Category Archives: Technology

Invest in Technology — But Don’t Forget
to Invest in People

A recent survey of insurance underwriters found that 40 percent of their time is spent on “tasks that are not core” to underwriting. The top three reasons they cited are:

  • Redundant inputs/manual processes;
  • Outdated/inflexible systems; and
  • Lack of information/analytics at the point of need.

The survey – conducted by The Institutes and Accenture – also found that underwriting quality processes and tools are at their lowest point since the survey was first conducted in 2008. Only 46 percent of the 434 underwriters who responded said they believe their frontline underwriting practices are “superior” – which is down 17 percent from 2013.

“While underwriters believe technology changes have improved underwriting performance, 64 percent said their workload has increased or had no change with technology investments,” Christopher McDaniel, president at The Institutes Catastrophe Resiliency Council, told attendees at Triple-I’s Joint Industry Forum.

The survey’s findings with respect to talent may shed some light on this. The number of organizations viewed as having “superior” talent management capabilities for underwriting fell 50 percent since 2013 across almost every measure of performance evaluated.

“Training, recruiting, and retention planning had some of the biggest drops, particularly for personal lines,” McDaniel said. About a quarter of personal lines underwriters said they view their company’s talent management programs as deficient.  That rate rose to 41 percent for talent retention; 37 percent for in succession planning; 33 percent for in training; and 30 percent for recruiting

“While technology investment may have improved underwriting performance” in terms of risk evaluation, quoting, and selling, McDaniel said those improvements “appear to have come at the expense of training and retaining underwriting talent,” McDaniel said.

Even before the pandemic and “the great resignation,” insurance faced a talent gap.  Part of the challenge has been finding replacements for a rapidly retiring workforce, as the median age of insurance company employees is higher than in other financial sectors.

McKinsey study that assessed the potential impact of automation on functions like underwriting, actuarial, claims, finance, and operations at U.S and European companies found that as underwriting  becomes more technical in nature it also will require more social skills and flexibility. Respondents to the McKinsey survey said automation and analytics-driven processes will produce a greater need for “soft skills” to shape and interpret quantitative outputs. Adaptability will also become more important for underwriters to stay responsive to changing risks and learn new techniques as technology changes.

“Underwriters will not become programmers themselves,” the McKinsey report said, “but they will work extensively with colleagues in newer digital and data-focused roles to develop and manage underwriting solutions.”

NFT & Insurance: Is It “A Thing”?

Non-fungible tokens (NFTs) are a hot topic, gaining attention from pop culture to the business press. Most of this notoriety has been associated with the buying and selling of digital collectibles, but the underlying blockchain technology and this specific application of it have implications for tangible assets and for insuring both digital and physical properties.

For this reason, the Institutes RiskStream Collaborative – the risk-management and insurance industry’s first enterprise-level blockchain consortium – recently launched a free educational series about NFTs.

What are NFTs?

“Non-fungible” means an object is unique and can’t be replaced with something else. A dollar is fungible – you can trade it for another dollar bill or four quarters or specific numbers of other coins, and you still have exactly one dollar.  An individual bitcoin is fungible. A one-of-a-kind trading card isn’t fungible – if you trade it for a different card, you would have a different thing, and you would lose possession of your original card.

NFTs are unique digital markers that can be associated with an asset to identify it as one-of-a-kind.

Want to understand more? Watch the first episode.

Insurance potential

In the second episode, the RiskStream Collaborative brings in Jakub Krcmar, CEO of Veracity Protocol, to discuss the concepts of computer vision, digital twins, and NFTs of physical products. The ability to create a unique digital twin of exact replicas – like identical baseball cards or identical automobile gears – to create an NFT may have major insurance implications. One example was the potential for NFTs to be associated with high-value physical objects to demonstrate authenticity of ownership and reduce or eliminate fraud opportunities.

