Cyber insurers are taking a “multi-pronged” approach to ensure they can actually make money off the product.
More carriers are expanding their offerings to include cyber, more commercial clients are buying cyber coverage and more insurance buyers are aware of cyber threats, said Annamaria Landaverde, senior vice president and cyber team lead for Munich Re U.S.
But cyber risk can be frustrating for underwriters, Landaverde said during a webinar hosted by Oldwick, N.J.-based A.M. Best Company Inc.
“The frustration is, you can’t nail down the exposure. Cyber threats will continue to evolve. “There have been years where the loss costs come from data breaches or from specific events and it just keeps on changing,” said Landaverde.
The factors affecting cyber risk are changing much more quickly than traditional property risks, such as water and fire damage, said Tim Zeilman, vice president and global product owner for cyber at Hartford Steam Boiler.
“The things that were risks to start a fire 100 years ago are largely the same as today,” Zeilman said during the A.M. Best webinar, What Insurers Need to Know About Next-Gen Cyber Threats.
A lot of underwriters are “mandating minimum security controls in order for risks to be eligible for cyber insurance. Before even quoting the business, those controls need to be in place,” Landaverde said in October during the webinar.
“Cyber insurers are going in a direction of taking a multi-pronged approach to ensuring long term profitability,” said Landaverde.
Cyber insurers need to manage their loses by setting maximum limits and sub limits to a point where the insurer can manage systemic events, she observed. They also need to raise rates as the loss ratio increases.
“There is no one silver bullet. There are several approaches that need to be taken simultaneously to ensure the sustainability of this market.
A lot of underwriters are “mandating minimum security controls in order for risks to be eligible for cyber insurance. Before even quoting the business, those controls need to be in place,” said Landaverde.
One major risk is ransomware, which either prevents or limits users from accessing their system, KPMG explained in an earlier report, quoting Trend Micro. Ransomware either locks the system’s screen or locks the users’ files unless a ransom is paid.
“As ransomware has grabbed headlines, sometimes it gets lost that these are not just teenagers in hoodies like all the images on the news. They are criminal organizations,” said Brendan Rooney, managing director of cyber incident response vendor Tracepoint [acquired in September by McLean, Va.-based Booz Allen Hamilton], during the A.M. Best webinar.
In the “early days” of ransomware – before 2018 – cyber criminals were “kind of testing the business model” of ransomware, said Zeilman. So miscreants were stealing confidential information and making relatively small demands.
“What cyber criminals found in (the 2017-18) period of time was (ransomware) really works. They can make money hand over fist with this and the likelihood of getting caught is much lower than it was with the breach-of-personal-information business model,” said Zeilman.
“I think their primary objective is to get paid more for each attack and in order to do that, they have explored different ways to get more leverage out of their victims.”
Criminals are getting more leverage, Zeilman continued, by becoming more sophisticated and “by going deeper and broader with their encryption.”
Cyber criminals who use ransomware are sometimes threatening to make their victims’ confidential information public.
They are “trying to figure out where that tipping point is – where they are demanding too much for the leverage they have and what are the ways they can move that tipping point,” said Zeilman.