Reacting to the Hardening Cyber Insurance Market
For the first time since cyber insurance developed into separate stand-alone policies, the market is seeing price increases for this class of cover.
However, to fully understand the rising costs of cyber insurance we need to look beyond stand-alone policies.
The high cost of claims relating to ransomware and other cyber incidents is pushing rates through the roof. Today, hackers are more organised and are more frequently targeting specific organisations, planning attacks that blend hacking and social engineering to defraud both public and private sector organisations. Insurance Journal claims the total costs of ransom payments doubled through the first six months of 2020, according to a report from Lloyd’s insurer Beazley Plc. Further, according to a recent article in the Sunday Times, UK firms have been forced to pay out more than £200m in ransom demands over the past 12 months, fearing the repercussions of fines, lost data and damage to their reputations. Concerned by public embarrassment, companies are showing signs of “more willingness to pay ransom”, experts claim, allowing criminals to make an estimated £19 billion a year worldwide.
However, according to a Deloitte survey, insurers looking to provide coverage that was formerly bundled in standard policies are failing to properly address risk management in their stand-alone policies. One-third of non-buyer respondents claimed they previously bought stand-alone cyber policies and that coverage was insufficient. In the Deloitte article, speakers from various cyber underwriters and brokers at Advisen’s Cyber Risk Insights Conference explained that carriers still rely on market rates driven by what the competition is charging. Speakers at the conference considered that such policies are not equipped to protect against today’s fast-paced cyber risk landscape, and that reliable pricing should consider evolving threat actors and aggregation risks with the potential of cyber catastrophe.
If carriers continue to sell stand-alone cyber through competitive rates, they leave themselves at systemic risk of paying out on multiple, steep claims later. Policy pricing must factor in progressing and evolving ransomware, privacy breaches, business interruptions and the growth of group actions. As claims grow, insurers may reassess their position in the cyber market and we may see a reduction in capacity, which would lead to further price increases.
STORM Guidance CEO Neil Hare-Brown says: “It is clear that there are serious flaws in the assessment of risk in this class. Standard underwriting and actuarial approaches are not so well suited to understanding the complexities of cyber risk. Many risk vendors misadvise insurers in this regard, attempting to oversimplify highly technical controls whilst missing the real picture which would help insurers: board-level cyber risk management strategy. Furthermore, arm’s-length online scanning is, on its own, not enough for insurers to both learn and help their clients manage cyber risk effectively. There has to be more client engagement in more accurate risk assessment.”
Deborah O’Riordan, Risk Solutions Manager at QBE Insurance explains:
“Part of the problem is that businesses don’t always understand where the exposure comes from – whether that’s their business model and product or service delivery mechanisms, their clients, suppliers, employees or the assets they hold. And that is before we get into the technical controls needed to mitigate the risks. Regardless of the hazard, those businesses with a good approach to risk and a sound risk culture will never be averse to independent scrutiny. It is a strong investment that can pinpoint the flaws, by those who really understand how attackers will target your business. Whether that is with STORM, or another trusted adviser or critical friend, it is well worth the investment and demonstrates to insurers that you’re taking the risk seriously and doing what can be done to improve your defences”.
The lack of buyers is also an issue for insurers, as the premium pool is not growing quickly enough through more businesses buying stand-alone cyber cover (and not enough of those that do are buying adequate limits). One of the basic principles of profitable insurance is that insurers have a good spread of risk.
With the rise of data breach compensation claims in recent years and group action claims gaining traction in the UK, the stakes are growing. Newsworthy data breaches such as British Airways, Marriott and Ticketmaster fill our news feeds and consumer distrust over data protection quietly hums in the background. Whilst we patiently wait for the UK Supreme Court’s decision on the Lloyd vs Google case, is it time to prepare for an influx of mass data privacy claims?
Addressing the widening gap in knowledge surrounding the hardening cyber market is an obvious step forward.
