When Lloyd’s of London found problems in its IT systems in October, the 300-year-old insurance market took some of them offline temporarily, fearing it had suffered a cyber attack. After a thorough investigation, cyber specialists found nothing amiss and life returned to normal after a week or so.
But, even if there had been an attack, Lloyd’s would have been covered — its management has cyber insurance in place to deal with the costs.
It is a form of cover that seems an obvious purchase for an organisation running a global market. However, for other companies, a decision on whether, or how much, cover to buy is a much tougher one — despite the rising profile and costs of ransomware attacks.
Premiums for cyber insurance have soared over the past few years. According to Sarah Stephens, head of international cyber insurance at broker Marsh, prices started rising in late 2019.
Marsh’s market index shows that the cost of cyber insurance in the US was rising at a rate of more than 100 per cent year-on-year by the end of 2021, although that had moderated to 79 per cent in the second quarter of this year and 48 per cent in the third.
John Neal, chief executive of Lloyd’s, says higher prices are a reaction to both an increase in claims and a long period of falling prices between 2010 and 2018. Since then, the cost of cyber claims has been pushed up by a sharp rise in the number and cost of ransomware attacks, in which criminals disable a company’s systems and demand a ransom — often millions of dollars — to put them back online.
Cyber insurance, says Neal, “had become underpriced” and insurers were making losses on the products in 2018 and 2019. Prices needed to rise, he argues, “to more sensibly reflect the exposure”.
Nevertheless, says Stephens at Marsh, some clients have become “very frustrated with the process”, adding that many companies that had only recently started to buy cover found it “particularly jarring” to be hit with big price increases so soon.
On top of that, cyber insurers have become pickier about the business they will take on, insisting on reams of information about the security clients have in place, and excluding some types of incident from the cover they offer.
Andreas Wuchner, of cyber security monitoring group Panaseer, says that some insurance buyers are now asking questions about the value of the product.
“Lots of organisations say it’s not worth the money in cyber insurance, and it’s better to invest in compensatory controls,” he says. “That’s very valid.”
Combine that with cost pressures elsewhere as inflation rises, he adds, and some companies are deciding to buy less insurance and hold on to more of the cyber risk themselves.
Stephens says that only a “very small percentage of clients” have stopped buying cyber cover entirely, although she adds that some have taken a hybrid approach: buying less insurance and making more use of so-called captive insurers, in-house insurance companies that many big corporations own as a way of cutting their insurance costs.
Insurers argue the benefits of their products go well beyond paying out money for a claim. They point out that also provide services to help companies deal with cyber attacks when they happen — from rescuing data and systems to negotiating with attackers, and dealing with customers and staff who have been affected.
More stories from this report
“It’s a very unique, stressful situation to have a cyber event, particularly ransomware,” says Paul Bantick, head of global cyber and technology at insurer Beazley. “You want to have people by your side that have done that a lot of times, who know the drill, who can advise you and help you think through your options. If you don’t have someone who can help you with that, it’s a real challenge.”
Preparation is all and insurers can advise on controls, he notes. “The one thing that will always ring true is that the better you are at responding and the processes and controls you have to mitigate this, the less likely it is that you will have to pay a ransom.”
Bantick says that, although it is “not a great conversation” when insurers explain price rises to their clients, many of them understand the rationale. “What clients are massively aware of — more so than ever — are the threats.”
Despite the price increases and the growing cost pressures companies are facing across their businesses, the insurance industry expects demand for cyber cover to rise.
According to Neal at Lloyd’s, the global cyber insurance market is likely to grow from $12bn worth of annual premiums today to $60bn over the next five to 10 years as threats increase.
“Companies need to look at the risks they are facing,” he says. “[They have to] get under the skin of their own protection and risk management measures.”