Ransomware is the gravest digital threat to American businesses today, representing an estimated 60% of all cyber insurance claims in the United States. The average ransom payment has nearly doubled in the past year, and the average total recovery cost for a single incident is now $1.8 million.
Loss ratios have nearly doubled over the past 18 months, and a high-profile attack on Colonial Pipeline in May 2021 disrupted a major supply of fuel to the East Coast, prompting significant action from the FBI and the White House. With no clear solution in sight, the industry’s response has been to increase premiums by 80% across the board, with some industries experiencing spikes of up to 200%, while simultaneously reducing coverage.
Cyber risk breaks two fundamental insurance assumptions. The first is that the risk of a business can be assessed once a year. Cyber risk is dynamic: numerous new risks emerge over the course of an insurance year, most of which are impossible to anticipate and outside the control of an insured business. The second is that past cyber breaches are a good indicator of the probability of future ones. Technology evolves rapidly, and insurance actuarial models have always lagged a year behind, which was rarely a problem until now.