Cyber Insurance Is Back From the Brink After Onslaught of Ransomware Attacks (bloomberg.com) 9
The cyber-insurance market, battered by a rash of pandemic-era ransomware attacks, is making a comeback. Price hikes are moderating, new carriers and fresh sources of capital are emerging, and companies can better afford coverage. From a report: Cyber-insurance pricing increased 10% from a year earlier in January, a fraction of the 110% annual increase reported in the first quarter of 2022, preliminary data from insurance broker Marsh McLennan show. If those trends continue, prices could be set to decline, said Tom Reagan, Marsh's cyber practice leader. The reversal would follow a wave of digital intrusions that dominated the work-from-home era and forced insurers to recalibrate both how they write policies and their risk appetites. Those attacks also pushed their clients to adopt stronger cybersecurity measures. The brutal conditions in the market have let up since then, with claim frequency declining in the fourth quarter of 2022 even as severity remained elevated, according to Marsh.
"What we're left with is a very, very, very different market than what we went into two or three years ago," said Paul Bantick, the global head of cyber risks at London-based insurer Beazley. "We have a mature market that has stood up against a huge test." The risks posed by cyber criminals are still enormous. Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, while the US Treasury Department said financial institutions flagged nearly $1.2 billion in likely ransomware-related payments in 2021. Recent high-profile breaches at financial services firm ION Trading UK and a major Asian data center emphasized the grim risk posed by hackers. Even so, the total amount extorted from ransomware victims in 2022 dropped to $456.8 million from $765.6 million the year before, according to data from Chainalysis.
"What we're left with is a very, very, very different market than what we went into two or three years ago," said Paul Bantick, the global head of cyber risks at London-based insurer Beazley. "We have a mature market that has stood up against a huge test." The risks posed by cyber criminals are still enormous. Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, while the US Treasury Department said financial institutions flagged nearly $1.2 billion in likely ransomware-related payments in 2021. Recent high-profile breaches at financial services firm ION Trading UK and a major Asian data center emphasized the grim risk posed by hackers. Even so, the total amount extorted from ransomware victims in 2022 dropped to $456.8 million from $765.6 million the year before, according to data from Chainalysis.
Money, the universal fix-all. (Score:1)
Can't be arsed to properly secure your "cyber" systems. Can't bother to keep sensitive data off-line. But can always simply throw money at insurers and hope they'll mop-up the inevitable mess.
Hell of a Recovery (Score:4, Interesting)
Re: (Score:2)
Important to read the fine print. They'll take your money but expect a lot in terms of IT (where if you do all of those things you don't really need insurance), and will cover very little in the end. Sure, you bought insurance and only catastrophe will tell if you can count on it. So why bother?
Re: (Score:2)
Well, Zurich Insurance is a _major_ insurer, incidentally around place 100 on the list of the largest corporations on the planet. I will take the statement of their CEO over what Bloomberg says any day.
bogus industry (Score:3)
I find the whole idea of ransomware insurance suspect. A company offering fire insurance will insist that your protected properties meet the Life Safety Code [nfpa.org], which requires all sorts of expensive precautions to limit the damage caused by fire. If, after a fire, it turns out that your property did not meet code, you don't get reimbursed for your loss.
I expect the same is true of ransomware insurance. The company will demand that you implement all sorts of information security procedures, but they won't check that you actually did until you file a claim. They will then audit you, and find you lacking. An important difference between fire insurance and ransomware insurance is that there is no generally-recognized ransomware equivalent to the Life Safety Code, so the insurance company has to make one up. You can be sure it will contain vaguely-worded requirements which the auditor can decide you have not met, even if you have been paying premiums for years.
A manager who buys ransomware insurance but does not budget for information security is fooling himself.
Re: (Score:2)
Well, you're stating guesses as if they were facts, but they're plausible guesses. You may be right, but it doesn't seem to merit the degree of certainty that you put behind your conclusion.
Re: (Score:2)
Well, you're stating guesses as if they were facts, but they're plausible guesses. You may be right, but it doesn't seem to merit the degree of certainty that you put behind your conclusion.
Stating speculation as though it were fact is a rhetorical device, though I did preface my second paragraph with "I expect". Even if you disregard that paragraph I think my conclusion is correct: if you don't invest in information security, you are just fooling yourself by buying ransomware insurance.
Re: (Score:2)
When that rhetorical device is used intentionally, rather than by accident, I typically call it lying. It's the kind of thing anyone can do in the heat of argument, but doing it with intent is intentional deception whether successful or not.
Re: (Score:2)
When that rhetorical device is used intentionally, rather than by accident, I typically call it lying. It's the kind of thing anyone can do in the heat of argument, but doing it with intent is intentional deception whether successful or not.
So you regard a "plausable guess", stated as though it were a fact, in a paragraph that starts "I expect" as a lie? You have very high standards.