CYBER INSURANCE

Has the first hard market come and gone?

By Joseph S. Harrington, CPCU

Inquiring minds want to know: When will cyber insurance become like other lines of insurance?

One might be tempted to think that’s what occurred in 2021 and 2022 when, in the wake of severe ransomware losses and the rapid implementation of risky work-from-home arrangements, a line that had been hungry for buyers suddenly saw rates soar, conditions tighten, and capacity strained.

“Policies continue to be all over the board. There’s nothing really standard when it comes to stand-alone cyber coverage, and I believe it will be a long time before policies even become similar to each other.”

—Victoria Dearing

Senior Vice President, Professional Liability and Risk Management

Breckenridge Insurance

According to A.M. Best and the NAIC in the Report on the Cyber Insurance Market, the loss ratio for cyber insurance (both stand-alone and package coverage) more than doubled, rising from 32% in 2018 to 66% in 2020 and 2021, before falling to 43% in 2022.

Over the same period, direct written premium for the line also grew more than 100%, from $3.2 billion to $7.2 billion, with the share captured by surplus lines insurers now amounting to nearly 60% of all cyber premium, according to the recent Best’s Market Segment Report on cyber.

In response, “Some renewals started to see 300% to 400% increases in rates and premium, and most saw increases of at least 100%,” according to Victoria Dearing, senior vice president of professional liability and risk management for Breckenridge Insurance.

“This had a disproportionate impact on smaller insureds because carriers started to raise their minimum premiums,” she adds. “Carriers were renewing with lower limits, higher retentions, and requirements for much more underwriting information and security controls. It was common to see a small enterprise go from a cyber premium of $1,500 to $5,000 at renewal.”

Thanks to enhanced data on exposures and causes of loss, Dearing says, “We are seeing a slight stabilizing of the market,” but cautions that “it may be short-lived if the data is not accurate in predicting losses.”

“Although we are still seeing some rate increases, major increases now seem to reflect the actual risk rather than just industry hardening.”

—Mike Smith

Founder and President

Axis Insurance Services

Mike Smith, founder and president of Axis Insurance Services, also credits improved data with stabilizing pricing and supply in the cyber insurance market. “The industry now has data to identify where claims are arising,” he says. “In past years, rating was largely subjective. However, with today’s data, carriers are actually able to underwrite risks.

“Although we are still seeing some rate increases, major increases now seem to reflect the actual risk rather than just industry hardening.”

“The first hard market years in cyber were 2021 and 2022, due to high demand and limited competition in the wake of the pandemic,” says Caroline Thompson, senior vice president of underwriting at Cowbell Cyber. “Since then, the market has softened again, and cyber insurance providers need to find a balance between appropriate pricing and coverage.”

“I would actually characterize this as a soft market,” says Brian Thornton, CEO of ProWriters. “The market hardened in 2021 and 2022, but by the end of 2022 rates started coming down and have continued to fall while terms and underwriting requirements have loosened. There is abundant capacity for most risks.”

Thornton cautions, however, that the market may harden again in late 2023 and 2024. “The pendulum swung quickly to a hard market and swung back quickly. I expect to see continued volatility due to the rapidly changing nature of the risk,” he says.

Losses

Thornton also detects shifts in causes of cyber loss.

After several years when ransomware claims were a growing concern of cyber security professionals, ransomware loss frequency and severity levelled off or declined in 2021 and 2022, according to Thornton. “From what we see, insureds are less likely to make ransom payments because they have better backup systems and are better prepared to recover from an attack.”

Smith generally concurs with that view. “Ransomware is becoming more manageable,” he says. “Although ransom demands remain high, our clients are better able to recover from them after updating their systems, installing safeguards, implementing security protocols, and educating employees. Now, for most of our clients, ransomware is more of a nuisance and expense than a true risk for loss of data.”

Improved precautions and defenses against ransomware are no reason to let down your guard, however. Ransomware is still among the most prevalent and costly cyber threats, according to Theresa Le, Cowbell’s chief claims officer.

“In the case of ransomware, we see more threat actor groups and increasingly complex attacks,” Le says. “These groups are not only attacking large organizations but also small and medium-sized enterprises, which are generally less equipped to withstand such an attack.

“The need for SMEs to augment their cybersecurity with a robust cyber insurance policy has never been greater, as a cyber policy provides the appropriate incident response teams and expertise to quickly evaluate and manage a cyber incident.”

Policy provisions

As cyber exposures, losses, and market conditions evolve, so do the policy forms used to define coverage.

“There has been significant development of cyber insurance policies over the last few years,” Thompson says. “Stand-alone cyber policies have adapted limits and coverages to market conditions. They’ve also adapted to the cyber risk landscape with provisions to address specific types of events, and by implementing sub-limits or exclusions to manage loss.”

That said, cyber insurance policies still tend to be highly non-standardized.

“Policies continue to be all over the board,” says Dearing. “There’s nothing really standard when it comes to stand-alone cyber coverage, and I believe it will be a long time before policies even become similar to each other.

“Without standardized terms, it is confusing for insureds who need help demystifying the policy language,” she says. “For example, most policies cover ‘data restoration,’ but only a few cover ‘data recreation,’ which is an entirely different coverage.”

Dearing adds that most cyber policies have no provisions that define, cover, or exclude losses to or caused by artificial intelligence. “That is starting to change,” she says. “It is very important that agents read and compare policy provisions, as I predict cyber will be the next large area for agent E&O claims.”

“In the case of ransomware, we see more threat
actor groups and increasingly complex attacks. These groups are not only attacking large organizations but also small and medium-sized enterprises, which are generally less equipped to withstand such an attack.”

—Theresa Le

Chief Claims Officer

Cowbell Cyber

According to Smith, among the most common and significant variations in cyber policies is their approach to addressing losses arising from outdated software and from outsourced and/or dependent systems.

“Our carriers increasingly want to limit or exclude claims relating to outdated software, as it presents a morale hazard to insureds,” Smith says. “The reasoning is, if companies don’t spend the money to keep systems up to date, they shouldn’t have insurance to cover that risk.

“Additionally, as software as a service (SaaS) becomes the prevailing means for providing software, carriers struggle with how to underwrite risks using systems a carrier can’t underwrite,” he adds. “As a result, we’re seeing significant sub-limits for dependent systems coverage and for dependent systems business interruption.”

Looking ahead

“New vulnerabilities and attack methods come into view every day,” says Le. “With that, we see vast opportunities to provide coverages and services that evolve as quickly as the cyber threat landscape.

“Brokers and agents can help their clients by educating them on the value of a cyber policy and promoting partnerships with specialized cyber insurance providers that stay abreast of cybersecurity best practices while providing policyholders with risk engineering services.”

For Thornton, the biggest opportunity in cyber insurance is in the market for small and medium-sized enterprises.

“Most of those companies either do not have coverage or have inadequate coverage within a businessowners or general liability policy,” he says. “The challenge is making sure we educate brokers, agents, and their clients so that they fully understand cyber risks and policies. This will boost demand when there is adequate supply.”

If there’s any danger for producers in today’s cyber insurance market, Thornton says it lies in failing to suggest the coverage or placing inadequate coverage without thoroughly understanding it. “We are seeing more E&O claims against insurance agents for not offering proper cyber coverage,” he says.

For more information:

Axis Insurance Services

www.axisins.com

Breckenridge Insurance

www.breckis.com

Cowbell Cyber

www.cowbell.insure

ProWriters

www.prowritersins.com

The author

Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.