Satisfied that they finally have their arms around cyber-security risks and that construction company defenses are adequate for now, insurance carriers in 2023 ceased brutal cyber insurance price hikes, said brokers at the International Risk Management Institute's recent construction risk conference in Orlando, Fla.

Increases of 100% and 200% had been common in the past two years.

"Conditions have continued to improve," said Tara Albin, Midwest cyber leader for the FINEX North America unit of broker Willis Towers Watson. She said she now "sees 5% increases," and in some cases, renewals with premiums trimmed by that amount.

Albin said premiums reflect better controls by companies—multi-factor authentication for platform access, encryption where possible, regular software patching and rigorous review of subcontractor and vendor supply chain exposures—that cut risk.

"If controls are good, companies can recover more quickly from a cyber event without having to pay a ransom," she said. "I believe there was an over-correction in pricing last year which is the reason we are also seeing improved premiums this year," Albin added in an email.

Another insurance broker at the conference noted that once premiums quickly rose so high, modest increases or even slight premium cuts did not actually represent meaningful price relief for companies.

New insurers entering the market for cyber-security policies, such as Westfield Specialty, Vantage Risk and Bowhead Specialty, and competition among carriers, have helped turn the pricing trend around. Where insurers were often providing a payout limit of only $5 million, $10 million now is possible, Albin said.

The construction sector remains an appealing target for hackers, including mid-sized companies and government entities, and cyber security is a preoccupation of risk managers. Fraudulent wire transfers, through which a company is tricked into making a payment, are common. Ransomware attacks are especially costly, with an average of 22 days of business interruption costs. "That's a really long time," said Albin.

Most cyber insurance policies include business interruption coverage.

Cyber Insurance Evolution

Insurance involvement in cybersecurity has a history that was not part of the conference program.

The hard market began in 2020, when an unprecedented number and cost of ransomware attacks ended the reputation of cyber insurance as being especially profitable. Cyber criminals had become adept at inserting malicious code into software, infecting all of its users, and poor security practices by a third party could compromise a company's own security system. Insurers became more cautious, according to a report to the property and casualty insurance committee of the National Association of Insurance Commissioners.

Companies have improved their cybersecurity, using multi-factor authentication for access and training employees not to fall for phishing emails.

Multi-factor authentication allows companies to have separate environments on a network, said Michelle Chia, Zurich North America head of professional liability and cyber insurance in North America.

In an interview last year, Albin described how cyber insurance has evolved. Coverage for missed bids during a ransomware attack was one new feature, as was coverage for stopped project work caused by a cyber breach. "We were able to get a small sub-limit for that," she said at the time.

But the resourcefulness of cyber criminals also has improved, along with their knowledge of insurance for ransomware payments.

Albin said sometimes hackers seek a ransomware payment equal to the limit of a cyber-insurance policy. How do they know the limit? Because they have already read the policy while secretly exploring inside a company's electronic files.