In 2020, the global pandemic created near-perfect conditions for cybercriminals. Unsurprisingly, we have witnessed a dramatic spike in cybercrime, but what is driving this threat and what are the implications for cyber insurers in 2021?
Increase In The Cyber 'Attack Surface'
The shift to remote work and the large-scale dependency on personal devices and residential networks have expanded threat actors’ attack surface — the number of different points through which an unauthorized user can access or extract data from an environment.
At the same time, businesses have been digitizing operations at a record pace to adapt to remote working trends, increased virtual consumption and the need for contactless services.
The net effect has been a mass increase in potential targets for criminals to exploit and an unprecedented expansion of company networks beyond their external firewalls.
Cybersecurity in these conditions has proved extremely challenging. Businesses were forced to move entire organizations to remote environments rapidly and with little preparation, exposing insufficient information technology infrastructures, immature data governance and inadequate security controls.
Explosive Growth In Ransomware
In parallel, ransomware proved devastating in 2020, with incidents becoming more frequent, targeted and automated. Global ransomware attacks rose by 40% in the first three quarters of 2020 compared with the same period in 2019, and payments have more than doubled in size since the start of 2020.
Increasingly sophisticated and AI-enabled tactics have seen large businesses become more and more vulnerable. For example, criminals have not only accessed companies’ core systems but are successfully infiltrating backup systems as well. Criminals have also started exfiltrating data from hacked networks and threatening to release it as part of the extortion scheme.
Meanwhile, the explosion of “ransomware as a service” has lowered the barriers to entry for aspiring cybercriminals, enabling less sophisticated actors to cause significant harm.
Cyber Insurance Demand Grows While Loss Ratios Climb
The spike in cybercrime has driven demand for cyber insurance, and prospective buyers are requesting higher limits. Price and capacity remain notable barriers, however, and it is too early to say if demand will translate into sustained market growth.
At the same time, underwriting cyber has become more challenging. Three years ago, cyber was a highly profitable line of business with loss ratios as low as 10%-15%. Rising claims pushed this figure up to nearly 50% in 2019, and anecdotal evidence suggests cyber loss ratios today hover well above 50%.
Not surprisingly, insurers have become increasingly nervous about the deteriorating risk landscape, and some mainstream insurers have withdrawn from the class altogether. Rates are increasing, but a further hardening may be needed to restore confidence.
Despite the challenging landscape, there are reasons for optimism. First, enterprises are more aware of the importance of purchasing cyber coverage. Second, advances in data analytics mean insurers can more accurately price cyber risk and tailor their portfolios to the changing risk landscape. For underwriters equipped with the latest tools in advanced analytics, there is a real opportunity to outperform their peers.
2021 Predictions And What They Mean For Insurers
Cyber hygiene will be crucial. In 2021, macro conditions will once again work in favor of cybercriminals as the attack surface continues to expand. Even if the global pandemic recedes, remote working will persist for some time, and digitization will continue to accelerate.
The rollout of 5G networks will drive the proliferation of connected devices, which already exist in the billions and are largely unmanaged. While 5G will enable a truly digital society, it opens an even greater number of entry points for attackers to gain unauthorized access.
The good news is that the anticipated threats are largely knowable and preventable and do not require exotic security measures. In most cases, the cure is relatively basic and mostly centered on improving employee awareness and behavior rather than increasing technical capability.
Indeed, businesses that achieve robust cyber hygiene (such as regular patching and password updates) will differentiate themselves from their peers. Similarly, most attacks are initiated by social engineering. Educating employees who are working from home (and are therefore less able to verify the legitimacy of email requests with colleagues and IT teams as they would in the office) will reduce susceptibility to phishing and fraud tactics.
For insurers, having access to tools to monitor behavioral indicators of cybersecurity compliance will be key to achieving excellence in underwriting. For example, the turnover of an IT security team, the patching cadence for software, and the presence of unused services are powerful proxies for whether an organization is fully in control of its cybersecurity.
Authorities will intervene in ransomware. The forces driving ransomware are unlikely to change in the short term, for two primary reasons. First, ransoms remain the most lucrative means of monetizing data breaches and, second, businesses continue to pay, believing that the economic and reputational costs of not paying outweigh the price of the ransom.
Regulators and government authorities will be forced to intervene either in the payment of ransoms, or the use of cryptocurrencies, to slow the vicious cycle.
In the United Kingdom, the former head of the National Cyber Security Council, Ciaran Martin, has called for “urgent” action that includes a change in law to prevent businesses from paying ransoms and to make ransomware risks a board-level problem.
In the U.S., the government is tightening its grip, issuing guidance in October reiterating its position that cyber insurers that make ransom payments to certain threat actors are in violation of the law.
Insurers must watch these trends closely. Experience in the kidnap and ransom market tells us that if governments succeed in making ransoms harder to collect, criminals will shift their tactics to achieve payment via alternative channels. Demand for indemnification will continue to exist, but insurers must actively monitor changes to criminals’ modus operandi and continuously assess the relevance of their cyber insurance products.
Portfolio resilience will take the spotlight. In 2021, the focus will turn to portfolio resilience as insurers and regulators take a growing interest in the scale of cyber accumulation risk and its impact on capital. This will drive demand for cyber insurance.
There has yet to be a cyberattack large enough to become a rating event, but the potential is there. Models run by Lloyd’s and Guidewire indicate that a single cyber event such as a major cloud service provider hack could cause losses as large as a major hurricane — with the potential to increase industry loss ratios anywhere between 19% and 250%.
For insurers to expand capacity to meet demand, they must think more carefully about potential balance sheet impacts from a catastrophe-scale event. The technical pricing of individual policies will remain important, but understanding the potential for aggregated losses is now vital.
In particular, it demands closer cooperation between underwriting and capital management teams and the use of accumulation tools to deepen the industry’s understanding of portfolio dependencies.
The cyber environment is being propelled by two underlying dynamics. The first is obvious: we live in a world that is increasingly reliant on technology. The second is less understood: the way in which the technology is deployed is driven by human factors. Analysis of the causes behind recent cyber claims has demonstrated that behavioral factors are valuable tools for predicting future cyberattacks, as well as for understanding cybercriminal tactics.
Ransomware has been the cybercrime story of 2020, but understanding the human drivers behind it will be key to unlocking our understanding of, and ability to successfully insure, this risk in 2021 and beyond.
Paul Mang is chief innovation officer at Guidewire, a leading provider of predictive analytics, risk insights and business intelligence solutions for the property/casualty insurance industry. He is the former global CEO of analytics at AON.