Others, however, are not as optimistic. In 2021, it was estimated at approximately US$ 6tn. Additionally, as ransomware events continue to garner headlines, organizations have made more deliberate efforts to steel themselves against the effects. Attackers rely on a mix of tried-and-tested methods as well as their own expanding repertoire of tactics and approaches. 8 Information sharing between the private and public sector will continue to be critical in the fight against cybercrime of all varieties. As underwriters gain more confidence in pricing cyber coverage following a period of adjustment, there is increased competition and interest from new entrants, increasing the likelihood of rate moderation, the report said. "Top FBI Official Advises Congress Against Banning Ransomware Payments," The Hill, July 27, 2021. Our offering increases our insureds' resilience and improves the protection of digital business models. In the analogue world, it took 15 years for the provision of safety belts in German cars to be made mandatory, and many more years for them to be accepted and fastened by users in every-day life. The isolation that Russia now faces has the potential to create a perfect safe haven for cyber criminals.9 We are also witnessing both vendor- and event-specific exclusions and additional underwriting scrutiny tied to specific software platforms connected with widely reported exploits, and vendors who are associated with nation states that are alleged to be less than U.S.-friendly. In collaboration with various industry participants and in consultation with Munich Re, the Lloyd's Market Association (LMA) has published four standard clauses to exclude cyber war from coverage. To achieve this, the industry must ensure a balance between offering customers attractive solutions and maintaining the necessary sustainability and profitability in the volatile cyber business.
The needle is always moving, and, regrettably, many education and government agency risks will find themselves without a viable cyber insurance option. Munich Re sees cyber premiums worldwide standing at US$ 9.2bn (beginning of 2022) and estimates that they will reach a value of approximately US$ 22bn by 2025. 3Segal, Edward. Alongside the findings from our research, it includes interviews with Andreas Wuchner and David Fairman, both experienced CISOs and board members. These clauses, substantially equivalent in terms of content, will be used in policies going forward to meet specific cyber risk requirements. Demand for cyber insurance is currently growing more steadily than the capacity on offer. If they want cyber insurance coverage, they have to comply with minimum standards which are far more in-depth than before. 1"The CrowdStrike 2022 Global Threat Report," PDF file. The 2021 attack on Kaseya, a software service provider for remote monitoring solutions, resulted in malicious code with ransomware being distributed to approximately 1,500 clients. In view of current political conflicts, this trend is not expected to wane this year. For admitted coverage, the increases rolled out more incrementally throughout the U.S. as state filings were reviewed and subsequently approved. It reveals the factors driving increases in insurance premiums, what insurers look for when assessing risk, and how confident they are in the underwriting process. "Optio MGA Ascent Withdraws from Cyber Market in Failed Binder Renewal," Insurance Insider, March 31, 2022. Munich Re continues to offer capacity, and our goal as market leader is clear: to jointly develop innovative, datacentric cyber solutions with our clients and partners. Addressing the causes of burnout requires a top-down approach that better aligns security teams with the rest of the business. Almost one-third of total Marsh cyber claims stem from healthcare, communications, media and technology companies. 
Cybersecurity Ventures estimates global spending on cybersecurity in 2021 to have been US$ 262.4bn. With a large team of cyber insurance experts across the entire U.S., exclusive products and broad market representation, RPS stands ready to assist our retail agency partners to ensure the best outcome for our mutual clients. Other systemic risks, however, are not insurable in the private sector. At Munich Re, the development of know-how on data analytics and tools for processing relevant internal and external data is long underway. Within the legislation is the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The range of cyber products still needs to be better publicised and the additional benefits of those products (i.e. Our experts continually refine our internal models on the basis of our own and third-party data, and with a particular focus on accumulation risks. In January, we witnessed significant ransomware attacks on a community college and a large western county affecting operations well beyond mere computer networks. The early approach whereby attackers specialised in decryption and later on exfiltration of stolen data is evolving to include multiple extortion schemes. Receiving less media attention was an attack in the US state of Florida in which a hacker attempted to tamper with the supply of chemicals at a water treatment plant and thus poison water supplies. 8"President Biden Signs into Law the Cyber Incident Reporting Act, Imposing Ransomware Requirements for Cyber Incidents and Ransomware Payments," National Law Review, Volume XII, Number 101, April 18, 2022. This is also evident from Munich Re's global Cyber Risk and Insurance Survey 2022. Previously he built automated trading systems and advanced cybersecurity detection systems for global financial institutions at BAE Systems Detica. Some carriers have designed exclusionary wording broad enough to contemplate future events, in an "Insert new vulnerability here" fashion.
