Cyber insurance costs fall in 2023 despite steep rise in ransomware attacks
Premiums drop from historic highs as insurers eye a ransomware resurgence


Cyber insurance pricing is down by 9% in 2023 following an all-time high at the end of 2022, despite ransomware activity having increased 48% year on year (YoY).
The figures show the shock experienced by the cyber insurance market during 2020 and 2021 as ransomware frequency and severity escalated sharply. As a result, the cost of cyber cover more than doubled.
Things are more nuanced in 2023, according to a report published by the Howden Group. Activity relented in 2022 - accompanied by the implementation of mitigations and risk controls by companies - before surging again in 2023.
However, strengthened defenses have paid dividends and the report noted that “resurgent ransomware activity in the first half of the year has so far not been accompanied by a corresponding rise in losses or claims”.
The effect of this is that despite the uptick in ransomware activity, cyber insurance premiums are remaining flat or even decreasing from their historic highs.
The report described the surge in ransomware during 2020 and 2021, attributed in part to the availability of low-cost ransomware kits, as “unlike anything experienced previously”.
At one point in 2021, ransomware incidents were up by 390% compared to a Q1 2019 baseline. The result was what the report described as a “major market correction”.
After 18 months of relative calm for the cyber insurance market, optimism around a drop in claims and a return to competition was tempered by an increase in global ransomware attacks - up 47% in the first quarter of 2023 compared to the same period in 2022.
The average US ransomware payment also went up by 55% YoY.
Ransomware gangs have been accelerating their activity after a year of comparatively smaller gains. Average ransom payments in early 2023 were nearly double those of the previous year. 40% of companies surveyed reported payments of $1 million compared to 11% in 2022.
Cyber criminal groups are paying more attention to an organization’s ability to pay versus the security measures in place, according to the report.
Mounting issues with cloud outages
Away from cyber insurance, the report also highlighted the potential for businesses to become more exposed to spiraling losses due to interruptions in the digital supply chain, not necessarily only from cyber attackers.
Jonathan Hatzor, CEO at Parametrix Insurance, said: “The cloud goes down almost every day”.
He noted that the big three cloud vendors only tended to report major disruptions and that the most common reported cause of outages was human error.
The resulting financial and reputational costs from such incidents can be severe.
Estimates can vary depending on the research and the type of customer, but an organization’s financial loss as a result of a major outage at one of the big three hyperscalers could range between a few thousand dollars per hour and more than $300,000.
“Cyber supply chain risk is something that companies operating in all sectors and geographies need to measure, manage, and mitigate,” said Hatzor.
War exclusions
Finally, the war exclusions issue in cyber insurance has focused minds as positions are clarified on cyber warfare and buyers check that existing levels of protection will be maintained.
Earlier this year, cyber insurance provider Lloyd’s introduced ‘war exclusions’ to its policies, attracting criticism from the industry.
The new wording from Lloyd’s and the broking community means losses will not be covered if they arise from a physical war, from a cyber attack carried out as part of a physical war, or “from a state-sponsored cyber attack that causes a major detrimental impact to the essential services required for the functioning of a sovereign state”.
While the clause might sound initially alarming, the report noted that “cyber insurers have confirmed that they do not consider any attack to date, including NotPetya, would be of sufficient scale to trigger the exclusion”.

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.