Cyber insurance premiums are rising at a slower pace as ransomware claims are declining — a trend that is expected to continue over the coming year, according to Gerald Glombicki, a senior director in Fitch Ratings insurance group.
Cyber coverage is the fastest-growing segment of property and casualty insurance, with annual premiums of $8 billion to $10 billion projected to grow to $22.5 billion by 2025, according to a study by Fitch.
Insurance broker Marsh estimates that global cyber insurance pricing increases moderated to 28% in the fourth quarter of 2022, compared with a 53% increase in the third quarter. Until the first quarter of 2022, the rate of premium growth had not slowed since the fourth quarter of 2018, according to figures compiled by the Council of Insurance Agents and Brokers.
A key driver of the deceleration, according to some experts, has been a decline in claims involving ransomware, a form of malicious software that criminals use to block companies from accessing their own files, systems or networks, and to demand payment of a ransom to have that access restored. It can also involve a threat to leak sensitive data to the public internet.
Ransomware purveyors extorted about $456.8 million from victims in 2022, down from $765.6 million the year before, according to blockchain analysis firm Chainalysis Inc.
Glombicki, who has worked at Fitch for more than two decades, recently spoke to CFO Dive about some of these trends. He also addressed cyber spending challenges facing CFOs preparing for the possibility of a recession.
The following is a Q&A between Glombicki and CFO Dive’s Alexei Alexis. Remarks have been edited for clarity.
CFO Dive: Before we get into the outlook for cyber insurance, can you talk about how the industry has matured since its infancy?
Gerald Glombicki: When you look at the cyber insurance space, some people trace its beginnings back to the ’90s or even the ’80s, when you were protecting things like your mainframe or mouse or keyboard. But does that translate to cyber insurance as we know it today? I would argue that it doesn’t.
Then, fast forward to 2003, and I think that was the first shift toward cyber insurance as it exists today. At that time, California passed the first state privacy law in the U.S., and then you saw other states follow suit. Modern cyber coverage started to take shape, with policies covering things like data breaches stemming from lax security.
And then, in 2017, ransomware came on the scene, and that really changed the name of the game.
The question now is the whole issue of cyber warfare. To date, there hasn’t been a successful major-scale attack related to cyber warfare, thankfully. But, nonetheless, there certainly have been several attacks on critical infrastructure, particularly in areas of conflict, most notably Ukraine.
CFO Dive: Are you aware of any data indicating how many U.S. companies are covered by cyber insurance? And has there been an uptick amid the growth of cyber attacks, data breaches and related laws and regulations?
Gerald Glombicki: Insurance brokers have a metric called take-up rates, which refer to how many of their clients actually take them up on purchasing cyber insurance. A study published by GAO in 2021 cited data from Marsh showing that its U.S. clients’ take-up rates rose from 26 percent in 2016 to about 50 percent in 2020. That’s the last publicly available figure I’ve seen.
CFO Dive: How is the economy impacting cyber insurance spending?
Gerald Glombicki: With headwinds in the current macroeconomic environment, the question becomes: Where do you place the most dollars? Do you take a higher retention limit on your insurance policy? Do you buy less coverage? That’s what you’re starting to see people talk about right now.
CFO Dive: What are some trends you’re expecting to see in the year ahead?
Gerald Glombicki: First, I think you’re going to see premiums dissipating — still increasing year over year, but at a pace that’s a little bit slower. This is assuming, of course, that you don’t have any monumental catastrophic claim, which could certainly upset the apple cart.
Second, when you look at the claims environment, you’re starting to see ransomware go down. A recent Wall Street Journal article gave several possible reasons for this trend, including companies paying better attention to cyber hygiene and insurance underwriting standards getting tougher.
Third, I think the whole Russia-Ukraine conflict triggered some concerns about the potential for cyber warfare. And now, you’re starting to see insureds look at their cyber language to see if they’re covering that. That’s certainly an area where you could get caught up in risks that you didn’t necessarily think you had.
Finally, on the regulatory front, you’re starting to see more states with privacy laws. There’s long been talk about the possibility of a federal privacy law, but that hasn’t really gained traction to date. Also on this front, the Securities and Exchange Commission is expected to issue a cyber rule soon. One of the things that’s going to do is raise cyber awareness at the board level.
CFO Dive: What advice can you share for CFOs and others in the C-suite who are facing tough decisions about cyber insurance spending at a time when, as you noted, dollars may be scarce?
Gerald Glombicki: The more that cybersecurity is talked about in the board room, the more that it’s talked about in terms of funding is certainly something that’s positive in terms of the overall environment of the organization. However, as budgets become tighter, the question is: where do you put those dollars? Cybersecurity budgets are not sacrosanct; they’re subject to scarcity of dollars just like other spending categories.
One thing to keep in mind is that a large cyber budget does not necessarily translate to better cybersecurity. A better measure of cybersecurity health is a qualitative assessment of a cybersecurity program. And a good security program includes a transparent culture with board and management oversight, employee accountability and training, as well as operational resiliency.
Engaging a well-known cyber broker can help an organization understand their cyber risk profile and several strategies to mitigate and transfer their risk. But ultimate responsibility for the risk and strategy remains with the C-suite.