Premium Hikes and Vetting Decrease US Cyber Insurance Losses

Declining Loss Ratios May Allow Insurance Premium Increases to Moderate in Late 2022

An improvement in loss ratios for cyber insurance providers in 2021 means the rapid rise in premiums might, at last, subside later this year.

The loss ratio, simply insurer payouts versus premiums earned, declined for the first time since 2018 despite the frequency and severity of claims filed for cyberattacks increasing yet again in 2021. The improvement was due to steep premium hikes and a significant increase in vetting.

The hope is that these factors will slow cyber insurance premium increases and let the field stabilize. The increased vetting means businesses now need to show proof of sufficient cyber security preparation to afford premiums or even simply to obtain coverage.

Losses are High, But Premiums are Higher
Fitch revealed this week that the cyber insurance loss ratio in the United States declined from 72% in 2020 to 65% in 2021. Still, the cyber insurance loss ratio remains significantly worse than what the industry experienced from 2015 to 2019, when it never rose above 48%, according to Fitch.

Asking the Right Questions
Cyber hygiene is now central to the insurance underwriting process, with carriers refusing to cover businesses that don’t have multi-factor authentication, aren’t securing their endpoints, and don’t have an incident response plan in place. Providers have also pushed for cyber resiliency measures like network segmentation to stem the bleeding around incidents involving zero-day flaws.

The cyber insurance industry was historically focused on violations of data breach notification rules such as GDPR, and it started to see loss ratios rapidly accelerate as ransomware attacks became more pervasive over the past three years. Most cyber insurance providers aren’t auditing or pen testing policyholders, but they want to hear about the measures being taken to manage their attack surface.

Insurance carriers are focused on ensuring that customers have the following controls in place to effectively protect against ransomware attacks:

  • multi-factor authentication,
  • regular offline backups,
  • micro-segmentation,
  • employee training and awareness,
  • end-of-life system management,
  • privileged access management,
  • data encryption,
  • an incident response plan, and
  • controls on open Remote Desktop Protocol (RDP) access.

If you have questions about IT security, cyber insurance preparation, and the changing cyber-threat landscape, call ITPAC today.