Tokio Marine’s Ingerslev: 2022 lull in cyber threat activity was “anomaly”

Tokio Marine HCC’s Jacob Ingerslev said that the cyber market is going through a natural swing between hard and soft market conditions and called the lull in threat activity in 2022 an “anomaly”, predicting that conditions will become firmer.

The senior cyber executive spoke to The Insurer TV on the sidelines of NetDiligence’s Cyber Risk Summit in Miami Beach, Florida this week, against a backdrop of stabilisation in cyber price increases after years of hikes, and the beginning of loosening in limit deployment.

However, after a drop-off in threat activity in 2022 – which has been attributed to dynamics tied to the Russia-Ukraine conflict – cybercriminal behavior surged in 2023 to a level that many are saying is now at its highest in history.

“With a softening market, you're going to see price deterioration, less questions asked [by underwriters], higher capacity,” said Ingerslev, describing the softer cyber market conditions that set in throughout 2023.

“Those are all the traits of a softening market, and that's what we experienced in 2023. But there's still discipline in some areas and pockets,” he argued, while distinguishing between stabilisation in primary SME conditions and softening in excess conditions.

“So that's good. And I would call primary SME more ‘stabilisation’ last year than ‘softening’. But excess cyber certainly softened.”

Ingerslev contrasted cyber market growth in 2022, which he estimated was somewhere north of 50 percent, to conditions in 2023, where he said the market likely grew “somewhere in the single digits”.

“Ransomware, of course, has been around in a big way for four or five years. It seemed like it returned to normal [in 2023], if we can say that. 2022 was really the anomaly, [where] 2023 seems to look more like 2020 and 2021, or even worse in fact, if you look at ransom payments,” the executive highlighted.

Ingerslev flagged an industry statistic showing that ransomware payments topped $1.1bn in 2023, which would be an all-time high, while the volume of data breaches last year set records and the number of victims counted on leak sites was up “somewhere between 50 to 70 percent”.

“So all indications are that ransomware is up in a big way,” he noted.

“I think as what's typically the case with market cycle changes, you're going to see pockets of individual industry sectors that might have been hit disproportionately, or also certain insureds within certain revenue bands being targeted especially,” he added.

Ingerslev highlighted specifically the significant softening in the excess market, which he noted is typically the part of a program that has the least barriers to entry.

“You really just need one underwriter and an excess policy form, so that's what we've seen, [where] excess deteriorated a lot more in 2023 than primary.”

In contrast, carriers operating in the SME market have faced more limited headwinds brought upon by increased competitions.

“If you have a solid portfolio of SME business, a high policy count volume – that's difficult to get at; you need a lot of infrastructure to handle that business. So it'll take some time before things start deteriorating in that market segment,” he explained.

“But excess, certainly in the upper-middle market, there’s a good amount of change there,” he added.

Ingerslev also said the industry has observed “a big increase” in the number of threat actors, saying the scope of cybercriminal groups grew “pretty substantially” in 2023.

“That probably drove some of the increase in activity,” he pointed out, while also observing that with the maturation of the cybercriminal industry, threat actors are getting “better at their trade”.

“They use automation, they're able to do attacks in a scalable way. So we saw that with MOVEit and GoAnywhere MFT with hundreds or thousands of companies impacted by one attack or one exploit and I think the speed at which threat actors are able to get to software vulnerabilities for launching ransomware attacks… that's increased as well,” he said.

“So I think all of that contributed to this increase in ransomware activity last year,” Ingerslev explained.

Watch the full interview with The Insurer TV and Tokio Marine HCC’s Jacob Ingerslev to hear more on:

  • The growing deployment and sophistication of the cyber security and cyber insurance industry’s use of managed detection and response to thwart cyber attacks and mitigate the potential for breaches;
  • The increased level of education taking place among insureds, brokers, and carriers as cyber insurance continues to push its way into the mainstream;
  • How threat actors are in some cases growing increasingly desperate, unpredictable, and revealing an erosion of ethics in cybercriminality;
  • How breach victims are becoming more advanced in their breach response;
  • The growing tail of certain types of cyber claims;
  • And more…