Demand for cyber insurance continues to increase, but uncertainty around pricing, coverage and exposure abounds. Persistent systemic risk has led insurers to reevaluate their exposure through stricter underwriting guidelines and coverage grants. With a market still developing, how can it continue to meet the demands of a growing customer base?
Safety National’s Director of Cyber Underwriting, Jeremy Schumacher, explains the cyber risk insurance market’s emerging risks and how insurance carriers are adapting.
What led to the cyber risk insurance hard market?
This coverage is still relatively new, with a constantly evolving threat landscape. Due to its infancy, there is significantly less data than for other coverages, like property and casualty or workers’ compensation. When the threat landscape shifted from third-party loss-of-records events to first-party ransomware losses, it led to reported industry loss ratios that rose from 35% in 2017 to 75% in 2020. Pricing was inadequate for the coverage extended and the risks involved. While recent data indicates industry loss ratios are starting to decline, the risks to organizations are still substantial, and the coverage extended will need to continue to meet their needs.
The increase in pricing and breadth of coverage proved inadequate for two main reasons, which resulted in the market’s rapid turn. First, there was a major increase in ransomware frequency, especially for small and medium enterprises (SMEs) and middle market businesses. Threat actors shifted their focus from quality and size to quantity. Before the spike, hacking groups generally targeted large organizations in excess of $1 billion. However, large entities advanced their ransomware tools and ability to mitigate the impact of events, so the easier path for profit became smaller organizations — this eroded profitability for most of the cyber insurance market.
Additionally, the hardening of the cyber insurance marketplace was a direct result of the need to fund aggregation events. A vulnerability in a significant IT provider or loss from a vendor could impact hundreds or thousands of insureds in a carrier’s book. Cyber carriers acknowledge this exposure now more than ever before and must begin allocating dollars for this exposure. While loss ratios declined and the market hardened extremely fast, the risk to organizations remains and has become more complex in many cases. Transferring risk through a cyber insurance policy is a proven solution to protect an organization’s balance sheet and shareholder value.
How are insurers adapting to systemic risks or zero-day vulnerabilities that would lead to a catastrophic threat across the entire market?
Some insurance carriers have shifted to excluding these risks from policy coverage altogether. From an excess cyber coverage standpoint, we are mindful of known security vulnerabilities, like Log4j, Microsoft Exchange and Accellion. While an organization may have confirmed patches on these vulnerabilities, protecting against the next unknown security flaw can be difficult. The industry is becoming more creative in building policies around these risks and meeting the needs of insureds. Some insurers are developing pure exclusionary language with carve-back language or asking specific questions before binding coverage to avoid utilizing specific exclusions. Currently, insurance carriers are working with different types of data sets to understand exposure trends that actuaries can work through, which can assist in pricing the risk appropriately. By evaluating what controls are in place to prevent a loss throughout the underwriting process, the carrier can help determine a company’s overall risk posture.
As the regulatory environment intensifies, how will the cyber insurance industry adapt?
Understanding regulatory exposure is a piece of the cyber puzzle where carriers excel. Regulatory coverage in a cyber policy was one of the early coverage grants, so carriers understand what questions to ask and how much to charge from a premium standpoint. The legal landscape continues to be unpredictable, and navigating the different state, federal and international laws can be challenging. Significant data breaches, like those involving Target and Home Depot, led to increased governmental regulation and protection of individuals’ personal information. For example, some of the most impactful privacy framework laws, including the General Data Protection Regulation (GDPR), enacted in 2018, and the California Consumer Privacy Act (CCPA), enacted in 2020, were passed to provide increased consumer protections in response to data breach incidents. While Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008, predates these regulations, the private right of action it provides to individuals has spawned several recent class action lawsuits under this legislation’s damages provision. The regulatory environment is ever-changing, but the ability to comply with new regulations and to understand the triggers for a loss makes this area of coverage a bit easier for carriers to adapt to.