Public awareness of digital vulnerabilities has heightened with the growth in number of serious attacks and losses. However, there is still a lot more to be done to achieve increased cybersecurity and progress has been slow up to now. This is also evident from Munich Re’s global “Cyber Risk and Insurance Survey 2022”.
Digitalisation is advancing in every area of the economy and society. For the insurance industry, it is therefore vitally important to continue to tailor the range of cyber products to customer requirements and increasing digital dependencies. Insurers offer protection and thereby support the productivity and capabilities of insureds. To achieve this, the industry must ensure a balance between offering customers attractive solutions and maintaining the necessary sustainability and profitability in the volatile cyber business.
"Cyber insurance is fundamental for the successful digitalisation of the economy. Munich Re continues to offer capacity, and our goal as market leader is clear: to jointly develop innovative, datacentric cyber solutions with our clients and partners. Our offering increases our insureds’ resilience and improves the protection of digital business models. Munich Re significantly contributes to a sustainable market, which is essential for our clients."
Member of the Munich Re Board of Management
Challenges posed by the dynamics of cyber threats
In Munich Re’s opinion, 2021 was not an exceptional year from a cyber perspective. The risk situation remains extremely dynamic. Not every successful attack is immediately known to or comprehensively understood by the victim. Critical vulnerabilities grew significantly in 2021, with an increase of approximately 20% (Tenable). In view of increased vulnerabilities, it is crucial for companies and organisations to have a clear understanding of the threat landscape and one’s own weaknesses. Only then can they protect themselves through targeted risk management.
Munich Re experts assume that three factors in particular will characterise the threat landscape in 2022: ransomware, supply chain and critical infrastructures.
We continue to see ransomware attacks as the number one cyber threat. Criminal extortion in cyberspace is becoming ever more professional and complex and is often carried out by agile, coordinated criminal networks.
Ransomware business reached a new peak last year and is attracting more and more criminals. Extortionists obtained ransoms averaging US$ 118,000 per successful attack (as compared to US$ 88,000 in 2020 according to Chainalysis). CNA Financial alone paid a record sum of US$ 40m to members of the “Phoenix” hacker group. According to Cybersecurity Ventures, a ransomware attack occurred every 11 seconds in 2021. Attackers rely on a mix of tried-and-tested methods as well as their own expanding repertoire of tactics and approaches. The early approach whereby attackers specialised decryption and later on exfiltration of stolen data is evolving to include multiple extortion schemes.
By sharing their tools and expertise, criminal groups enable other perpetrators with little know-how of their own to carry out ransomware attacks and thereby help to finance established ransomware groups. For example, ransomware programs can be rented on the dark web for US$ 40 a month. In 2021 alone, the Conti group of hackers – the most lucrative “service provider” – extorted or earned at least US$ 180m from victims (Chainalysis).
Munich Re supports government and private-sector initiatives to curb ransomware, such as the Ransomware Task Force (RTF) initiated by the US Institute for Security and Technology, and is also a member of the EU-wide “No More Ransom” initiative.
Attacks on supply chains
Threat actors are increasingly resorting to supply chain security attacks with the potential for widespread impact. Global supply chains and industry sectors that typically make extensive use of software and hardware from various providers are among those particularly exposed. The 2021 attack on Kaseya, a software service provider for remote monitoring solutions, resulted in malicious code with ransomware being distributed to approximately 1,500 clients.
The challenges for companies are enormous. It is extremely difficult to manage all hardware and software components from multiple providers, each potentially with its own requirements or security standards and to adequately assess the resulting risk from or through the supply chain. The cybersecurity service provider Gartner estimates that, by 2025, 60% of companies will deem cybersecurity to be a key component in their IT procurement evaluation process. Realistically, however, this will not be easy for all suppliers to fully implement, though common security standards, strict risk management in the supplier segment and good documentation of critical dependencies in the supply chain will help reduce the risks. The European Union Agency for Cybersecurity (ENISA) recognised and analysed the increased risk from cyber-attacks on or via supply chains in its “Threat Landscape for Supply Chain Attacks” report. According to ENISA, the number of supply chain attacks quadrupled in 2021 compared with 2020.
The general consensus among experts appears to be that criminals and state-motivated actors will continue to exploit the potential of these attack vectors and the criticality of supply chains. For insurers, a single attack can trigger losses with a great many insureds. Munich Re budgets for particularly critical digital dependencies, e.g. the usage of cloud services of major providers, in its accumulation scenarios.
Digital attacks on energy providers, food providers, hospitals, administrative bodies and other areas of critical infrastructure reached a new peak last year. In view of current political conflicts, this trend is not expected to wane this year. And it is not only in Germany that the situation is “tight to critical” (BSI). Cybersecurity authorities in the USA, the UK and Australia are also seeing a worldwide increase in the threat to critical infrastructure.
Attackers often plan their attacks for the long term and maximise the impact by targeting supply chains and industrial or automated processes. Following one such attack on Colonial Pipeline, fuel shortages and panic buying temporarily paralysed regional infrastructure on the US East Coast and made headlines worldwide. Receiving less media attention was an attack in the US state of Florida in which a hacker attempted to tamper with the supply of chemicals at a water treatment plant and thus poison water supplies. The cyber-attack was discovered in time, so the population of the town of Oldsmar, near Tampa, was ultimately not in danger. Both incidents show that, “big game hunting”, i.e. targeted attacks on particularly lucrative extortion targets like pipelines, is not the only risk and that attacks on smaller and medium-sized government service providers or companies are also possible. This was a trend also observed by Munich Re in the past year. Particularly noticeable was the fact that smaller companies and government institutions often continue to be inadequately protected and are therefore more at risk overall.
