Businesses face a panoply of perils. Cyber-risks are the worst of all, according to this year’s list of global business threats drawn up by Germany’s Allianz. Attacks are multiplying. The cost of insuring against them is soaring too. It more than doubled in the US in the fourth quarter of 2021 alone, according to insurance group Marsh.
The cost of cover is being driven up because of rising claims, combined with falling capacity. Some insurance companies have decided to stop writing cyber insurance altogether.
Their caution is understandable. The threats have been rammed home by their own vulnerability. Last year US-based CNA and Paris’s Axa were targeted. Ransomware attacks occurred every 11 seconds in 2021, according to Cybersecurity Ventures. Their ubiquity is linked to the emergence of ransomware-as-a-service. Criminals with little technical knowhow can locate ransomware programs on the dark web and lease them for as little as $40 a month. They can then extort large sums, using cryptocurrency to help evade detection.
Many insurers have too little data to be confident in their pricing. They are particularly uneasy about the liabilities accumulated when an attack snowballs to affect huge numbers of businesses at once. The resulting claims can break the mutualisation principle at the heart of the insurance model.
Not everyone is pulling back. In mid-2021, London-based insurance provider CFC launched a new insurance syndicate that will focus on cyber and other emerging risks. Last week, Beazley, also based in London, said it was excited about the opportunities. It put its ability to swim against the tide down to expertise and ability to help clients improve their resilience.
Working with clients to improve controls is crucial but may not be enough to prevent a deluge of claims. Advances in quantum computing that allow hordes of stolen encrypted data to be unlocked is just one nightmarish scenario. Ultimately, some kind of public-private partnership might be needed to provide a backstop. In the meantime, businesses should expect insurance, if they can get it, to be increasingly costly.
The Lex team is interested in hearing more from readers. Please tell us about your own experiences with cyber risks and insuring against them in the comments section below