Cyber Insurers Raise Rates Amid a Surge in Costly Hacks


Insurers significantly increased premiums for cyber coverage over the course of 2021, as a string of high-profile attacks and government action helped boost demand for products, data collected by industry bodies shows.

Direct-written premiums collected by the largest U.S. insurance carriers in 2021 swelled by 92% year-over-year, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms.

Analysts say that the increase primarily reflects higher rates, rather than insurers significantly expanding the amount of money they are willing to cover.

“The amount of rate that is being generated in this market is quite astonishing, just in terms of the percentages that are out there,” said Tim Zawacki, principal research analyst at S&P Global Inc.’s Market Intelligence business.

The price bumps helped the U.S. cyber insurance industry pare back its direct loss ratio, or the percentage of its income that it pays out to claimants, to 65.4% in 2021 from a record of 72.5% in 2020. However, that figure is still far above 2019’s direct loss ratio of 47.1%.

The sometimes drastic rate increases reflect a realignment of a relatively new market that is maturing quickly, executives say, indicating that the insurance industry is getting to grips with pricing cyber risk.

“Cyber risk insurance premiums are being right-sized after many years of softer market conditions despite an evolution in cyber underwriting,” said Jack Kudale, chief executive of Pleasanton, Calif.-based insurer Cowbell Cyber Inc.

Part of the reset includes stricter criteria for those applying for coverage, an approach the White House has applauded as it makes a broader push to tighten private-sector security. Many carriers are now requiring potential clients to demonstrate that they practice at least basic cyber hygiene, including measures such as multifactor authentication.

“Now, if you can’t demonstrate certain baseline controls, the vast majority of the marketplace is going to say no,” said Adam Lantrip, senior vice president and leader of the professional and cyber solutions practice at insurance brokerage CAC Specialty.

The market turbulence kicked into high gear after the May 2021 hack of Colonial Pipeline Co., insurance experts say. The incident underscored a surge of costly ransomware attacks that disrupted businesses and spurred a wave of new cyber regulations from Washington.

In addition to bumping prices last year, Mr. Lantrip said, many carriers cut what their policies covered. That translated to companies needing more policies—and to complete more paperwork—to maintain the same dollar amount of coverage.

Mr. Lantrip’s firm now budgets four to six months for its clients to clear all the hurdles needed to renew their plans.

“It’s getting almost to a point where the deals never get put to bed,” Mr. Lantrip said.

As the insurance industry has adapted to the risk of criminal hacking groups in recent months, some carriers have also moved to clarify act-of-war exclusions for conflicts such as Russia’s invasion of Ukraine. Lloyd’s Market Association, a trade group, in November proposed new wording for excluding cyber threats from property and casualty policies.

The precise language of such exclusions—and how they are interpreted in court—could prove costly for insurers or companies as more armed conflicts extend into the digital realm.

While the war in Ukraine has included an array of mostly low-impact cyberattacks by Kremlin-linked hackers, security experts warn that operations by nonstate actors on both sides of the conflict could expand the legal gray area around what is and isn’t covered by insurance.

“It’s not always clear what a war is nowadays,” said Jon Bateman, senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace. “There are varying appetites within the insurance community to how much exposure to state-sponsored cyber risk they’re willing to take on.”

Write to James Rundle at and David Uberti at

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.