How cybercrime is impacting the insurance industry
Cybercrime is one of the most serious and growing threats to the global economy and security. According to a report by Cybersecurity Ventures, cybercrime is projected to cost the world $10.5 trillion annually by 2025, up from $3 trillion in 2015.
The insurance industry, which provides coverage for various types of cyber risks, is not immune to the effects of cybercrime. In fact, cybercrime poses significant challenges and opportunities for insurers, as they face increasing demand for cyber insurance and higher exposure to cyber losses.
Ransomware: A major driver of cyber losses
One of the most prevalent and damaging forms of cybercrime is ransomware, a type of malicious software that encrypts the victim’s data and demands a ransom for its decryption. Ransomware attacks can disrupt the operations and reputation of businesses, governments and individuals and cause significant financial losses. According to a report by Cybersecurity Ventures, ransomware damages are expected to reach $42 billion in 2024, up from $20 billion in 2021.
Ransomware attacks have also affected the insurance industry, both directly and indirectly. Directly, insurers themselves can be targeted by ransomware, as they hold valuable and sensitive data, such as customer information, claims records and financial transactions.
For example, a ransomware attack on CNA Financial, one of the largest U.S. commercial insurers, caused a network outage that lasted for several days and ended with a $40 million ransom — the largest to date — being paid.
Indirectly, insurers can incur losses by paying claims to policyholders who suffer ransomware attacks. In 2017, a ransomware attack on the U.K.’s National Health Service (NHS) resulted in an estimated $100 million in claims paid by the NHS’s cyber insurer, Lloyd’s of London.
How ransomware affects loss ratios and premiums
The increasing frequency and severity of ransomware attacks have negatively impacted cyber insurers’ loss ratios and premiums. The loss ratio is a measure of an insurance line’s profitability, calculated as the ratio of claims paid to premiums earned. A higher loss ratio indicates lower profitability, and vice versa. The premium is the amount of money that an insurer charges a policyholder for providing coverage.
According to a report by Fitch Ratings, the loss ratio for the U.S. cyber insurance market increased from 43% in 2022 to 44% in 2023, mainly due to ransomware claims. The report also noted that some insurers reported loss ratios above 100% for their cyber insurance lines, meaning that they paid more in claims than they collected in premiums.
As a result, some insurers have reduced their cyber exposure, tightened their underwriting standards and raised their premiums. According to a survey by Aon, the average premium rate for cyber insurance increased by 26% in 2020, compared to 5% in 2019.
How insurers are responding to cyberthreats
Besides facing ransomware attacks, insurers also face other forms of cyberthreats, such as data breaches, denial-of-service attacks, phishing and malware. These threats can compromise the confidentiality, integrity and availability of the insurer’s data and systems and expose them to legal and regulatory risks.
To address these challenges, insurers need to enhance their cyber resilience, which is the ability to prevent, detect, respond to and recover from cyber incidents.
One of the initiatives that aims to improve the cyber resilience of insurers is the National Association of Insurance Commissioners (NAIC) Cybersecurity Model Law, which was adopted in 2017. The model law provides a set of standards and best practices for insurers to follow in order to protect their data and systems from cyberattacks and to notify regulators and consumers in the event of a breach. The model law also requires insurers to conduct risk assessments, implement security measures and oversee their third-party service providers.
As of September 2023, 23 states have enacted legislation based on the model law, and several others are considering it.
Cybercrime in perspective
Cybercrime is a serious threat to the insurance industry, and ransomware is one of the most challenging forms of cybercrime. Ransomware attacks have driven up the loss ratios and premiums of cyber insurers, making cyber insurance less profitable and more expensive.
However, cyber insurance also offers opportunities for insurers, as the demand for cyber coverage is expected to grow in the future, along with the development of new technologies and regulations.
How Wipfli can help
Insurers need to adopt effective strategies to manage their cyber risk, such as improving their cyber resilience, enhancing their data analytics and collaborating with other stakeholders. Our team of dedicated cybersecurity professionals has the experience necessary to help fortify your business against the growing threat of cybercrime. Contact us today to get started.