This article was produced in partnership with McGill and Partners.
Desmond Devoy, of Insurance Business America, sat down with Ryan Griffin, partner – cyber, with McGill and Partners, to discuss the potential to be found in investing in cyber insurance.
With fewer victims paying ransoms, tighter coverage, and higher premiums in recent years, Ryan Griffin sees a return to profitability well underway in the cyber insurance market.
During a recent interview, Griffin, who is a partner in the cyber team at McGill and Partners in Chicago, cited interesting statistics from a 2023 Coveware blog showing a big shift in ransom victim behavior. Over the last four years, Coveware found that more victims are refusing to pay ransoms. Specifically, 85% of victims paid a ransom in the first quarter of 2019, and only 46% paid a ransom in the fourth quarter of 2022. And on an annual basis, 76% of victims paid in 2019, and only 41% of victims paid in 2022.
“Just a few years later, Coveware has shared record low pay frequency as the number of payments was nearly cut in half,” Griffin said. He recalls: “In 2019, those claims were plentiful. When an event happened, it was going to result in a ransom payment from the insurance company. But huge investments in cybersecurity over the last three years have led to enhanced detection, prevention efforts, and faster recovery time for companies. Also in that time, premiums have skyrocketed to account for the losses.
“So with fewer ransom payments, narrower coverage, and two to three times more premium banked in the hard market – the math is there to swing loss ratios in a healthier direction,” he said.
While the figures look impressive, Griffin would be the first to admit that bad actors have not gone away – instead, cyber threats have simply evolved.
“Criminal organizations that were making a lot of money in years prior will continue to find ways, as you are seeing a resurgence of big game hunting in the first half of 2023,” he said.
For example, he pointed to two recent ransomware attacks, against fast-food giant Yum! Brands, which owns the likes of Taco Bell, KFC and Pizza Hut, and fresh-produce distributor Dole Foods. Both reported downtime and have since been investigating the extent of data compromised. In a filing with the SEC this past January, Yum! Brands said it had to shut down almost 300 restaurants in the UK to contain the problem. A month later, Dole Foods temporarily shut down production plants in North America and halted food shipments to grocery stores, according to CNN. “You hit firms like that, and you don’t really realize the ripple effects in how our global food supply chain works. I think that’s where threat actors are able to extract a lot of leverage.”
Yet crucially, companies have been heeding warnings from their IT departments to cautiously open external emails and avoid clicking links from unknown senders. Improved phishing awareness, adoption of least privilege, and prioritization of immutable backups became the non-negotiables to procure cyber insurance.
Griffin also feels that there has been an “over-weighting” of aggregation risk, and that the insurance industry’s natural conservative cautiousness may be behind the skittishness to return to the cyber market, using yesterday’s thinking for today’s problems.
“I think they underestimate the resiliency of company networks,” he said. “Cyber effectively borrowed property insurance concepts. But there’s a difference between a building burning down and a partial interruption of your metric operations. The impacts are far different and they’re far more difficult to measure.”
The future state of cyber insurance may include pricing plateaus and conservative coverage concessions to retain business. But layer on more defined war exclusions, infrastructure exclusions, possible coinsurance, etc., and the product could lose its value for catastrophic buyers. There is, however, a growing potential for cloud outage protections. But again, Griffin points out that more onus is being placed on the insured party, as lists of common vulnerabilities are now common knowledge.
“There are insurers who are saying that they are only going to cover half the loss. It’s a sliding scale. If you patch it within the first 30 days, you’re fine. If it’s 30 to 60 days, you effectively have coinsurance, and then all the way to almost no coverage if you go a year without patching them,” he said.
Cyber insurance, he suggested, can also learn a lot from how farm insurance, for example, handles unpredictable weather patterns.
“By using the property valuation methodologies and forensic accountants, that drags on for years. Clients hate it,” Griffin said. “It’s tough to quantify. One of the major selling points is that you’re buying it for a really bad outage. And I don’t think it’s really meeting the needs of what it means to be down for a period of time.”
Griffin suggested that a pre-set dollar amount for a payout might bring peace of mind to clients and insurers, even if it is less than the value of the actual loss.
With all this in mind, Griffin feels that – to borrow a baseball metaphor – investment is returning to the game, but that the game is at the top of the first inning, with only one man at first base.
But the investment is “inevitable,” Griffin said, since there is now a track record with clear metrics on downtimes, showing how often they happen, what types of events are most prevalent, etc.
“If there’s ever been a time to innovate in this market, and take the next leap forward, now is the time, when there is profitability,” Griffin said. Instead of moving premiums back down to where they were in 2019, “I believe that some buyers would continue to pay the prices they paid in 2020-2022, if the product continues to improve. I don’t think product stagnation and lower prices are worth another volatile cyber market. There’s so much room for improvement on the coverage and recovery side that I think buyers would be receptive to it.”