Episode three features Natalia Karayaneva, CEO of Propy, who explains the potential for NFTs in real estate transactions. She highlights some of the benefits of the NFT approach, underscoring the efficiencies brought to primarily paper-intensive processes. The potential for insurance also is discussed.

In episode four, Kaleido CEO Steve Cerveny wraps up the series by describing the tokens themselves. He highlights the ability to create NFTs to represent any asset. These tokens are programmable “things” on a blockchain, which can help with business processes. Blockchains are basically ledgers or databases. Like any ledger, they record transactions; unlike traditional ledgers, however, blockchains are distributed across networked computer systems. Anyone with an internet connection and access to the blockchain can view and transact on the chain.

This open, consensus-based nature of blockchain – with everyone on the chain checking the validity of every transaction according to an established set of rules – enables conflicts to be resolved automatically and transparently to all participants. This dispenses with the need for a central authority to enforce trust and allows participants to build in automation through smart contracts.

The Riskstream Collaborative is the largest blockchain consortium in insurance, with over 30 carriers, brokers, and reinsurers as members who lead governance and activity. An “associate member ecosystem” is beginning to be established, and RiskStream is inspecting use cases in personal lines, commercial lines, reinsurance, and life and annuities.

As Cybercriminals Act More Like Businesses, Insurers Must Think
More Like Criminals

Credit for all photos in this post: Don Pollard

Cybersecurity is no longer an emerging risk but a clear and present one for organizations of all sizes, panelists on a panel at Triple-I’s Joint Industry Forum (JIF) said. This is due in large part to the fact that cybercriminals are increasingly thinking and behaving like businesspeople.

“We’ve seen a large increase in ransomware attacks for the sensible economic reason that they are lucrative,” said Milliman managing director Chris Beck. Cybercriminals also are becoming more sophisticated, adapting their techniques to every move insurers, insureds, and regulators make in response to the latest attack trends. “Because this is a lucrative area for cyber bad actors to be in, specialization is happening. The people behind these attacks are becoming better at their jobs.”

As a result, the challenges facing insurers and the customers are increasing and becoming more complex and costly. Cyber insurance purchase rates reflect the growing awareness of this risk, with one global insurance broker finding that the percentage of its clients who purchased this coverage rose from 26 percent in 2016 to 47 percent in 2020, the U.S. Government Accountability Office (GAO) stated in a May 2021 report.

Panel moderator Dale Porfilio, Triple-I’s chief insurance officer, asked whether cyber is even an insurable risk for the private market. Panelist Paul Miskovich, global business leader for the Pango Group, said cyber insurance has been profitable almost every year for most insurers. Most cyber risk has been managed through more controls in underwriting, changes in cybersecurity tools, and modifications in IT maintenance for employees, he said.

By 2026, projections indicate insurers will be writing $28 billion annually in gross written premium for cyber insurance, according to Miskovich. He said he believes all the pieces are in place for insurers to adapt to the challenges presented by cyber and that part of the industry’s evolution will rely on recruiting new talent.

“I think the first step is bringing more young people into the industry who are more facile with technology,” he said. “Where insurance companies can’t move fast enough, we need partnerships with managing general agents, with technology and data analytics, who are going to bring in data and new information.”

“Reinsurers are in the game,” said Catherine Mulligan, Aon’s global head of cyber, stressing that reinsurers have been doing a lot of work to advance their understanding of cyber issues. “The attack vectors have largely remained unchanged over the last few years, and that’s good news because underwriters can pay more attention to those particular exposures and can close that gap in cybersecurity.”

Mulligan said reinsurers are committed to the cyber insurance space and believe it is insurable. “Let’s just keep refining our understanding of the risk,” she said.

When thinking about the future, Milliman’s Beck stressed the importance of understanding the business-driven logic of the cybercriminals.

If, for example, “insurance contracts will not pay if the insured pays the ransom, the logic for the bad actor is, ‘I need to come up with a ransom schema that I’m still making money’,” but the insured can still pay without using the insurance contract.

