Comment: Insurers won the war against piracy; will history repeat itself with cyber?
By Arthur J. Gallagher & Co’s cyber broking team
The insurance market plays an important role in supporting clients to evaluate the effectiveness of their risk management: it measures the return on investment (ROI) from risk mitigation by recognising where clients have demonstrated good practice and lowering premiums accordingly.
Insurance losses explode in a particular area when risk management doesn't match the threat currently posed. The subsequent premium hikes increase the ROI of mitigation and resilience projects – they become cheaper than buying insurance. Consequently, losses decrease and, eventually, premiums follow suit.
Insurers’ reaction to pirate groups targeting international shipping in the waters of the Red Sea and the Gulf of Aden over a decade ago brought attacks down to a level close to zero. Ultimately, this led to a drop in premiums, permanently affecting the threat environment. Is the same pattern emerging for cyber?
The rise and fall of Somali piracy
The dominant form of modern piracy in the Gulf of Aden resulted from the collapse of military ruler Siad Barre’s regime in Somalia in the early 1990s. Somalia soon became a failed state, and other nations took advantage, fishing illegally in its waters. Piracy may have initially re-emerged in response to this and continued to develop to its peak between 2009 and 2012.
While the number of attempted hijackings by Somali pirates increased to 237 in 2011 from 219 in 2010, the number of successful hijackings declined to 28 in 2011 from 49 in 2010, according to the International Maritime Bureau’s Piracy Reporting Centre.
At its height, piracy cost shipowners and governments between $6.6bn and $6.9bn, according to One Earth Future Foundation data, published in 2011. Fuel and rerouting cost shipowners $3.4bn; security equipment and armed guards $1.1bn; and insurance $635m.
Piracy is generally covered by a war risks policy, with kidnap and ransom (K&R) cover also playing a part. As piracy peaked in the Gulf of Aden, claims soared, with the industry reportedly paying out $300m in 2009-2010 in ransoms alone. Following an extended hijack, there was normally also considerable damage to the vessel, not to mention any cargo it may have been carrying.
Insurers took action against the mounting threat in several ways: they charged higher premiums for any vessels transiting High Risk Areas (HRA), as classified by Lloyd’s Joint War Committee. They also identified a set of security requirements called BMP 4 (Best Management Practices, version 4), which included fitting barbed wire to vessels and hoses to prevent assailants climbing aboard. The UK’s legalisation of the use of armed guards on vessels in the HRA in 2011 prompted many insurers to demand that shipowners employ this protection in order to gain cover.
A cottage industry of maritime security companies mushroomed as a result, with its own trade body, the Security Association for the Maritime Industry (SAMI). SAMI developed standards for the private maritime security industry, including ISO/PAS 28007. Companies endeavoured to legitimise their operations and distance themselves from their early ‘guns for hire’ reputation.
Somali piracy decreased, partly due to the work of international navies, but mainly because of insurers’ risk management requirements, most importantly armed guards. The losses started to drop off and, consequently, the premiums began to fall. In 2016 SAMI said it had been a “victim of its own success” and went into voluntary liquidation after its membership more than halved from its peak of 180 members. Insurers had changed the threat landscape by raising the industry’s risk management standards to deal with mounting losses.
Is the same thing happening in cyber?
At face value, there are certainly similarities: a new threat, seismic losses, and vast increases in premiums. The rapidly changing cyber threat landscape has precipitated massive losses and extensive changes in how organisations protect themselves. These same losses have led to a doubling, tripling, or more of insurance premiums to allow insurers to build reserves against potentially systemic exposures.
This same cycle occurred recently in the D&O insurance market, a cycle which took six years to come to fruition. In cyber, the cycle took just six months. The role of cyber insurance also changed as a result: it went from being the type of attritional insurance policy that picked up small, regular losses to something resembling a ‘catastrophe class’. In layman’s terms, organisations went from buying the digital equivalent of home and contents insurance to attempting to indemnify against a hurricane.
Insurers have set expectations for cybersecurity. Businesses have reacted by upscaling their cyber risk management to meet these requirements, but are losses decreasing as a result? And if so, will premiums start to level out as well?
Attritional losses have certainly quietened down. But is this solely in response to increased retentions in the hard market and the global cyber insurance market pushing minimum security requirements on its clients?
Severity claims (large individual losses) are still present, but conditions are improving and the market is in much better shape than it was 18 months ago. Taking rates and capacity as an example, in the last four months alone, at least seven new insurers have entered the market. Syndicates that had shied away from cyber are now considering changing tack because of the increased security requirements and bolstered minimum premiums, and this sentiment is increasing competition.
The risk landscape could also have been influenced by the war in Ukraine. Russian hackers may be focused on the current conflict and have, therefore, had less time to launch attacks against the West.
The market is continuing to adapt at pace. We anticipated 80-90% rate increases towards the end of this year, with a possible plateau at the beginning of 2023. However, in the last month, for organisations that can demonstrate a strong information security posture, Gallagher has seen rate increases drop to between 20% and 40% on average. When clients demonstrate good cybersecurity, we can generate healthy competition and drive premiums down. However, clients not exhibiting robust risk management in this area are heavily penalised.
The future for cyber
Cyber risk is constantly evolving. The controls in place now will not be obsolete in a year, but there will have been significant progression. Underwriters will be asking new questions and demanding a higher standard of controls. Over the last 18 months, Gallagher’s risk consultancy question set has tripled, but the depth of underwriting depends on the size of the client.
There is alignment with piracy in the Gulf of Aden – the risk management curve is identical. Yet the divergence comes as Somali piracy didn’t evolve to overcome the risk management measures that were established. We didn't see pirates successfully deploying new weapons, systems or tactics against the advent of armed guards on vessels.
With cyber, the trillion-dollar question is whether, unlike Somali pirates, cyber attackers could continually adapt their tactics, techniques and procedures. Is cyber the outlier: does continuous technological change at exponential rates mean that data on attack vectors and losses becomes outdated as soon as it’s modelled?
Another problem with cyber is the human factor. A business can install the most sophisticated security and have a significant IT expenditure, yet its employees are still, and always will be, its weakest link.
Any and all improvements the cyber insurance market has pushed and clients have adopted can be undone by human error. Unfortunately, that remains a significant problem without an obvious solution other than education. How firms are managed and how they train their people continues to come under underwriting scrutiny.
Insurers have undoubtedly influenced clients’ response to cyber risk in a similar way to piracy a decade ago. Yet the parameters for cyber are not the same. If all the above is true, it means the market will be in continuous flux, regardless of how well insurers try to manage it through premium, exclusions and other tools. How will the market respond to quantum computing threatening the cryptographic protocols that underpin most methods of data encryption? What happens when a cloud infrastructure-as-a-service provider experiences an outage? Only time will tell, but for now, it’s clear that heightened information requirements and expectations for risk management will remain long after the threat of current ransomware variants has passed.