Ukraine war and cyber resilience combine to temper global ransomware activity
06 June 2022
A Hard Reset 2.0
- The fallout from the war in Ukraine remains highly uncertain, but its immediate effect has been to reduce cyber frequency worldwide as warring sides refocus their priorities and resources
- Companies’ risk management investments appear to be paying off: most recent (pre-war) ransomware frequency data shows notable moderation, albeit from elevated levels
- Cyber insurance rate increases (averaging 105% in April 2022) are expected to moderate or even stabilise later this year should these trends persist
Howden, the international insurance broker, has today released its second annual report on cyber insurance, titled “A Hard Reset 2.0”. The report looks at developments that have shaped the market in the past year – including ransomware trends (and vulnerabilities), risk aggregation, the Ukraine war, economic sanctions and the spectre of cyber warfare – and assesses how the insurance market has performed through this period of flux.
Howden’s report reveals that higher loss frequency and severity from ransomware have caused such an extreme supply-demand imbalance in the cyber insurance market that today’s average cost of cover is more than double what it was last year. Publicly available data help to explain why this is the case, with the annualised number of global ransomware incidents up 235% in 2021 compared to 20191 and average U.S. ransom payments rising by 370%2 over the same timeframe. Having hit a peak in the second quarter of 2021, there was a moderation in the number of ransomware incidents towards the end of the year (see Figure 1), with this trend continuing into early 2022.
Figure 1: Rampant but relenting ransomware (Source: Howden, SonicWall)
1 Data source: SonicWall
2 Data source: Coveware
Shay Simkin, Global Head of Cyber, Howden, commented: “Market conditions remain difficult, but two potential tailwinds may help companies and insurance carriers as this year progresses. The first is off the back of more favourable ransomware trends following underwriting and risk management actions taken in response to increased ransomware frequency and severity. Companies are more resilient to ransomware attacks today than they were this time last year.
“The second, the war in Ukraine, is a lot more unpredictable, but it appears the conflict has so far dampened cyber frequency further as both warring sides focus their efforts on conventional warfare. This could of course change in an instant – for example, a ceasefire, a large-scale cyber attack, pressure on Russia’s government to find new revenue streams as economic sanctions bite – but for now insurance claims are down compared to last year. All of which raise important questions around the prioritisation and efficacy of cyber operations during wartime.”
How these dynamics play out for the rest of 2022 will be instrumental in shaping the pricing environment. For the best part of a year, cyber has experienced the most extreme rate increases across the entire insurance market, as reflected by Howden’s real-time, global cyber insurance pricing index, which includes average year-on-year rate movements, dating back to 2014 (see Figure 2). The last two full quarters (4Q21 and 1Q22) saw average annualised increases in excess of 120%, according to Howden data.
David Rees, Executive Director, Howden, added: “The last year has been characterised by price corrections, contracting capacity and restrictive terms – classic hard market territory. Whilst the value of cyber insurance continues to prevail for the vast majority of buyers, pricing is now approaching the limits of economic viability for some. Compounded increases from here are not sustainable, which, assisted by the more favourable claims environment that appears to be manifesting this year, is likely to moderate or even stabilise pricing. Improved insurer performance should also help attract new capacity into the market.”
Figure 2: Howden’s global cyber insurance pricing index (Source: NOVA)
Other key findings include:
Cyber continues to live up to its dynamic reputation. Just as companies and insurers have been adjusting to the new reality of ransomware, the war in Ukraine brings uncertain implications, both within and beyond the conflict zone. The array of groups operating in the cyber battlefield complicates distinctions between state-sponsored attacks and those carried out by non-state actors. Whilst the conflict appears to have reduced cyber frequency in the near-term as both warring sides (which host some of the worst offending ransomware gangs) refocus their efforts, the situation remains highly volatile and a lot can still change.
The risk transfer sector has been an important enabler of resilience by working with companies to adopt better risk postures in order to access insurance capacity. From a technology perspective, this includes endpoint detection and response (EDR), next generation anti-virus deployment, multifactor authentication (MFA) for remote network access, data encryption and protection, regular backups and patching of critical systems / software.
Importantly, the report stresses that companies need to take a holistic approach to cyber hygiene that embraces process improvement too. This involves training and educating employees, engaging with third parties, conducting table top exercises, testing business continuity and disaster recovery plans, having experts at the ready and knowing who to call should the worst happen.
But even the best prepared companies cannot eliminate the risk of a successful attack entirely, and here expert advice is available to help firms mitigate their risks and recover from incidents. For the benefit of clients, pre-eminent cyber experts have contributed to the report to offer insights into what companies need to do to improve their risk postures, reduce vulnerabilities and contain impacts in the event of a successful breach. The paper also analyses cyber security at a time of war in Europe to help clients unpick the deep complexities that exist in what remains a highly unpredictable environment.
Insurers are reacting to fast moving risk developments, which in turn is driving a rigorous insurance placement process that involves deep scrutiny of clients’ cyber controls. Questionnaires are more detailed and demanding – the scope is far more technical in nature than last year and new questions are appearing on a regular basis. There is unlikely to be any let up in insurers’ probing of cyber security any time soon. Preparation and timing are therefore paramount in this market, and companies need to anticipate a prolonged and meticulous placement process.
The ingredients for a more mature cyber market are now in place. Hardened cyber defences have left companies less vulnerable to prolonged disruption in the event of an attack or breach, and the cost of cover is now more commensurate with loss costs.
Strong demand and the prospect of more capacity looks set to drive significant market growth over the medium term. If this is at a CAGR of 25%, as predicted, this would see gross written premiums exceed USD 25 billion by 2026. Howden’s report forecasts that the U.S. will remain the biggest market for cyber insurance, although Europe is expected to close the gap somewhat over the next few years.