The hacks came one right after another, sowing chaos at hospitals, idling America’s biggest gasoline pipeline, crippling a huge meat supplier and devastating hundreds of companies over the July 4 weekend.
Now, insurers are reassessing the cyber business.
With cyberattacks on the rise and demand for coverage surging, the $3 billion industry of protecting companies against hackers is at an inflection point. Wrestling with higher costs and more risk, insurers are tightening standards, boosting prices and slashing how much they’re willing to pay for a breach.
Making coverage harder to get may expose more companies to greater financial risk. Insurers are re-evaluating how to profit from cyber policies amid a broader debate about who should be on the hook when hacks occur — like those against Colonial Pipeline Co. and JBS SA — and what roles the government and private industry should play.
“The ways of the past no longer work into the future, but never has this coverage been needed more,” said Joshua Motta, co-founder and chief executive officer of insurer Coalition. “People went a little over their skis, so right now there’s been a bit of a contraction.”
Cyber policies are relative newcomers to the centuries-old insurance industry. The sector has exploded in the past decade — with premiums more than doubling since 2015 and totaling $3.15 billion last year, according to the National Association of Insurance Commissioners.
Now, some insurers are changing course. Hiscox Ltd. is “refining” its appetite for the business and focusing on smaller U.S. customers, the U.K.-based firm said in a statement.
Meanwhile, some firms are charging more for less coverage. Clients paid 35% more for cyber coverage in the first quarter than they did in the same period last year, according to broker Marsh McLennan. Demand for standalone policies surged 24% last year.
Tougher Questions
Insurers are also changing underwriting standards as they seek to reduce risk, according to Tom Reagan, who leads Marsh’s U.S. cyber practice. That often includes requiring companies to beef up their own protections.
Following an uptick in ransomware losses, American International Group Inc. recently started asking companies tougher questions about their security measures as part of its underwriting process and requiring clients to employ certain safety measures, Tracie Grella, AIG’s global head of cyber insurance, said in an interview.
This kind of extra scrutiny means companies are waiting longer to get coverage, according to Kristen Peed, director of corporate risk management at CBIZ Inc.
“Carriers are asking a whole lot more questions,” Peed said. “And it’s taking them a lot longer.”
Cyber insurance typically covers costs associated with a hack, such as money spent to investigate and notify consumers their data has been compromised. It can also cover ransom payments.
For years, insurers have had to imagine worst-case scenarios and their consequences — some of which are turning out to be fairly accurate. When Colonial was attacked, it was forced to shut operations on the biggest U.S. fuel pipeline and paid $4.4 million in ransom to the hackers.
Exploiting Weakness
Cyber risks are global, and often crimes of opportunity. When a hacker finds a weakness, they’re likely to exploit it. That makes assessing risks especially complicated. And insurers aren’t immune, either. CNA Financial Corp., which offers cyber coverage to clients, was said to have paid $40 million in March to regain control of its network after a ransomware attack.
Unlike other types of insurance, cyber is developing in real time. Insurers have had to make changes whenever a breach occurs, according to Sam Levine, a senior vice president at broker CAC Specialty.
And some argue that cyber risks can be so catastrophic that the government should step in to to backstop the market, similar to what the U.S. did with terrorism risk in insurance policies after the Sept. 11 attacks.
“Cyber security in general, by definition, should be collaborative,” said Jennifer Rothstein, who’s head of insurance and legal at security firm BlueVoyant. “Private sector should work with law enforcement, and work with a lot of different sectors, because the risks are so severe.“
Meantime, as the cyber market adjusts, remaining providers stand to gain. Some even see more opportunity to profit.
“Cyber insurance will stay,” CAC Specialty’s Levine said. “We’ll see this pullback and restriction of coverage, and then we’ll see a right-sizing of the premiums, and then the organizations and the insurers will start to be profitable again.”