Cyber Claims: Increasing Frequency & Severity
The darkening mood among the cyber insurance underwriting community over the past year was rooted in significant increases in cyber claim frequency and severity. Several 2019 cyber claim studies revealed a sharp uptick in ransomware and social engineering attacks. According to Beazley’s May 2019 Breach Insights Report, the number of ransomware attacks increased by 105% in the first quarter of 2019 when compared with the first quarter of 2018. It also reported a 93% increase in the amount of ransom demanded over the same period, with the hackers requesting $224,871 on average to release data. Several high-profile attacks against municipalities, schools, manufacturers and healthcare facilities served to increase concerns. While some victims caved in to hackers’ demands and paid six- and seven-figure ransom payments, others refused and chose to recreate the data and the systems that housed it. The latter choice almost always led to even greater costs than the original extortion payment requested by the hackers. In fact, Coveware’s 2019 Ransomware Marketplace Report revealed that business interruption costs were typically 5 to 10 times greater than the average ransom demand.
Ransomware was not the only concern. In April 2019, the FBI reported that cyber losses were driven by social engineering attacks, specifically business email compromise. These attacks doubled in 2018, compared with 2017 figures, and amounted to $1.3 billion in costs. AIG validated the trend in its July 2019 Claims Intelligence Series, where it reported that business email compromise claims accounted for 23% of all cyber insurance claims the company received in Europe, the Middle East and Africa in 2018. AIG reported a staggering increase in overall cyber claims frequency as the number of claims nearly doubled between 2017 and 2018. In fact, it received more cyber insurance claims in 2018 than in 2016 and 2017 combined.
The increase in cyber claims frequency may also be driven by the regulatory risk landscape. Cyber claim reporting requirements mandated by the EU’s General Data Protection Regulation (GDPR) may have played a part as they took effect in 2018. Failure to comply with the GDPR’s strict claim reporting requirements could lead to significant financial penalties and may have driven the increase in claims reporting activity. We continue to watch data privacy regulation spread to the U.S. as the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. The CCPA has compliance requirements similar to those called for by the GDPR. However, while it may drive the frequency and severity of cyber claims in 2020, it may also pose additional challenges to companies that fall victim to hackers. It allows the plaintiff’s bar to pursue a private right of action against organizations without having to prove harm to the affected individuals. The CCPA paves the way for plaintiffs to collect statutory damages of $100 to $750 per affected individual, which could have a material impact on bottom-line figures when data breach claims affect a significant number of people. Other states will likely follow California with similar regulations, which will compound compliance requirements and the potential for increased litigation and settlements.
It is worth noting that according to the NetDiligence 2019 Cyber Claims Study, the severity of cyber claim costs was largely dependent on the size of the organization impacted. In this study, small- to medium-size enterprises, categorized as those with less than $2 billion in annual revenue, averaged $178,000 in data breach-related costs. By contrast, large companies, categorized as those with $2 billion or more in annual revenue, averaged $5.6 million in data breach-related costs.
Cyber Insurance Premiums
We are cautious not to state that we have definitively moved to a hard cyber insurance market for all organizations in all industry sectors. However, there is clear evidence that the cyber marketplace is taking a harder stance with some of the larger and more complex risks.
We expect larger organizations to see cyber insurance carriers seek premium increases in the 5% to 15% range, with certain isolated instances of even greater increases. The retail and healthcare sectors are expected to be at the high end of that range. Minimum premiums between $5,000 and $10,000 per $1 million in primary or excess coverage should be expected for all sectors. In 2019, we saw the first signs of a trend of contracting capacity as at least one carrier exited the large client market altogether. While we don’t expect a mass exodus from the market, we do foresee some cyber insurance carriers beginning to rein in capacity to a $5 million policy limit. Insureds should also expect greater scrutiny from underwriters as they assess data protection controls and compliance with emerging regulatory requirements. Lastly, the trend of expanding coverage terms will slow as underwriters take a more conservative approach to these risks.
The cyber insurance market hardening trend is unlikely to flow to the small- and medium-size enterprises that seek coverage. Insurance underwriters have not penetrated the market for smaller and less sophisticated risks as much as anticipated and will continue to pursue market share. Most premiums are expected to stay flat, with some markets seeking low-single-digit increases. Many will offer $1 million limits, and some will offer limits up to $5 million.
Increased Use of Cyber Reinsurance Markets
Year over year, as more devices become part of the IoT ecosystem, cyber insurers have been forced to address mounting aggregation risk. We expect that as they take a more conservative approach to assuming cyber risk they will turn to the reinsurance markets more than they have in prior years. We should see increased usage of reinsurance strategies as more carriers apply some combination of quota share and aggregate stop-loss solutions.
“Silent cyber” risk involves the potential for non-cyber policies to be exposed to cyber-related losses when they were not specifically designed to cover cyber risk. Disagreements and confusion between insurers, brokers and insureds as to whether property, general liability, errors and omissions, kidnap and ransom, crime and other policies should cover cyber-related losses gained the attention of European regulators. In January 2019, the Prudential Regulation Authority requested a more formalized management of silent cyber exposure. As a result, effective January 2020, Lloyd’s underwriters are now required to clarify whether first-party property policies affirm or exclude coverage for cyber losses. Later in 2020 and into 2021, liability and treaty reinsurance will also require the same clarity. We expect U.S. regulators and the markets they oversee to follow Europe’s lead into 2020 as well.
Looking Ahead to 2020
In summary, the cyber insurance market has reached an inflection point. Hackers have proven that their business models work. They will continue to pursue an expanding attack surface with advanced versions of traditional attack methods in social engineering and ransomware. State, federal and international regulators have raised privacy liability concerns. They will continue to empower data subjects, tighten data collection compliance standards and ultimately give the plaintiff’s bar additional avenues to litigate. The cyber insurance market has taken notice and will begin to move premium prices higher to reflect these cyber risk realities.