Stephanie Snyder Frenier, VP Industry Solutions
If cyber insurance were a person, it would have only recently entered its 20s. Currently facing the stark realities of the cyber risk landscape—blighted by ransomware losses and technology supply chain disruption—cyber insurance has only recently started to mature. What’s next for cyber insurance, and how can the coverage remain both valuable to clients and profitable for insurers?
Born around the year 2000, cyber insurance spent many years as a fledgling product, purchased only by companies with data breach concerns, or those on the leading edge of the cyber maturity curve. The 2017 NotPetya attack was a tipping point for the cyber insurance market, as it caused significant business disruption losses for companies that had not purchased cyber insurance. Subsequently, companies with operational technology exposure sought out cyber insurance coverage to address business interruption, no longer relying on “silent” (non-affirmative) coverage for cyber losses under other property and casualty policies.
As ransomware losses began to grow in both frequency and severity during 2019 and 2020, the process for underwriting remained largely unchanged. Up to that time, it consisted of an application and/or an underwriting meeting, with high-level engagement from security leaders. But as ransomware attacks became more prevalent, many carriers began adding new data sources to their underwriting, including using increasing amounts of technology to aggregate external attack surface data available via the internet. Additionally, carriers introduced ransomware supplemental applications, which included detailed questions related to the attributed causes of ransomware claims. Cyber insurance was growing up.
In 2021, there have been significant changes to the cyber insurance market. The main challenge that carriers face is the changing nature of cyber risk, as the tactics and techniques employed by threat actors are constantly evolving. Taking ransomware attacks as an example, what was first a loss of access/use arising out of network encryption has now evolved to include the threat of data exfiltration and disclosure, and even a triple extortion threat of a DDoS attack. Additionally, the expansion of coverage to include contingent business interruption and contingent systems failure coverages (broadly meaning that an insured’s supplier has a network interruption due to a breach or technology failure, which results in a network disruption to the insured) has triggered additional concerns for carriers from a systemic loss standpoint, as seen in numerous recent IT supply chain attacks.
These trends—and the associated claims—have resulted in premiums increasing between 30% and 100%. Carriers have also reduced the amount of capacity they will deploy on any one insured. If an insured has average or below average security controls, there is a possibility that they may receive a declination. Carriers are applying coverage restrictions for ransomware events and limiting coverage for systemic losses, such as technology supplier attacks.
As cyber insurance continues its maturation process, expect more change on the horizon:
- Hard market conditions will continue through 2022, as carriers continue to adjust the risk composition of their portfolios, as well as adjust capacity deployment and premium rates. The cost of capacity will continue to be reflective of the level of cyber resilience demonstrated by the insured through the underwriting process.
- Coverage will continue to become more restrictive, as carriers rationalize the scope of exposure to which they can comfortably underwrite. This can be viewed as an inevitability, given that so many coverage extensions were built into cyber insurance policies in the 2016-2020 period.
- Coverage extensions related to the supply chain will be limited to the underwriting data that carriers can obtain, in order to protect carriers from systemic loss. Data on the supply chain will become critical to the underwriting process.
- Brokers will continue to be a critical part of the placement process to ensure that the policy performs as intended. Cyber insurance policies lack consistency in terms of insuring agreements, definitions, and exclusions. Brokers will continue to ensure that insureds get the broadest possible coverage at the best possible price.
- The underwriting process will change to a more transparent and data-driven approach that will require CISOs to have access to and understand the data. Carriers, in coordination with brokers, will utilize greater amounts of technology to look “behind the firewall” of organizations to conduct a more automated risk engineering review, supplanting the current underwriting submission process. This internal data set, combined with the external data mentioned above, will allow for a greater understanding of exposure, which can benefit both insureds and insurers from a loss prevention standpoint.
With greater maturity, driven by data, cyber insurance will continue to be a valued part of cyber security risk management for years to come.