Cyber-insurance underwriters and brokers are taking a beating

Cyber-insurance Underwriters and brokers are taking a beating due to flawed assessments and unanticipated losses after a sharp increase in ransomware attacks.

In a highly profound article by Daniel Woods, The evolutionary promise of cyber insurance, AIG had payouts totaling 10% in a $100 million cyber-insurance business in the year 2000.

Many other underwriters and brokers jumped on the bandwagon. However, assessing cyber risk is a highly complex endeavor, and customers would, as a result, shun underwriters and brokers who wanted to be thorough. Moreover, customers transferred most of their cyber-risk to their underwriters and did minimal security enhancements themselves.

Most cyber-insurance coverage involves asking simple questions around cash flow, asset values, penetration tests, number of servers, databases, results of penetration tests, etc. The number one determining factor regarding premiums was cash flow. The most common payouts revolved around covering litigation and infrastructure improvement. The medical industry cyber insurance would factor in higher litigation costs.

For cyber security professionals, risk assessment needs much more detailed information and much better modeling. Moreover, the information has to be timely, and security issues must be fixed. Unfortunately, the current paperwork-oriented methodology used by brokers and underwriters needs countless hours of expert information from executives, security heads, IT staff, security professionals, operations staff, etc.

Even though the information used to underwrite the policies was not perfect, underwriters kept on writing low premium policies because they were highly profitable.

However, the 170% ransomware growth in 2020 (Howden) changed the picture. The number of attacks, the profit margins that the hackers received, and the ease with which they got payouts sent the underwriters into a panic.

The losses mounted, and many underwriters got out of the market. Some underwriters put in exclusions like nation-state attacks, limits on payouts, increases in premiums.

The more astute ones started putting in language that would payout based on the sophistication of the customer’s cyber security defense.

Note that not a single underwriter nor broker has improved its security assessment methodology.

At TalaSecure, we can assess your ransomware risk and auto-fix your cloud infrastructure cyber-security vulnerabilities to lower that risk.

References

1. Daniel Woods: The evolutionary promise of cyber insurance

2. Howden: CYBER INSURANCE: A HARD RESET