This could lead to a scenario in which the ransom demands become smaller, but the frequency of attacks increases. Under such circumstances, insurers might have to respond to demand for a new kind of product.

Learn More about Cyber Risk on the Triple-I Blog

Cyberattacks on Health Facilities: A Rising Danger

Cyber Insurance’s “Perfect Storm”

“Silent” Echoes of 9/11 in Today’s Management of Cyber-Related Risks

Brokers, Policyholders Need Greater Clarity on Cyber Coverage

Cyber Risk Gets Real, Demands New Approaches

Executive Exchange: Pandemic Lockdown Speeds Insurance Digitization Growth

The global pandemic accelerated many technological advances that were already underway in the insurance industry – changes that are likely to pick up speed as COVID-19 recedes, according to Rohit Verma, CEO, Crawford & Co.

Triple-I CEO Sean Kevelighan recently spoke with Verma about the dramatic changes taking place as virtual interactions became more necessary and expected by consumers – especially in the early stages of the COVID-19 crisis. Crawford is a global provider of claims management solutions. 

“We have a self-service app which had probably a seven to 10 percent adoption rate,” Verma said in the conversation, which you can watch in full below. “Within the first three months, that adoption rate went up from seven to 10 percent to about 35 to 40 percent.”

Verma said he expects further acceleration of digitization in insurance, with start-ups partnering with larger, established companies to transform how insurance is done. The biggest obstacle, as he sees it, is the question: “Do we approach problems with a viewpoint of how we do solve them digitally, or do we approach them on how we solve them traditionally?”

Verma will be one of five senior executives participating in the C-Suite Panel on Resilience at Triple-I’s 2021 Joint Industry Forum on Thursday, Dec. 2, in New York City.

This Just In:
Insurance Isn’t Boring

I just learned that November 3 is National Cliché Day. Who knew?

So, what better time than now (before it’s too late!) to bust the cliché that insurance is a boring industry.

The cliché might be rooted in the idea that insurance is all about remaining cozily in some imaginary “safety zone”.  Or maybe in the fact that the industry’s visual surface tends to be one of dull-looking paperwork full of fine print.

But think about it: the entire industry is rooted in risk!

Automobile accidents and other forms of property damage are only the start of it. There’s liability risk – the risk of being sued: product liability, professional liability, employment practices, directors and officers, errors and omissions, medical malpractice – the list goes on, and insurance professionals have to understand these areas of risk intimately to price policies, set aside appropriate reserves, and pay claims in a timely fashion.

Is climate-related risk keeping you up at night? You’re not alone. Insurers have been working on that one for decades, empowered by sophisticated modeling and analytics capabilities.  They aren’t just worrying about extreme weather and climate – they’re partnering with other industries, communities, and governments to do something about it.  

And, speaking of sophisticated technology – what about cyber risk? The average cost of a data breach rose year over year in 2021 from $3.86 million to $4.24 million, according to a recent report by IBM and the Ponemon Institute — the highest in the 17 years that this report has been published. These kinds of numbers add up quickly. Unlike flood and fire – perils for which insurers have decades of data to help them accurately measure and price policies – cyber threats are comparatively new and constantly evolving. The presence of malicious intent results in their having more in common with terrorism than with natural catastrophes.

These are just a few of the risks types insurance professionals look in the eye daily, working with a wide range of experts across industries and disciplines to meet them.  From the individual and family level to businesses large and small to the global economy, insurers play a critical role as both risk-management partners and financial first responders.

Keep these things in mind next time you catch yourself stifling a yawn at the mention of insurance!

Cyberattacks on Health Facilities: A Rising Danger

By Max Dorfman, Research Writer, Triple-I

As cyberattacks have increased in recent years, one area of particular concern has been those that target hospitals and health systems. These attacks have affected not only private information but also threatened the lives and well-being of patients.

A major shift

Hospitals rely more than ever on computerized systems to manage their information and systems. With the added complications related to the COVID-19 pandemic, the dangers associated with cyberattacks have only worsened.

