Where From Here?
Over the past few years, cyber insurance has evolved rapidly.
It began as an outgrowth from professional liability policies for software and online media in the 1990s, covering perils such as errors in data processing or media liability for libel or violations of intellectual property rights. It started to develop into its own product in the early 2000s, adding coverage for unique cyber risks, such as unauthorized access, data loss, and virus-related claims.
These early policies focused mostly on insuring against third-party liability. Cyber-insurance policies began to resemble their current form in the mid-2000s, expanding further to include some first-party coverages like cyber-related business interruption, cyber extortion, and network asset damage.
The cyber market grew further in the 2010s, driven by a number of costly high-profile data breaches, such as the Target data breach in 2014, in which 40 million debit and credit card numbers were stolen, and the Anthem breach in 2015, when cyber criminals stole more than 78 million records. That same year at least 11 healthcare providers’ systems were breached. Cyber attacks continued to increase, and by 2020, multiple major surveys of executives showed companies considered cyber attack one of the top risks they faced in terms of likelihood to occur and severity of impact.
Then the pandemic hit. Quarantines worldwide meant that an unprecedented number of people were now working remotely, which in turn caused companies to use more digital tools. “By the end of 2022, nearly 65% of the global GDP will be digitized,” says Shawn Ram, head of insurance at cyber MGA Coalition. “The shift to digital has made it possible to create, run and scale businesses faster and easier than ever before, but the shift to digital technology has also created a new class of digital risks that are constantly evolving and strike faster—and often with more severity—than traditional risks.”
Indeed, a report by the FBI in 2021 showed that cyber crime had risen by more than 300% since the pandemic began. According to the report, the average cost of a data breach globally has increased by nearly 13% since the beginning of the pandemic, coming in at $4.35 million in 2022, compared to $3.86 million in 2020. This rash of cyber crime, new vulnerabilities from the digital transformation during the pandemic, and the steadily climbing cost of a data breach have triggered a sea change in the market, the full effects of which have yet to be understood.
Frequency and Severity Drove Premiums
Ransomware is widely viewed as the main culprit behind the increased premiums. “Ransomware has definitely been the headliner in the last couple of years,” explains Patricia Kocsondy, head of U.S. cyber and tech at Beazley. “Frequency and severity have been up significantly.”
Ram agrees. “In 2022,” he says, “we’ve seen a significant uptick in the severity of ransomware claims with a number of factors that contribute to it. Ransomware is a thriving business. Threat actors earn more income from ransomware attacks than other forms of cyber attacks.”
While ransomware was perhaps the most popular way for cyber criminals to attack organizations, it was not the only cyber risk that companies had to contend with in the midst of the pandemic. Dara Gibson, alliance manager at third-party cyber-risk management firm Avertium, says that, besides ransomware, she has seen “a lot of bitcoin wallet stealing and a lot of business email compromise. There have also been investigations on disgruntled employees,” referring to employees who cause data breaches as a form of retaliation against employers they feel have treated them unjustly.
Reasonably enough, the losses stemming from ransomware have pushed premiums up as carriers act to maintain surplus and profitability. For example, according to results from The Council’s Q2 2022 P&C Market Index, cyber-insurance premiums have increased by more than 25% for five consecutive quarters, and respondents to the index survey for the past year have all pointed to the increased frequency and severity of cyber claims as the main reason for the rapid premium increases.
“There’s a lot more pricing discipline evident in the marketplace,” says Phil Edmundson, executive chair and chair of the board of cyber insurer Corvus. “The most important thing now is not about growing top line; it’s loss ratio. There is a lot of concentration on making sure that underwriting includes a buffer for a cyber catastrophe load in pricing.”
Underwriting Evolution
Some say the high pricing is simply the result of underwriters’ better understanding of how complex and expensive cyber risk really is. “It is natural as the product develops and the potential for systemic risk comes to the fore that premiums rise to meet the identification of risk,” says Chris Storer, head of the cyber center of excellence at Munich Re. “There is a trend to see this as being in response to ransomware, but this is only part of the story. There is undoubtedly a growing maturity in the cyber insurance market which is driving an increase in security requirements simply to be eligible for insurance cover.”
Edmundson notes that the new underwriting posture shows itself through a requirement for new types of IT security. “There’s a greater awareness, both from brokers and policyholders, of the need for those more robust IT security controls,” Edmundson says, “like multifactor authentication and software systems and email systems that are kept up to date.”
While these new security requirements can be an extra burden for insureds, especially for small and midsize enterprises (SMEs) that may not have the resources or personnel to implement cyber protections in a timely manner, they are nonetheless crucial. “These improvements in security will increase insurability of companies over time and improve the stability of the cyber insurance market,” Ram says. “Many security improvements can come at little to no cost. Therefore, education is key. Cyber risk isn’t exclusively a technology problem. It’s a risk-management problem.”
Dynamic Data Collection
In the past, the cyber insurance industry has struggled with a lack of historical data for underwriting. But Edmundson says there is increasing use of loss trend data to identify causes and types of loss. “This is particularly important in cyber,” he says, “because, unlike most of the other major types of property and casualty insurance, the causes of loss and the types of loss are much more dynamic. Cyber criminals are acting in an entrepreneurial way to find new vulnerabilities.” In Edmundson’s view, the sharing of loss-trend information between carriers and brokers in a timely manner is crucial to keeping pace with the ever-changing nature of the risk.
For the same reason, the use of real-time data for cyber-risk underwriting and management is also becoming much more popular. “Relying on historical data and static forms to predict current and future risk creates gaps in insurance coverage,” Ram says, “especially for businesses that have yet to face an attack and might be perceived as less vulnerable.”
