Cyber insurance: Risks and trends 2021
The developments of 2020, with all of their drastic effects, were anything but predictable: clearly so in terms of the pandemic, but also with regard to the cybersecurity landscape. This is reflected not only in many statistics, surveys and trend observations but, unfortunately, also in the frequency and severity of cyber-attacks over the past year. Some experts have even classified Covid-19 and its effects as “the largest-ever cybersecurity threat”.
Munich Re Global Cyber Risk and Insurance Survey
Covid-19 accelerated exploitation of vulnerabilities
Covid-19 is accelerating digital transformation. In this context, it is important to acknowledge that the threats and vulnerabilities are not entirely new. Some of them were there all along and were being exploited long before the pandemic occurred. For example, a Google survey found that 65% of people reuse passwords across multiple or all accounts. Another statistic revealed that 18% of all Windows PCs still use the outdated Windows 7 operating system. That means that in Germany alone, about 4 million devices may not be supported anymore. According to data from Munich Re, examples of inadequate cyber security such as these can already lead to significant cyber incidents.
Covid-19 and the necessity to digitise business operations and processes brought a dramatic increase in criticality and attack surfaces. It also mercilessly exposed the breadth of threats and how these may be exploited. The FBI reported a 300% increase in reported cybercrimes in April 2020. In March alone, ransomware attacks increased by 148%. Between February and April 2020, phishing was up 600% and, in April, Google blocked more than 18m Covid-19 related phishing mails each day.
Munich Re is observing that remote work still leaves organisations unprepared to monitor or identify threats and vulnerabilities, with unauthorised remote access, weak passwords, unsecured networks and the misuse of personal devices to name just a few. Likewise, more successful attacks on virtual private networks (VPNs), which are used by more than 400 million businesses and consumers across the globe, can be expected. A further spike in insider threats, with attackers increasingly offering employees with privileged access financial incentives to share or “accidentally” leak their credentials, is also anticipated.
A deeper look at the top cyber risks
As in previous years, ransomware attacks, data breaches and fraudulent activities like business e-mail compromise (BEC) again topped the list of cybercrimes. The total global economic damage of cybercrime is a controversial issue. Cybersecurity Ventures estimates global economic cybercrime costs to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025. In 2021, the number is expected to be $6 trillion, up from $3 trillion in 2015. This is no surprise, as the cybercriminal world is advancing at a fast pace, for example by collaborating or by using automation and artificial intelligence to create synergies and exploit weaknesses as quickly and as profitably as possible.
Apart from cybercriminal activities, nation states have never been more active, and there is no sign that this development will slow down any time soon. In that respect, the pandemic will play a significant role, since companies, research institutes and governmental agencies involved in COVID-19 vaccines and treatments will be under heavy fire from criminals and nation states.
Munich Re is well aware of the threats that may derive from nation states. As recent alleged nation-state sponsored cyber-attacks have shown, traditional war exclusions may require tailoring for Cyber (re-)insurance. We have engaged with our clients and other industry working groups such as the Geneva Association and the London Market Association to support the development of specific Cyber War exclusions. Munich Re is taking an active role in these discussions and providing extensive feedback to ensure that any new clause addresses our areas of interest, notably impact and attribution. We are hopeful that a market standard will emerge within 2021.
As in the years before, 2020 saw data breaches in which hundreds of millions of pieces of data were affected. In its risk assessments, Munich Re is observing not only a growing volume of personally identifiable information at risk owners' sites, but also an increasing criticality of data, with financial, healthcare, children-related or biometric data being most relevant. IBM reported that, in 2020, the average time to identify a breach was 280 days, even though the average savings of containing a breach in under 200 days was $1m, and concluded that the global average total cost of a data breach in 2020 was $3.86m. As the world will store roughly 200 zettabytes of data by 2025 (according to Cybersecurity Ventures), there is no sign of relief.
It is expected that the rapid growth of ransomware will continue in the future. This will involve not only encryption, but also more and more exfiltration of data. Alongside the higher frequency, ransom demands are also increasing exponentially: IBM Security X-Force is seeing extortion amounts of more than $40m in some cases.
Costs due to downtime can be as great as the ransom paid. In 2020, the average downtime cost totalled $283,000. That’s an almost 100% increase from 2019. Munich Re estimates that the cost of recovering from ransomware attacks may further increase. The “decrypt and delete” business mentioned above, combined with a public “leak and shame” tactic, will also contribute to this development. Ransomware will also continue to escalate since IT systems increasingly converge with critical infrastructure and operational technology systems. Munich Re is concerned that there will be more data, devices, and even human lives at risk when resources like power grids, medical systems or transportation management are successfully targeted. Such a scenario was already observed in the case of a hospital in Düsseldorf that was unable to accept emergency patients after a ransomware attack in 2020. A patient, who needed to be re-routed to another facility 20 miles away, lost his life. For this very reason, we are becoming even more active: we are compiling our portfolios even more selectively, and we expect the highest security standards from our customers or support them in integrating appropriate precautionary measures.
Business Email Compromise (BEC):
Fraudulent activities like BEC scams continue to rise: according to figures from the Anti-Phishing Working Group, the average loss for a BEC was $80,183 in Q2, up from $54,000 in Q1. Even costlier examples occurred in 2020, when Puerto Rico lost more than $4 million in three separate BEC attacks on government agencies and when criminals managed to steal $10 million from Norway’s state investment fund in a BEC scam.