“It’s part of a trend we’ve seen building over the last couple years, even before the pandemic,” said Scott Shackelford, chairman of the IU Cybersecurity Risk Management Program. Unfortunately, health-care providers are very much in the crosshairs. Not only do they often have insurance and deep pockets, but doctors need access to patient information to perform procedures and provide required services.

Because of this vulnerability and urgency, Shackelford said, “They are more likely to pay up.”

“If you look at the surveys that have been done, about one-in-three health providers have been hit by ransomware attacks just since 2020, and there’s been a 45 percent uptick in that rate since last December,” Shackelford added.

One recent attack, on Johnson Memorial Health in Franklin, Indiana, disabled its computer system. Although the hospital said it could still manage its patient intake, the loss of computer capabilities slowed operations down dramatically.

“We’re used to sending lab orders via computer, sending prescriptions to pharmacies via computer, so we’re going back to a real reliance on paper again,” Johnson Memorial President and CEO David Dunkle said. “We’re using more human runners, people taking lab recs between the ER and the lab.”

Hospitals have been slow to respond

Although there have been major technological advancements in the medical field, not all health systems have provided robust IT teams or thorough safety protocols. One area of note is with new medical devices, which take years to earn FDA approval and can come with outmoded software and operating systems without the latest security mechanisms.

This has given hackers the ability to disable medical imaging devices like MRIs. They can then shut down or interfere with machines.  A recent study by McAfeeEnterprise’s Advanced Threat Research Team uncovered that an IV pump created by German medical manufacturer B. Braun possessed a susceptibility that would allow hackers to change medicine doses remotely.

And while traditional phishing attacks require a user to open a corrupted file — a trend that is now on the decline — new attacks can use so-called Zero Click malware, which can infect a system merely through receiving a text or email.

Additionally, sensitive data that health systems possess gives hackers the opportunity to sell this information online — or threaten to — with demands rising into the millions of dollars. After a 2009 U.S. law was passed that required Medicare and Medicaid providers to implement electronic health records, these risks have only accelerated.

Life and death circumstances

Hospitals are now not only seeing the financial risks with cyberattacks, but the threat to their patients’ lives.

In July 2019, Springhill Medical Center faced a massive ransomware attack that disabled its electronic devices. This failure created dire circumstances for one infant, causing doctors to be unable to monitor the child’s condition during delivery. The infant died, and the hospital is being sued by the mother for malpractice—a charge Springhill denies.

Another attack in Düsseldorf, Germany in 2020 saw the death of a 78-year-old woman from an aortic aneurysm. What was supposed to be a routine pick-up turned into a nightmare, when the local hospital’s system was disabled by a ransomware attack, forcing the emergency department to turn away the woman and causing the ambulance to travel much farther. During this time, the patient’s condition worsened, and she eventually died.

How much worse can it get?

By the middle of August of 2021, 38 attacks on health-care providers or systems had interrupted care at approximately 963 U.S. locations. For all of 2020, only 560 sites were affected in 80 separate incidents, according to Brett Callow, a threat analyst at security firm Emsisoft.

With the vast amount of data and equipment at each of these health facilities—as well as the linked networks of many systems—the threat of cyberattacks in health care will only continue to grow unless more action is taken.

Insuretech Connect: Showcasing Innovation

Sean Kevelighan leads Climate Risk and Resilience panel. (Photo/videos by Scott Holeman,
Media Relations Director, Triple-I)

By Loretta Worters, Vice President, Media Relations, Triple-I

Insuretech Connect – the world’s largest gathering of insurance leaders and innovators – last week brought together insurance technology stakeholders to network, share insights, and learn about leading-edge technology across all insurance lines.

Conference participants included Pete Miller, president and CEO of The Institutes, who discussed risk mitigation through new technology. 

“Capturing data about the things we do and then allowing us to mitigate risk before we even get to the insurance function, that’s really where I think this industry is going,” he said.

