Increasingly severe ransomware claims impact the cyber insurance market

As cyber claims costs are on the rise, policyholders need to enhance security measures and protocols to protect their systems and data in order to secure appropriate insurance protection at renewal.

The pace of change

The cyber insurance market is hardening at pace, with insurers’ rate-increase forecasts changing every quarter. Premium is going up while there is also pressure on limits and self-insured retentions. Underwriters are scrutinising insureds’ protocols, policies and security
more carefully.

Today’s cyber market is such that organisations which do not maintain enhanced security measures and protocols to protect their systems and data, may find that insurance is no longer available to them. The deployment of multi-factor authentication (MFA), for example, and next generation endpoint protection, have become minimum standards to some underwriters. The use of MFA is seen as the mandatory cyber equivalent of locks on doors and windows under domestic policies, while endpoint protection can be compared to sprinklers under a fire policy.

This renewed security focus by the cyber insurance market is a reaction to the dramatic increase in the frequency and severity of cyber claims during the latter part of 2019 and across 2020.

The changing nature of claims

Lockton's Global Cyber and Technology Team in London has worked closely with our Cyber Claims Team to provide some context around the frequency and severity of cyber claims.

  • During 2020, Lockton London saw a 144% increase in ransomware-related notifications.

  • Initial ransom demands increased tenfold, making a seven-figure
    demands the norm rather than the exception, with the largest being
    upwards of $30m.

  • Ransomware was the cause of about 7% of claims notified to Lockton
    in 2019, with the cost of these claims representing approximately 70% of
    total amounts paid by insurers. By contrast, in 2020 ransomware was the
    cause of about 15% of all notified claims, accounting for 95% of the
    paid amounts.

  • The total number of notifications to Lockton decreased in the last
    12 months by about 15%, but the costs of claims increased substantially.

However, cyber insurance claims typically take an average of 2-3 years to develop fully when accounting for the long tail aspects of the incident such as third party litigation and regulatory interest.

Applying a standard development pattern to the current claims incurred, we predict the 2020 paid claims position to be approximately 250% higher than in 2019. To put this into context, our Cyber Claims Team predicts that the total amount of claims paid in 2020 has the potential to reach $100m in the next 48 months.

Against this background, insurers have been applying increased premiums and greater underwriting scrutiny to protect their balance sheets and profitability. They are managing their exposure by reducing line sizes and/or applying sub-limits of liability; as well as by
increasing premiums and self-insured retentions. Often, these are applied simultaneously.

Data and regulatory breaches

Ransomware was under the spotlight in 2020, often due to the enormous ransom demands attached to such attacks. However, other “traditional” cyber events such as data breaches (and the ensuing regulatory implications) and denial of service attacks, continued to hit underwriters’ portfolios, contributing to the hardening of the market.

The increase in notifications under BIPA (Biometric Information Privacy Act) in Illinois is one particular trend that is raising concerns amongst the underwriting community. Statutory damages range between $1,000 to $5,000 per violation depending on recklessness of the act, potentially leading to some large claims. To put some context around the potential magnitude of these claims, in early 2020 Facebook paid $550m to settle a class action arising out of BIPA breaches.

Notifications of GDPR breaches are also on the rise. The number of daily breach notifications to European regulators increased by 19% in the last 12 months, according to DLA Piper, a law firm. The total number of breach notifications to the various EU and UK regulators is around
281,000 since the GDPR came into force in May 2018 but is increasing steadily. Whilst there is still uncertainty as to the insurability of GDPR fines and penalties, market-leading cyber policies will cover regulatory investigation costs. The potential impact of this additional exposure for cyber underwriters is evident.

Engaging early

Inevitably there will be some challenging discussions leading up to cyber renewals with potentially sharp increases in both premiums and retentions. Unfortunately, there will be insureds which have never had a claim in their history which will nonetheless be subjected to similar increases. This is a difficult message for brokers to deliver and for clients to digest. The best strategy is to prepare early for the renewal process, engaging in full and frank discussions. Doing so provides risk managers and chief financial officers (CFOs) with the time to understand, discuss and strategise with their stakeholders, avoiding last minute surprises.