Q2 Cyber Threat Report: Ransomware Season Arrives Early
In this report, our threat intel team highlights our critical cyber threat and ransomware findings from Q2 2024 and what it means for the threat landscape.
The whisperings of “firming rates” start first, quietly in business meetings, then published in industry reports. Soon to follow, rumblings of a “hard market” are brought to the conversation. It’s cyclical in nature, and we see it across all insurance lines at one point or another. For years, Cyber Insurance stretched far and wide with “soft” market conditions, remaining highly profitable. Now that period of growth, with exceedingly available coverage and inviting terms, has stalled.
We can typically blame natural disasters or economic downturns for a hardening market, but cyber has naturally been able to evade most catastrophic risks that bring aggregated losses with them. Instead, our culprit is the current state of ransomware. Consider headline-worthy incidents, such as Kaseya, Colonial Pipeline, and SolarWinds.
This is an adjustment for those working in the cyber insurance industry. So what does it mean to be a broker in a hard market, and how do you succeed?
As defined by the International Risk Management and Insurance Society (IRMI), a hard market is: “the upswing in a market cycle, when premiums increase and capacity for most types of insurance decreases. It can be caused by a number of factors, including falling investment returns for insurers, increases in frequency or severity of losses, and regulatory intervention deemed to be against the interests of insurers.” In simpler language, a hard market is when insurers see falling (or negative) profits and “pull back” on the unprofitable lines — that is, they tighten underwriting standards or even stop writing them entirely. Since demand for those insurance products typically will not have fallen and the supply is reduced, the result is a rise in prices (premiums).
When discussing the current hard market in cyber specifically, we’ve seen ransomware cost insurers (and their insureds) a great deal. From our own data at Corvus, the average ransom payout falls around $142,637 for 2021. But according to Allianz Global Corporate and Security, accounting for an even broader aftermath of a cyber incident, the average total cost of recovery and downtime has doubled in the past year — from $761,106 to $1.85 million. Despite broad-based improvements to cyber hygiene, threat actors continue to have a strong hand — they can spend all of their time perfecting avenues into an organization’s infrastructure, while most companies don’t have unlimited schedules (or budgets) to safeguard themselves from attacks. Playing at a disadvantage has put both cyber insurers and organizations in a challenging position.
The most obvious place to look is rates. According to the latest Global Insurance Market Index, cyber prices are up 96% in the US. But for sectors hit hardest by cybercrime, premiums may be up 300% —with lowering coverage limits, reports the U.S. Cyber Insurance Market Outlook by Risk Placement Services.
The next indicator is availability. Some insurers are outright declining risks they had no issue writing in the past, and more insurers are factoring in key aspects of IT security in determining whether they will consider offering a risk. Many insurers, including Corvus, now include subjectivities on policy forms that require the adoption of certain security practices as a condition of binding the policy.
Brokers do not have it easy during a hardening market, especially in the constantly evolving and complex cyber landscape. On top of the rising rates and increase in declinations, there’s new cyber and privacy regulations to keep up with, which vary between states, introducing entirely new risks for businesses. And it appears that ransomware is going to continue to be an ongoing issue for the foreseeable future.
We believe the key to handling difficult conversations is keeping an open line of communication, between both clients and insurers. That means, first, getting word from underwriters before it’s time for renewals. That gives brokers more room to reach out to clients and update them on the situation, especially if there’s going to be bad news. If there’s going to be a premium increase, you’re going to want to have a clear explanation prepared ahead of time.
Below are some major takeaways for delivering bad news to clients, with advice from Anthony Dagostino and Jennifer Bolling in a webinar recorded last year just as the current hard market for cyber was beginning to take hold:
Most people aren’t upset about hearing news too early, and it might be a different story if you wait until the last minute. It’s human nature to want to avoid a difficult conversation, but the sooner you can prepare your client for what’s upcoming, the better. If before you typically started renewal conversations around 30 or 45 days out, make sure it’s at least 60 days moving forward — or longer. Before getting into the details of the renewal, start by having a conversation about the general market trends. This helps soften the sticker shock.
Some brokers on your team, with different levels of experience, may have never been through a hard market before. This can be an opportunity to educate not only clients but others at your brokerage.
Such as consults with cybersecurity experts and vulnerability alerts. Not only will this potentially help them with renewals by getting ahead of issues around missing controls that may end up being required for renewal anyway — it’s also always a value-add to help them along the path to improved cyber hygiene.
There’s a shared goal between brokers, insurers, and the insured — and it’s to reduce risk for everyone. During a hard market, collaboration is crucial. Brokers should consider taking extra time to get to know the insurers they work with, especially if they’re looking to understand cyber liability. The market is relatively young by insurance standards, and everyone is working to better understand the risk profiles. And getting to know cyber insurers means you’ll most likely be encouraged to inform your clients about risk mitigation for their organizations.
During the current hard market in cyber, the best way to ensure renewals (or new purchases) go smoothly for your insureds is confirming they have the modern IT security controls in place. Some of the most common IT security controls have become subjectivities insurers place on their policies. By proactively helping clients to prepare, brokers are saving future headaches and time-sensitive scrambles for everyone. Some key controls to look for:
Typically, carriers are going to expect that insureds have implemented MFA for remote, email, and administrative access. For more on MFA best practices, you can read our post here.
With ongoing concerns for ransomware in mind, a robust backup strategy is often the best way to mitigate risk and prevent catastrophic losses. For the full overview of an effective backup strategy, you can read more here.
EDR can be the most powerful tool for protecting your environment as a whole and, in the event of an incident, can help show how threat actors navigate through your systems. For more on why EDR matters, you can read our post here.
Most insurers will have resources to help your clients navigate the world of security controls and recommendations for how they can boost their cyber hygiene. For example, at Corvus, we offer vCISO Services to help organizations dig deeper into specific issues through free consultations and discounted services. There’s never a bad time to improve cyber risk controls, but during a hard market promoting these opportunities with trusted partners can be especially valuable in demonstrating your expertise and partnership. These risk mitigation tools can also be a powerful pull for many first-time buyers in the cyber insurance market.
As the cyber insurance market reconciles with more stagnant growth, there should be a collaborative effort to reduce losses and build stronger relationships across the board. We can develop strategies to make organizations safer against threat actors, collectively encourage the implementation of security controls, and come ahead of a hard market through critical communication.