Ransomware rattles cyber insurance market

Cyber insurance industry faced 'a reckoning' as ransomware attacks surged

Ransomware has become a business. And that’s having an impact on companies that provide cyber insurance.

The cyber insurance industry faced "a reckoning" in 2020 in the wake of a wave of ransomware incidents, according to a report from Fitch Ratings provided to FOX Business.

The direct loss ratio, a critical statistic for the industry, spiked in 2020 to 73%, compared with an average of 42% for the previous five years (2015–2019), according to a May 2021 Fitch Ratings report.

And the average paid loss for a so-called closed standalone cyber claim jumped to $359,000 in 2020 from $145,000 in 2019, Fitch said.


The latest report from Marsh, which offers insurance broking, indicates that U.S. cyber rates were up by 35% in the first quarter of 2021.

This is happening against the backdrop of a wave of ransomware attacks.

The number of organizations affected by ransomware has jumped 102% compared to the beginning of 2020 and "shows no sign of slowing down," according to a research note from IT security firm Check Point in May.

And the average ransom payment in 2020 is up 171% to $312,493 compared to $115,123 in 2019, according to a March report from Palo Alto Networks.

Driving this surge is the Ransomware-as-a-Service (RaaS) model, which leverages a partner program to execute cyberattacks.

Profits are the biggest draw, as demonstrated by recent high-profile ransomware attacks. JBS USA paid an $11 million ransom to cybercriminals who temporarily knocked out plants that process roughly one-fifth of the nation’s meat supply. And the REvil ransomware gang is demanding $70 million to unlock computers hit in a July 2 ransomware attack.

Standalone insurance rising sharply

Standalone cyber insurance is growing faster than package insurance, Gerry Glombicki, director at Fitch Ratings, told FOX Business.

"On a standalone I have to write profitability," he said, adding that package insurance profitability does not hinge on a single category and is much broader coverage that applies to a package of risk scenarios.

Historically, cyber insurance has been very profitable but that could be changing because of ransomware and the move to more standalone coverage, Glombicki said.

Data breaches are still the primary source of cyber claims exposures but losses tied to ransomware attacks have become more prominent in the last two years, the report said.


"While cyber insurance premium rates are rising sharply, concerns remain that underwriters can successfully price this business longer term, given constantly evolving risk exposures and sources of loss," the Fitch Ratings report said.

And the fact that ransomware is morphing into a big business has had a profound impact on companies seeking cyber insurance.

"It shifted from an IT problem to a business operations problem," Glombicki said, adding that it became a question of the survivability of a business.

"They don’t want to be put out of business," he said. 

Insurance companies also a target

Recently, ransomware criminals have targeted at least three North American insurance brokerages that offer policies to help others survive, according to an AP report.

Cybercriminals typically try to learn how much cyber insurance coverage the victims have. "Knowing what victims can afford to pay can give them an edge in ransom negotiations," the report said.

But now these companies have become victims too. 

CNA Financial Corp., the seventh-ranked U.S. cybersecurity underwriter last year, was hit in March and reportedly paid a $40 million ransom, according to a Bloomberg report.


FOX Business has reached out to CNA for comment.

"A vicious cycle exists in which increasing demands lead to increasing levels of insurance coverage and, the more coverage companies have, the bigger the ransoms they’re willing and able to pay," Brett Callow of Emsisoft, a cybersecurity firm, told FOX Business.