CYBER: PREPARING FOR A TOUGH STRETCH
Dose of market reality drives the need to understand true risks and how to manage them
By Josh Ladeau
Cyber insurers have largely “played the indexes” over the last six or seven years. By this I mean that the prevailing carrier wisdom has been to spread capacity over a wide range of industries with clients of varying size. Some markets were more focused on excess, others on primary, but the insurance industry had not yet established “no-fly zones.” Moreover, the policy language has not yet been standardized, so the type of risk and coverage can vary significantly across businesses and policies.
As a result, any client could buy cyber coverage with little verification in the way of underwriting/controls information. For insurers, capturing market share has appeared to overshadow common-sense restraint. Quality of risk wasn’t even an afterthought for several years, and that meant new competitors could enter the “cyber fray” with little to no technical expertise.
It’s quite likely that new capital diving in during the rising rate tide will just as soon be swept away by the building tsunami of loss.
Events like WannaCry and NotPetya, while not particularly impactful loss events in terms of dollar value, forced insurers to consider cyber aggregation risk more seriously. However, the effort to do so was largely outsourced to untested, internet-scale monitoring firms such as BitSight or Cyence.
Technical security expertise is and has always been expensive. For most insurers, it was more palatable to rent the expertise through these types of services. The current loss environment, however, would suggest that these monitoring platforms are not yet ready to shepherd the industry to sustainability.
The cyber “gold rush” continues
A key result of the “Twenty-Teens” cyber rush was rapid coverage expansion, with small and mid-market risks essentially inheriting coverage grants that were negotiated over the preceding five years by purchasers exhibiting greater levels of sophistication and cyber-security investment. The market had barely wrapped its arms around loss expectations associated with traditional breaches of sensitive data, yet found itself rushing into full-limits coverage for things like business interruption, triggered not only by direct attacks on the client, but also attacks directed at third parties on which a client happened to rely.
How could that exposure be underwritten or contained? It didn’t matter; cyber losses at the time weren’t considered significant and the growing premium base was too compelling. Despite the obvious technological complexity and rapid evolution of cyber concerns, carriers continued to extend themselves further in order to keep pace with the market.
Entering 2021, losses from 2018, 2019 and, in particular 2020, are mounting at an alarming pace. Carriers are responding severely and, while already excruciating for brokers and clients alike, early 2021 rate increases probably will prove woefully insufficient in terms of market sustainability. That means that even more increases that are dramatic are coming, self-insured retentions/deductibles will continue to balloon, and coverage contraction will accelerate.
Despite the obvious warning signs, we are already seeing new capital enter the market; the improved rates along with terms and conditions are too attractive and the cyber market growth potential is astronomical.
Can new markets hold on?
For clients and brokers, however, there are a number of key considerations to contemplate before partnering with a new market. Foremost, perhaps is how long the alternatives will be available. Sure, rates are up substantially, but the pace of increase went from late 2020 projections of perhaps 10% to 15% (reasonably accurate in January) to actual rate increases in the range of 50% by March. That type of variance suggests prior year losses are developing worse than expected, and it is commonly accepted that 2021 losses are outpacing the already-record 2020 loss year.
It’s quite likely that new capital diving in during the rising rate tide will just as soon be swept away by the building tsunami of loss.
Another consideration: What claims capabilities does a new writer of cyber have? There are only so many experienced cyber claims handlers currently in the business, and while new talent can be trained, it is doubtful many insureds want an unproven, inexperienced team handling a widely publicized outage or data event. These events can go from initially moderate to severe in short order, so insureds and brokers alike should consider heavily the availability of top-tier claims professionals before purchasing slightly broader or cheaper coverage.
Understanding the true risks and how to manage them
Can new capacity sources demonstrate a clear grasp of cybersecurity fundamentals in the underwriting process? Said alternatively, do the underwriters you’re working with genuinely understand the risk they’re taking on? If not—and as losses worsen—you might find yourself having to start anew next year. That could mean another full marketing effort, more form reviews, more negotiating of terms and conditions, and all without the benefit of an existing relationship and established premium bank.
Does a carrier have established alignment with top vendors? It may not be obvious prior to experiencing your first material incident, but a huge part of smooth cyber claims handling is the relationship a carrier has with key market vendors. Large, sophisticated enterprises typically have their vendors pre-selected; some even pay annual retainers in order to ensure vendor attention when needed most.
Many firms are ill equipped to deal with the cyber threats of today, and those threats are advancing at a pace most organizations can’t match, let alone catch.
While a growing number of law firms and response vendors claim deep benches and even deeper cyber expertise, there are relatively few that actually have the goods. Conversely, less sophisticated organizations tend to lack the wherewithal and resources to establish such relationships.
Vendor capacity is a genuine challenge in cyber. When widespread incidents occur, such as the recent Micro-soft Exchange vulnerability-related claims, the best vendors can be severely taxed. The “weight” a carrier has with vendors is naturally related to the money they’ve spent in the past and their likelihood to continue to funnel business to a vendor in the future. If vendor resources are strained, their largest and most loyal partnerships will likely get their attention first. Where does that leave insureds that partnered with a newly launched market, one that hasn’t had time to cement those key vendor partnerships?
With the direction that claims frequency and severity are headed, carrier-vendor relationships will become increasingly important. Brokers and clients should consider this aspect heavily, particularly if they have limited, internal resources with which to respond to an incident.
Consistency of terms and conditions (to the greatest degree possible), breadth of coverage, and availability of knowledgeable resources are critically important to the success of any cyber program. Long-term carrier partnerships should be the focus for your clients, at least for those who can demonstrate a genuine, organization-wide embrace of cybersecurity as core to the continued viability of their operations. If they have made the appropriate investments, they should be partnered with proven carriers that have exhibited long-term commitment, even if that means tolerating limited change.
Reinsurance support is becoming increasingly scarce in cyber, and direct insurers are searching for equilibrium between coverage grants, rates, and losses. Developing and maintaining strong relationships with premier cyber markets should be the focus for producers, as we are at the beginning of a tough stretch for cyber.
Threats advancing at alarming pace
Nothing has changed for small and mid-market business in 2021. Many firms are ill equipped to deal with the cyber threats of today, and those threats are advancing at a pace most organizations can’t match, let alone catch. Losses will continue to mount. Capacity will become scarcer in the next two to five years, despite some new (and likely temporary) capital infusion.
Just as many businesses are for the first time seriously considering the cybersecurity posture of their vendors and partners, they must consider the viability of their insurance partner-ships. The right carrier partnership can provide clients with cutting edge cybersecurity knowledge, support through shared investment in security, sound direction and advice in the event of loss, preferential access to top vendors, and sufficient coverage if, or perhaps more aptly when, a cyber event occurs.
The author
Josh Ladeau is Global Head of Tech E&O and Cyber at Aspen Insurance. He has participated as a panelist and moderator at various cyber-industry conferences, including NetDiligence, the New York State Bar Association, the Claims & Litigation Management Society, Defense Research Institute, Primerus, and Execusummit. He attended undergraduate and law school at Western New England College, majoring in Information Technology, and he maintains a Certified Information Systems Security Professional (CISSP) designation. For more information, visit aspen.co.