Claims severity is back for Ransomware Wave Two
Back in July, I wrote about the return of ransomware, and the impact on the global cyber market.
At the time, the frequency of attacks was back with a vengeance, following a lull thought to have been induced by the onset of war in Ukraine.
Back then there was the suggestion that there had been a rise in ransomware claims frequency, but not necessarily in severity – or at least, it was a mixed picture.
Since then, the picture has developed. Ransomware claims severity is back, and some in the market believe it is exceeding the levels of Ransomware Wave One.
Data from MGA Coalition, published in September, showed that ransomware claims severity reached a record high in the first half of 2023.
This marked a 117% increase year on year and a 61% rise from H2 2022.
Recent conversations with sources suggest concerns that severity in ransomware claims is continuing to rise into the second half of the year.
Experience is varying widely by carrier so far, and it is tough to get a clear idea of how much severity is spiking on average.
However, from a quick canvass of cyber market participants, a number of players suggested that the cost components of first-party claims were up between 30%-50% on that seen during Ransomware Wave One, which started to show in 2018.
A handful of outliers said they were seeing greater increases than that, while others said they had not seen that kind of severity yet, but had heard instances of it at others.
There are a few reasons for this increased severity.
For one thing, broad-based inflation is driving up the cost of the response services to get victims back up and running.
Hackers' tactics are also changing. Data infiltration is now more standard– meaning that a ransomware attack is no longer just focused on denial of access to systems, but hackers are additionally extracting key data and threatening its release if a ransom is not paid.
All of which means longer downtimes, potentially higher BI values and the incentive to pay higher ransoms. If data is indeed released, the costs associated with data breach claims then come into play.
Testing the remediation
This is all happening at a time when rates are continuing to tumble.
The direction of travel on pricing has not altered much since my last ransomware piece in July. Low double-digit rate decreases are still happening – particularly in excess layers – and softening is also occurring in primary layers.
Brokers have been calling for lower deductibles and putting increased pressure on carriers to improve terms for buyers – often with some success.
Reinsurers I have spoken to have talked of downward revisions in 2023 premium targets at cedants, suggesting that rates have fallen faster than expected. Insurers also privately admit they are missing budgets.
And now, given the changing loss picture, questions are being raised around whether the remediation has worked for the longer term.
It is true that cyber hygiene has improved dramatically at insureds, which overall has been of benefit to the claims picture.
But it’s not entirely clear whether wordings imposed during the hard market to control ransomware losses have resolved the question of how to tackle the risk – although it is difficult to ascertain how many of these wordings have fallen away as a result of broker pressure and increased competition.
The market’s capitulation on the sub-limiting of ransomware will certainly hurt in a world of increased severity.
What it does underline is that risk changes more rapidly in cyber than in other classes. The market cannot necessarily rely on the ransomware claims trends (and the corresponding loss picks) of even three years ago to guide how it underwrites the risks of today.
It’s too early to tell if there will be a pricing reaction based on what carriers are seeing on the ransomware claims side. Certainly, after several years of compounding rate, some will argue there is enough fat in the book to allow for a little pricing erosion.
Long-time players in the cyber market have often said that the short-tail nature of cyber risk and the closer dialogue with insureds on their cyber security and needs, means the class can adapt more quickly to what it is seeing. As a result, in theory you should expect faster reaction times and shorter pricing cycles.
Should the increase in ransomware frequency and severity continue, it will be a good test of that theory.