The insurance market is failing to meet the requirements of Airmic’s members regarding premium rates, scope of cover and capacity as premium rates rise to as high as 400 per cent, according to the association’s latest pulse survey. The survey, entitled ‘The harsh market with a focus on cyber’, was conducted in September 2021 and canvassed members of the Airmic leadership group of risk professionals.
According to the survey responses, there is a perception that the cyber insurance market has adopted “inconsistent approaches” for the capture and analysis of data, which has led to a wide variety in the risk appetite for cyber cover. The pulse survey assesses the top two renewal trends to be high premium rates (60 per cent) and an increase in the information required by underwriters (52 per cent). Other renewal characteristics seen in 2021 include reduced insurer capacity, reduced programme capacity, and insurers taking longer to provide quotes. More than half (53 per cent) of respondents purchase cyber insurance, noting that although claims frequency remains low, all claims related to a ransomware attack had been paid.
In a session at the Airmic conference, Arunava Banerjee, cyber risk consultant at Zurich, outlines the common gaps in cyber coverage, including a lack of proper asset inventory, weak identity and access management, lack of segmentation, and an emphasis on security at the expense of resiliency. Crucially, Airmic identifies that cyber risks are the most likely new risks to be financed by captives in order to address these coverage gaps.
The evolution of cyber threats
The pandemic greatly accelerated both the implementation of digital transformation programmes and the trend associated with these cyber risks. Almost half of respondents say they are more concerned about their organisation’s cyber security since the pandemic, while almost 20 per cent say they are significantly more concerned.
Airmic’s themed report ‘Cyber threats: living with disruption’, produced in collaboration with Control Risks, states that cyber threats are evolving into a form of disruption that organisations must learn to live with — specifically in terms of ransomware extortion and business interruption as a result of geopolitical technological rivalry and disinformation campaigns. Cyber criminals continue to evolve their extortion tactics to place pressure on their victims through distributed denial of service attacks, data-wiping attacks, and auctioning or selling stolen data to the highest bidder.
Banerjee identifies five types of emerging cyber threats: insider threat, supply chain cyber attack, backdoor, data breach and targeted malware attack (ransomware).
Ransomware
Ransomware was identified as the number two concern among risk professionals for 2021 in Airmic’s annual survey, with almost 70 per cent of respondents citing ransomware as a high or very high concern.
In another session, James Burns, head of cyber underwriting at CFC, says that ransomware has “solely transformed” the cyber market owing to the “astronomical increases” in the extortion amounts demanded in attacks over the last 18 months. The average demand amount is more than 20 times what it was at the start of 2018, while the average cost per ransomware claim has increased by a factor of 10. Burns adds that these trends in ransomware attacks have highlighted the extreme volatility in the market by pushing the cyber insurance industry into loss-making territory.
In the themed report, associate director Joseph Buckley and senior analyst Stina Connor at Control Risks say: “Ransomware has rapidly become the key cyber threat to organisations globally. It is no longer a matter of ‘if’ but ‘when’ an organisation will suffer a cyber attack.”
The annual survey also names business interruption following a cyber event as the top front-of-mind risk for risk professionals, as a result of the dramatic acceleration in rate increases in cyber insurance and the emerging threat of disinformation.
Next steps
The pulse survey determines that although the market is still generally perceived as hard, there are some emerging ‘green shoots’ such as an easing back of premium rate increases and cover limitations. Airmic notes that although such progress is being made in cyber risk profiling, the cyber insurance market is likely to see further disruption as challenges surrounding programme capacity remain — in this context, the association emphasises the need for continued collaboration between insurers, brokers and Airmic members.
Airmic also recommends that risk professionals and business leaders calibrate their risk management strategies to navigate the recent cyber threat trends, and manage IT and suppliers through governance and control.
In terms of the impact on the underwriting process, Burns advises organisations to take a more robust approach in assessing and quantifying cyber risk. He emphasises that it is important not to base the underwriting process on binary questions, as this does not consider the broader narrative of the cyber landscape.
Control Risks notes that to address the evolving cyber threat landscape, organisations have strengthened controls, changed technological protection, strategically and globally reviewed hardware and software processes, purchased cyber liability insurance for the first time, and increased their focus on training and awareness.
Buckley and Connor add: “For organisations, mitigation measures built on proactive, threat-led cyber security solutions and well-rehearsed, realistic cyber-crisis scenarios can prevent increasingly capable criminal threat actors from forcing your business into unnavigable situations.”
The pulse survey concludes: “While insurers and brokers are under stress themselves, there is evidence that insurers and brokers are developing their relationships with Airmic members as sustainable partnerships. There are still reports however, that communication could be improved, although there are fewer examples of ‘just-in-time’ renewals.”