The recent increase in ransomware attacks is upending the cyber insurance industry, pushing up the requirements and cost of coverage just as more companies need it. According to blockchain research firm Chainalysis, ransom payments from companies increased 341 percent to a total of $412 million during 2020.
That is pushing insurance carriers to take a look at how much coverage they can afford to offer and how much they have to charge clients to do so. Underwriters are demanding to see detailed proof of clients’ cybersecurity measures in ways they never have. For example, not using multifactor authentication, which requires a user to verify themselves in multiple ways, might result in a rejection.
Increase in prices of cyber insurance
The majority of insurance companies are raising premiums for plans that cover damage from hacks, including ransomware attacks. Prices for at least half of insurance buyers went up 10 percent to 30 percent in late 2020, according to a survey cited by the U.S. Government Accountability Office.
New cybercriminal groups are getting into ransomware attacks to go after what they see as an “endless pot of money” facilitated by insurance companies, Turgal said. “I’ve worked cases where they’re actually providing a snapshot of your cyber insurance cover page from your own system showing you, ‘Hey, you have cyber insurance, so there’s no reason not to pay.’ ”
Chainalysis data shows the average ransom payment has increased from about $12,000 at the end of 2019 to $54,000 at the beginning of this year.
More underwriters are now partnering with outside cybersecurity firms to vet companies’ protocols and security readiness, said Erica Davis, global co-head of cyber at global risk and reinsurance company Guy Carpenter.
Even if insurers are willing to offer coverage, many are declining to take new clients or are capping amounts at about half of what they used to be for some clients. Many carriers will now offer up to $5 million in coverage for midsize clients in some industries, Lantrip said, compared with about $10 million in years past — although higher caps could be available to companies with strong cybersecurity controls.