One panel, Climate Risk and Resilience, focused on the importance of Insurtech and innovation to the success and sustainability of the industry. Moderated by Triple-I CEO Sean Kevelighan, the panel included Sean Ringsted, chief digital officer at Chubb; Christie McNeill, associate partner with McKinsey & Company and leader of ESG and Climate Change for the Insurance Practice in North America; Alisa Valderrama, CEO and co-founder of FutureProof Technologies, a venture-backed financial analytics software company specializing in climate risk; and Susan Holliday, Triple-I nonresident scholar and senior advisor to the International Finance Corporation (IFC) and the World Bank, where she focuses on insurance and Insuretech.

“Insurers are no stranger to climate and extreme weather,” Kevelighan said. “They have had a financial stake in it for decades.”

He noted that insured losses caused by natural disasters have grown by nearly 700 percent since the 1980s and four of the five costliest natural disasters in U.S. history have occurred over the past decade.

U.S. insurers paid out $67 billion in 2020 due to natural disasters. The insured losses emerged in part as the result of 13 hurricanes, five of the six largest wildfires in California’s history, and a derecho that caused significant damage in Iowa. 

This year’s Hurricane Ida is expected to cost insurers at least $31 billion and to push Hurricane Andrew out of the top five damaging storms. 2021 has been another record year for wildfires. January 1 to September 19, 2021 there were 45,118 wildfires, compared with 43,556 in the same period in 2020. 

The panelists talked about how insurers have long been aware of climate risk and – to the extent that existing data-gathering and modeling technologies allowed – considered it in risk pricing and reserving. As information storage and processing have vastly improved, the industry has not only gotten better at underwriting and reserving for these risks – it has identified opportunities in areas it once could only view as problems.

Improved modeling, for example, has increased insurers’ comfort with and appetite for writing flood coverage and spurred the development of new products. 

“Insurers are and always will be financial first responders, but there’s a growing realization that risk transfer alone isn’t enough,” Kevelighan said.  “Insurance is one important step toward resilience.  It’s well documented that better-insured communities recover faster from disasters.  But more is required to address increasingly complex global risks.”

Building a Robust
Cyber Insurance Market
Is Focus of Oct. 13 Panel

Triple-I CEO Sean Kevelighan will join a virtual panel on Wednesday, Oct. 13, at 11 a.m., ET, to brief public policymakers on ways to build a robust cyber risk insurance market.

“To allow businesses to operate safely in an increasingly interconnected world, insurers are working closely with their commercial customers to mitigate cyber risks and to make sure businesses have the right types, and amounts, of cyber insurance,” Kevelighan said.  “However, as we are seeing increasing uncertainty in the extensiveness of cyber risk, it is also essential that we better understand the role government needs to play in particular around law enforcement and international diplomacy.”

As previously noted in The Triple-I Blog, some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for large terrorist acts prior to 9/11. Before those attacks, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act to stabilize the market.

“A balanced public-private partnership that recognizes where insurance can be a helpful financial responder, and how government is an essential preventative tool, will be critical to helping mitigate the ever-increasing cyber risks we are facing in the world,” Kevelighan said.

Presented by Indiana University’s Ostrom Workshop and Cybersecurity Risk Management Program in collaboration with The Institutes Griffith Insurance Education Foundation, the discussion can be viewed free of charge by public policymakers who register online in advance. It is one of three Cybersecurity Policy Bootcamp sessions the two organizations are co-hosting in October as part of Cyber Security Awareness Month.

The one-hour session will focus on Deepening Partnerships Between States, the Federal Government, the Private Sector, and Academia to Build a Robust Cyber Risk Insurance Market.

Along with Kevelighan on the panel will be three other subject matter experts:

  • Elizabeth Kelleher Dwyer, Esq., superintendent of Financial Services for Rhode Island Department of Business Regulation;
  • Scott J. Shackelford, JD, PhD, chair of the Cybersecurity Program at Indiana University, Bloomington; and
  • Douglas Swetnam, section chief for Data Privacy & Identity Theft in the Indiana Attorney General’s Office

Frank Tomasello, executive director for the Institutes Griffith Insurance Education Foundation, will be the panel’s moderator.

