Rate hikes moderate as carriers implement course corrections
By Joseph S. Harrington, CPCU
You could say that there was a “before and after” in the evolution of cyber insurance: before the emergence of ransomware, and after the onslaught of high-profile ransomware attacks in the years just before and during the coronavirus pandemic.
In the 30 or so years since cyber insurance first appeared, the line has been unique in that it principally addresses intentional damage or loss to intangible property. The ever-evolving nature of both cyber property and the risks to it—risks created by malicious individuals probing for vulnerabilities—quickly renders underwriting and rating criteria obsolete, as old threats are thwarted and new ones emerge.
“While we see insurers being selective in deploying capacity, we no longer expect to see rate increases of 90% or more, except for accounts with poor controls or adverse claims experience.”
National Cyber Liability Practice Leader
Ransomware has taken cyber exposure to an entirely new and expanded level. Data breaches, virus infections, and phishing attempts are mere bug bites compared to the venomous potential of ransomware to paralyze systems, hold information hostage, and empower extortionists to demand escalating ransom payments.
The near collapse of business activity during the coronavirus pandemic of 2020 brought no respite from ransomware attacks, which continued to escalate in frequency and severity. Cyber insurers responded with steep rate hikes, reductions in limits, and restrictions on coverage, raising the question whether the market is “on the brink of collapse.”
“We saw cyber rates increase substantially in 2021,” says Gregory Chambers, head of cyber for AXA XL’s central zone. “Many insureds saw triple-digit increases,” driven principally by the increased frequency and severity of ransomware attacks. “Today, depending on the risk, we are not seeing the same level of increases in 2022 as last year, largely because the market did a lot to correct itself.”
Those observations are shared by others in the business.
“The cyber market is starting to ease up a bit,” observes James Keane, vice president of SIAA, a leading alliance of independent insurance
agencies. “We are seeing some new capacity in the marketplace, and some old capacity returning.”
“Pricing has stabilized, but there are rate increases where warranted,” says Brian Thornton, CEO of ProWriters. “Over the last few years, carriers have pushed hard on internal controls and are driving improvement in cyber risk management.” As a result, he finds that “capacity is expanding for good accounts and shrinking for those with a lesser track record.”
Rob Rosenzweig, national cyber liability practice leader at Risk Strategies, says, “The market went through a period of significant corrective action over the last 24 months.” In the wake of that, “insurers are putting a premium on risk selection and being more strategic on when and how to deploy their capital.”
Still tough going
Peter Taffae, CEO of Executive Perils, sees things a little differently, emphasizing that the increased discipline and selectivity exercised by cyber carriers comes at a cost to insureds.
“It does not seem that capacity is expanding rapidly enough to meet demand,” he says. “We can still build towers up to $250 million on Fortune 500 accounts, but the rate per million is extremely high and does not decrease as sharply as in the past as you move up in layers.”
Taffae’s perspective is shared by Steve Robinson, national cyber practice leader at Risk Placement Services (RPS). He says that “capacity continues to be a challenge, driven by the combination of increased demand, two-plus years of significant premium increases, more judicious limits deployment, and the exit of some players from the market.”
Conditions in the market seem to be improving, at least for carriers, Robinson says.
“More prudent limits deployment over the past two years, along with a more disciplined underwriting approach, are contributing to improved loss ratios,” he says. Among other things, “common vulnerabilities and exposures identified as ‘high’ or ‘critical’ are increasingly subject to exclusions and carve-backs we used to see for acts of cyber warfare are being removed.”
Mirroring a trend seen in other liability lines, the experts say that agents and brokers need to tap more carriers to acquire the limits their clients are seeking. “It is rare to see $10 million limits offered from a single insurer, whereas this used to be commonplace as recently as 2019,” says Taffae.
Chambers concurs. “Where cyber insurers might have extended a liability limit of $10 million in the past, it is much more common now to see limits of $5 million per risk,” he says. “To build a cyber program with limits they are comfortable with, insureds often need to enlist more carriers than they needed a few years ago.”
“We are getting into the weeds. Cyber insurers are underwriting with higher levels of scrutiny,
especially as it relates to security controls.”
Head of Cyber, Central Zone
That’s possible, Rosenzweig says, because only a few carriers have left the market while some new entrants have come in, leaving substantial underwriting capacity in place.
