Four years after NotPetya caused $10 billion in damages to the global economy, the malware shook up another industry: cyber insurance. In January 2022, a court ordered insurers to pay $1.4 billion to the malware’s biggest victim, Merck. The damage put the cyberattack in the ranks of hurricanes and pandemics as one of the most expensive disasters for insurers the world has ever seen. As the costs and frequency of cyberattacks increase, more organizations seek cyber insurance to mitigate their losses. But the cyber insurance industry has not received the same amount of attention in the policy world.

Cyber insurance offers a range of benefits, from helping organizations survive a costly cyber-attack to identifying and encouraging cyber risk management. An ideal cyber insurance market with expansive coverage and affordable pricing is often more effective than government regulation in incentivizing cybersecurity. However, premiums are becoming more expensive while coverage shrinks amid an ever-changing threat landscape.

This two-part series conveys the challenges facing cyber insurance and explores how the federal government can address these challenges. Part one introduces the current market conditions and cyber insurance’s effects on national cybersecurity. Part two examines policy options to improve the market and overall outcomes. 

Cyber Insurance Can Improve Cybersecurity

Cyber insurance covers losses related to cyber incidents, including first-party losses such as damages to digital assets and third-party losses such as lawsuits for data breaches, and can improve cybersecurity overall. Insurance payouts allow for quicker incident response and help companies survive the cost of attacks. For example, insurance helped Colonial Pipeline pay the $4.4 million ransom to restore operation in 2021, avoiding the substantial financial and social cost of delaying gas supply. In addition, insurers often have access to incident response resources that can help victims of a cyberattack lower the costs of an attack. In the 2019 attack against Rockville Centre School District, for example, insurers helped negotiate ransom payments down to half the original amount, saving the district $90,000 dollars.

Another major benefit of cyber insurance is that the underwriting process flags the lack of essential security safeguards and incentivizes good cyber risk management practices. Many insurers require basic security measures, such as multi-factor authentication or privileged access management tools, before issuing policies. Companies that lack basic security features face sky-high premiums or risk not getting a policy at all, while companies that invest in cybersecurity are rewarded with cheaper coverage in most cases. As a result, cybersecurity experts find that the risk evaluation process is crucial in helping management visualize the costs of bad security and convince them to increase cybersecurity spending.

A common critique of cyber insurance is that companies may cut cybersecurity spending after obtaining insurance since the costs of attacks have been transferred to the insurer, a phenomenon known as moral hazard. However, data shows that this is not always the case: forty-one percent of companies reported that insurers prompted them to adopt additional cybersecurity measures after enacting an insurance policy. In addition, some insurers take a proactive approach by probing an applicant’s network to assess risk or provide a comprehensive risk mitigation solution that bundles insurance policies with cybersecurity software. As these new models of insurance popularize, companies will no longer have to choose between coverage and cybersecurity investments.

The Current Market Dynamics

In the past two years, the market grew due to a sharp increase in ransomware attacks. In 2021, cyber insurance became the fastest-growing line of business in the industry, with the volume of policies purchased jumping 74 percent from the previous year to a total of $5 billion. However, profit margins remain tight as the insurance industry struggles with more accurate risk prediction in a highly volatile threat environment.

Demand for insurance rises as threat actors become more active. In a recent survey, 61 percent of respondents said their companies purchase some form of cyber insurance, a 30 percent increase from the same group of respondents in 2019. On the supply side, cyber insurance carriers are fighting against historical losses driven primarily by ransomware. Total claims and litigation costs for standalone cyber insurance have grown 300 percent since 2018. Insurers respond by reducing limits for ransomware-related coverage, excluding risky coverages such as attacks from nation states hackers, and increasing premiums across the board. The current market condition is hard—a term used to describe a period of elevated premiums and shrinking coverage—but insurers are largely able to stay afloat. The loss ratio, which measures the percentage of losses in total collected premium, decreased by 10 percent from 2020 to 2021, suggesting improved profitability.

Still, uncertainty remains the industry’s primary challenge. Ransomware operations have become more sophisticated with the emergence of ransomware-as-a-service and double extortion. Insurers are seeing a slight decline in ransomware-related claims, but are unsure if the relief will last. In the long term, unprecedented, large-scale cyberattacks remain a looming danger that prevents insurers from adding capacity to the market. The industry is actively tackling these issues with innovative underwriting technologies and new strategies to control risks but these changes will take time to be widely adopted.

Hard Market Poses Challenges for Nation’s Cybersecurity Efforts

While the cyber insurance market will continue to grow as demand increases, the decreasing capacity of insurers affects the nation’s cybersecurity. If capacity continues to decrease, insurers may cut or reduce coverage for sectors that face the highest risks. This presents a large problem for not only insurers, but also the nation’s cybersecurity. The issue can best be seen through the impact on small organizations and critical infrastructure.

Small organizations, including small businesses and local government agencies, often do not prioritize spending on cybersecurity. As a result, they tend to be less prepared when hit by a ransomware attack and are more inclined to pay ransoms. Unsurprisingly, cybercriminals increasingly target small organizations with moderate ransom demands for more likely payouts. Although smaller organizations are looking to insurance for help, reduced limits may force them to take on more risks or abandon cyber coverage altogether due to high cost or lack of availability. Without adequate resources to cushion the cost and respond to attacks, small organizations often go into bankruptcy, harming the nation’s economy.

Critical infrastructure faces even less coverage during a hard market because of technical vulnerabilities and potential costs to other parts of society in the event of an attack. As the Colonial Pipeline attack showed, insurance coverage is instrumental in helping critical infrastructure recover from an attack. Insurers, however, are concerned that a single cyber incident could “ripple across” multiple sectors and cause significant damage. A cyberattack disabling a regional electric grid, for example, could lead to a large sum of liability claims from all companies affected by the outage. Insurers are reducing limits for existing coverages and excluding coverage for attacks that are likely to cause large-scale disruptions, such as attacks from nation-state hackers. These measures may be a reasonable business decision, but a lack of insurance to increase rapid response capacity will place the burden of attacks on society.

There are, however, policy remedies for the problem. The core issue is the disconnect between profit-seeking market behaviors and affordable cyber insurance for vulnerable organizations. Policies that bridge the gap can help solve the obstacles facing the market while improving national cybersecurity.

Jeff Qiu is a research assistant with the R Street Institute’s Cybersecurity and Emerging Threats Team. He is pursuing a master’s degree in cybersecurity and public policy at the Fletcher School at Tufts University. Before joining R Street, he worked as a software engineer at U.S. and Chinese tech companies. He earned his bachelor’s degree in economics and computer science from the University of Chicago.

Image credit: Yurchanka Siarhei