Marsh Q4/2021 Update: Cyber Insurance Prices double Y/Y, Higher Ransomware Demands, Strong emphasis on Security Controls by Carriers

Marsh has recently released its Q4/2021 Report. In the third quarter of 2021, the cost of cyber insurance in the United States rose by an average of 96 percent year-over-year as firms and insurers faced a daily onslaught of cyberattacks. Prices for cyber insurance soared by 40% in Q3 of 2021, the highest single-quarter rate increase since 2015.

Figure 1: Increase in US Cyber Insurance rates 

The rise in rates is in line with what we have seen from other market players and is mainly due to the usual suspects: high losses, especially from ransomware, systematic risk concerns, and a lack of reinsurance and/or other available capital.

The report also provides great insights into the still increasing ransomware demands and payments by insurers. In 2021, ransom demands and payments increased greatly, with the average ransom demanded exceeding $10 Million for the first time (see Figure 3 and 4). Year over year, the median demanded ransom increased by roughly 40% in the first three quarters of 2021.

Figure 2: Increase in Ransom demands and payments 

The present market volatility is leading companies to deploy a range of measures, including adjustments to retentions and limits, to address concerns about price, available limits, and the terms and conditions of the policies (see Figs 3 and 4). Several insurers are lowering their policy limits, in part because of increasing rates, but also because they have little stomach for risk in areas where specific security measures and corporate governance appear to be absent or inadequate. This “stomach pain” is caused by new or enhanced cyber exposure (e.g. through Silent Cyber), or by a better awareness of the extent of the existing risk. While this may not be the case for all clients in terms of capacity, most are assuming more significant retentions to control expenses or maintain insurance market support.

Figure 3: Increase in Cyber Insurance Rates

Figure 4: Increase in US Cyber Retentions

In-Depth Defense

Attrition losses have shed some light on the connection between specific cyber security controls and associated cyber incidents. An understanding of the technical and organizational measures firms should take to achieve cyber resiliency has been gained through root cause analysis and the ongoing evaluation of essential data points by the underwriting community, brokers, and other stakeholders. Insurers are increasingly demanding that enterprises implement security controls that can quantify their exposure to cyber risk to be eligible for coverage. Organizations are paying more attention to these controls than ever before because of the threat to their insurability.

Figure 5: Top cybersecurity controls

Five elements have been found to have the greatest effect on lowering cyber risk exposure (see Figure 5).

As identified by the report, the following five controls have been found to be the most critical:

  1. Multi-Factor Authentication (MFA)
  2. Endpoint detection and response (EDR)
  3. Secured, encrypted and tested backups
  4. Privileged Access Management (PAM)
  5. Email filtering and web security 

Adopting and properly implementing these security controls is, of course, not a guarantee, but they can add a layer of protection to help prevent or minimize common threats. Even without their positive influence on cyber losses, these controls will see rapid adoption in the future, even if it is just as a necessity to obtain cyber insurance.


Daniel Kasper

Daniel Kasper is the principal of Cyber Economics.