Skyrocketing Cyber Insurance Premium Growth May Slow
Increased Competition and Capital Suggest Softening Market, Says Marsh Executive
The cyber insurance market shows signs of softening after eight quarters of back-to-back premium increases, an industry executive told a U.K. parliamentary committee investigating the effects of ransomware.
Spikes in ransomware attacks that began in 2018 resulted in "a steady price increase, year over year" in cyber insurance premiums, starting in the fourth quarter of 2019, said Sarah Stephens, head of Marsh's international cybersecurity practice. The average premium increase during the third quarter of 2022 compared to the previous year was 50%, she testified Monday before Parliament's Joint Committee on National Security Strategy. The average year-on-year premium increase in the second quarter was 70%, she added.
Stressing that she wasn't making predictions about the direction of premium rates, Stephens said that Marsh is seeing indicators of increased competition and capital in the cyber insurance industry - "signs that the insurance market might soften for this type of insurance."
The parliamentary committee in late 2022 initiated an inquiry into whether the United Kingdom effectively addresses the threats of ransomware (see: UK Companies Fear Reporting Cyber Incidents, Parliament Told).
Stephens also said cyber insurers themselves were successfully able to obtain coverage from reinsurance underwriters during the annual January renewal period. Called "insurance for insurance companies," reinsurance allows underwriters to diffuse risk into manageable levels (see: UK Insurers Mostly Withstand Cyber Stress Test).
Marsh nonetheless supports a government backstop in the event of catastrophic cyber events that threaten to cause more damage than underwriters can support. A backstop would give further confidence to reinsurance underwriters, in turn fueling growth of the primary cyber insurance market, she said.
During the hearing, a local government official told the committee that her Northern England borough couldn't afford cyber insurance ahead of a ransomware attack it experienced in 2020. "The cost of the insurance is massive," said Mary Lanigan, leader of the Redcar and Cleveland Borough Council.
Stephens said the sensitivity of data held by governments makes the public sector difficult for underwriters to insure. Other difficult sectors include communications and technology, healthcare, aviation, and the hospitality and gaming industry, she said. But the only completely uninsurable business Stephens could name was the pornographic industry.
Lanigan said she received assurances from the national government that her cash-strapped council would be made whole for costs of recovering from the ransomware attack. "Unfortunately, madam chair, that always doesn't work as you go down the line. They want to know, 'How much was this?' 'How much was that?'" Out-of-pocket expenses ended up costing the community of 136,000 about 8 million pounds after Westminster agreed to reimburse 3.68 million pounds of the total 11.3 million pounds in costs, Lanigan said.
"We lost everything. We lost connection to our telephone systems, child services and important data dating back decades. It was so catastrophic that it took us about eight months to recover," Lanigan said.