a quarterly main board assessment.

However, Coalition’s Draper says such insurance would not be appropriate for all clients: “I don’t think it’s going to be a click-and-go—probably it is only the largest clients who buy it.”

Adam Lantrip at insurance broker CAC Specialty says he is not aware of any carrier that has an exclusion in a policy that would preclude it from paying a claim if it was determined that a quantum computer was used to crack an encryption code and break into a network. Hence, at present, there would be no need for financial institutions to request additional cover specifically against hackers using a quantum computer.

“Right now, if that were to happen, and a company had cyber insurance, I would expect the policy to respond to that,” he says.

However, Lantrip adds, once quantum-related losses start to occur, underwriting will be linked to measures that make the cyber security of financial institutions harder to breach: “The underwriters would much prefer to give capacity to clients who make it really hard to get into their networks.”

Scott Sayce, head of cyber at Allianz, says: “As organizations seek to improve their cyber defenses and assess their own vulnerabilities, any potential associated quantum computing risks will also need to play a part in that assessment.

“This assessment will also need to factor in the security of third-party service providers to ensure all potential weakest links are secured to the best possible level.”

Of course, every technology can be used for good as well as ill. Sayce adds that quantum computing “could also be utilized to aid cyber defenses”.

Swiss Re’s research institute suggested in a post in 2022 that the cyber insurance sector would first feel the risks of quantum computing, but that it could still become an opportunity later on: “The expectation is that risk pricing, for example, will be possible in real time, and that optimization calculations for underwriting and investments will also be very swift.”