Still, details such as the ability to determine attribution and the definition of "war" are among the topics that contribute to a sense of ambiguity, and insurers are seeking to provide additional clarity in their wordings.11 We continue to monitor changes in this area. According to ENISA, the number of supply chain attacks quadrupled in 2021 compared with 2020. This trend is concerning, because the level of technical understanding in the insurance community needs to increase if organizations are to be properly informed of the cause-and-effect impact of policy revisions such as these. The results show a further increase in the potential for integrated solutions from insurers in the market. While insurers do not closely scrutinize the adoption of specific technology, they want to understand how companies craft risk management strategies using existing technology and internal standards. The GAO called on the Cybersecurity and Infrastructure Security Agency to work with the Federal Insurance Office to assess whether critical infrastructure risks to cyberattacks and the potential financial fallout warrant a federal insurance response. It was noted that these provisions, by affecting 16 defined critical infrastructure industries, will likely "apply to businesses in almost every major sector of the economy, including healthcare, financial services, energy, transportation and commercial facilities." An increase to just over US$ 300bn is expected in 2022. Increasingly sophisticated threat actors and costly ransomware attacks are having the biggest impact on rising premiums. Critical vulnerabilities grew significantly in 2021, with an increase of approximately 20% (Tenable). This process continues into 2022.
For the government in particular, its terrorism risk insurance may only kick in if an attack can be clearly defined as "terrorism." Andreas Wuchner is a recognised cybersecurity and risk expert with more than 25 years' experience as a business owner, board advisor and investor operating within complex global business environments. The coverage limits with regard to the resilience of portfolios are mapped in accumulation scenarios, continuously monitored and, if necessary, adjusted. For insurers, a single attack can trigger losses with a great many insureds. Prominent losses feature in the news cycle and continue to raise awareness of the threat of cyber attacks. This is an encouraging sign, although we have thus far only seen these results in isolated circumstances and don't expect it to become a trend any time soon.
There is debate in some circles as to whether actions such as banning ransom payments will help or hurt in the fight against these pervasive threats. beyond pure risk transfer) better explained to potential insureds. In addition to providing a better understanding of cyber risks, these methods and tools are used to develop innovative, datacentric solutions that go beyond pure risk transfer. One thing that caught the cyber insurance industry unaware is the sudden increase in ransomware attacks, Manyem said. Munich Re experts assume that three factors in particular will characterise the threat landscape in 2022: ransomware, supply chain and critical infrastructures. Risk transparency is essential for risk management by companies and organisations. Rate pressures on the cyber industry sector began to moderate as a surge in new buyers and corporate enforcement of cyber hygiene led to a more stable market, according to research from global insurance firm Marsh. Half of Marsh's U.S. clients purchased standalone cyber insurance policies in 2021, almost double the 26% of clients in 2016.
Some theorize that the increased attention to the ransomware pandemic from the Biden administration3, and a heightened news focus, have led to at least a temporary slowdown in activity of this nature. Shorter windows afford them more time to incorporate relevant exclusions in their wordings, whenever they feel it is appropriate. The risk transfer associated with services is an essential element of risk management for companies. 4Rooney, Brendan. Further underscoring the unpredictability of the current cyber insurance market, as we track increasing rates on the vast majority of our book, we have simultaneously witnessed for the first time in three years flat rates for certain insureds. It falls on companies to turn to security basics to try to keep cyber insurance rates in check. If 2018 brought about a furious stretch of cyber insurance product innovation, 2022 is ushering in a retraction in terms and conditions at a similar pace. Demand for cyber insurance has grown greatly in recent years. In the first quarter, we have seen additional legislative activity on the federal side as well. In Munich Re's opinion, 2021 was not an exceptional year from a cyber perspective. Insurance companies can probably control their losses through limits, deductibles, reinsurance [and] so on, so they have strategies to control their financial losses, Manyem said. With an insurance coverage as dynamic as cyber, it is helpful to look at updates through several lenses: claims trends, market movement, regulatory landscape, geopolitical influence and coverage dynamics. These attacks disrupted the functionality of heating, cooling and ventilation systems, and lighting and security systems, including locking mechanisms and video surveillance in a corrections institution. 7Miller, Maggie. The cybersecurity service provider Gartner estimates that, by 2025, 60% of companies will deem cybersecurity to be a key component in their IT procurement evaluation process.