Learn More:

Article:                 Cyber Liability Risks

Video:                  Seven Cybersecurity Tips to Safeguard Your Business

Triple-I Blog:  

 Cyber Insurance’s “Perfect Storm”

 “Silent” Echoes Of 9/11 in Today’s Management of Cyber Risks

 Brokers, Policyholders Need Greater Clarity on Cyber Coverage

  Cyber Risk Gets Real, Demands New Approaches

Deepfake: A Real Hazard

By Maria Sassian, Triple-I consultant

Videos and voice recordings manipulated with previously unheard-of sophistication – known as “deepfakes“ – have proliferated and pose a growing threat to individuals, businesses, and national security, as Triple-I warned back in 2018.

Deepfake creators use machine-learning technology to manipulate existing images or recordings to make people appear to do and say things they never did. Deepfakes have the potential to disrupt elections and threaten foreign relations. Already, a suspected deepfake may have influenced an attempted coup in Gabon and a failed effort to discredit Malaysia’s economic affairs minister, according to Brookings Institution

Most deepfakes today are used to degrade, harass, and intimidate women. A recent study determined that up to 95 percent of the thousands of deepfakes on the internet were pornographic and up to 90 percent of those involved nonconsensual use of women’s images.

Businesses also can be harmed by deepfakes. In 2019, an executive at a U.K. energy company was tricked into transferring $243,000 to a secret account by what sounded like his boss’s voice on the phone but was later suspected to be thieves armed with deepfake software.

“The software was able to imitate the voice, and not only the voice: the tonality, the punctuation, the German accent,” said a spokesperson for Euler Hermes SA, the unnamed energy company’s insurer. Security firm Symantec said it is aware of several similar cases of CEO voice spoofing, which cost the victims millions of dollars.

A plausible – but still hypothetical – scenario involves manipulating video of executives to embarrass them or misrepresent market-moving news.

Insurance coverage still a question

Cyber insurance or crime insurance might provide some coverage for damage due to deepfakes, but it depends on whether and how those policies are triggered, according to Insurance Business.  While cyber insurance policies might include coverage for financial loss from reputational harm due to a breach, most policies require network penetration or a cyberattack before it will pay a claim. Such a breach isn’t typically present in a deepfake.

The theft of funds by using deepfakes to impersonate a company executive (what happened to the U.K. energy company) would likely be covered by a crime insurance policy.

Little legal recourse

Victims of deepfakes currently have little legal recourse. Kevin Carroll, security expert and Partner in Wiggin and Dana, a Washington D.C. law firm, said in an email: “The key to quickly proving that an image or especially an audio or video clip is a deepfake is having access to supercomputer time. So, you could try to legally prohibit deepfakes, but it would be very hard for an ordinary private litigant (as opposed to the U.S. government) to promptly pursue a successful court action against the maker of a deepfake, unless they could afford to rent that kind of computer horsepower and obtain expert witness testimony.”

An exception might be wealthy celebrities, Carroll said, but they could use existing defamation and intellectual property laws to combat, for example, deepfake pornography that uses their images commercially without the subject’s authorization.

A law banning deepfakes outright would run into First Amendment issues, Carroll said, because not all of them are created for nefarious purposes. Political parodies created by using deepfakes, for example, are First Amendment-protected speech.

It will be hard for private companies to protect themselves from the most sophisticated deepfakes, Carroll said, because “the really good ones will likely be generated by adversary state actors, who are difficult (although not impossible) to sue and recover from.”

Existing defamation and intellectual property laws are probably the best remedies, Carroll said.

Potential for insurance fraud

Insurers need to become better prepared to prevent and mitigate fraud that deepfakes are capable of aiding, as the industry relies heavily on customers submitting photos and video in self-service claims. Only 39 percent of insurers said they are either taking or planning steps to mitigate the risk of deepfakes, according to a survey by Attestiv.

