Ransomware re-emerges as hackers ‘make up for lost time’: Zywave Cyber Risk 2023

Background

The re-emergence of ransomware as a major cyber threat, with actors displaying increasingly aggressive tactics, was a key theme at the Zywave Cyber Risk Insights Conference in London.

Source: Abbie Wood | Insurance Insider

At last week’s event, which attracted around 500 delegates, panellists discussed a recent steep resurgence of ransomware attacks, which came after a notable lull in the months immediately following Russia’s invasion of Ukraine in 2022.

In one session, Daniel Tobok, CEO of cyber security, ransomware, and digital forensics company Cypfer, said a significant slowdown of ransomware incidents in Q1 and Q2 2022 was “directly correlated to the conflict in Ukraine”.

He explained: “What we are seeing as of Q1 [2023] is a complete escalation of ransomware cases. They are making up for lost time, and there is a change in their behaviour, as they had a year to reconstruct and revaluate their operations.”

Tobok said these actors have also been harnessing their ability to bypass ransomware prevention measures and have “become more dynamic”, honing new tactics to perpetuate their crimes.

The attack methods have gotten “very, very aggressive”, according to Carolyn Purwin Ryan, partner at Mullen Coughlin, a law firm specialising in cyber security and data privacy. She highlighted a recent case in which an attacker identified and threatened the life of the targeted business owner’s granddaughter in the event of non-payment.

Tobok added that “the physical edge that is being brought to cyber attacks has never really been seen before.”

The resurfacing of ransomware incidents was among the major themes at Zywave’s conference, along with the ongoing effects of the Lloyd’s cyber war exclusions, pricing dynamics, and a rise of third-party claims in the US.

Risk Insight

Previously, a succession of frequent ransomware claims had been a key driver of hard market conditions in cyber, but a subsequent decrease has recently given way to a spike.

According to the NCC Group, January and February 2023 saw the highest number of ransomware hack and leak cases in the past three years. In March, ransomware victim numbers were the highest of any month during that period.

There was a 91% increase from February to March 2023, from 240 attacks to 459. This was also a 62% increase year-on-year from March 2022.

Canopius cyber claims manager Luke Johnson also warned that ransomware amounts are becoming much larger.

For victims of ransomware demands, this issue relates partly to the soaring value of Bitcoin. Johnson pointed out that 10 years ago, one Bitcoin equated to $1,000. With Bitcoin now trading in the range of 27 times that value, a ransomware demand made in the cryptocurrency carries a much higher payout.

Cyber war exclusions

While the re-emergence of ransomware was a prominent subject, cyber war exclusions from standard policies in the Lloyd’s market were also explored at the conference.

The policy – which took effect last month and has caused significant frustration across the market – mandates that Lloyd’s carriers insert clauses excluding losses arising from state-backed cyber attacks where policies don’t already have a separate war exclusion.

During a session, Patrick Davison, underwriting director at the Lloyd’s Market Association (LMA), conceded that the roll-out of the exclusions policy could have been run differently.

“We have published model clauses designed to stimulate debate, shall we say, and we’ve certainly achieved that. What we probably didn’t do very well, and with hindsight could have done better, is engage a bit more broadly around the principles of what we were doing,” he said.

Davison acknowledged that if conversations around principles and intent had been held earlier, it is possible that such discussions would have been less emotional and more constructive. He added that earlier involvement of brokers and stakeholders would also have been useful. He cited all these issues as “a lesson that we have learned and are looking to amend in the future”.

The debate over the policy and its wider consequences for cyber capacity in the Lloyd’s market has persisted, though it has become more nuanced. Munich Re board member Stefan Golling praised Lloyd’s for showing leadership over systemic cyber risk exposures.

CFC head of cyber strategy James Burns also wrote in a blog post that the exclusions have been “consistently misrepresented”. He argued it’s in the interests of brokers and their customers that “cyber war is specifically – and narrowly – defined so that coverage is crystal clear”.

Lloyd’s has also sought at times to explain its reasoning. While discussing Lloyd’s annual results last month, CEO John Neal said it was “self-evident” that underwriters should not “simply give cyber war cover carte blanche”, adding: “We cannot leave ourselves in a similar situation where, for example, with business interruption claims, we’re debating cover at the point of loss.”

There has been at least one sign so far which arguably suggests that the exclusions could be the mother of invention. This publication has previously revealed that Beazley was developing a standalone cyber war product in direct response to the Lloyd’s mandate.

Pricing and capital concerns

Capacity and pricing were also explored at the event. During a keynote in which he praised the cyber market for its product innovations, Howden Group CEO David Howden highlighted a more general challenge relating to reinsurance capacity.

Cyber insurance is heavily reinsured, with about 50% of all cyber risk being passed to reinsurers, according to Howden. He said: “In 2023, there is a shortage of global reinsurance capacity, and of course that’s in a number of areas. If it remains like that, it’s going to be very difficult for us to get the reinsurance capacity we need to remain relevant to our clients across all classes, particularly in cyber.”

As Insurance Insider recently reported, signs of capacity growth in this business line are emerging through WTW’s excess cyber facility, Brit’s plans to grow premiums written through its renewed cyber facility, and various new entrants.

Despite these signs, and the possibility that the cyber market is already peering over a pricing precipice following a correction, one panellist at Zywave’s event rejected that view, saying it will be difficult for the cyber market to become “over-capitalized”.

During one panel, global head of cyber for Gallagher Re Ian Newman told the audience that cyber is different from other classes. In many other markets, over-capitalisation would cause a long-term softening until a loss happened again. Cyber, he argued, has a unique dynamic, in that it’s going to be very difficult to over-capitalise as a class of business for an extended period.

He explained that because penetration rates are so low, demand will increase based on the cyber market increasing supply by innovating with new products and increasing distribution.

On pricing trends to date, Newman said: “We can look at the last couple of years and ask, ‘Why did pricing go up so much?’ Well, it was of course initially in response to the losses we all saw, but what really drove the pricing to the next level wasn’t the losses and the reaction. Far more of it was the restriction on capacity we saw. That was from retro to reinsurance all the way down.”

Biometric data dilemma

Among a multitude of topics covered at the event, one session involved a brief discussion on the regulation of biometric data management in the US. This comes in the context of legal verdicts across the Atlantic which could have huge implications for cyber insurers.

Cyber leaders at various carriers previously explained to this publication that landmark rulings relating to biometric data collection and use in the US could trigger class-action lawsuits that leave cyber coverage in effect uninsurable.

At the conference, Sandra Cole, focus group leader for London and international cyber at Beazley, highlighted that laws on biometric data and privacy are generally “unfit for purpose” and need to evolve.