Cyber insurance: another victim of the hard market?

Rates for excess cyber insurance in Canada are on the rise.

“In Canada, I would say what we are seeing is excess cyber insurers increasing rates,” Brian Rosenbaum, national director of the legal and research practice at Aon Risk Solutions, said in an interview Thursday. “If you are a bad risk from a cyber perspective – if you’ve had a number of breaches, if you’ve had an acquisition, or if your situation has changed – sure, on a primary basis, your primary cyber insurance rates are going to go up. But if nothing’s happened — if you haven’t had any claims or incidents and you’re clean, but you’re buying excess insurance — you’re going to see an increase on the excess level.”

Rosenbaum made his comments following the release of NetDiligence’s 2020 Spotlight on Ransomware, a report released Wednesday in advance of NetDiligence’s Cyber Risk Summit in Toronto Friday. He was asked if Canadian cyber insurers (or those who write business in Canada) are increasing their rates.

NetDiligence is a privately-held cyber risk assessment and data breach services company based in the United States. Its report notes that “insurers are increasing rates for cyber insurance coverage for clients of all sizes.” In addition to charging higher premiums, some insurers are also looking to share the costs with their insureds.

One cyber insurer cited in the report even suggested that higher-risk victims of ransomware might be required to pay 20% to 30% of the cost of an event as an incentive to improve their defences.

“I know from my U.S. colleagues that they are seeing a more hardening market in cyber on a primary basis than we are in Canada,” Rosenbaum told Canadian Underwriter. “I think that’s part and parcel because of more litigation, although we are going to see some litigation in Canada come to the courts. There are a lot of cases now sitting there, and we are waiting for some settlements and decisions.”

NetDiligence’s report also noted that ransom amounts are increasing; sometimes even becoming disproportionate to the size of targets. Rosenbaum has seen this as well. “We still get what we would call a drive-by extortion, where they are just hitting as many organizations as they can and are looking for a couple thousand here and there,” he said. “They don’t really care which organization pays them and which doesn’t. If you are talking about targeted extortions, they are emboldened: They are asking for multiple million dollars, whereas you were not seeing those numbers before.”

The number of ransomware claims in NetDiligence’s dataset has increased dramatically over the past several years: Six in 2014, 19 in 2015, 92 in 2016, 210 in 2017, and 151 so far in 2018. “We anticipate seeing this trend continue in 2019,” said the 2020 Spotlight on Ransomware report. The company’s dataset does not yet contain claims for 2019, and the organization is currently collecting data for 2020.

James Burns, cyber product leader with CFC Underwriting, told Canadian Underwriter Thursday that “the cyber claims environment has developed significantly in the past 12 months and both frequency and severity of losses are up. Ransomware has been a contributor of this and we have seen extortion amounts increase substantially, including in Canada.

“But other types of claims are contributing too, including social engineering losses suffered by small- and medium-sized organizations, and major privacy events impacting larger corporations. All of these factors combined are leading to a hardening of the rating environment in cyber globally.”