Cyber: the case for increased rates
Cyber-crime is proliferating, and cyber insurance is now an integral component of many companies’ risk management programmes. However, insuring against cyber risk presents multiple challenges for underwriters. Max Broodryk, AXA XL’s Product Leader-Cyber Risk, APAC, has the details.
Working with clients on the frontlines of the war against cyber-attacks, I find myself expressing how it sometimes feels combating this scourge of the modern era with phrases like: “pushing water uphill with a rake”, “nailing jelly to a tree” and “stabbing mercury”.
Why is that? First and foremost, cyber-threats only continue to proliferate. Today, all firms are vulnerable to cyber-attacks. As are individuals, local/regional governments, universities, hospitals and non-profit organizations. Or, to put it differently, unless you are living entirely off the grid and never use an internet-connected device, the risk of a cyber-attack is ever present.
Second, cyber-criminals are continually creating new tools and methods to exploit vulnerabilities in the vast universe of essential systems and technologies that power our economies and enrich our lives. Patching faulty code may make an IoT device more secure, for instance, but that won’t prevent cyber-criminals from accessing a company's systems by duping employees with clever phishing scams.
Prevention then mitigation
While cyber risk is virtually ubiquitous, this article focuses on the challenges that cyber-threats present for our clients and in turn us. First, I want to stress that security remains the fundamental imperative. As with all risks, mitigation follows prevention. Considerable information and expert resources are available to clients—including from insurers' risk consulting teams—on how to secure different systems/applications while also lessening the possibility of being targeted. So, I urge clients to take the time to understand the cyber-threats to their organisations and to ensure their systems and processes are as secure as possible.
That said, mitigating cyber risks via insurance also is an option, and cyber coverages are now an integral component in many companies' risk management programmes. However, as I'll outline below, insuring against cyber risk presents multiple challenges for underwriters.
The global cyber insurance market, including Australia, experienced several large losses in 2019 and 2020 that significantly impacted insurers' overall profitability. In response, some insurers reduced their exposure to this class of business by cutting policy limits, increasing retentions, restricting their offerings to specific clients or industry segments, or some combination of these. A few insurers exited this market entirely.
A continuously evolving threat
The unpleasant fact is that cyber-crime today is profitable: It doesn't require much upfront capital; payoffs from five- to over eight-figures are not uncommon; and the risk of being caught is fairly low. That makes it attractive to criminal gangs, some nation-states and opportunistic amateurs, who then apply the lessons learned from past "campaigns" to devise ever more effective methods for extracting money from different types of organizations.
Ransomware in particular has emerged as perhaps the most concerning recent dimension in the evolution of cyber-crime. Before 2018, ransomware tended to be delivered in random and untargeted ways. In those early days of cyber-crime, attackers could only guess which organisations were more or less likely to pay and whether to set the demands high or low. In other words, they had to grapple with the same issues that companies face when launching new products or entering new markets; e.g., what types of organisations to target, and whether to focus on a few big wins or many smaller successes. Ransomware attackers soon discovered that if their demands were perceived as relatively modest, many victims would opt to pay the ransoms because the decryption processes were viewed as reliable as well as cheaper and faster than restoring system(s) from back-ups.
Based on these initial experiences, ransomware gangs are now moving “up market” by targeting larger entities and demanding much higher ransoms. Also, their attacks are more sophisticated and much more invasive, often exfiltrating sensitive data and disabling networks. Thus, over the last two years, the ransom demands, and subsequent amounts paid have increased exponentially along with, in turn, the costs of forensic investigations, data recovery, associated business interruption expenses and legal advice.
Regulators are getting involved
In a few high-profile cases, regulators have taken notice and levied substantial fines on companies after data breaches compromised confidential data. In Australia, for instance, the Securities and Investments Commission (ASIC) is seeking a civil penalty against an Australian Financial Services Licence (AFSL) holder for inadequate cyber-security systems. The Office of the Australian Information Commissioner is also said to be reopening old data-breach cases and asking for additional information, which suggests it is looking to take a more active enforcement approach in the future.
While these developments should benefit companies by pushing them to take cyber-security even more seriously, these actions could further compound the difficulties insurers face in determining a fair and sustainable rate for cyber insurance. In particular, as regulators take a more proactive role in holding companies accountable for their cyber-security systems and procedures, that could impact the "tail" on cyber policies because penalties and third-party claims for compensation are usually levied long after these events occur.
Then there is aggregation
Insurers invest considerable time and effort assessing and managing aggregation risk; the potential for a single event to affect multiple policies. However, unlike property insurance, where aggregation is limited to a specific locale or region, cyber risk could aggregate in various ways:
- Across different product lines, including products where cyber coverage is "silent"
- Across common vulnerabilities in a particular type of equipment, operating system or application exploitable by malware
- Via malware that is widely propagated
- Across common shared infrastructure—including cloud services, payment networks, navigation and timing systems—that suffers interruptions due to attacks, system failures, or simply human error
- Across supply chains using a common vendor that suffers a breach
- Across a particular industry
- Via the theft of passwords or other access credentials that can be re-used.
Because the aggregation risks with cyber are so diffuse, insurers must monitor their cyber portfolios carefully; the same challenges also apply in other lines where a cyber event could trigger coverage. And in some cases, insurers may opt to introduce more stringent underwriting controls to limit aggregation risks.
I have seen the future …
So, where do we go from here? Clearly, cyber risks will only continue to grow and evolve. In fact, the increase in remote working due to the Covid-19 pandemic has made many organizations even more vulnerable to cyber-attacks.
At the same time, for the reasons I've outlined in this article—plus some others I haven't touched on, e.g., the role of the capital markets and increased reinsurance costs—many companies should prepare for the likelihood that their expenses for managing and mitigating cyber risk will go up.
Hence, it is essential for the collective community of clients, brokers, insurers and cyber-security experts to continue sharing expertise, best practices and lessons learned. All crime, including cyber-crime, is an unproductive drag on society, and it is in all our interests to marginalize these activities as much as possible. Only by working together, increasing security, and reducing or eliminating the proceeds of crime (like ransom payments), it is possible—not assured, but possible—we will get to the point where cyber-crime becomes yesterday’s problem.
Max has been involved in cyber insurance for the last ten years and financial lines and other classes for twenty years prior to that in various underwriting, claims, portfolio management, operational and management roles in Australia, Asia, New Zealand and the Pacific Islands. He is based in Sydney and can be contacted at firstname.lastname@example.org