Business owners and risk managers are advised to read and understand their policies and meet with their insurer, agent or broker to review the terms of their coverage.

Cyber Insurance’s “Perfect Storm”

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.

Increasing cybercrime incidents resulting in large losses – combined with some carriers retreating from writing the coverage – is driving cyber insurance premiums sharply higher.

Once a diversifying secondary line and another endorsement on a policy, cyber has become a primary component of any corporation’s risk-management and insurance-buying decisions. As a result, insurers need to review their appetite for the peril, risk controls, modeling, stress testing and pricing.

According to A.M. Best, the prospects for the cyber insurance market are “grim” for several reasons:

  • Rapid growth in exposure without adequate risk controls,
  • Growing sophistication of cyber criminals, and
  • The cascading effects of cyber risks and a lack of geographic or commercial boundaries.

While the industry is well capitalized, A.M. Best says individual insurers who venture into cyber without thoroughly understanding the market can put themselves in a vulnerable position.

“The cyber insurance industry is experiencing a perfect storm between widespread technology risk, increased regulations, increased criminal activity, and carriers pulling back coverage,” according to Joshua Motta, co-founder and CEO of Coalition, a San Francisco-based cyber insurance and security company. “We’ve seen many carriers sublimit ransomware coverage, add coinsurance, or add exclusions.”

Worsening since the pandemic

A recent Willis Towers Watson study found primary and excess cyber renewals averaging premium increases “well into the double digits.” One factor helping to drive these increases, Willis writes, is the sudden shift toward remote work on potentially less-secure networks and hardware during the pandemic, which has made organizations more vulnerable to phishing and hacking.

The average cost of a data breach rose year over year in 2021 from $3.86 million to $4.24 million, according to a recent report by IBM and the Ponemon Institute — the highest in the 17 years that this report has been published. Costs were highest in the United States, where the average cost of a data breach was $9.05 million, up from $8.64 million in 2020, driven by a complex regulatory landscape that can vary from state to state, especially for breach notification.

The top five industries for average total cost were:

  • Health care
  • Financial
  • Pharmaceuticals
  • Technology
  • Energy

For the health care sector, the average total cost rose 29.5 percent, from $7.13 million in 2020 to $9.23 million in 2021.

Since the start of the year, cyber insurance rates have increased 7 percent for small businesses, according to AdvisorSmith Solutions. For midsize and large businesses, AdvisorSmith said,  those increases were closer to 20 percent.

Insurers’ reactions

AIG last month said it is tightening terms of its cyber insurance, noting that its own premium prices are up nearly 40 percent globally, with the largest increase in North America.

“We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware and the systemic nature of cyber risk generally,” CEO Peter Zaffino said on a conference call with analysts.

In May, AXA said it would stop writing cyber policies in France that reimburse customers for extortion payments made to ransomware criminals. In a ransomware attack, hackers use software to block access to the victim’s own data and demand payment to regain access.

The FBI warns against paying ransoms, but studies have shown that business leaders today pay a lot in the hope of getting their data back.  An IBM survey of 600 U.S. business leaders found that 70 percent had paid a ransom to regain access to their business files. Of the companies responding, nearly half have paid more than $10,000, and 20 percent paid more than $40,000. 

Two advisories last year from U.S. Treasury agencies –  the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) – indicated that companies paying ransom or facilitating such payments could be subject to federal penalties. These notices underscore businesses’ need to consult with knowledgeable, reputable professionals long before an attack occurs and before making any payments. 

More like terror than flood

Cyber risk is unlike flood and fire, for which insurers have decades of data to help them accurately measure and price policies. Cyber threats are comparatively new and constantly evolving. The presence of malicious intent results in their having more in common with terrorism than with natural catastrophes.

Insurers and policyholders need to be partners in mitigating these risks through continuously improving data hygiene, sharing of intelligence, and clarity as to coverage and its limits.