Cyber insurance rates are going to increase dramatically in 2021, driven by more frequent and more severe insured losses, according to a recent industry study.
The report by global insurance firm Aon plc predicted that rates would jump by 20% to 50% this year due to two main factors:
1. Cyber attacks are becoming more frequent — While publicly disclosed data breach/privacy incidents are actually occurring less often, ransomware attacks are exploding in frequency.
When measured over periods of four quarters, ransomware incident rates rose 486% from the first quarter of 2018 to the fourth quarter of 2020. The comparable rate for data breach incidents fell 57% during the same period. The incident rates for the two types of events combined rose 300% over the trailing two years.
2. The costs of these attacks are growing — The average dollar loss increased in every quarter of 2020. Ransomware attacks are particularly severe — many of them result in eight-figure losses. Others may grow to that level as business interruption losses are adjusted and lawsuits against insured organizations proceed.
The combination of more frequent and more costly losses is a recipe for higher rates.
Cyber insurance rates continued rising last year, with increases between 6% and 16% in the final four months.
In January this year, most of the top 12 cyber insurance companies told Aon they were planning more drastic rate hikes. Nearly 60% reported that they would be seeking rate increases of 30% or more during the second quarter. None of them expected increases of less than 10%.
New underwriting criteria
When insurers evaluate a cyber insurance applicant, they will be particularly concerned with the organization’s overall cyber risk profile, its cyber governance and access-control practices, and its network and data security. Prior loss history will be less important because the frequency of attacks is growing so quickly.
Some insurers may also cap how much they will pay for ransomware losses, or even exclude them entirely. They may also increase the waiting periods before coverage begins to apply.
What businesses can do
To improve your organization’s chances of getting more favorable pricing and coverage, the report recommends that you focus on:
- Reducing the risk of cyber losses.
- Measures to keep data private.
- Building an internal culture of cybersecurity.
- Preparing for ransomware attacks and disaster recovery planning.
- How your contracts and insurance will respond to a supply chain security breach.
- Understanding primary and excess coverage terms and communicating primary terms to excess insurers.
Cybersecurity problems are getting worse, and that will make for a difficult environment for purchasers of cyber insurance.