"Kaspersky Blacklisted by FCC alongside China Telecom and China Mobile," ZDNet, March 27, 2022. David Fairman is an experienced CSO/CISO, board member, investor and coach. The latest incident at Marriott is relatively minor compared to major breaches in late 2018 and early 2020, but it signals a pattern of neglect. The heightened errors and omissions (E&O) exposure for insurance agents who are not well-informed about the frenetic pace of change in this market is extensive. Reg in England and Wales with the company registration 09098199 Reg address: Ashcombe Court, Woolsack Way, Godalming, Surrey, GU7 1LQ UK, Terms & Conditions | Privacy Policy | Data Protection Statement | Unsubscribe. Whats left to watch is how insurers will adapt to the increase. The increased public focus on cybersecurity is a positive sign: democratic governments are very much aware of the priority and urgency of the task of improving cybersecurity and are addressing this politically, infrastructurally and legislatively, as the examples of the improvement in national cyber resilience in the USA and the EU Cybersecurity Strategy illustrate. The rate increases are still terrible, said, Marsh officials are optimistic the cyber insurance industry, as it matures, can level off. Cyber product offerings reached significantly more decision-makers in 2022 than in the previous year (42% received an offer, compared with 34% in 2021). All industry sectors are interested in cyber insurance. Marsh clients filed more than 200 cyber claims in Q1, in line with the high number of quarterly claims across 2020 and 2021. Cybersecurity and incident response firm Tracepoint adds, "Business email compromise activity has remained consistent, especially as the deadline for personal tax filings in the US draws closer and given that a number of organizations are filing for extensions on the corporate tax deadline which passed on March 15th."4. 
Insurers understand that increasing rates alone will not ensure the cyber insurance market's sustainability. The implementation of adequate cyber security requires increased investment. Security professionals are burned out. In order to ensure the sustainability of cyber insurance, applicants must provide proof of their security standards. Nik Whitfield founded Panaseer in 2014. In 2021 alone, the Conti group of hackers, the most lucrative service provider, extorted or earned at least US$ 180m from victims (Chainalysis). Ransomware claims typically trigger multiple insuring agreements in a cyber insurance policy beyond extortion, including business interruption, data restoration, forensics, legal and notification expenses, when the claim also involves unauthorized access to personally identifiable information. A June report from the U.S. Government Accountability Office questioned whether insurance, . Market contraction, the Russian invasion of Ukraine and an uptick in nation state cyberthreat activity all contributed to an unbalanced market. Rate increases have steadily dropped from the high reached in Dec. 2021 when businesses paid, on average, 133% more for cyber insurance year over year. The close of the quarter brought news of a once-prominent MGA's withdrawal from the cyber market after unsuccessful attempts to renew approximately 80% of its binder5. This example lends itself to comparison to the digital world: despite growing awareness, the actual implementation of cybersecurity still leaves a lot to be desired. That rate increase dropped to 107% in March and 90% in April. Attackers often plan their attacks for the long term and maximise the impact by targeting supply chains and industrial or automated processes.
To get lower rates, clients have to demonstrate a mastery of cybersecurity basics, with strong controls in place, according to Marsh. More businesses understand the financial risks of a. Member of the Munich Re Board of Management. Experts predict that the increasing agility and professionalism of cyber criminals will allow them to earn more than the global drugs trade.