Claims severity is back for Ransomware Wave Two
Insurance Insider US is part of the Delinian Group, Delinian Limited, 4 Bouverie Street, London, EC4Y 8AX, Registered in England & Wales, Company number 00954730
Copyright © Delinian Limited and its affiliated companies 2023

Accessibility | Terms of Use | Privacy Policy | Modern Slavery Statement

Claims severity is back for Ransomware Wave Two

rr ransom  wave bb copy.jpg

Back in July, I wrote about the return of ransomware, and the impact on the global cyber market.

At the time, the frequency of attacks was back with a vengeance, following a lull thought to have been induced by the onset of war in Ukraine.

Back then there was the suggestion that there had been a rise in ransomware claims frequency, but not necessarily in severity – or at least, it was a mixed picture.

Since then, the picture has developed. Ransomware claims severity is back, and some in the market believe it is exceeding the levels of Ransomware Wave One.

Data from MGA Coalition, published in September, showed that ransomware claims severity reached a record high in the first half of 2023.

This marked a 117% increase year on year and a 61% rise from H2 2022.

Changing tactics

Recent conversations with sources suggest concerns that severity in ransomware claims is continuing to rise into the second half of the year.

Experience is varying widely by carrier so far, and it is tough to get a clear idea of how much severity is spiking on average.

However, from a quick canvass of cyber market participants, a number of players suggested that the cost components of first-party claims were up between 30%-50% on that seen during Ransomware Wave One, which started to show in 2018.

A handful of outliers said they were seeing greater increases than that, while others said they had not seen that kind of severity yet, but had heard instances of it at others.

There are a few reasons for this increased severity.

For one thing, broad-based inflation is driving up the cost of the response services to get victims back up and running.

Hackers' tactics are also changing. Data infiltration is now more standard– meaning that a ransomware attack is no longer just focused on denial of access to systems, but hackers are additionally extracting key data and threatening its release if a ransom is not paid.

All of which means longer downtimes, potentially higher BI values and the incentive to pay higher ransoms. If data is indeed released, the costs associated with data breach claims then come into play.

Testing the remediation

This is all happening at a time when rates are continuing to tumble.

The direction of travel on pricing has not altered much since my last ransomware piece in July. Low double-digit rate decreases are still happening – particularly in excess layers – and softening is also occurring in primary layers.

Brokers have been calling for lower deductibles and putting increased pressure on carriers to improve terms for buyers – often with some success.

Howden global cyber insurance pricing index, 2014 to Q2 2023.png

Reinsurers I have spoken to have talked of downward revisions in 2023 premium targets at cedants, suggesting that rates have fallen faster than expected. Insurers also privately admit they are missing budgets.

And now, given the changing loss picture, questions are being raised around whether the remediation has worked for the longer term.

It is true that cyber hygiene has improved dramatically at insureds, which overall has been of benefit to the claims picture.

But it’s not entirely clear whether wordings imposed during the hard market to control ransomware losses have resolved the question of how to tackle the risk – although it is difficult to ascertain how many of these wordings have fallen away as a result of broker pressure and increased competition.

The market’s capitulation on the sub-limiting of ransomware will certainly hurt in a world of increased severity.

What it does underline is that risk changes more rapidly in cyber than in other classes. The market cannot necessarily rely on the ransomware claims trends (and the corresponding loss picks) of even three years ago to guide how it underwrites the risks of today.

It’s too early to tell if there will be a pricing reaction based on what carriers are seeing on the ransomware claims side. Certainly, after several years of compounding rate, some will argue there is enough fat in the book to allow for a little pricing erosion.

Long-time players in the cyber market have often said that the short-tail nature of cyber risk and the closer dialogue with insureds on their cyber security and needs, means the class can adapt more quickly to what it is seeing. As a result, in theory you should expect faster reaction times and shorter pricing cycles.

Should the increase in ransomware frequency and severity continue, it will be a good test of that theory.