According to a recent US Government Accountability survey, Marsh McLennan, one of the world’s largest insurance providers, reported that nearly half of their insurance clients took on cyber insurance in 2020. That 47 percent take-up rose from 26 percent in 2016. Large insurance brokers also told the agency they saw a 10 to 30 percent increase in premiums in late 2020. The report said that insurers began to stray away from including cybersecurity as part of package plans as well. Now, they offer more standalone policies dedicated solely to cyber risk.
What are Ransomware Attacks?
These spikes in demand and pricing are largely due to ransomware attacks. Ransomware is especially lucrative for the criminals perpetrating the attacks and is devastating for the victims. All a hacker needs is for one worker to click a malicious link, and then they’ll be able to access the entire company’s network. The malware encrypts files, locks up the network and takes it hostage. To unlock the files, the victim must have a decryption key, which only the hacker knows. After the attack, the hacker sends a message demanding a ransom in exchange for the key. The list of victims seems endless, and ransom demands are getting higher. Hackers attacked electronics conglomerate Acer, demanding $50 million, the highest reported cyber ransom. According to Bloomberg, CNA Financial, one of the largest insurance companies in the US, paid hackers $40 million after a ransomware attack locked up the company’s network and stole its data. Food giant JBS paid $11 million in ransom, while the Colonial Pipeline paid out $4.4 million in demands (though the FBI recovered $2.3 million).
Cyber Insurance Pays Out Big Ransoms
According to blockchain research firm Chainalysis, ransom payments increased 337 percent to over $400 million in 2020. So far, it’s showing no signs of slowing down in 2021. Online extortionists have already taken more than $81 million this year alone. As these are reported figures, Chainalysis suggested these estimates could be on the low end. Real numbers including unreported incidents could be much higher. “Given that the average cost of a ransom has gone up year over year, I’d say that it will continue to be one of the biggest threats to organizations,” Zach Atya, vice president of Zeguro, a San Francisco-based cyber insurance firm said. “I suspect that frequency will also increase as malicious actors pivot from ‘quality’ to ‘quantity,’ targeting smaller and mid-sized companies.” If a company is properly covered, insurers have to foot the bill for many of these payments. And losses are steep. A recent cyber readiness report by Hiscox showed insured cyber losses of $1.8 billion in 2019, up 50% year over year. One in six firms said the attacks threatened their businesses’ survival. Hiscox also reported that more cybercriminals were active now than in 2019. AM Best, a credit rating agency for insurance providers, said insurers need to reassess their practices if they’re going to survive in the future. The prospects for the sector “are grim,” according to its June report. Analysts said the loss ratio for cyber insurance in 2020 rose to nearly 68%, up from about 45% in 2019. The increase in losses wasn’t limited to a few insurers, as loss ratios rose for 15 of the 20 largest cyber insurers, they said.
What is the Average Cost of Cyber Insurance?
A recent report from AdvisorSmith found that the average cyber insurance premium in the United States was about $1,500 per year. That number is for $1 million in liability coverage, with a $10,000 deductible. The more coverage you need, or more revenue your business brings in, the higher your premium can go. These numbers were based on companies with a medium level of risk.
Average premium: $1,485 per year Range of premiums: $650 to $2,357 per year
According to IBM, companies in the U.S. spend almost $4 million dollars on average to respond to data breaches. Small businesses can pay an average of $36,000 to recover from a data breach, a First Data report said (update editorial team: data report isn’t found online anymore). For small and midsize businesses, the cost could reach $86,000, according to a Kaspersky report. Large businesses can expect around $860,000 for each breach or attack. Like any insurance coverage, cyber insurance varies from business to business, depending on a range of different aspects. The nature of your business and its size, your security risk, how many confidential records you keep, the type of insurance you need, and your business’s physical location are all taken into consideration. Here are some other things that may affect your insurance premium:
First-party vs. third-party coverage
Insurers provide two types of cyber insurance to deal with data breaches:
First-party insurance helps you cover your own costs associated with a data breach. This could be ransomware payments, credit monitoring for affected victims, or reimbursing companies for business losses that occurred during the data breach. Third-party insurance helps pay for lawsuits caused by data breaches on your client’s networks and systems. If a client sues your business over the data breach, third-party insurance would cover court costs and lawyer fees.
Nature and size of the business
If you’re a small manufacturing business with a limited number of clients, you’d be considered low risk. If you’re a small restaurant that handles some sensitive details through online orders, you could be considered medium risk. Of course, if your business stores large amounts of credit card numbers and other sensitive information for clients and customers, you’d fall into the high-risk category. Generally, the larger a business is, the bigger a target you’ll be for hackers and phishing schemes.
How much data the business stores
If your business stores lots of sensitive employee and client records, you’d be considered higher risk. Energy companies, utility providers, hospitals and healthcare facilities are considered high risk due to the huge amounts of sensitive data they keep on clients and patients. Online retailers, too, are considered high risk, as they keep customers’ private details, credit card numbers, and other banking information on file. Companies like these would get a higher premium than a local company with a small customer base.
Security measures taken
Insurers will also take the security status of the company into consideration. For example, whether the business uses multi-factor authentication for transactions or not. Some insurers may require that companies use a Virtual Private Network (VPN). If a company has put a lot of effort into training staff and implementing cyber security measures, premiums could be lower.
History
Whether or not the business has already experienced data breaches and hacks, or filed prior cyber insurance claims, could also be a factor. Insurers might need to assess how and why the attacks happened.
Do Small Businesses Need Cyber Insurance?
While the largest businesses have the biggest targets on their backs, smaller and medium-sized businesses could be future ransomware targets too. Hackers are attracted to large payouts from big companies like Colonial Pipeline, JBS, or Acer, but they might find smaller businesses with lax security lucrative as well. As larger organizations amp up their security measures, attackers could move to a quantity over quality model, Zach Atya of Zeguro said. Attacking smaller businesses could be easier than bagging one giant. “There just isn’t as much awareness around ransomware affecting small and mid-sized businesses, when compared to the headline-grabbing that takes place when it is a large corporation,” Atya said. “The fact of the matter is that a [small or medium-sized business] is more likely to be a victim of a ransomware attack than a large corporation.” According to a study from Infrascale, almost half (46 percent) of the small businesses surveyed were targeted by ransomware attackers. Of the companies that experienced those attacks, 73 percent paid a ransom. Almost half of the ransom payers paid between $10,000 to $50,000 ransoms, while a small percentage paid more than $100,000. Of those who paid, only 17 percent got their data back. For more information on how to protect small businesses from cyber attacks, check out our guide here.
Formation of a Mega Company
Perhaps some of the biggest players in the insurance industry are collaborating to tackle the growing problem of cyber attacks. Top cyber insurers AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance, and Travelers formed a new company called CyberAcuView. They released a statement that said the company “will compile and analyze cyber-related data to enhance value and service to policyholders and help ensure a competitive market for cyber insurance.” “The cyber landscape continues to evolve with coordinated attacks becoming more frequent and disruptive,” CEO Mark Camillo said. “Combining resources from across the insurance industry will allow us to better understand cyber trends, anticipate and potentially mitigate future attacks, and help improve overall cyber resilience.”
Ransomware Not Going Anywhere
As hackers have become more sophisticated and set their sights on more targets, they’ve also changed their motives. AMBest said claims regarding data theft and identity fraud are now far outweighed by ransomware claims. First-party ransomware claims were up 35% in 2020, and now account for 75% of all cyber claims. “The recent Colonial Pipeline hack—for a multi-million-dollar ransom—is an example of first-party claims that have become so prevalent,” AM Best analyst Christopher Graham said in a statement.