Businesses can expect cyber insurance to become more costly as insurers respond to “unsustainable losses” and regulators seek to hold companies accountable for breaches, according to Axa XL.

Insurers have already taken a number of actions to reduce their underwriting exposure, Product Leader Cyber Risk APAC Max Broodryk says.

These actions include cutting policy limits, increasing retentions, restricting offerings to specific clients or industry segments. A few insurers have decided to quit the market entirely after several large losses globally last year and this year.

“Many companies should prepare for the likelihood that their expenses for managing and mitigating cyber risk will go up,” Mr Broodryk said.

“Hence, it is essential for the collective community of clients, brokers, insurers and cyber-security experts to continue sharing expertise, best practices and lessons learned.

“Only by working together, increasing security, and reducing or eliminating the proceeds of crime (like ransom payments), it is possible – not assured, but possible – we will get to the point where cyber-crime becomes yesterday’s problem.”

Even as demand for cyber protection increases, insuring against the risk presents multiple challenges for insurers and underwriters.

Digital adversaries are continually creating new tools and methods, seeking to exploit any IT weaknesses for financial gains. The risk of being caught is fairly low, which makes it attractive to criminal gangs, some nation-states and opportunistic amateurs.

“The unpleasant fact is that cyber-crime today is profitable,” Mr Broodryk said. “It doesn't require much upfront capital. Payoffs from five to over eight-figures are not uncommon.”

While increased enforcement from regulators should benefit companies by pushing them to take cyber security more seriously, these actions could further compound the difficulties insurers face in determining a fair and sustainable rate for cyber insurance.

“In particular, as regulators take a more proactive role in holding companies accountable for their cyber-security systems and procedures, that could impact the ‘tail’ on cyber policies because penalties and third-party claims for compensation are usually levied long after these events occur,” Mr Broodryk said.