The market for cyber insurance has begun to stabilize after a surge in ransomware attacks in recent years propelled a steep rise in premiums, observers say.
Cyber insurance can pay ransoms to hackers who lock company technology systems, or it can help offset the cost of responding to data breaches. Now, the premium increases of recent years seem to be slowing, if not halting entirely, as insurers get better at evaluating risks, new market entrants begin offering coverage, and supply and demand assert themselves.
“Things are looking better,” said Jason Krauss, head of North America cyber product coverage for insurance brokerage WTW. “It’s amazing, right, that I would tell you that a 20% increase [in premiums] isn’t bad. But it’s seen as a good thing.”
The cyber insurance market has been going through a “hard” period, according to industry insiders, with rising premiums and less flexibility from insurers in terms of offerings. Premium prices on average rose more than 34% in the fourth quarter of 2021, according to data from the Council of Insurance Agents & Brokers, and some businesses have reported far steeper rate increases.
“It was painful,” said Kristen Peed, director of corporate risk management at professional services company CBIZ Inc. and a board member of the risk management society RIMS. Some colleagues in risk management saw increases as high as 200%, Ms. Peed said.
“We’ve had two painful renewal years with increasing deductibles, restrictions and…increases in prices,” she said.
The insurance itself remains relatively niche—insurer Munich Re Group estimated the global value of cyber insurance premiums at $9.2 billion at the outset of 2022, compared with hundreds of billions of dollars spent in the U.S. alone for commercial insurance, according to the Insurance Information Institute—but events spurring premium increases have become familiar.
The 2021 attack against Colonial Pipeline Co. led to a $4.4 million ransom payment, one of several recent multimillion-dollar ransomware attacks. U.S. financial institutions flagged ransomware-related transactions totaling more than $1 billion last year, a stark increase from previous years, according to Treasury Department data. But that is a figure barely scratching the surface of the crime’s economic scale, experts say.
With higher payouts by insurers came premiums rising at steeper rates. “It was kind of nasty there for a little bit,” said Robert Parisi, North American head of cyber solutions for Munich Re. He described a hockey stick-like rise in premium pricing over the past two years. The increases mark a correction for premiums, which for years were arguably too cheap, he added.
“The underwriting is aggressively moving toward, ‘How can we get a deeper, more insightful look,’” Mr. Parisi said. Meanwhile, prices, while not dropping, are rising less quickly than in recent years, he noted.
Insurance companies have toughened underwriting standards that come with issuing new policies and have begun reviewing the defenses companies are putting up to thwart cyberattacks. Companies are asked about their cybersecurity systems and may have their arrangements with popular cloud hosting companies examined, Mr. Parisi said.
Businesses have tightened security, with phony phishing emails to test for inattentive workers and multifactor authentication becoming commonplace. And more organizations are prepared to respond to insurers’ questioning, said Brent Rieth, U.S. practice leader for cyber solutions at broker Aon PLC. “They have more appropriate controls in place,” he said.
New underwriting demands haven’t been welcomed by businesses trying to get insurance, however. “Across the board, our clients have been lamenting on the new requirements that need to be met to be insured or even reinsured,” said Richard Peters, a cybersecurity expert and a managing director at consulting firm Berkeley Research Group.
For small and midsize clients, enhanced demands are costly and time-consuming. Insurers have expected some to conduct expensive security risk assessments, Mr. Peters said.
Roberta Sutton, a partner with Potomac Law Group who advises businesses dealing with insurance companies, said all her clients have been asked to complete more detailed applications for ransomware insurance.
Some businesses have opted against the insurance, said Ed McNicholas, co-leader of the cybersecurity practice at the law firm Ropes & Gray LLP. But not all companies can, as some must have cyber insurance to work with partners, Mr. McNicholas said. Proposed government regulations around breaches could also drive businesses to turn to insurance companies to unload some risk, he said.
Stricter underwriting, somewhat lessened demand, and more carefully crafted insurance policies are all likely contributing to lower prices, which observers generally are hopeful will fall further.
But insuring evolving cyber risks remains challenging, because cyber insurance providers don’t have much actuarial data for such risks, and even if they did, it probably wouldn’t be “terribly insightful,” Munich Re’s Mr. Parisi said.
“We’re all worried about ransomware now and rightly so,” he said. “The cyber insurance community has to be fairly nimble and flexible in how it looks at risk.”
Write to Richard Vanderford at Richard.Vanderford@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.