The insurance industry is part of the solution
The increased public focus on cybersecurity is a positive sign: democratic governments are very much aware of the priority and urgency of the task of improving cybersecurity and are addressing this politically, infrastructurally and legislatively, as the examples of the improvement in national cyber resilience in the USA and the EU Cybersecurity Strategy illustrate. Munich Re expects these rules and regulations to be focused mainly to the issue of ransom payments and dealings with cryptocurrencies. Both legislators and the insurance industry should strive increasingly on setting minimum standards for cyber resilience in companies in order to ensure sustainable improvements.
Munich Re supports insureds and companies in developing their own resilience and responsiveness and thereby enables them to satisfy the preconditions for access to the cyber insurance market. The sustainability of the cyber insurance market can be further improved with better resilience and innovative coverage of residual risks.
"Our approach in cyber insurance is unchanged: disciplined in underwriting and stringent in risk management. Our experts continually refine our internal models on the basis of our own and third-party data, and with a particular focus on accumulation risks. We are in constant dialogue with our cedants and model providers regarding current cyber threats and accumulation scenarios to ensure that our approaches are state-of-the-art at all times. Volatile er insurance business can only be written sustainably and reliably for clients under these conditions."
Chief Underwriter Cyber
The implementation of adequate cyber security requires increased investment. Cybersecurity Ventures estimates global spending on cybersecurity in 2021 to have be US$ 262.4bn in 2021. An increase to just over US$ 300bn is expected in 2022. Not only large corporations recognise the value of effective security management; medium-sized companies, organisations, cities, municipalities and hospitals are likely to continue to invest.
Exacting cybersecurity standards must be defined and complied with by insurers and exposed industry sectors alike. Examples include the automotive cybersecurity standard ISO/SAE 21434, which will apply compulsory for all new cars from July 2022, and IEC standard 62443 on cybersecurity in industry and automation.
In the analogue world, it took 15 years for the provision of safety belts in German cars to be made mandatory, and many more years for them to be accepted and fastened by users in every-day life. This example lends itself to comparison to the digital world: despite growing awareness, the actual implementation of cybersecurity still leaves a lot to be desired.
Growing demand and great potential
Demand for cyber insurance has grown greatly in recent years.
Munich Re sees cyber premiums worldwide standing at US$ 9.2bn (beginning of 2022) and estimates that they will reach a value of approximately US$ 22bn by 2025.
Compared with the previous year, the survey shows that cyber insurance is becoming increasingly popular. The number of companies that already have cyber insurance increased by 20%. All industry sectors are interested in cyber insurance. With respect to the scope of cover under policies, respondents would like coverage to extend to data recovery services in an emergency, a 24-hour hotline, legal advice and forensic services. As to preventive services included in the policy, services in the area of network security, backup and password management were mentioned as priorities.
The results show a further increase in the potential for integrated solutions from insurers in the market. Cyber product offerings reached significantly more decision-makers in 2022 than in the previous year (42% received an offer, compared with 34% in 2021). The proportion of decision-makers surveyed who were still undecided about arranging cover remained unchanged at 35%. The range of cyber products still needs to be made better publicised and the additional benefits of those products (i.e. beyond pure risk transfer) better explained to potential insureds.
The sustainability of the insurance market
Risk transparency is essential for risk management by companies and organisations. With the increased use of new technologies and the continuous growth of digital dependencies, the prospect of new threat scenarios materialising in the future is a real one. The definition of insurability is key for the sustainability of the market, particularly as regards systemic risks and the extent to which these can be insured. The failure of cloud services or a multi-client data breach, for example, are covered. The coverage limits with regard to the resilience of portfolios are mapped in accumulation scenarios, continuously monitored and, if necessary, adjusted. Other systemic risks however, are not insurable in the private sector. Scenarios such as the failure of critical infrastructure (e.g. telecommunications or the power supply), as well as a possible cyber war, exceed the limits of insurability and are consequently excluded. These exclusions must be worded transparently and unambiguously. In collaboration with various industry participants and in consultation with Munich Re, the Lloyds Market Association (LMA) has published four standard clauses to exclude cyber war from coverage. These clauses, substantially equivalent in terms of content, will be used in policies going forward to meet specific cyber risk requirements.
To continue playing a leading role in shaping the market, Munich Re is pursuing a learning strategy and continuing to invest in dedicated cyber teams and expertise. Insurers will be focusing even more strongly on the targeted analysis and use of data. The objective will be to refine risk profiles, anticipate and classify trends and learn from claims data. At Munich Re, the development of know-how on data analytics and tools for processing relevant internal and external data is long underway. In addition to providing a better understanding of cyber risks, these methods and tools are used to develop innovative, datacentric solutions that go beyond pure risk transfer.
The goal in a sustainable market is to establish solutions for cyber risks as a long-term insurance offering, increase insureds’ resilience and thereby promote the protection of digital economic models. The risk transfer associated with services is an essential element of risk management for companies. In this market environment, we will be seeing more and more new players and participants covering risk: InsurTechs, managing general agents (MGAs) or alternative means of securitisation (ILS/ART), in which public-private partnerships may also engage in the future in order to protect areas of particular social relevance. All of these players will make use of expertise that has already been developed in the insurance market. Munich Re is one of the market and opinion leaders in the cyber insurance sector. Together with our clients and partners, we will continue to successfully and sustainably shape the cyber insurance market.