Skip to main content

Marsh India Newsletter | February Edition

Cyber Insurance: Pricing, Claims Trends and Insights

In this release, we discuss the current pivotal trends in Cyber Insurance claims, and the market pricing highlights seen by clients of Marsh India in 2023.

The rapid digitisation of business processes has led to organisations across all industries finding themselves at a critical conflux of cyber expansion versus cyber risks. Our clients across industries experienced perturbing cyber-related incidents which left them exposed to prolonged consequences in 2023.

Organisations in the IT/Technology industries witnessed bulk of cyber-related incidents making up for more than half of all the cyber claims witnessed in the past year as evident from Figure 1.

During the first quarter of 2023, in India the average weekly attacks rose by 18% in comparison to the corresponding period in 2022[1]. Revolution in cyber technologies have seen parallel innovations in cyber-related incidents making it more crucial than ever for organisations to take a hard look at their digital ecosystems and remodel their cyber capabilities to reduce impact from fatalistic cyber-related incidents. This has translated into organisations becoming better at dealing with the aftermath of cyber-related incidents due to which 97% of organisations hit by a ransomware attack were able to decrypt some of the encrypted data[2].

In this release, we discuss the current pivotal trends in Cyber Insurance claims, and the market pricing highlights seen by clients of Marsh India in 2023[3].


 Reference:

[1] Check Point Software- Cyber Security Report-2023, https://shorturl.at/dhoD3

[2] Sophos The State of Ransomware 2023 Report, https://www.sophos.com/en-us/content/state-of-ransomware

[3] We have taken into account Marsh India Cyber Claims data from January 2022- March 2023

Cyber Insurance Coverage

According to Marsh and Microsoft’s ‘The State of Cyber Resilience Report 2022’[4], over 75% of organisations worldwide have experienced a cyber-related incident in 2022. A comprehensive cyber insurance policy can provide companies balance sheet protection for first-party costs such as legal expenses, forensic costs, data and hardware restoration and repair related costs, reputational harm expenses, and financial losses resulting from business interruption as well as third- party costs such as regulatory fines and penalties (subject to policy conditions and exclusions).

Cyber Insurance Claims Trends

As per a Marsh Global Report[5], Ransomware demands continued to remain the top reason for cyber-related incidents [Figure 2].

Marsh India’s clients too witnessed complex ransomware attacks in 2022-23 as captured in Figure 3.

Incident Costs

In India, our clients incurred incident costs ranging between USD 70,000 to USD 5 million with an average cost of around USD 2.5 million. Majority of these costs were incurred in engaging forensic experts, breach counsels, public relations agencies, credit monitoring agencies etc., to mitigate the cyber-related incidents.

In 2022-23, Marsh India has also seen its clients suffering steep business interruption losses with the largest being USD 3 million. The costs incurred varied depending on the seriousness of the incident, the size of the company, the criticality of the data involved, jurisdiction of the cyber-attack, regulatory requirements etc.

Ransomware & Data Restoration

Apart from the ransomware incident costs, a company may incur costs to recover or restore the encrypted data. Ransom payments are just one element of overall costs when dealing with ransomware events. Organisations reported an estimated mean cost to recover from ransomware attacks of USD 1.82 million[6]. These expenses may vary and depend on factors like client’s readiness and availability of backups to restore data, whether company paid ransom and got the data back, or use of other means to get data back. Backups were the most common approach used by companies who suffered a ransomware attack in 2022, to recover their data. Figure 4 shows that over 73% of the total affected organisations used their backups to restore data elucidating the need for more robust cyber systems in organisations.


 

Reference:

[6] Sophos The State of Ransomware 2023 Report, https://www.sophos.com/en-us/content/state-of-ransomware

7. Other means would include for example manual replication or recreation of the lost data

8. Sophos The State of Ransomware 2023 Report

Cyber Insurance Pricing Trends for Communication, Media and Technology (CMT) Companies

The cyber insurance landscape is experiencing a paradigm shift characterised by market hardening, diminishing capacity and escalating premiums. The stabilisation of rates reflects a consensus that necessary corrections have positively impacted insurer profitability. Notably, a portion of Marsh India clients have opted to expand their coverage limits, while a smaller percentage have reduced 

Self-Insured Retentions. However, aggressive growth targets and a return to discussions about broadening coverages indicate a flow of capacity into the insurance market.

Driven by a surge in cyberattacks, particularly ransomware and supply chain attacks, the landscape is marked by increased claims payouts, prompting insurers to tighten underwriting standards. Reinsurance costs have surged due to the rising frequency and severity of cyber claims, leading to higher premiums for policyholders. Regulatory scrutiny is intensifying, making insurers more cautious in underwriting practices, further reducing capacity and pushing up prices. Market hardening manifests as insurers become more selective and demand stricter cybersecurity controls, potentially making cyber insurance inaccessible or prohibitively expensive for businesses with weaker cybersecurity postures. Diminishing capacity is evident as insurers exit the market or reduce coverage amounts, posing challenges for businesses, especially those with larger risks. Additional trends include a heightened focus on risk mitigation, leveraging cybersecurity as a competitive advantage, and exploring alternative risk transfer mechanisms. In this evolving landscape, businesses need proactive strategies to manage their cyber risk effectively.

Conclusion

As companies evolve, so do the cyber-related incidents. Organisations need to conduct a thorough risk assessment of their processes, identify the potential impact of these risks and implement adequate risk mitigation tools to safeguard their systems.

An influx of large and complex claims, and increasing costs incurred in a cyber-related incident, have further complicated the claim-related discussions with the insurers. Introduction of the new privacy laws such as The Digital Personal Data Protection Act, 2023 which will be enforced in due course contains provisions relating to data governance, processing of digital data and holding companies accountable for data related incidents, does indicate further tightening of the underwriting standards.

The discussions with underwriters continue and we wait to see how the dynamics change for the Indian Cyber market. Marsh has an unparalleled team with cyber expertise which has handled claims across industries and continues to render subject matter expertise and solutions to its clients.


Reference:

9. The outcomes and observations are basis the calculation of the primary and excess Rate On-Line (ROL) which is the premium charged for a policy limit of USD 1 million. For our observations, we filtered these by revenue sizes categorised as large (>USD 1bn), mid-size (USD 200mn to USD 1bn) and small (<USD 200mn) and the number of claims per policy, client or revenue segment. The data used to arrive at these outcomes and observations are our internal data collected from clients across India * expressed as USD per USD 1 million

10. The outcomes and observations are basis the calculation of the primary and excess Rate On-Line (ROL) which is the premium charged for a policy limit of USD 1 million.  For our observations, we filtered these by revenue sizes categorised as large (>USD 1bn), mid-size (USD 200mn to USD 1bn) and small (<USD 200mn) and the number of claims per policy, client or revenue segment. The data used to arrive at these outcomes and observations are our internal data collected from clients across India 

11. The outcomes and observations are basis the calculation of the primary and excess Rate On-Line (ROL) which is the premium charged for a policy limit of USD 1 million.  For our observations, we filtered these by revenue sizes categorised as large (>USD 1bn), mid-size (USD 200mn to USD 1bn) and small (<USD 200mn) and the number of claims per policy, client or revenue segment. The data used to arrive at these outcomes and observations are our internal data collected from clients across India