Times have certainly changed with respect to cybersecurity controls. Regardless of industry or organizational size, companies should expect to see a continued disciplined underwriting approach that remains laser-focused on data security controls, with rates continuing their upward trend. Organizations will need to grapple with more restrictive coverage terms, mandatory sublimits, and exclusionary language specific to certain global and widespread cyber incidents. Capacity questions have not been settled, and exactly how much will be available in the U.S. and global cyber markets in 2022 remains an open question.
Ransomware attacks continued to ravage the bottom lines of both their victims and insurance carriers. During the first six months of 2021, more money was paid in ransom payments than in all of 2020. Increased payment amounts may be due, at least in part, to the fact that hackers now routinely threaten to publicize their victim’s most sensitive data if their six and seven figure ransom demands are not met. However, extortion payments are just one piece of the cyber claim. The average downtime from a ransomware attack is 23 days, more than doubling the costs due to business interruptions. And when companies had to switch to remote operations, the costs of a data breach increased.
The cyber insurance market took four deliberate steps to combat increasing loss ratios in an effort to protect its bottom line.
Rate increases:
Cyber premiums increased across the board, regardless of the industry sector or size of the organization. Cyber underwriters are being cautious or even moving away from specific industries, including municipalities, higher education, technology, and manufacturing.
Coverage limitations:
Many carriers imposed sublimits and coinsurance provisions specific to ransomware claims. This often resulted in limiting coverage to 50% of the policy limit or less. Certain carriers had to add exclusionary language to specific known vulnerabilities; failure to remediate these could lead to a denial of coverage for losses attributed to them. Others revised coverage terms specific to regulatory claims with language that constricted risk transfer for regulatory risk.
Capacity constriction:
There were clear indicators that carriers wanted to limit their exposure through limiting capacity. The policy limits offered during prior renewals were routinely cut to half of that amount during the 2021 renewal cycle, both at the primary and excess layer level.
Greater underwriting scrutiny:
Almost all carriers asked for more details around data security control efforts. Not surprisingly, many questions focused on ransomware prevention and mitigation, with several carriers requiring ransomware supplemental applications consisting of dozens of questions to see how well insureds managed the threat.
Based on the past statistics and future predictions, the cybersecurity insurance market is changing.
Cyber Insurance Underwriters:
It has become clear that rate increases alone will not be able to solve the current and future cyber market challenges. There is a focus on changing coverage terms, which are trending to restrict coverage for systemic risk, where a single vulnerability may impact a majority of a carrier book of business. Carriers are beginning to address this in their policy forms by imposing sublimits and/or exclusionary language for these global cyber incidents, and it may impair the buyer’s ability to transfer cyber risk in the comprehensive way it did in prior years.
Reinsurers:
Expect markets to seek support from outside the traditional rated capacity market via collateralized reinsurance and Insurance-Linked Securities (ILS) transactions with the capital markets. This could also take the form of looking to different reinsurance structures and product development. Also expect continued cyber loss modeling tool development as the market pushes for further insights into the far-reaching threats of systemic cyber risk.
Cyber Risk Management Vendors:
The service providers that help prevent and mitigate the effects of cyber incidents play a role of growing importance and have become a fixture in today’s cyber marketplace. Buyers of cyber insurance will need to leverage these services one way or another, and the vendors that can provide efficient and cost-effective solutions for the needs of specific risk profiles will continue to emerge as a necessity.
Government:
Many are watching an increased effort by both the U.S. and international governments to work with and provide insight to the private sector in managing cyber threats, with a particular focus on the ransomware epidemic. Guidance around OFAC compliance, specific to whether or not ransom payments can legally be made, was provided in 2021, with aggressive action in sanctioning at least one cryptocurrency exchange. The private sector may be subject to severe penalties for noncompliance to government-mandated OFAC requirements. Also, law enforcement is to become more proficient at helping victim organizations recover ransom payments to threat actors, using a combination of cryptocurrency experts, computer scientists, blockchain analysts, and crypto-tracers in this effort. Finally, we expect law enforcement to embark on a more aggressive offensive strategy in disrupting ransomware as a Service (RaaS) affiliates.
The cybersecurity insurance industry has changed dramatically in the past 3 years and will continue as hackers become more sophisticated. Regulatory risk continues to evolve as privacy laws around the U.S. and international arenas expand. Data subjects, and the regulators that represent them, are more empowered than ever by the California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, Europe’s General Data Protection Regulations, and many other rules. These regulations follow a common theme that holds organizations to specific standards as they collect, store, process, and transfer consumer data. In some cases, noncompliance can lead to regulatory investigations, lawsuits, fines, and settlements and may provide a path for plaintiffs to pursue private rights of action.
Because of the highly nuanced nature of the cyber insurance market, it is imperative that your organization is working with an insurance broker who specializes in your particular industry or line of coverage. To effectively manage the underwriting process, it is essential that your cyber insurance company maintains a detailed working knowledge of the latest cyber insurance products and the requirements to qualify for them. Cyber insurance companies also need to balance renewal timelines with required data security control remediation efforts amidst potential budget limitations. Making sure your technology environment is up to speed with respect to reducing cybersecurity threats is paramount. In order to have effective cybersecurity insurance that permits your company to transfer the risk of a breach, companies must implement stronger cybersecurity internal controls.
Jim Doran, Area Vice President
Gallagher
(516) 622-2468
jim_doran@ajg.com
