Third-party liabilities, increasing exposure to geopolitical cyber factors, and other emerging factors are shaping the industry’s actuarial approach

An annual business insurance industry survey of trends in claims for damages pertaining to cyber risk has announced that ransomware remained a top cyber risk for organizations globally while business email compromise incidents have been on the rise and will increase further in the ‘deep fake’ era.

Other emerging threats recorded in the claims include: the growing reliance on cloud services; an evolving third-party liability landscape that means higher compensation and penalties; as well as the impact of a shortage of cybersecurity professionals. Such a list of potential vulnerabilities means that today, a firm’s cybersecurity resilience is scrutinized by more parties than ever before, including global investors, meaning many firms now rank it as their major environmental, social, and governance (ESG) risk concern, the report noted.

Cyber insurance industry statistics

Industry data indicated a record 623m ransomware attacks in 2021, double that of 2020. Although frequency reduced by 23% globally during the first half of 2022, the year-to-date total still exceeds that of the full years of 2017, 2018 and 2019, while Europe saw attacks surge over this period. Also:

    • Considering that ransomware claims accounted for well over 50% of all cyber claims in 2020/2021, the industry forecasts that ransomware will be causing US$30bn in damages to organizations globally by 2023.
    • Double and triple extortion now the norm. Besides the encryption of systems, sensitive data is increasingly stolen and used as a leverage for extortion demands to business partners, suppliers or customers.
    • Supply chain attacks have emerged as a significant risk. Increasingly, ransomware gangs use the threat of disruption to pressure firms into paying ransoms, with manufacturing companies particularly vulnerable.
    • Ransomware severity is likely to remain a key threat for businesses, fueled by the growing sophistication of gangs and rising inflation, which is reflected in the increased cost of IT and cybersecurity specialists.
    • Business email compromise attacks continued to rise, totaling US$43bn globally from 2016 to 2021 according to the FBI, with a 65% spike in scams between July 2019 and December 2021 alone.
    • The war in Ukraine, together with wider geopolitical tensions, is a major factor reshaping the cyber threat landscape as it increases the risk of espionage, sabotage and destructive cyber-attacks against companies with ties to Russia and Ukraine, as well as allies and those in neighboring countries. State-sponsored cyber acts could potentially target critical infrastructure, supply chains or corporations. Although acts of war are typically excluded from traditional insurance products, the risk of a hybrid cyber war has accelerated efforts in the insurance market to address the issue of war and state-sponsored cyberattacks in wordings and provide clarity of cover for customers.
    • Third-party liability, including regulatory fines and penalties, is becoming more relevant with advances in technology. Almost any cyber incident — including double-extortion ransomware — can lead to litigation and demands for compensation from affected parties.

In response to a more complex risk environment and increasing cyber claims activity, the insurance industry is more diligently assessing companies’ cyber risk profiles. To ensure a sustainable business, industry players are increasingly “on integrating cyber risks into captive programs and other alternative risk transfer concepts.”

According to Scott Sayce, Global Head of Cyber, AGCS, which released the industry threat report: “Most companies will not be able to evade a cyber threat. However, it is clear that organizations with good cyber maturity are better equipped to deal with incidents. Even when they are attacked, losses are typically less severe due to established identification and response mechanisms. Although we see good progress, our experience also shows that many companies still need to strengthen their cyber controls, particularly around IT security training, better network segmentation for critical environments and cyber incident response plans and security governance. As a cyber insurer we are willing to go beyond pure risk transfer, helping clients to adapt to a changing risk landscape and raising their protection levels.”