Ukraine tempers ransomware frequency - Howden

Higher loss frequency and severity from ransomware have caused such an extreme supply-demand imbalance in the cyber insurance market that today’s average cost of cover is more than double what it was last year.

Publicly available data help to explain why this is the case, with the annualised number of global ransomware incidents up 235% in 2021 compared to 2019 and average US ransom payments rising by 370% over the same timeframe.

Having hit a peak in the second quarter of 2021, there was a moderation in the number of ransomware incidents towards the end of the year, with this trend continuing into early 2022.  

Shay Simkin, Global Head of Cyber, Howden, commented: “Market conditions remain difficult, but two potential tailwinds may help companies and insurance carriers as this year progresses.

“The first is off the back of more favourable ransomware trends following underwriting and risk management actions taken in response to increased ransomware frequency and severity. Companies are more resilient to ransomware attacks today than they were this time last year.

“The second, the war in Ukraine, is a lot more unpredictable, but it appears the conflict has so far dampened cyber frequency further as both warring sides focus their efforts on conventional warfare.

“This could of course change in an instant – for example, a ceasefire, a large-scale cyber attack, pressure on Russia’s government to find new revenue streams as economic sanctions bite – but for now insurance claims are down compared to last year. All of which raise important questions around the prioritisation and efficacy of cyber operations during wartime.”

Cyber pricing

How these dynamics play out for the rest of 2022 will be instrumental in shaping the pricing environment. For the best part of a year, cyber has experienced the most extreme rate increases across the entire insurance market, as reflected by Howden’s real-time, global cyber insurance pricing index, which includes average year-on-year rate movements, dating back to 2014.

The last two full quarters saw average annualised increases in excess of 120%.

David Rees, executive director, Howden, added: “The last year has been characterised by price corrections, contracting capacity and restrictive terms – classic hard market territory.

”Whilst the value of cyber insurance continues to prevail for the vast majority of buyers, pricing is now approaching the limits of economic viability for some. Compounded increases from here are not sustainable, which, assisted by the more favourable claims environment that appears to be manifesting this year, is likely to moderate or even stabilise pricing. Improved insurer performance should also help attract new capacity into the market.”

Market maturity

The ingredients for a more mature cyber market are now in place. Hardened cyber defences have left companies less vulnerable to prolonged disruption in the event of an attack or breach, and the cost of cover is now more commensurate with loss costs.

Strong demand and the prospect of more capacity looks set to drive significant market growth over the medium term. If this is at a CAGR of 25%, as predicted, this would see gross written premiums exceed $25 billion by 2026. 

The report forecasts that the US will remain the biggest market for cyber insurance, although Europe is expected to close the gap somewhat over the next few years.

Cyber fluidity

Cyber continues to live up to its dynamic reputation. Just as companies and insurers have been adjusting to the new reality of ransomware, the war in Ukraine brings uncertain implications, both within and beyond the conflict zone.

The array of groups operating in the cyber battlefield complicates distinctions between state-sponsored attacks and those carried out by non-state actors.

Whilst the conflict appears to have reduced cyber frequency in the near-term as both warring sides (which host some of the worst offending ransomware gangs) refocus their efforts, the situation remains highly volatile and a lot can still change.

The applicability of sanctions and ransom payments is also under scrutiny. Even if ransomware incidents return to their pre-war trend, any potential Russian-linked ransom payment claim could be prohibited by economic sanctions.

The scope of cyber coverage and war exclusions have also been the source of considerable debate since the start of the conflict.

Building resilience

The risk transfer sector has been an important enabler of resilience by working with companies to adopt better risk postures in order to access insurance capacity.

From a technology perspective, this includes endpoint detection and response (EDR), next generation anti-virus deployment, multifactor authentication (MFA) for remote network access, data encryption and protection, regular backups and patching of critical systems / software.

The report advises companies take a holistic approach to cyber hygiene that embraces process improvement too. This involves training and educating employees, engaging with third parties, conducting table top exercises, testing business continuity and disaster recovery plans, having experts at the ready and knowing who to call should the worst happen.

But even the best prepared companies cannot eliminate the risk of a successful attack entirely, and here expert advice is available to help firms mitigate their risks and recover from incidents.

Cyber experts have contributed to the report to offer insights into what companies need to do to improve their risk postures, reduce vulnerabilities and contain impacts in the event of a successful breach.

The paper also analyses cyber security at a time of war in Europe to help clients unpick the deep complexities that exist in what remains a highly unpredictable environment.