
Inside In Full: Cyber insurers tighten controls as ransomware pain increases

US cyber insurers have introduced strict new underwriting checks in response to surging ransomware claims, and are considering additional measures such...

John Hewitt Jones

 

Underwriters have curtailed the limits they are willing to write in the absence of additional checks such as remote desktop protocol port scans, and are looking at new ways to control the escalating costs of cyber breach response.

“Anything over $5mn [limit] we require three extra controls to be in place. Either these additional controls are in place, or we cut the limit to $5mn,” one source said.

The tightening underwriting controls follow mounting challenges for the previously highly profitable segment. Rates moved into positive territory last year amid a broader market tightening, and accelerated from +3% in Q4 2019 to +7% in Q2, according to Marsh data.

Carriers are hoping that enhanced scans and additional checks on which third parties have access to an insured’s network will help cut their exposure to ransomware claims, which have risen since about July, and according to sources have surged in September. These new increases follow significant increases in ransomware claims that first began in early 2019.

“What’s really hurting us in terms of ransomware right now is those $10mn limits on the $250mn-$1bn accounts,” one source noted.

“Last week we saw more attacks that deployed the Ryuk malware virus, which we hadn’t seen since a lot earlier in the year.”

One breach response vendor told Inside P&C that the third week of September had been the busiest of the year for his business, and that he was aware of at least four double-digit-million demands issued by hackers to insureds in the previous fortnight.

Co-insurance?

Amid rising losses, underwriters are understood also to be turning to co-insurance wordings – a type of clause that allows carriers to share a certain percentage of notified ransomware claims with the policyholder – in order to prevent delays in notification, which can escalate the final loss quantum.

“Some clients just assume their insurers will pay the ransom and they will get their data back, but this isn’t the whole story. If the client actually has skin in the game [with co-insurance] they will likely notify us quicker,” one underwriting source explained.

Co-insurance wordings have not yet been introduced to policies, but multiple underwriting sources said they were actively considering pushing such clauses – which tend to be resisted strongly by insureds.

Another area in which cyber carriers are seeking to control rising ransomware claims is through stricter controls on the use of “on panel” breach response vendors.

Multiple sources described instances in which claims had escalated because insureds turned to firms without the technical skills needed to fully remove malware from the entire systems of a company under attack, or which failed to communicate effectively with C-suite stakeholders about the need for a rapid response.

At least two markets surveyed by this publication are offering clients multiple quotes, in which either the premium or limit changes, depending on whether or not the insureds agree to use pre-specified law firms and cyber consultants in the event of the breach.

“This allows us to do the proper due diligence in advance, and have certainty that the client will receive the best, fastest response.”

“By holding a relationship with these expert breach-response firms and using them for every account we can also leverage discounted fees,” one underwriting source explained.

Ransomware surge

Broking sources told Inside P&C that they were also anticipating the introduction of such wordings by carriers, and in some circumstances this may improve communication between insurers and their clients.

The reported surge in claims follows an uptick in ransomware losses, which Beazley has said began at the start of 2019, and has remained elevated since.

A study by Cyber MGA Coalition said ransomware losses accounted for 41% of claims reported over the period.

  

 

Email and phishing scams were the attack techniques used in 54% of cases, according to the study, while remote access was used as a technique in 29% of claims.

  

 

AIR vice president and director of cyber risk Scott Stransky told Inside P&C that the modeling firm was most concerned about so-called systemic ransomware such as WannaCry or NotPetya, which is released by bad actors in the hope of causing indiscriminate damage.

“They both cause billions of dollars of ground up loss to companies,” he said. “These events again are systemic meaning they only had to impact one or two companies and then worked their way to others from there.”

 
