Sep 9, 2022 - Technology

Rising cyber insurance premiums haven’t scared away most companies

Total cost of U.S. cyber insurance premiums
Data: Fitch Ratings; Chart: Axios Visuals

Despite rising cyber insurance premium costs and shifting coverage areas, companies are still seeking out and renewing their policies, experts tell Axios.

The big picture: Cyber insurance provides financial assistance following a cyberattack to help cover ransom payments or the costs to rebuild data storage systems. But as attacks have increased, so have premium prices.

  • Furthermore, to offset growing financial losses, some providers have changed what attacks they cover.
  • Between 2019 and 2021, total U.S. cyber insurance premiums more than doubled from $1.6 billion to $3.2 billion, per a report from Fitch Ratings.

Brokers tell Axios they haven’t seen companies’ appetite for cyber insurance get smaller — despite changing requirements and coverage.

  • Marc Schein, a risk management consultant at Marsh McLennan Agency, tells Axios that clients are still purchasing cyber insurance plans despite increasing cost.
  • Policies are still helping companies with two of the most prevalent types of criminal cyberattacks: ransomware and business email compromises, which include phishing emails and total account takeovers of high-level executives' inboxes, Schein said.

At the same time, experts say the days of sharp premium increases are over — holding off fears that companies will ditch insurance before premium costs grow out of reach.

  • Cyber insurers have found an "equilibrium" in their pricing and underwriting strategies, says Mario Vitale, president of cyber insurance firm Resilience.
  • Providers averaged a loss ratio of 65% last year, compared to 72% the year before, per Fitch Ratings.

To bring down the losses, insurers have been turning to a couple of strategies: requiring tougher cyber hygiene practices from potential buyers and changing what cyberattacks these policies cover.

  • Lloyd’s of London, the world’s largest insurance market, recommended in a bulletin last month that its insurer groups exclude all state-backed cyberattacks from coverage in their policies.
  • Chris Hallenbeck, CISO at cybersecurity company Tanium, tells Axios cyber insurers are asking his firm more specific questions about what personal data it collects and about its overall cybersecurity practices before approving a policy renewal.

Yes, but: Some companies appear to still be rethinking their cyber insurance needs.

  • Hallenbeck warns that increasing cyber insurance rates could be "a major driver" for companies dropping coverage.
  • JPMorgan Chase reduced the amount of cyber insurance it buys, The Information reported last month.

Editor’s note: This story has been updated to remove a reference that said 63% of Marsh USA’s clients said they planned to keep their cyber insurance policies. This number actually referred to the number of clients who increased their self-insured retention in the month of April.
