Insurance market responds to systemic cyber-risk concerns
Here's how to satisfy underwriting requirements in this challenging cyber market.
The cybercrime community is alive and thriving, and organizations of all shapes and sizes remain vulnerable. The most ubiquitous elements of our society — energy, water, health care, education, manufacturing, commerce and government — all are in the cyber crosshairs.
This is a continuation of what we saw in 2021. If we review last year’s major cyber events, there was no slowdown in data breach, system failure or ransomware events. Cyber incidents were also relatively indiscriminate by industry, stretching from media conglomerates to utilities suppliers.
Reports in early December of outages at a major web services provider had a cascading effect on prominent websites worldwide. And 2021's parting gift — Log4J — sent reverberations through the cyber underwriting community with even more ferocity.
The proliferation of the COVID-19 Omicron variant at the end of 2021 also slowed the push to get workers back into the office, thus increasing cybersecurity vulnerabilities. Remote working is directly tied to significant increases in ransomware attacks, as cited by “Combating Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force,” prepared by the Institute for Security and Technology.
The most common cyber claims remain:
- Ransomware attacks;
- Ransomware as a service (RaaS);
- Double extortion (where demands are made for access to decrypted data with a threat of release of confidential information and/or a distributed denial of service attack);
- Triple extortion (adding the threat of attacks against victims’ customers);
- Business email compromise and social engineering; and,
- Hacking and malware attacks that lead to general data breaches.
How is this ever-expanding risk environment affecting the cyber insurance market? Since the cyber market is still relatively young and is being forced to mature at warp speed, we continue to see significant developments in how policies are underwritten, structured and priced.
Carrier developments
There are concerns about systemic or aggregate risk events — situations in which there is a high likelihood of a single security breach simultaneously affecting large numbers of cyber insurance policyholders. Highly publicized attacks against the nation’s supply chain in 2021 fueled an increased concern about systemic risk.
As a result, underwriters are apprehensive about policyholders’ exposure to networks and systems whose controls they cannot underwrite. Carriers are asking more questions about vendor management, single-source suppliers, business continuity planning and reliance on cloud-based applications and infrastructure.
The fear of paying large numbers of claims across an entire book stemming from a common event is the “hurricane” the cyber market is looking to avoid. As a result, once-generous business interruption coverage grants are now being excluded completely by some carriers, and, at minimum, significantly sub-limited by others. We’re also seeing a retraction in the expanded business interruption coverage triggers that were introduced at the end of the last decade to cover IT vendors and even non-IT suppliers.
Carriers are introducing the following measures to solidify loss ratios for stand-alone cyber insurance:
- 30%-150% premium increases, and sometimes higher. The magnitude is greatly dependent on the industry, loss history and information security controls of the particular insured. There’s speculation that increases may level out as early as the second half of this year but, as with anything cyber, future events (technological and political) will play a role.
- Large increases in retentions/deductibles. For middle-market and risk management business in certain industry sectors, a 10x increase is not unheard of. This hasn’t been as prevalent for SME businesses, with the potential exception of Social Engineering coverage.
- Co-insurance ranging from 10-50%, both ransomware event-specific and across the board.
- Introduction of event- or exploit-specific exclusions. Admitted carriers are introducing what we refer to as “Insert name of exploit here” exclusions to enable them to remain nimble within the confines of an admitted filing.
- Hard-line requirements that insureds have remote access Multi-Factor Authentication in force. Underwriters expect insureds to have implemented MFA before applying for coverage.
- Increased use of outward-facing network infrastructure scans and requirements that insureds demonstrate proper configuration of Remote Desktop Protocol (RDP) and secure email gateways.
- Sudden pauses (from some carriers) on all new business writing in response to exploit-specific developments like Log4J.
- A complete exit from new business and non-renewals on lower-performing industry classes, such as public entity/government, utilities, education, manufacturing and construction.
- Continued de-risking to reduce exposure to large-scale events. $10M coverage limits are much more difficult to obtain.
- A shift from admitted to non-admitted policy forms, giving carriers the nimbleness to quickly implement significant premium increases or changes in terms and conditions.
Additionally, some carriers are refusing to write new cyber excess coverage, and more than one carrier has exited the cyber market entirely.
There are also several industry-specific underwriting developments for 2022 renewals. Large public entity risks (> $100M in annual operating budgets) will pay significantly higher premiums for half their previous limits while assuming much higher retentions and more restrictive coverage grants — and this is for best-in-class risks.
Others will find securing coverage difficult or impossible. Pooled cyber risks with a shared aggregate limit are also becoming increasingly difficult to renew, much less create. Some cyber markets are moving away from the manufacturing, construction and wholesale distribution sectors altogether, as they’ve been particularly impacted by ransomware losses and the resulting business interruption costs.
How to prepare clients
In this continually evolving cyber market, it’s critical for brokers and agents to:
- Start renewal discussions early.
- Prepare clients for significant premium increases, higher retentions and sublimits, and new exclusions.
- Make sure clients take the application process seriously. If they have invested significantly in information security during the past year, make sure their investment is highlighted.
- For some markets, only the best submissions even get considered, so reviewing the applications with your insured before submitting can mean the difference between getting or not getting coverage.
- Check the fine print before releasing renewal proposals to your insureds. Important items like Business Interruption waiting periods, which may have remained static for years, are starting to increase, which could become a big deal in the wake of a ransomware attack that leads to business interruption loss.
- Be on the lookout for new exclusionary wording surrounding zero-day attacks, unsupported “end of life” software and the wrongful collection of data. These exclusions have been around for a long time in limited instances, but are becoming more widespread.
- Familiarize yourself with the nuances of how carriers may apply sublimits and exclusions on your renewals.
Cyber resilience is an ever-evolving process and the goalposts are constantly moving. Having a basic understanding of these changes will go a long way towards satisfying underwriting requirements in today’s challenging cyber market.
Steve Robinson (steven_robinson@rpsins.com) is Area President & National Cyber Practice Leader, Risk Placement Services.