The hacks came one right after another, sowing chaos at hospitals, idling America’s biggest gasoline pipeline, crippling a huge meat supplier and devastating hundreds of companies over the July 4 weekend.
Now, insurers are reassessing the cyber business.
With cyberattacks on the rise and demand for coverage surging, the $3 billion industry of protecting companies against hackers is at an inflection point. Wrestling with higher costs and more risk, insurers are tightening standards, boosting prices and slashing how much they’re willing to pay for a breach.
Making coverage harder to get may expose more companies to greater financial risk. Insurers are re-evaluating how to profit from cyber policies amid a broader debate about who should be on the hook when hacks occur—like those against Colonial Pipeline Co. and JBS SA—and what roles the government and private industry should play.
“The ways of the past no longer work into the future, but never has this coverage been needed more,” said Joshua Motta, co-founder and chief executive officer of insurer Coalition. “People went a little over their skis, so right now there’s been a bit of a contraction.”
Biggest Players
Cyber policies are relative newcomers to the centuries-old insurance industry. The sector has exploded in the past decade—with premiums more than doubling since 2015 and totaling $3.15 billion last year, according to the National Association of Insurance Commissioners.
Now, some insurers are changing course. Hiscox Ltd. is “refining” its appetite for the business and focusing on smaller U.S. customers, the U.K.-based firm said in a statement.
Meanwhile, some firms are charging more for less coverage. Clients paid 35% more for cyber coverage in the first quarter than they did in the same period last year, according to broker Marsh McLennan. Demand for standalone policies surged 24% last year.
Tougher Questions
Insurers are also changing underwriting standards as they seek to reduce risk, according to Tom Reagan, who leads Marsh’s U.S. cyber practice. That often includes requiring companies to beef up their own protections.
Following an uptick in ransomware losses, American International Group Inc. recently started asking companies tougher questions about their security measures as part of its underwriting process and requiring clients to employ certain safety measures, Tracie Grella, AIG’s global head of cyber insurance, said in an interview.
This kind of extra scrutiny means companies are waiting longer to get coverage, according to Kristen Peed, director of corporate risk management at CBIZ Inc.