Dive Brief:

• Demand for cyber insurance has surged as companies respond to high-profile cyber attacks, increased regulatory scrutiny, mounting reputational risk and the need for protection against vulnerabilities among supply-chain counterparties, according to Moody’s Investors Service. “Cyber insurance has become an important component of companies’ risk management programs.”
• At one large insurance broker, the “take-up rate” — or proportion of eligible organizations buying cyber insurance — rose to 47% in 2020 from 26% in 2016, Moody’s said in a report, quoting data from Marsh McLennan. Cybercrime costs worldwide will likely total $6 trillion this year and annually rise 15% during the next five years, Moody’s said, quoting Cybersecurity Ventures estimates.
• “Ransomware attacks have grown more sophisticated, with attacks becoming more invasive and often disabling networks and exfiltrating sensitive data,” Moody’s said. “Increasingly digitization and remote working arrangements have added to the criminal attack surface.”

Dive Insight:

The Securities and Exchange Commission (SEC) this year has intensified its focus on cyber risk, pursuing several enforcement actions and adding “cybersecurity risk governance” to its rulemaking agenda.

“This is a critical area that we're challenged with, not just around public companies but throughout our economy, throughout our official sector,” SEC Commission Chair Gary Gensler said Tuesday at a webcast hosted by New York University Law School.

SEC staff are drawing up a proposed mandatory rule for cyber risk disclosure, laying out when a company should consider an attack material and subject to disclosure, and how such disclosure should be made, Gensler said.

Damage from a cyberattack can change the price of a company’s debt or equity security, “so it’s relevant to investors,” Gensler said.

Many attacks go unreported, former SEC Commissioner Robert Jackson said during the webcast. “Relatively few companies that have been the subject of successful hacks properly disclose that information to investors.”

In addition to requiring cyber risk disclosures, the SEC is also considering ways to ensure investment management firms pursue “cyber hygiene” and protect confidential information, Gensler said.

The SEC announced in August that eight broker-dealers and/or investment advisors will pay penalties for cybersecurity failures after hackers took over email accounts and gained access to the personal information of thousands of customers.

“Cybersecurity will continue to be a priority area for the SEC,” Skadden, Arps, Slate, Meagher and Flom said in a report, noting that the agency has stressed the importance of timely, complete and accurate descriptions of cyber attacks.

“SEC staff also has warned that companies should not understate the nature and scope of cyber incidents or overstate the company’s cyber protections,” the law firm said. “Issuers and other SEC-regulated entities should continuously monitor their cybersecurity protections and disclosure controls.”

The cyber insurance market is booming. Cyber insurance premiums rose to $2.5 billion last year, a 103% increase compared with 2016, Moody’s said, citing data from U.S. regulators. It estimated that worldwide premiums total around $10 billion.

The number of policies in force rose to more than 3.6 million in 2019, an increased of about 60% since 2016, the Government Accountability Office (GAO) said, citing analysis of data from S&P Market Intelligence and the National Association of Insurance Commissioners.

Still, “several industry associations, regulators, and participants said that many entities, particularly smaller businesses, may underestimate their cyber risks and the cyber coverage needed to mitigate those risks,” GAO said.

The surge in ransomware attacks has eroded insurance company revenues, Moody’s said. “Rate increases began to accelerate in 2021 in response to ransomware trends, with double-digit rating increases across the board for coverage.”

“Losses will likely increase in 2021 for insurers,” Moody’s said.