The frequency and severity of cyber incidents, particularly ransomware attacks targeting businesses and critical infrastructure organizations, have been increasing and are unlikely to subside anytime soon. Higher claim counts and loss severity have led to significant and continuing increases in cyber insurance losses. Insurers have made up for this increased risk profile by passing the costs on to consumers in two ways: increasing premiums and attempting to narrow coverage.
Cyber insurance has become the fastest-growing product for U.S. insurers. Fitch Ratings recently reported that cyber insurance direct written premiums grew by 74% in 2021 to over $4.8 billion, and premiums for standalone cyber coverage increased by 92% to over $3.1 billion for the year, according to statutory financial data submitted to the National Association of Insurance Commissioners. This data also indicates that reported claims rose by 100% annually in the past three years and payments furnished from closed claims grew by 200% over the same period. Although there has been significant growth in claim frequency, price increases have reduced insurers’ direct loss ratio for standalone cyber insurance from 72% in 2020 to 65% in 2021.
Market interest in cyber insurance exploded in sectors that had previously seen relatively low uptake, such as the oil & gas industry, after the May 2021 ransomware attack on Colonial Pipeline Company. Colonial Pipeline, the largest fuel pipeline in the United States, was targeted by DarkSide, the hackers responsible for the attack, who threatened to leak data unless their $4.4 million demand was paid. Colonial Pipeline paid the $4.4 million ransom to get its data back; approximately $2.3 million was later recovered by the U.S. Department of Justice. The attack resulted in a shutdown of the Colonial Pipeline, causing a domino effect that severely impacted the U.S. oil supply chain. The Colonial Pipeline incident was one of a surge of costly ransomware attacks that spurred government action. Just days later, President Biden issued Executive Order 14028 to improve overall cyber resilience, incident response, and business continuity for potential cyberattacks on U.S. critical infrastructure.
At this point, there is no denying the exposure. As Kinder Morgan, Inc., for example, stated in its 2021 Form 10-K: “There is no assurance that adequate cyber sabotage and terrorism insurance will be available at rates we believe are reasonable in the near future. These developments may subject our operations to increased risks, as well as increased costs, and, depending on their ultimate magnitude, could have a material adverse effect on our business, results of operations and financial condition or could harm our business reputation.”
Cyber insurance can be one option to address these risks, along with planning for cyber incidents and other risk-shifting measures, such as requiring indemnification from third-party vendors. However, not all cyber insurance policies are created equal. Purchasing the right coverage requires a thorough understanding of your company’s risk profile and what coverage is available in the marketplace. Policyholders with a digital footprint should take a closer look and assess their exposure to cyber risks, closely watching insurers’ attempts to narrow coverage (updates we will detail in a future post). Finding an appropriate policy is key to shielding companies from devastating impacts to their business after a cyberattack. Policyholders should work with experienced counsel to evaluate coverage and to assess what security measures can be taken to reduce cyber exposure.