In late 2020, after years of soft market conditions, the cyber insurance market abruptly entered a hard market. A significant increase in the frequency and severity of ransomware attacks and cybercrime between 2019 and 2020 sent the market into a tailspin. Cyber insurers reacted swiftly in an attempt to stabilize loss ratios.
By January 2021, cyber insurance premiums were skyrocketing for companies of all sizes in all industry verticals. In addition to premium increases, retentions were doubling and tripling, capacity was reduced, coverage was tightened, and the underwriting of cyber risks became highly technical and complex. The cyber insurance market was in a dark place.
As we enter the last quarter of 2022, we are beginning to see some breaks of light. It would be far too ambitious to say the market is “softening,” but there are signs of stabilization. Here is what you need to know about the cyber insurance market today:
Rates Stabilizing… Sort Of
Although premium increases on primary layers still exist, those increases generally come in at lower levels than we have seen in the previous 18-24 months. Additionally, there is increased competition on excess placements, often leading to pricing decreases on excess layers.
It is crucial to remember that rate increases still vary widely based on company size, industry, claim activity, and the extent of security controls. Large organizations and certain industry sectors are still struggling with significant increases.
Still Looking for Skin in the Game
Most cyber insurers still rely on high retention and deductibles to spread the risk with the policyholder. However, today, high retention is more likely to be accompanied by a premium credit of some sort.
For the first time in almost two years, carriers are reemerging with offers of $10 million limits on primary layers, along with pricing that (in some instances) matches pre-hard market rates.
New players are emerging with unique approaches to cyber risk transfer and existing players are resurfacing and competing on excess layers more frequently.
Multi-Factor Authentication: Enhanced Underwriting
Technical underwriting has not changed one bit! In fact, underwriting questions are even more comprehensive and technical in nature. Basic security controls that became the standard for “insurability” two years ago are still very much a requirement. The good news is competition is heating up for risks that meet the “insurability” standard.
In addition to the emphasis on security controls, insurers are increasingly focused on less tangible criteria such as:
- Meaningful Security Awareness Training: How current is your training material? Does your security awareness training incorporate current tactics being used by cybercriminals?
- Incident Response Readiness: How prepared are you to respond to an incident? Do you have Incident Response Playbooks? Have you tested them?
- Data Privacy: Do your business practices comply with current data privacy regulations?
Market Saturation Intensifies
When cyber insurance first shifted to a hard market, most insurance brokers began conducting full marketing exercises on most accounts in an attempt to achieve the best possible price and terms for clients. At about the same time, the demand for cyber insurance increased significantly. Full marketing together with increased demand for cyber insurance, resulted in a literal tidal wave of applications directed at cyber underwriters. This is still the case today; however, the increase in competition on risks is creating even more strain on cyber underwriters given it takes more time to offer terms on a risk than it does to decline a risk.
Sharpening the Pencil on Coverage
Cyber insurance coverage is still relatively tight and getting even tighter. Cyber insurers are sharpening their pencils when it comes to coverage. Recent court decisions, coupled with global-political tension and instability are causing insurers (cyber and otherwise) to revise War Exclusions and exceptions for Cyber Terrorism. Many cyber insurers also seek to limit exposure to systemic risk by adding exclusionary or limiting wording to cyber policies. In addition, some insurers are slowly pulling away from certain “crime” related coverages such as Social Engineering Fraud.
Although the cyber insurance market is still quite challenging, we are seeing some peaks of light suggesting a level of stabilization that we have not seen in almost two years. Cyber risk is perhaps the most dynamic risk the insurance market has seen to date. The threat landscape evolves at an incredibly rapid rate. The rapid shifts in the risk environment push cyber insurers to pivot and frequently reassess underwriting requirements, pricing, and terms. No suggestion will change.
Kelly Geary, Esq., CIPP US, is a Managing Principal with EPIC based in the New York City area. In addition, she serves as the National Practice Leader – Executive Risk and Cyber/Professional Services and Coverage Counsel & Claims Leader for Lemme, a division of EPIC.