“Insurers and reinsurers responded with greater underwriting and rate discipline, and now are better positioned for long term profitability,” he adds. “While we see insurers being selective in deploying capacity, we no longer expect to see rate increases of 90% or more, except for accounts with poor controls or adverse claims experience.” For most cyber accounts, he adds, the coverage remains “fairly broad.”
Make no mistake, however, “having more markets on a risk creates additional challenges in getting all the markets on the same page,” says Thornton.
A major reason for stabilization in the cyber insurance market—for now, at least—is that the epidemic of ransomware attacks appears to have abated, leaving ransomware as a serious but manageable exposure.
“If we compare 2022 to 2021, it appears ransomware claims are down,” says Chambers. “Over the last two years, it seemed as if there was a high-profile breach making the news every other week,” he adds. “This year, observers reported a drop in attacks between January and June.”
“The increase in ransomware attacks over the last few years seems to have come to a plateau,” says Isabelle Dumont, senior vice president for Cowbell Cyber. “We see more and more policyholders applying our recommendations and deploying backups and other security measures that put them in a better position when a cyber incident occurs.”
For their part, Dumont says, “insurance providers are being more selective and emphasizing good cyber hygiene before insuring accounts.”
That’s good news, but it does not relieve cyber insurers and their clients of the difficult task of deciding if and how to pay extortionists, something the U.S. government would prefer they not do, as ransom payments reward wrongdoers and encourage others to attempt the same.
“No business wants to pay ransoms,” Thornton says, “but sometimes it is the only thing a business can do to recover. It gets a lot of media attention, but that amounts to blaming the victim. We need to remember that these companies are victims of crimes.”
“Paying a ransom is always the very last option if there’s any alternative way of returning to normal,” says Taffae. “The U.S. government has always discouraged ransom payments, yet some organizations with no means of accessing or restoring their critical systems find themselves in the unenviable position of not having a choice.”
To make matters worse, Taffae notes, “cyber insurers are increasingly employing sub-limits, coinsurance requirements, and exclusions for ransomware events.”
Regarding extortion payments, Rosenzweig says “there are more compliance requirements than ever.
“If an insured elects to make a payment, its vendors must ensure that the prospective recipient isn’t on a sanction list of the federal Office of Foreign Assets Control (OFAC),” he adds. “If there is evidence that ties the threat actor to a sanction list, it becomes illegal for the insured or insurer to facilitate a payment. This underscores the importance of a good backup strategy to reduce the need of paying a threat actor.”
“It’s a client’s decision whether or not to pay [a ransom demand],” says Chambers. “They need to evaluate that cost against other costs, particularly business interruption. A lengthy shut-down could end up costing way more than a ransom.”
“Delivering value is critical. In addition to the coverage provided, a full cyber policy can also offer access to training, forensics, legal counsel, public relations specialists, and more.”
In the age of computers and the internet, perhaps no other line of insurance involves such detailed underwriting of day-to-day operations.
“We are getting into the weeds,” says Chambers. “Cyber insurers are underwriting with higher levels of scrutiny, especially as it relates to security controls. Previously, we might have relied on what was provided in an application. Today, we have multiple underwriting calls, often with our clients’ chief information security officers, to understand the risks they face and their security protocols.”
“Cyber insurance providers are paying a lot more attention to a business’s cyber hygiene,” says Dumont. “At Cowbell, we’ve experienced a positive reaction from policyholders who are paying more attention to their cybersecurity processes and protocols, especially when their insurance providers equip them with tools, advice, and relevant support to improve their cyber risk profile.”
“For carriers, sub-limits are continuing to mitigate risk,” says Keane, “but there is still concern about systemic risk from a breach of a cloud-based, widely used system. This could trigger a huge aggregate loss for carriers.” In light of that possibility, Keane counsels agents and brokers to watch for coverage restrictions or sub-limits to cap carrier exposure to cyber catastrophes.
“Delivering value is critical,” he says. “In addition to the coverage provided, a full cyber policy can also offer access to training, forensics, legal counsel, public relations specialists, and more.”
There’s no doubt that the complex and ever-changing nature of cyber risk and insurance makes purchasing a cyber policy one of the most challenging undertakings for agents, brokers, and their clients.
“Open market placements can take weeks due to the volume of submissions,” says Taffae. With that in mind, he says “it is critical to approach as many cyber markets as possible, as each carrier has its own underwriting guidelines, rating plan, and general approach.
“Every cyber carrier offers a policy similar to others in its basic construction, but with very different aggregate coverage being offered. Be sure to seek out the expertise you need.”
For more information:
Risk Placement Services
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.