Cybersecurity is no longer an emerging risk but a clear and present one for organizations of all sizes, panelists at Triple‑I’s Joint Industry Forum (JIF) said. This is due in large part to the fact that cybercriminals are increasingly thinking and behaving like businesspeople.

“We’ve seen a large increase in ransomware attacks for the sensible economic reason that they are lucrative,” said Milliman managing director Chris Beck. Cybercriminals also are becoming more sophisticated, adapting their techniques to every move insurers, insureds, and regulators make in response to the latest attack trends. “Because this is a lucrative area for cyber bad actors to be in, specialization is happening. The people behind these attacks are becoming better at their jobs.”

As a result, the challenges facing insurers and their customers are increasing and becoming more complex and costly. Cyber insurance purchase rates reflect the growing awareness of this risk, with one global insurance broker finding that the percentage of its clients who purchased this coverage rose from 26 percent in 2016 to 47 percent in 2020, the U.S. Government Accountability Office (GAO) stated in a May 2021 report.

Panel moderator Dale Porfilio, Triple‑I’s chief insurance officer, asked whether cyber is even an insurable risk for the private market. Panelist Paul Miskovich, global business leader for the Pango Group, said cyber insurance has been profitable almost every year for most insurers. Most cyber risk has been managed through more controls in underwriting, changes in cybersecurity tools, and modifications in IT maintenance for employees, he said.

By 2026, projections indicate insurers will be writing $28 billion annually in gross written premium for cyber insurance, according to Miskovich. He said he believes all the pieces are in place for insurers to adapt to the challenges presented by cyber and that part of the industry’s evolution will rely on recruiting new talent.

“I think the first step is bringing more young people into the industry who are more facile with technology,” he said. “Where insurance companies can’t move fast enough, we need partnerships with managing general agents, with technology and data analytics, who are going to bring in data and new information.”

“Reinsurers are in the game,” said Catherine Mulligan, Aon’s global head of cyber, stressing that reinsurers have been doing a lot of work to advance their understanding of cyber issues. “The attack vectors have largely remained unchanged over the last few years, and that’s good news because underwriters can pay more attention to those particular exposures and can close that gap in cybersecurity.”

Mulligan said reinsurers are committed to the cyber insurance space and believe it is insurable. “Let’s just keep refining our understanding of the risk,” she said.

When thinking about the future, Milliman’s Beck stressed the importance of understanding the business-driven logic of the cybercriminals.

If, for example, “insurance contracts will not pay if the insured pays the ransom, the logic for the bad actor is, ‘I need to come up with a ransom schema that I’m still making money’,” but the insured can still pay without using the insurance contract.

This could lead to a scenario in which the ransom demands become smaller, but the frequency of attacks increases. Under such circumstances, insurers might have to respond to demand for a new kind of product.

Originally posted on Insurance Information Institute