Ram contends proactive monitoring and data sharing are paramount when it comes to protecting insureds and helping them respond to cyber risk. “The use of technology to better understand cyber risk is a trend that will continue,” he says. “Brokers and policyholders will utilize technology to have underwriting information available at greater speed with greater depth than ever before, and technology will hasten the claims process and deliver greater insights to improve underwriting.”
One of the tools policyholders can make use of today is automated patching and software upgrades to ensure their systems are protected. On the underwriting side, access to non-invasive assessment tools that scan the network for vulnerabilities and determine whether necessary protections for the network, such as those against distributed denial-of-service attacks, are implemented allows underwriters to form a more complete picture of the insured network.
Edmundson says real-time digital interaction with policyholders, helping them prevent hacks (and thus claims), is one of the most important trends to follow in the future, since such help can benefit both risk management and underwriting. “The nature of cyber risk, being as dynamic as it is, requires ongoing review of IT security, awareness of security threats, and ongoing communication with policyholders,” Edmundson says. “It involves embracing digital tools. They’re really, really powerful.”
A Risk Management Problem
Despite the improvements in underwriting and greater understanding of cyber risk within the industry, among insureds there remains a significant knowledge gap. A Munich Re survey showed that 50% of respondents who did not have cyber insurance policies said they either did not understand the policy or did not know cyber insurance existed. Undeniable progress has been made in raising awareness of cyber insurance. For example, Edmundson notes the number of people who did not understand the cyber policy or did not know cyber insurance existed used to be 75%. But the industry can still do more. As Ram notes, “This statistic follows what we’ve been seeing, where the uptake rate for cyber insurance is still extremely low, particularly for SMEs.”
Brokers know this is an opportunity to provide value to their clients, Edmundson says. But he adds, “We as carriers have a responsibility to equip those brokers with information, which can be helpful to a broker who doesn’t have typically as much data to consolidate as an underwriter may have. We each have our role in this process.”
Ram echoes the need for open communication in cyber-risk management. “Both brokers and insurers have a responsibility and the ability to educate policyholders on the evolving risk landscape and the available resources that can protect insureds and go beyond traditional insurance policies,” he says. “Brokers and insurers need to have open lines of communication to exchange resources to help educate policyholders and to grant insight into specific risk exposures insurers should be aware of.
“The insurance industry as a whole needs to position cyber security not as a technology problem but as a risk-management problem, where risk transfer and insurance play a critical role in how you approach it just as much as mitigation and prevention. You can mitigate the risk, but that won’t eliminate it. That’s why cyber insurance is becoming a necessary outlet for businesses, particularly SMEs.”
Storer says insurers need to clarify what is insured. “Companies need transparency in terms of coverages and risk selection and a thorough explanation of the product,” Storer says. This deeper understanding of cyber risk, he says, will highlight for insureds the dimensions of the risk they face as well as the critical function proactive risk management plays in concert with cyber insurance.
Kocsondy nods to the deep marketplace expertise many brokers have developed to better serve their clients in terms of cyber risk. “Agents and brokers in the U.S. have spent a lot of time developing their staff and expanding relationships to be able to offer cyber insurance solutions to their customers,” she says. “Cyber insurance is a sophisticated area of coverage. It’s not uniform, and each carrier has a slightly different approach to coverage. Agents and brokers can advise clients about the breadth of coverage that one carrier is offering and how other carriers measure up.”
Government Backstop?
Aside from cyber criminals looking to profit from their attacks, nation-states also engage in cyber attacks worldwide, as indicated in a recent report by the Center for Strategic and International Studies and cyber-security service provider Trellix. Of the more than 800 IT security professionals across the globe interviewed for the report, 86% said they believe their organization has been targeted by a group acting on behalf of a nation-state.
In addition, because businesses and infrastructure are so dependent on interconnected technology, it’s possible for a cyber attack to inflict damage far outside the scope of insurability. “If there occurred large-scale cyber attacks on critical infrastructure, for example, we would possibly be dealing with a catastrophic situation that affects society as a whole,” Storer says. “For such a threat, there needs to exist a contingency plan that is accepted by all stakeholders, and that can only be ensured by government involvement.”
Kocsondy agrees. “Many in the cyber insurance industry feel that makes sense,” she says. “There are some loss scenarios where there’s just not enough money in the insurance sector to cover those losses.” Even still, Kocsondy calls it a “legislative leap to think that the U.S. government would pass a backstop for cyber insurance similar to TRIA, unless something truly devastating happened.”
Edmundson also supports a government backstop, but he warns of the complexities. “There’s an assumption that a lot of cyber-criminal activity is conducted by nation-states, and that does complicate the matter,” he says. “There are legal conflicts around the question of things like war exclusions. But we really don’t expect to see any clarity on those issues, because it crosses into a geopolitical question that involves much more than cyber insurance. I don’t think we’re going to get a lot of clarity from the United States government around whether or not a given cyber event is an act of war.”
Storer, however, says a government backstop could do more than just protect against extreme systemic risk. “We also believe that this could reduce the industry’s uncertainty over certain extreme tail events, which currently limit the capacity in the market,” he says.
The industry can evolve in its ability to underwrite and price risk, Storer says, by developing “a better understanding and modeling of systemic risk and clearly identifying where to draw the line between insurable and uninsurable sources of risk. Uninsurable risks with potentially catastrophic consequences for the whole market—like cyber war—need to be very clearly excluded. Where considered insurable, other systemic exposures need to be underwritten on a conscious basis.”