London | Cyber insurance premiums are set to ease after a wild few years, but only for companies that have put in the work to protect themselves against ransomware and other cyber threats.
“The good news is that this correction has now taken place. And now we’re seeing a flattening of premiums,” says Kelly Butler, who has just moved to London from Melbourne to head up insurance broker Marsh McLennan’s UK cyber practice.
“But you have to demonstrate very strong cyber maturity to continue to have cyber insurance.”
The insurance industry was hit by a ransomware epidemic in 2021, which sent premiums through the roof. The cost of buying cyber insurance more than doubled, and the pressure continued into last year.
It was a “painful” time for both insurers and their customers, Ms Butler said.
“Insurers understood very quickly that they weren’t pricing the risk itself correctly, and that was obviously reflected in their loss ratios,” she said.
“We learned a lot from the claims that were coming in, we understood what the costs associated with an incident looked like. And [they] were a lot higher than what the premiums were at the time. So we saw a very sharp and rapid correction.”
Although premiums are leveling off – a recent report by broker Howden says they fell 10 per cent in the year to 31 July – Ms Butler says the correction has made insurers cautious.
Insurers will have a checklist of things they need to see, a bit like the cyber equivalent of having deadlocks on the doors and windows for your household insurance.
“If you can’t demonstrate that you have these controls in place, you may be able to get cyber insurance, but it won’t be the cover you need. And the premium will be significant.”
Ransomware shift
The biggest threat to businesses is ransomware, in which criminal gangs – often operating in Russia and Eastern Europe, but able to strike globally – cut off a company’s access to its data and demand a ransom for its return.
However, the gangs’ tactics have changed.
“The latest is to exfiltrate data from systems and hold that for ransom as well,” says Ms Butler.
Cyber insurance works a bit like travel insurance, in that if an attack happens, there is real-time support to deal with the aftermath. Most policies now include access to a crisis response team.
But Ms Butler says Marsh has found that many clients “buy this policy and then put it in a drawer and forget about it and don’t know how to use it until there’s a crisis”.
“We’ll sit down with the security team, the risk team, the legal team, the communications team, and we’ll talk to them about what the policy is and how it responds,” she said.
“So at the time of the crisis, it’s ready to go, and the costs associated with it are already agreed with the insurers in advance.”
Now that the industry is starting to get a grip on the cyber threat, Ms Adams’ fear is that governments and their security and enforcement agencies underestimate what insurers have to offer.
“They don’t really appreciate the level of detail that we have, particularly in terms of the incidents themselves and how they play out – the pain points, what ‘good’ looks like in terms of responding to an incident. And we see it every day, we’re in the trenches,” she said.
“There could be a closer partnership. I feel like we’re the missing piece, and we have such valuable data to share. And the collaboration would be to the benefit of everybody.”