Cybersecurity insurer Coalition’s 1H20 Cyber Insurance Claims Report details a dramatic increase in the cost of cyber breaches in 2020, driven by a big increase in the costs of Ransomware attacks. Coalition reports that Ransomware claims were on average 2.5x as costly as other breaches, and that the average ransom demand increased by 100% in 1Q20 from 2019, and another 47% from Q1 to Q2 2020 to an average $338,669.
Ransomware was the most common cyber incident experienced by Coalition’s customers, at 41%, followed by funds transfer fraud (27%) and email compromise (19%). Email/phishing accounted for 54% of attack techniques, followed by remote access (29%) and social engineering (6%). Coalition reports that most of the breaches and losses it examined could have been prevented by basic cybersecurity controls, and no/low-cost controls such as multi-factor authentication and regular systems backups.
The National Association of Insurance Commissioners (NAIC) reports that 6.2% of US companies with cyber insurance reported a claim in 2019, up from 4.7% in 2018.
2020 is quickly becoming defined as ‘the year of ransomware’ in cybersecurity. Failing to give this threat the attention it deserves is resulting in meaningful financial losses for companies that find themselves victims. Carnival and Brown-Forman are just the latest examples. For Carnival, it was the second significant breach in the past year, and the economic and financial costs will only start to become apparent in the next quarterly earnings. The Cognizant CEO’s remarks during its July 29 earnings call, in reference to its own ransomware attack, give an insight into the long tail of damage caused by ransomware: “...we’ve also begun what we expect will be a multi-quarter initiative to refresh and strengthen our approach to security.”
Though instructive, the data points about the increase in cyber insurance claims are not the most important story. The more important issue related to cyber insurance is the fundamental flaws in the market itself and the resulting financial risk exposure to companies. As we wrote in May, companies' increasing reliance on digital technology to operate will likely fuel continued growth in the cyber insurance market in 2020. That’s clearly happening. Per a recent WSJ article, Bob Parisi, U.S. cyber product leader at Marsh & McLennan Cos.’ Marsh business, said, “There isn’t one tool that provides a thorough estimate of the cost of cyberattacks…”
One of the biggest insurance players in the market highlights what is well known but little discussed: no insurance provider currently offering cyber insurance is applying an accurate risk pricing model. As a result, there is a growing gap between the economic and financial impact of breaches and coverage provided by insurance providers. Though companies will often indicate in public statements that they “have cyber insurance coverage to cover most of the anticipated costs of the breach”, that is rarely the case.
This places greater emphasis on the need for more accurate cyber risk pricing: a model that only Cyberhedge has transparently proven to have. Until insurers begin adopting a proven risk pricing model, there can be no effective risk transfer and companies like Marriott, Norsk Hydro, ISS World, Pitney Bowes, and many others will continue to be left with significant and sometimes debilitating cost crunches post-breach that have to be covered through existing cashflows.
The discrepancy between actual economic and financial impact of breaches and cyber coverage is what deserves more attention than the simple rise in ransomware attacks and the increase in those demands.