Evolving Cyber Risk Insurance Trends in 2024

Cyber risk insurance carriers have become more sophisticated in adapting to market fluctuations, but instability runs the risk of creating another hard market. In last year’s trends, our experts discussed the possibility of pricing and terms stability, but did that come to fruition?

“Our expectations surrounding stability last year may not have happened, but we are optimistic that 2024’s trends will lead to a more neutral marketplace,” said Spencer Timmel, National Director of Cyber & Technology Insurance at Safety National. “However, as this market evolves, so do its risks, and insureds are facing significantly advanced threats. AI is on everyone’s mind, boasting incredible possibilities, but it also offers cybercriminals a gateway to exploit more vulnerabilities.”

Here, Timmel breaks down what changed last year’s expectations and what to expect for this year’s market.

How have 2023’s trends evolved?

Many in the cyber insurance industry expected some stability in pricing, terms, and conditions for 2023. However, that prediction was mostly turned on its head when considering that pricing favored insureds. A hard market in 2021 and most of 2022 forced many organizations to mature their cyber profile, focusing on strengthening cybersecurity, incident response, and data privacy compliance. This, coupled with a 23% reduction in ransomware, led to additional capacity from managing general agents (MGAs) and traditional insurance companies offering new products and redeploying limits they reduced in previous years. The reduction in ransomware is possibly due to the reallocation of Russian cybercriminals to impact war efforts against Ukraine. However, 2023 ransomware incidents have risen sharply, outpacing those of 2021 and 2022. The combination of the higher rate of incidents combined with price reduction and coverage expansions in 2023 may lead to a reduction in insurers’ profitability in 2024, forcing the pendulum to swing back in their favor.

As for war exclusions, major cyber reinsurers and the Lloyd’s Market Association (LMA) continue to stress and require redefined terminology that translates correctly to cyber risk insurance. What defines a cyber war versus a traditional war, and how should carriers exclude those exposures for the market’s long-term stability? Even with a possible definition change, a significant event would have to occur to recategorize coverage.

What new trends are expected in 2024?

Where ransomware is typically a short-term event involving hiring a forensic investigator and paying a ransom, long-term liability issues involving regulatory fines and penalties are a growing concern. Class action lawsuits in response to Health Insurance Portability and Accountability Act (HIPAA) violations and state-specific biometric privacy laws are also a significant long-tail risk. Many large healthcare organizations are grappling with this, particularly those using public-facing websites or patient portals with embedded pixel-tracking technologies that they may not even be aware are shared with technology companies like Meta. It may take time for the consequences to materialize for large healthcare groups, but digital-only health platforms have already had cases brought against them by the Federal Trade Commission (FTC). Both GoodRx and BetterHelp were banned from disclosing much of their customers’ personal information for any advertising use. There is an expectation that these privacy breach allegations will continue to extend to other industries.