According to Munich Re cyber risk specialists, spotting scams like BECs will become more difficult in a remote work environment. The supply of technology will contribute to this as well, for example when deep-fake audio and video are utilised in tandem.
Cyber insurance demand will grow further
The dynamics of the above-mentioned transitions, as well as the rising frequency and severity of cyber incidents, will manifest themselves in an increasing demand for cyber insurance. Munich Re expects the global cyber insurance market to reach a value of approximately USD 20bn by the year 2025. This widely held assumption could still be exceeded as a result of the boost to digitalisation. Munich Re expects that small and mid-sized companies in particular will suffer disproportionately from cyber incidents and therefore drive the demand.
Healthcare, professional services, retail, manufacturing, governmental agencies (including educational institutions) as well as financial services are expected to be the most exposed industries. This is why a big portion of the demand for cyber insurance will also very likely continue to originate from these industries. In addition to this business-driven demand, Munich Re is also expecting growth in cyber insurance for individuals and families.
Besides digitalisation and losses, regulation will also remain a key driver for cyber insurance. In 2020, data protection law enforcement made headlines with new records on levies against offenders. Overall, 315 fines were imposed for violating the EU's General Data Protection Regulation (GDPR). The GDPR fine for Google of €50 million was confirmed by France's top court in 2020 - the largest EU fine so far. Other fines were significantly reduced in 2020 due to their economic impact on the respective companies and affordability. Tightening law enforcement is to be expected all around the world, since 128 out of 194 countries have put legislation in place to secure the protection of data and privacy, whereas 154 countries have enacted cybercrime legislation (United Nations, as of December 2020).
While data protection regulation has been widely adopted, the world of connected devices and the Internet of Things is still under-regulated. Due to the importance of this aspect, Munich Re is supporting such regulation alongside a classification scheme that may help customers to better assess the quality of connected devices or cybersecurity services.
Complexity of risks requires top class expertise and a clearly defined risk appetite
“Large scale events like a pandemic underpin the importance of risk management. This is also true for cyber. We take this as confirmation of our efforts to tackle important topics like accumulation control, data analytics, silent cyber and many others. It is important to have a clear understanding of the underlying risks and what is and can be covered. Therefore, we see ourselves reaffirmed in continuing to invest in cyber expertise and partnerships and to intensively support our clients in order to ensure effective risk management,” states Jürgen Reinhart, Chief Underwriting Officer Cyber at Munich Re, emphasising the necessity to continuously re-assess the exposure and the respective risk appetite. Furthermore, Jürgen Reinhart also expects hardening market conditions for 2021 as one effect of increasing claims and increasing demand. This could already be seen in the second half of 2020.
Due to the predicted rise in frequency and severity of losses, the market will unavoidably show heightened underwriting discipline with a strong focus on ransomware events that can trigger several heads of cover. In addition, ransomware claims in particular may lead to decreasing line sizes, since insurance carriers will re-assess their risk appetite.
Monitoring cyber accumulation is a key task for the entire industry. Munich Re has an effective cyber risk management process in place and relies on its own sophisticated accumulation models. Nevertheless, it is important to monitor the market and seek external expertise from different vendors in order to ensure state-of-the-art accumulation management. The accumulation models being used by insurers are rapidly improving, and the current situation underlines the importance of further investment.
Another important issue for insurance carriers and their clients will be to advance the objective of carving out “silent” coverage for Cyber from their portfolios and largely converting such “silent” coverage to affirmative. In traditional Property or Casualty policies, excluding undesired cyber exposures may foster growth and transparency for all market participants. Particularly in Europe, some regulatory authorities are already requesting qualitative and quantitative information from insurers regarding “silent” or “non-affirmative” cyber exposure in their portfolios. In addition, regulators are obliging insurers to take action to exclude or affirm cyber coverages. There is positive momentum in most markets and LoBs, with ongoing discussions at varying levels of sophistication. We expect that this trend will continue in 2021.
With regard to Property, there are already established clauses that clarify the coverage of cyber exposure. New LMA clauses are being adopted more frequently in the markets. In December 2020, several cyber exclusions were published for the liability lines of business in the London market. Munich Re is observing an increasing impetus for these clauses from UK-based lead reinsurers, cedants and brokers.
Expanding portfolio with cyber solutions at Munich Re
Munich Re’s approach addresses the complexity of risks and the need for risk-adequate pricing. This requires top-class cyber teams cooperating across industries and markets. From the very beginning, we have invested significantly in building up the know-how and expertise, internal processes, tools, networks and clear guidelines needed to manage these risks. Along with risk transfer by way of insurance, the range of offerings is rounded off with risk management services and security measures. With these measures, Munich Re clearly underlines its ambition to be a leading global cyber insurance and solution provider.
“Cyber is a strategic growth field for the entire Munich Re Group”, says Torsten Jeworrek, Reinsurance CEO of Munich Re. “Accelerated digitalisation and the risks that come with it confirm our approach and strategy to contribute to tackling the cyber challenge from the very beginning. Our cyber portfolio has continued its profitable growth trajectory over the last years. Provided the insurance industry continues to draw the right conclusions from the momentum witnessed, we expect to not merely meet but even to exceed the current growth potential for the coming years.”
Together with our clients and partners we are expanding the boundaries of insurability while focusing firmly on sustainable and profitable growth.