When Lloyds of London discovered problems with its IT systems in October, it temporarily took the 300-year-old insurance market offline for fear of a cyber attack. After a thorough investigation, the cyber experts found no wrongdoing and life returned to normal a week later.
But, even in the event of an attack, Lloyds is protected – it has cyber insurance to cover its operating costs.
It’s a form of cover that looks like an obvious buy for a company operating in a global market. However, for other companies, the decision on how much to cover is tougher, despite the rising profile and costs associated with ransomware attacks.
Cyber insurance premiums have increased over the past few years. Prices started to rise in late 2019, according to Sarah Stephens, head of international cyber insurance at broker Marsh.
Marsh Market Index shows that the cost of cyber insurance in the US will increase by more than 100 percent by the end of 2021, but will decrease to 79 percent in the second quarter of this year. and third with 48 percent.
John Neill, Lloyd’s chief executive, said the higher prices were a response to both an increase in claims and a fall in prices between 2010 and 2018. Since then, the cost of cyber claims has increased significantly. The number and cost of ransomware attacks, in which criminals shut down company systems and demand a ransom — often millions of dollars — to bring them back online.
Cyber insurance, Neal said, is “low cost” and insurers have experienced losses on the products in 2018 and 2019. He argued that prices needed to rise to “more sensitively reflect exposure”.
However, some clients are “very frustrated with the process”, says Stephens at Marsh, with many companies that have recently started buying cover finding huge price increases “particularly scary”.
In addition, cyber insurers are selective about the business they undertake, insisting on retrieving information about security clients and excluding certain types of incidents from the cover they offer.
Andreas Wuchner of cyber security monitoring group Panaseer says some insurance buyers are now asking questions about the value of the product.
“Many organizations are saying that cyber insurance is not value for money and that they are better off investing in compensatory controls,” he says. “It’s very valid.”
Add cost pressures elsewhere as inflation rises, and some companies are deciding to buy less insurance and bear more cyber risk.
Stephens says only a “very small percentage of clients” have stopped buying cyber cover altogether, but some have taken a hybrid approach: buying less insurance and using more in-house insurance companies, known as captive insurance. Most large companies have insurance to keep their costs down.
Insurers argue that the benefits of their products are more than the money paid for the claim. They also point out that they offer services that help companies deal with cyber attacks when they occur, from protecting data and systems to negotiating with attackers and dealing with affected customers and staff.
