November 12, 2020 by David Gambrill
Cyber insurance is a relatively new line of business in Canada and so it hasn’t seen any hard markets historically — until now, that is. And it seems that insurers have ransomware to thank for that.
“I think it is indeed the first hard market we have seen in cyber,” Tim Zeilman, vice president and global product owner of cyber at Hartford Steam Boiler (HSB), said in an interview recently with Canadian Underwriter.
And while some may point to our increased digital reliance during the pandemic, as well as vulnerabilities due to a decentralized workforce, as the main reasons for the cyber losses, Zeilman sees a different primary culprit.
“COVID may have had something to do with it, but what I’ve seen is that it mostly has to do with ransomware,” he said. “Certainly the trend of ransomware being the major driver of losses started maybe 18-24 months ago, but it’s really accelerated this year.”
The reasons for the increasing severity of ransomware claims are two-fold, Zeilman believes. “One is, higher ransom demands, and that’s paired with more sophisticated ransomware that’s more damaging.”
Not only are criminals asking for more money, but they are increasing their leverage over their victims by encrypting backups and doing more reconnaissance on the system. Once they are into the system, Zeilman said, they start to figure out what kind of animal they are dealing with: how big the organization is, for example, and how much money they can extort from it.
“When they get into the system, they even try to figure out if someone has cyberinsurance, and that figures into their planning,” Zeilman said. “Criminals are being more discriminating, more sophisticated, and they are figuring out where they can demand more. They are moving more within systems, they are encrypting more devices, they are grabbing personal information and threatening to release that. Not only are they encrypting data and not releasing it until you pay, but there is the added threat of potentially releasing confidential information if a ransom isn’t paid.”
The financial result for insurers has been gigantic loss ratios over the course of the first half of 2020. In its 2020 Q2 results, reflecting only a portion of claims incurred during the COVID-19 pandemic, Canada’s solvency regulator reported a loss ratio of 498% for federally regulated cyber insurers. MSA Research, in a recent report that covered just the first three months of COVID, reported that Canadian cyber insurers posted a 1,100% loss ratio.
Those are hefty losses in a cyber market that has grown from a net premium base of $24.4 million in Canada just four years ago to $111.5 million last year. In some areas of Canada, cyber is now the largest-selling kind of insurance, as identified in the Canadian Underwriter 2020 Stats Guide.
Zeilman noted the current hard market in cyber is affecting different segments of the market differently. “The increase in the size of the demands and the severity of the losses seem to be impacting larger insureds more than smaller insureds.”
And so how are carriers doing business in cyber going to respond?
Naturally, there is a lot of discussion in the industry about rate increases and withdrawing capacity from the market. But Zeilman expects the responses by carriers will be more nuanced, depending on where they play in the cyber marketplace.
“Our business, both in the U.S. and Canada, tends towards the smaller business, so we have seen an increase in loss ratios, certainly, but not as severe as the players on larger risks have,” Zeilman said. “From our perspective, it’s been more of a reconsideration of, ‘Are we charging enough? Are we selecting the right risks?’ But we’ve had no major changes in how we underwrite the product itself in coverage terms or coverage limits.”
Zeilman noted that cyber carriers have certainly become more selective when it comes to classes of business that have been particularly affected by ransomware. “Carriers have become more careful about underwriting particular risks, about sublimits, that kind of thing,” he said.
Cyber carriers have also become more aware of the dynamic and volatile nature of writing cyber risks, which can appear and disappear in a hurry, depending on the interplay between technology, criminal behaviour and regulation. Knowing the market is potentially more volatile than other nascent markets, cyber insurers may find themselves trying to save more for a rainy day later.
“In the long run, [cyber] carriers will realize that loss experience goes up and down,” Zeilman said. “Even in the years where your loss experience is good, you will need to know that next year might be a bad year, so you will keep rates maybe a little bit higher than otherwise.”