Insurers run from ransomware cover as losses mount
[November 19, 2021] By Carolyn Cohn
LONDON (Reuters) - Insurers have halved the
amount of cyber cover they provide to customers after the pandemic and
home-working drove a surge in ransomware attacks that left them smarting
from hefty payouts.
Faced with increased demand, major European and U.S. insurers and
syndicates operating in the Lloyd's of London market have been able to
charge higher premium rates to cover ransoms, the repair of hacked
networks, business interruption losses and even PR fees to mend
reputational damage.
But the increase in ransomware attacks and the growing sophistication of
attackers have made insurers wary. Insurers say some attackers may even
check whether potential victims have policies that would make them more
likely to pay out.
"Insurers are changing their appetites, limits, coverage and pricing,"
Caspar Stops, head of cyber at insurance firm Optio, said. "Limits have
halved – where people were offering 10 million pounds ($13.50 million),
nearly everyone has reduced to five."
Lloyd's of London, which has around a fifth of the global cyber market,
has discouraged its 100-odd syndicate members from taking on cyber
business next year, industry sources say on condition of anonymity.
Lloyd's declined to comment.
U.S. insurer AIG also said in August it was cutting cyber limits.
Ransom software works by encrypting victims' data and typically hackers
offer victims a passcode to retrieve it in return for cryptocurrency
payments.
It has become the attack of choice for cyber criminals, who previously
favoured stealing data and selling it to third parties.
Suspected ransomware payments totalling $590 million were made in the
first six months of this year, compared with the $416 million reported
for the whole of 2020, U.S. authorities said in October.
In one of the biggest heists, a ransomware attack on Colonial Pipeline
in May shut the largest fuel pipeline network in the United States for
several days.
U.S. cyber insurers' profits shrank in 2020, insurance broker Aon found.
Combined ratio - a measure of profitability in which a level of more
than 100% indicates a loss - climbed by more than 20 percentage points
from 2019 to 95.4%.
While insurers struggle to cope, companies are under-insured.
"It's very unlikely people are getting the same limits - if they are,
they are paying an extraordinary amount," David Dickson, head of
enterprise at broker Superscript, said.
Dickson said one technology client had previously bought 130 million
pounds of professional indemnity and cyber cover for 250,000 pounds. Now
the client could only get 55 million pounds of cover and the price was
500,000 pounds.
Insurers who issued $5 million cyber liability policies last year have
scaled back to limits of between $1 million and $3 million in 2021, a
report last month by U.S. broker Risk Placement Services (RPS) found.
The interior of the Lloyd's of London building is seen in the City
of London financial district in London, Britain, April 16, 2019.
REUTERS/Hannah McKay/File Photo
AS PROFITABLE AS COCAINE
A European Union report released in October said the COVID-19 pandemic and rise
of home working had enabled cyber criminals to flourish.
Meanwhile, cyber security firm Coveware likened the 90%-plus profit margin from
ransomware attacks in 2021 to the gains Colombian cocaine cartels made in 1992.
Where hackers previously took a scattergun approach with methods such as sending
out thousands of phishing emails, they have become more targeted, reading
balance sheets and focusing on specific sectors.
Tom Quy, cyber practice leader at reinsurance broker Acrisure Re, said attacks
were moving away from healthcare facilities and municipalities - which have weak
IT controls but also little money - to manufacturing or logistics companies.
Such firms have deep pockets and cannot afford extended outages to fix their
systems, so would rather pay ransoms, especially if they have insurance to cover
them.
"We advocate to everyone you don't disclose your insurance because that's
crucial to your business," Scott Sayce, global head of cyber at Allianz Global
Corporate & Specialty, said.
Premium rates have almost doubled in the United States and jumped by 73% in
Britain as a result of the frequency and severity of ransomware attacks,
insurance broker Marsh said. RPS said rates for some policies had risen by as
much as 300%.
Where ransom payments were typically $600 a few years ago, they now are as high
as $50 million, said Michael Shen, head of cyber and technology at insurer
Canopius, and insurers are sometimes asking policyholders to pay half of the
ransom.
The United States and France are among countries particularly concerned about
ransom payments, industry sources say.
The FBI says it does not support paying ransoms, while a few U.S. states are
considering banning ransomware payments by municipalities.
But insurers, while less willing to provide large amounts of cover, say failing
to pay ransoms could backfire.
"Of course no-one wants to pay criminals," Adrian Cox, CEO of insurer Beazley,
told Reuters. "At the same time, if you ban it ... you could cripple a lot
of businesses whose systems have been disabled."
($1 = 0.7406 pounds)
(Editing by Barbara Lewis)
[© 2021 Thomson Reuters. All rights reserved.]