Noteworthy causes and possible solutions
The rise of cyber in the US
The jurisdictional and regulatory landscape in the US is sector-specific, with healthcare, energy, and financial services, for example, each with its own regulators. Because of this, the privacy and security laws and regulations have developed over the last 10 years, ensuring US businesses are compliant. Many US regulators gain their revenue through fines and penalties and so are driven to enforce the law. This, together with increased US legal liability risk, drives more conscientious business practices; businesses are almost forced to be more litigious.
As a result, US businesses have recognised that Cyber Insurance is essential. Premiums grew by 14% in 2019, to $1.26 billion, while the previously favoured packaged cyber policies grew just 7%, to $988 million, according to the Insurance Journal and data collected by the National Association of Insurance Commissioners (NAIC).
In contrast, the Association of British Insurers found that only 11% of businesses had specific cyber insurance. However, although we see a healthier US cyber uptake, it is worth noting that this has been driven mainly by regulatory conditions, rather than the true picture of cybercrime. The drivers for purchase are only slightly influenced by accurate cyber risk assessment and more by regulatory burden.
The first problem was one of expectation. Many insurers assumed they would see the same take-up of Cyber Insurance in the EU, as they had seen in the US. Unfortunately, this was not to be the case. This expectation saw a vast capacity in the insurance market for Cyber and many insurers launched policies that remained on the shelf, gathering dust.
In efforts to remedy this, many insurers entered a ‘race to the bottom’ on price, which was not helped by ‘box shifter’ brokers, largely ignorant in relation to cyber risk. Many brokers were ill-equipped to sell the policies, with vast cyber skills gaps becoming apparent. It would be unfair to discuss cyber insurance without highlighting its ever-changing and complex nature. It is a product in which many brokers (especially regionals) were averse to investing the necessary effort and funds. However, this is no longer a new product and skills gaps must be plugged to have an effective team, equipped to sell cyber insurance and to advise their clients on the subject adequately and professionally.
With the pressure on insurers’ cyber teams to achieve US levels and find more channels to market, and on brokers to sell a complex product easily, there was an over-simplification of cyber risk and consequently, little effective proactive risk management.
Coincidentally, the invasion of digital technologies drove cyber risk into many other areas of insurance (Property - small buildings, Marine - smart shipping, etc.) and, worried about this ‘silent’ cyber risk, the UK financial regulators and Lloyd’s decided to require insurers to clarify policy wording. Many decided to explicitly exclude cover in non-cyber policies and only provide cover under stand-alone cyber policies.
Improved risk management in cyber products
Over time, we have seen the creation of new cyber insurance products; some good and others not so. It has led to the selling of cyber insurance with low client friction, at the expense of establishing client cyber risk management maturity. Without determining specific or aggregate cyber risk, this has led to a spike in cyber claims, where those relating to ransomware are particularly costly. Some insurers have left the cyber markets.
Brokers and insurers share concerns over the inevitable increasing difficulty of selling cyber. Renewal discussions will be hard; however, this is an opportunity to correct the mistakes of the past: to encourage and even require insureds to manage cyber risks much more effectively, with the hope of re-positioning cyber as a necessary cover, priced at a more realistic level, which considers the true nature of cyber risk.
To set themselves apart and address the adequacy of policy limits, insurers are offering risk management services and assistance through external partners, as they do for other classes of insurance. With the reinforcement of these outsourced client services, support can be given as part of a policy, to prevent cyberattack and contain threats when they occur. With guidance from specialist cyber firms, brokers can assist their clients in mitigating risk, and as rates increase, negotiate better terms for their clients.
Our Cyber3: Rapid Risk Review service is ideally positioned as a cost-effective way to help insurers and brokers provide a better service to their clients, with cyber profiling and an ‘attacker’s-eye view’ as part of the assessment process. As cyber markets harden, it is an opportunity for insurers offering high-quality products to properly assess cyber risk and to do so in a way that adds value and engenders client loyalty.
“Our clients really appreciate the Cyber3 process, in that it is focused, time-efficient, and provides a clear roadmap for future development. For those CISOs and CFOs arguing internally for budget, it creates a document the board must acknowledge; and for non-execs who cannot be expected to understand the ever-changing minutiae of cybersecurity, it can provide comfort and an assessment of where the organisation stands.” - Howard Pearson of Innovation Broking.