A new report from the Geneva Association says that there is an important role for private re/insurers in helping combat the rising threat of ransomware.
The report says that cyber insurance does more than provide cover against attacks: it also covers first- and third-party losses incurred by victims and supports businesses in avoiding and managing incidents. It insists that governments and regulators must do more to counter ransomware attacks, and it argues against banning ransomware payments.
Jad Ariss, managing director of the association, said: “With ransomware we see an example of the important ‘prevention and mitigation’ role insurers play as risk managers. They control a critical lever with their ability to incentivise customers to maintain strong cybersecurity controls and standards, helping to reduce firms’ vulnerability to attack and boost their cyber resilience.”
He added: “Governments and regulators have their levers, too, and as our report highlights, they need to rein in the illegal use of cryptocurrencies and do more to ensure information exchange about incidents as well as improve international cooperation among law enforcement.”
The report was authored by Darren Pain, director of cyber and evolving liability, and Dennis Noordhoek, director of public policy and regulation. Both men work for the Geneva Association.
They wrote: “Ransomware attacks have been a significant factor in the notable deterioration in cyber insurers’ underwriting performance over the past two years. In aggregate, the loss ratio on US cyber insurance rose from 44.6% in 2019 to 66.9% in 2020, with ransomware accounting for three quarters of claims according to credit rating agency AM Best. While the bulk of ransomware claims reflect recovery and remediation costs from an attack, including business interruption, the share associated with the reimbursement of ransoms has increased.”
On ransomware payments, the pair wrote: “By paying ransoms, firms also potentially incentivise ransomware criminals and in the process amplify the risk of future attacks on themselves or others. While this economic externality exists whether or not the victim of a ransomware attack is insured, some external commentators have expressed concern that the presence of insurance could make the situation worse by encouraging targeted ransomware attacks on those with cover. Governments have also hinted at the unintentional impact that insurance may have on ransomware extortion, highlighting how the ransoms demanded are often tailored to the amount insured under the cyber insurance policy.”
The cyber insurance market remains small, however, in comparison to the rest of the industry.
Pain and Noordhoek wrote: “The cyber insurance market remains small but nascent. Premiums represent less than 1% of the global property and casualty market while some reports indicate that only around a third of small businesses purchase this kind of protection. To help the market develop further, policymakers should therefore avoid measures that could inadvertently discourage households and firms from buying cyber insurance. Instead, policies that aim to safeguard cyberspace, promote cybersecurity and undermine cybercriminals’ business models will help to counter malware attacks and increase re/insurers’ appetite to absorb cyber risks from those less able to deal with them.”