Insurers shy away from ransomware cover as losses mount

LONDON • Insurers have halved the amount of cyber cover they provide to customers after the coronavirus pandemic and home working drove a surge in ransomware attacks that left them smarting from hefty payouts.

Faced with increased demand, major European and United States insurers and syndicates operating in the Lloyd's of London market have been able to charge higher premium rates to cover ransoms, the repair of hacked networks, business interruption losses and even public relations fees to mend reputational damage.

But the increase in ransomware attacks and the growing sophistication of attackers have made insurers wary. They say some attackers may even check whether potential victims have policies that would make insurers more likely to pay out.

"Insurers are changing their appetites, limits, coverage and pricing," said Mr Caspar Stops, head of cyber at insurance firm Optio. "Limits have halved - where people were offering £10 million (S$18.3 million), nearly everyone has reduced to five."

Lloyd's of London, which has around a fifth of the global cyber market, has discouraged its 100-odd syndicate members from taking on cyber business next year, industry sources say on condition of anonymity. Lloyd's declined to comment.

US insurer AIG had said in August that it was cutting cyber limits.

Ransomware works by encrypting victims' data, and hackers typically offer victims a passcode to retrieve it in return for payments in cryptocurrency. It has become the attack of choice for cyber criminals, who previously favoured stealing data and selling it to third parties.

Suspected ransomware payments totalling US$590 million (S$809 million) were made in the first six months of this year, compared with the US$416 million reported for the whole of last year, the US authorities said last month.

In one of the biggest heists, a ransomware attack on Colonial Pipeline in May shut the largest fuel pipeline network in the US for several days.

US cyber insurers' profits shrank last year, insurance broker Aon found. Combined ratio - a measure of profitability in which a level of more than 100 per cent indicates a loss - climbed by more than 20 percentage points from 2019 to 95.4 per cent.

While insurers struggle to cope, companies are under-insured.

"It's very unlikely people are getting the same limits - if they are, they are paying an extraordinary amount," said Mr David Dickson, head of enterprise at broker Superscript.

He said one technology client had previously bought £130 million of professional indemnity and cyber cover for £250,000. Now the client could get only £55 million of cover and the price was £500,000.

Insurers who issued US$5 million cyber liability policies last year have scaled back to limits of between US$1 million and US$3 million this year, according to a report last month by US broker Risk Placement Services (RPS).


A European Union report released last month said the Covid-19 pandemic and rise of home working had enabled cyber criminals to flourish.

Meanwhile, cyber-security firm Coveware likened the 90 per cent-plus profit margin from ransomware attacks this year to the gains that Colombian cocaine cartels made in 1992.

Where hackers previously took a scattergun approach with methods such as sending out thousands of phishing e-mails, they have become more targeted, reading balance sheets and focusing on specific sectors.

Mr Tom Quy, cyber practice leader at reinsurance broker Acrisure Re, said attacks were moving away from healthcare facilities and municipalities - which have weak IT controls but also little money - to manufacturing or logistics companies.

Such firms have deep pockets and cannot afford extended outages to fix their systems, so would rather pay ransoms, especially if they have insurance to cover them.

"We advocate to everyone that you don't disclose your insurance because that's crucial to your business," said Mr Scott Sayce, global head of cyber at Allianz Global Corporate & Specialty.

Premium rates have almost doubled in the US and jumped by 73 per cent in Britain as a result of the frequency and severity of ransomware attacks, said insurance broker Marsh. RPS said rates for some policies had risen by up to 300 per cent.

Where ransom payments were typically US$600 a few years ago, they now are as high as US$50 million, said Mr Michael Shen, head of cyber and technology at insurer Canopius, and insurers sometimes ask policyholders to pay half of the ransom.

The US and France are among countries particularly concerned about ransom payments, industry sources say.

The Federal Bureau of Investigation in the US says it does not support paying ransoms, while a few states in the country are considering banning ransomware payments by municipalities.

But insurers, while less willing to provide large amounts of cover, say failing to pay ransoms could backfire. "Of course no one wants to pay criminals," Mr Adrian Cox, chief executive of insurer Beazley, told Reuters. "At the same time, if you ban it... you could cripple a lot of businesses whose systems have been disabled."



A version of this article appeared in the print edition of The Straits Times on November 30, 2021, with the headline Insurers shy away from ransomware cover as losses mount.