No industry is immune from ransomware, and as these attacks become more expensive and crippling for organizations of all sizes across sectors, cyber insurance providers doubly feel the pressure.

Major insurers themselves have suffered losses from ransomware attacks. At the same time, the industry struggles with higher-than-ever insurance payouts to policyholders hit by ransomware and grapples with how to handle this growing risk. One insurer, AXA France, recently announced that moving forward, it won’t reimburse ransomware payments for new policyholders within the country.

“We’re at this precipice of what the future of cyber insurance will look like and whether or not cyber insurance has a future,” Forrester senior analyst Alla Valente said in an interview with SDxCentral. She also co-authored a Forrester blog post about the issue and said a growing number of clients have questions about rising premiums and policy renewals.

“This is not a nonprofit space,” she said. “Insurance companies are in the business of making money. They’ve priced these policies in a way that they thought would be profitable, but they didn’t consider that these policies would be coming due all at once.”

She compares the current cyber market to the home insurance market after a major hurricane or wildfire. Insurers make predictions based on historical data and price policies accordingly. “They write these policies thinking it’s OK if they sustain one or two or three hits, but nobody writes policies thinking in 2020 or 2021 everyone is going to be capitalizing on these policies. And that’s what insurance companies are faced with right now.”

Insurance Companies Join Forces

The industry is feeling the pressure from the ransomware surge, but it’s also taking steps to make sure cyber insurance remains a viable, long-term product, CyberAcuView CEO Mark Camillo said.

CyberAcuView is a new consortium of cyber insurers that aims to drive cyber risk mitigation efforts across the insurance industry. In addition to Camillo’s former employer, AIG, its member insurance underwriters include AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance, and Travelers. Joining forces will help the industry better understand cyber trends and risks and help policyholders improve their cyber resilience, Camillo said.

And, of course, right now ransomware remains one of policyholders’ biggest threats.

“You’re seeing the market respond, and it’s not just premium increases,” he said. “You’re seeing a combination of a curtailing of some of the coverage. You’re seeing, perhaps, a drawdown in some of the limits, or perhaps, higher retentions or deductibles.”

The cyber insurance industry has been around for a couple of decades, and with or without insurance, there are organizations that will deploy security controls and proactively manage their risk — and there are others that won’t, Camillo said. While ransomware may be the most recent cyberthreat, it’s not the first and it won’t be the last. Camillo points to the growing threat from internet of things devices, which also have the potential to cross over from cyberspace into the physical world and affect critical infrastructure, factory floors, and hospitals. “It impacts not just the cyber insurance world, it can impact almost every insurance policy that insurers write,” he said.

Camillo, who spent 20 years at AIG, most recently serving as head of cybersecurity for the Europe, Middle East, and Africa region, before being appointed CEO of CyberAcuView, said it’s been interesting to see how attacks have evolved.

“When you look at the initial cyber insurance when it came out over 20 years ago, the focus was really on protecting personally identifiable information and credit card data, and it’s been interesting to see how these bad actors, depending upon where they can make the most money, they tend to move, and they tend to adapt their strategies,” he said.

Incentivizing Policyholders to Adopt Security Controls

Back when cyberattackers were primarily interested in stealing credit card numbers or hospitals’ patient data, demand for cyber insurance primarily came from companies that had access to this type of sensitive information: banks, retailers, technology firms, and health care organizations. But that all changed with WannaCry and NotPetya, Camillo said. And over the past couple of years, ransomware has moved the needle even further in turning cybercrime into an equal-opportunity sport.

“And what we’ve seen is that with these increasing attacks, both in terms of the frequency of attacks and the severity of these claims, is that insurers have had to adapt their underwriting strategies,” Camillo said. “So we’ve seen almost every insurer introduce some type of ransomware supplemental application.”

This is in addition to the standard application, and it should give the insurer a better idea about how the company manages its security posture and how well prepared it is for a potential cyberattack.

“A lot of insurers did a deeper dive to understand what was causing these ransomware attacks, and where certain security controls failed, to understand where organizations needed to enhance their cybersecurity maturity,” Camillo said. “So that’s why you’re seeing these ransomware applications really focus on those areas.”

Additionally, insurance companies are starting to underwrite different policies for — or even decline to insure — organizations with average or below average security controls, he added.

“You’re also seeing things like coinsurance and sub limits being added,” Camillo said. This means that a company with a $10 million insurance policy and a 50% sub limit would only receive a $5 million payout in the event of a ransomware attack, he explained. Along these lines: a business with 50% coinsurance would share the loss due to ransomware 50-50 with the insurer.

“A lot of these initiatives are really trying to incentivize policyholders to adopt those [security] controls,” Camillo said. “Otherwise, they share in the risk until they’re able to improve those controls to have acceptable defenses against ransomware attacks.”