Case Study 1 — The Cyber Insurance Reckoning: How Ransomware Hardened a Whole Line (2020–2021)
A real, public, industry-wide event, told with public facts only. Where exact figures vary by source, this study keeps them qualitative — the pattern is what matters, and the pattern is well documented.
Background
For most of its first two decades, cyber insurance was a quiet, profitable, fast-growing afterthought. The early product was built around data-breach privacy — the fear, after a string of high-profile retailer and health-system breaches, that a company would lose its customers' personal records and face notification costs and class actions. Carriers wrote it loosely: applications were short, prices were soft, limits were generous, and underwriting attention was thin, because the losses were modest and the line was growing beautifully. Cyber looked like one of the great new opportunities in commercial insurance, and capacity poured in to chase it.
Then the threat changed shape. Over the late 2010s and into 2020 and 2021, ransomware industrialized. Criminal groups — some operating like franchised businesses, some tolerated or sponsored by hostile states — shifted from stealing data to encrypting it, locking victims out of their own systems and demanding payment to restore access. The economics were brutal for insureds: a company hit with ransomware did not merely risk a privacy lawsuit someday; it could be unable to operate tomorrow. Hospitals diverted patients. Manufacturers halted production lines. Local governments went dark. And the attackers escalated — adding "double extortion" (steal the data and encrypt it, then threaten to publish it), hunting for and destroying victims' backups first, and demanding ever-larger sums.
For the insurers who had written all that soft cyber business, the bill arrived suddenly and steeply. This was the moment the line discovered, the hard way, the lesson at the center of this chapter: that cyber is a catastrophe peril and a non-stationary peril at the same time, and that it had been priced as if it were neither.
The insurance and underwriting issue
The reckoning exposed several underwriting failures at once, and each maps to a concept from the chapter:
- The loss data had been a poor guide to the future. Carriers priced cyber off historical experience that was dominated by the older, milder privacy losses. When the peril evolved — when ransomware overtook data breach as the dominant loss — the historical base was worse than useless; it was misleading. The non-stationarity the chapter warns about (§24.4) was not a theoretical caveat. It was the whole problem.
- The losses were correlated. A single widely-exploited vulnerability, or a single prolific ransomware group, could generate claims across many insureds at once. Carriers who thought they had a diversified book of independent risks discovered they had bought into a shared, accumulating peril — the cyber analogue of coastal catastrophe accumulation (the lesson Part V drives home for property).
- The controls had been under-underwritten. The early applications barely asked about security posture. Carriers had been insuring soft targets and hard targets at similar prices, when the difference between them — between a company with MFA and tested backups and one with neither — turned out to be the difference between a survivable incident and a catastrophic one.
- Adverse selection was running unchecked. As awareness of ransomware grew, the companies most worried — often the least protected — rushed to buy, while the soft underwriting did nothing to sort them. The pool filled with exactly the risks the chapter's §24.5 trap describes.
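The correlation failure in the second point is easy to state and easy to underestimate. The following added example (not part of the chapter, and using constructed portfolio parameters rather than any carrier's figures) simulates two books with the same expected annual frequency of ransomware loss: one where every insured's loss is independent, and one where a "shared peril year" (a prolific group or a widely exploited vulnerability) hits a large slice of the book at once. The means match; the tail does not, which is what the accumulation lesson is about.

```python
import random
import statistics

# Constructed portfolio parameters for this illustration (not figures from the chapter).
INSUREDS = 500        # policies in the book
YEARS = 1000          # simulated policy years
P_INDEPENDENT = 0.05  # annual loss probability per insured if losses were independent

# Correlated model: in a "shared peril year" many insureds are hit together.
# Expected frequency is held equal to the independent model:
# 0.2 * 0.20 + 0.8 * 0.0125 = 0.05 per insured per year.
P_SHARED_EVENT = 0.2
P_LOSS_IN_EVENT_YEAR = 0.20
P_LOSS_IN_QUIET_YEAR = 0.0125


def simulate_year(p_loss, rng):
    """Count insureds with a loss this year; each loss costs one unit of severity."""
    return sum(1 for _ in range(INSUREDS) if rng.random() < p_loss)


def simulate_independent(seed=1):
    """Annual aggregate losses when every insured is an independent risk."""
    rng = random.Random(seed)
    return [simulate_year(P_INDEPENDENT, rng) for _ in range(YEARS)]


def simulate_correlated(seed=1):
    """Annual aggregate losses when a shared event drives many claims at once."""
    rng = random.Random(seed)
    out = []
    for _ in range(YEARS):
        event_year = rng.random() < P_SHARED_EVENT
        p = P_LOSS_IN_EVENT_YEAR if event_year else P_LOSS_IN_QUIET_YEAR
        out.append(simulate_year(p, rng))
    return out


def percentile(values, q):
    """Simple empirical percentile (q in [0, 1])."""
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


def compare(seed=1):
    """Mean and 99th-percentile annual loss for both books."""
    ind = simulate_independent(seed)
    cor = simulate_correlated(seed)
    return {
        "independent_mean": statistics.mean(ind),
        "correlated_mean": statistics.mean(cor),
        "independent_p99": percentile(ind, 0.99),
        "correlated_p99": percentile(cor, 0.99),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.1f}")
```

A premium set from the mean alone would look adequate for both books; only the correlated book needs the capital and reinsurance to survive its 1-in-100 year, which is the sense in which a "diversified" cyber portfolio had quietly become a catastrophe exposure.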
What it shows
The market's response, over roughly 2020 and 2021, is a textbook demonstration of a line hardening and of underwriting discipline reasserting itself under loss pressure. Several things happened more or less at once:
- Prices rose sharply and capacity tightened. Renewals came back with large rate increases, reduced limits, and higher retentions. Some carriers pulled back from the line or from the hardest segments altogether. This is the underwriting cycle (Chapter 3) compressed into a single peril and a short window: soft market, losses arrive, hard market.
- Underwriting became controls-first. The short application was replaced by detailed ransomware supplemental questionnaires probing exactly the controls in this chapter's checklist (§24.5). MFA on email and remote access became, for many carriers, close to a hard requirement — no MFA, no quote. Tested offline/immutable backups, endpoint detection and response, patch management, and incident-response planning moved from nice-to-have to price-of-admission.
- Structure tightened. Carriers introduced and lowered sublimits on ransomware and extortion, imposed coinsurance on ransom payments (so the insured shared the cost and the incentive to restore rather than pay), and scrutinized business-interruption waiting periods.
- Verification entered the workflow. Outside-in security scanning and follow-up technical underwriting spread, precisely because self-attested controls could no longer be taken on faith — the §24.5 discipline of treating the application as claims to verify.
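To make the controls-first workflow concrete, here is an added example (not code from the chapter or from any carrier) of the decision logic described in the four points above: the supplemental questionnaire is a set of claims, the outside-in scan is evidence checked against them, and the structure offered (sublimit, coinsurance, or no quote) follows from the controls actually present. The control names, scan fields, and the percentages used for sublimits and coinsurance are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed questionnaire field names; thresholds below are illustrative, not any carrier's rules.
REQUIRED_CONTROLS = ("mfa_email", "mfa_remote_access")
EXPECTED_CONTROLS = ("backups_offline_tested", "edr", "patch_management", "ir_plan")


@dataclass
class Decision:
    action: str                   # "decline", "refer" (to technical underwriting), or "quote"
    ransomware_sublimit_pct: int  # ransomware/extortion sublimit as % of the policy limit
    ransom_coinsurance_pct: int   # insured's share of any ransom payment
    reasons: list


def find_discrepancies(attested, scan):
    """Points where the outside-in scan contradicts a self-attested control."""
    issues = []
    if attested.get("mfa_remote_access") and scan.get("exposed_remote_access_ports"):
        issues.append(
            "attests MFA on remote access but scan shows remote-access ports open "
            f"to the internet: {scan['exposed_remote_access_ports']}"
        )
    if attested.get("patch_management") and scan.get("unpatched_public_services", 0) > 0:
        issues.append(
            "attests patch management but scan finds "
            f"{scan['unpatched_public_services']} public service(s) on unpatched versions"
        )
    return issues


def underwrite(attested, scan):
    """Controls-first decision: no MFA, no quote; verify attestations before trusting
    them; shape sublimit and coinsurance around the controls that are actually missing."""
    missing_required = [c for c in REQUIRED_CONTROLS if not attested.get(c)]
    if missing_required:
        return Decision("decline", 0, 0,
                        [f"required control missing: {c}" for c in missing_required])

    reasons = []
    sublimit = 100
    coinsurance = 0
    if not attested.get("backups_offline_tested"):
        sublimit = min(sublimit, 25)  # assumed: untested backups -> small extortion sublimit
        coinsurance = 50              # assumed: insured shares the ransom cost
        reasons.append("no tested offline/immutable backups")
    if not attested.get("edr"):
        sublimit = min(sublimit, 50)  # assumed: no EDR -> halved sublimit
        reasons.append("no endpoint detection and response")
    for c in ("patch_management", "ir_plan"):
        if not attested.get(c):
            reasons.append(f"missing: {c}")

    discrepancies = find_discrepancies(attested, scan)
    if discrepancies:
        # The application is a set of claims; a contradiction goes to a human, not to a quote.
        return Decision("refer", sublimit, coinsurance, reasons + discrepancies)
    return Decision("quote", sublimit, coinsurance, reasons)


# Constructed sample submissions and scan results (not real applicants).
SOFT_TARGET = {"mfa_email": False, "mfa_remote_access": False, "edr": False}
HARDENED = {c: True for c in REQUIRED_CONTROLS + EXPECTED_CONTROLS}
MIXED = {"mfa_email": True, "mfa_remote_access": True, "backups_offline_tested": False,
         "edr": True, "patch_management": True, "ir_plan": True}
CLEAN_SCAN = {"exposed_remote_access_ports": [], "unpatched_public_services": 0}
SUSPECT_SCAN = {"exposed_remote_access_ports": [3389], "unpatched_public_services": 2}

if __name__ == "__main__":
    for name, app, scan in (("soft target", SOFT_TARGET, CLEAN_SCAN),
                            ("hardened", HARDENED, CLEAN_SCAN),
                            ("mixed", MIXED, SUSPECT_SCAN)):
        print(name, underwrite(app, scan))
```

The three sample submissions trace the three outcomes the hard market produced: the soft target gets no quote, the fully controlled applicant gets full structure, and the applicant whose attestations disagree with the scan is referred for technical underwriting rather than priced on its own word.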
Outcome
The hardening was severe enough to be felt across the economy: buyers faced higher prices, tougher terms, and in some cases difficulty obtaining coverage at all without first improving their controls. But it also did something underwriting is supposed to do — it changed behavior. To qualify for coverage at a tolerable price, huge numbers of organizations implemented MFA, fixed their backups, and bought endpoint protection they had been deferring. Insurers, in effect, became a force pushing the whole economy toward better security hygiene, because they made the controls a condition of the coverage. Over the following period the line stabilized as the new discipline took hold; rates moderated from their peak as controls improved and underwriting matured. The peril did not go away — it continues to evolve, which is exactly the point — but the line emerged underwritten as what it is: a controls-driven, catastrophe-exposed, continuously-changing risk.
Lesson
The cyber reckoning is the clearest modern illustration of three of this book's themes at once. Pricing follows risk — and when a peril is non-stationary, last year's data is not a safe basis for this year's price; the discipline is to underwrite the current exposure and the controls, not the rear-view mirror. Adverse selection is the enemy — soft underwriting let the pool fill with soft targets, and only a controls-first discipline could sort them. And the combined ratio tells the truth — the line looked wonderfully profitable right up until the losses it had been quietly accumulating arrived all at once. For the working underwriter, the operational takeaway is the §24.5 model: when a peril is preventable by knowable controls, you underwrite the controls, you verify them, and you write the soft target small, narrow, or not at all. That is exactly the discipline you will apply to Harbor Steel's modest cyber add-on and, far more demandingly, to the Tindall Stores post-breach submission.
Discussion questions
- The chapter argues cyber violates all three of the law of large numbers' requirements (independent, similar, stable). Walk through how the 2020–2021 ransomware surge demonstrated each of the three failures in turn.
- Insurers made MFA and tested backups effectively conditions of coverage. In what sense did the insurance market act as a security regulator for the wider economy? Is that an appropriate role for underwriting to play, and what are its limits?
- A carrier that had grown rapidly in cyber before 2020 was, on paper, a great success story. Using the combined ratio and the underwriting cycle (Chapter 3), explain why rapid premium growth in a softly-underwritten line is a warning sign, not a triumph.
- Compare the cyber hardening to a property-catastrophe hard market after a major hurricane (Part V). What is genuinely similar about the two events, and what is fundamentally different about a peril that adapts to your defenses versus one (the weather) that does not?
- After the reckoning, a post-breach applicant arrives with a detailed remediation story: MFA everywhere, rebuilt clean, independent assessment, tested backups. Argue both sides — why this insured might now be a better risk than a never-breached competitor, and why you would still underwrite it carefully.