Surprises continue in the 2023 cyber insurance market
The cyber insurance market is stabilizing thanks to improved insured behaviors, higher pricing, judicious limits and more.
If the cyber insurance market in 2022 were to be remembered as a song lyric, the line “What a long, strange trip it’s been” from the Grateful Dead song Truckin’ might be appropriate. As the year opened, the ransomware epidemic continued to churn, rates continued to rise, and capacity continued to shrink. The news of the day was usually bad, and questions about market sustainability loomed.
Then, things began to change.
As is always the case in cyber, old threats remained and new ones emerged, but a slowdown in frequency from the number-one threat occurred. Much has been written about the reasons why ransomware attacks began to slow down. They include everything from improved baseline controls by insureds (in part driven by increased underwriting requirements to get cyber coverage) to the war between Russia and Ukraine, forcing an entire geographic hotbed of ransomware activity to shift its focus away from American interests.
Regardless of the reasons, the fact remains that this combination of improved controls by insureds, higher pricing, more judicious limits deployment, higher retentions, selective industry focus from insurers and, yes, fewer claims, created a shifting market dynamic: one that suggested greater stability. At least for now.
The changes have been so stark that it is interesting to take a look back at RPS’s State of the Cyber Market Quarterly Update from Q4 2021. This before-and-now chart demonstrates a few key changes over the past year.
Underwriting Trend | 2021 Q4 State of the Cyber Market | 2023 Q1 State of the Cyber Market |
Premium trends — Primary | Premium increases 30-150%. Certain classes exceeding 400%. | Premiums flat to 20%. Some decreases in the 5% range on more favorable classes. Carriers are more aggressive on new business. |
Premium trends — Excess | 100%-120% ILF | Excess cover easier to obtain and significantly less expensive. 65%-80% ILF. |
Retentions/deductibles trends for middle market and Risk Management (RM) clients | 10x not uncommon | Stable/flat |
Co-insurance | 10-50% for certain carriers, both specific to ransomware event specific and across the board. | New entrants to the market are typically not employing co-insurance. There’s often a reduction in use and percent among those who previously did. Application is often industry specific. |
Systemic risk event/exploit specific exclusions | Just being introduced: Log4j, SolarWinds, Microsoft Exchange, Accellion, specific CVE rating exclusions |
|
MFA | Required, or no coverage for vast majority of markets | Limited easing for more favorable SME classes, but still required from all markets for middle market and risk management accounts. Some MFA vulnerabilities are well publicized. |
Scans | Increased use, beyond insurTechs | Same, but willingness to waive on SME accounts without websites. |
War/terrorism | Not specifically referenced | An increasingly edited coverage due to armed conflict with Russia/Ukraine. Many carriers are scaling back previously wide grants of cover for electronic acts to mitigate loss when associated with a physical war between two nation states. |
Reduction in limits deployment | $10M limit first to go, then $5M limit | $5M limit returning in limited pockets, with talk of $10M limit among a few, for favorable classes of business. Still uncommon. |
Admitted vs Non-Admitted | Shift from Admitted to Non-Admitted, allowing more nimbleness in premium adjustment and coverage T&C | Markets with an admitted product are also seeking a non-admitted version. Many who were exclusively non-admitted are filing admitted versions of their form, recognizing demand for admitted coverage by independent agents, particularly on SME risks. |
Manufacturing, Construction, Wholesale Distribution, Public Entity, Education | Many markets moving away from these classes completely due to loss frequency and severity | Restrictions largely remain, but increased underwriting in Manufacturing, understanding more closely the IT/OT relationship and protections in place, allowing some room for discussion. Carrier specific. |
The two reports present a picture of a market that has undergone significant change in a year. We view this change as largely positive, creating a path for insurer profitability, buyer pricing stability and availability of coverage to meet the growing demand of a corporate world that recognizes the importance of cyber insurance in their risk management portfolio. A recent corporate risk survey from Allianz showed that large and small-to-midsized enterprises (SMEs) still identified cyber as their No. One threat. As a result, it’s important that products are available, priced appropriately and uniquely written to cover the risks today’s businesses face.
Claims trends
Using the proprietary claims data collected from thousands of insureds throughout the year — primarily in the SME space — RPS previously reported on the decrease in ransomware claims frequency accompanied by an uptick in social engineering and fraudulent payment incidents. December’s monthly reporting results, based on RPS’s SME portfolio of insureds with standalone cyber insurance coverage, kept with these trends.
From an industry perspective, due to the array of industry classes insured, it’s more useful to look at the full-year claims results, rather than a monthly snapshot.
Regulatory landscape
In 2022, we began to see a slight increase in third-party claims associated with Illinois Biometric Information Privacy Act (BIPA) and the Telephone Consumer Protection Act (TCPA). It will be interesting to monitor third-party claims in the developing regulatory landscape that 2023 will continue to bring.
As reported by JD Supra, January 2023 ushered in new privacy laws in five states: the California Privacy Rights Act (CPRA), effective Jan. 1, 2023; the Virginia Consumer Data Protection Act (“Virginia Act”), effective Jan. 1, 2023; the Colorado Privacy Act (“Colorado Act”), effective July 1, 2023; the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“Connecticut Act”), effective July 1, 2023; and the Utah Privacy Act (“Utah Act”), effective Dec. 1, 2023.
Generally, these state laws give consumers the rights to delete and access data, rights to opt out of targeted advertising and non-discrimination rights for exercising these rights. The new laws also provide enforcement bodies, including the new California Privacy Protection Agency (CPPA), with resources and authority to enforce the laws. Only California provides a private right of action for consumers in the event of a data breach. Overall, 2023 will see increased regulatory activity in the privacy space.
From a federal perspective, the American Data Privacy and Protection Act (ADPPA) was the first federal online privacy bill to pass committee (House Energy and Commerce) by a vote of 53-2 on July 20, 2022. The bill was intended to regulate how businesses use and store consumer data and provides additional rights to consumers. However, even with bipartisan support, the bill has yet to pass and faces opposition from various legislators who cite enforcement concerns.
At the time of this report, it is too early to tell if the new requirements CPRA imposes will lead to increased third-party litigation.
What to expect in 2023
Unlike the predictable patterns of 2021 and 2022 that delivered drastically increased rates, intense underwriting scrutiny, shrinking capacity and a skittish approach from new entrants, the theme of 2023 is more appropriately described as “dynamic.” Carriers are taking varying approaches to profitably grow their cyber coverage portfolios in the new year. We’re seeing everything from premium reductions and an easing of the strictest underwriting requirements from 2022 for some small businesses to a continuance of the discipline applied last year, in an effort to establish longer-term profitability on books of business that had taken a significant hit since the rise of ransomware attacks.
The good news is, insurers appear better prepared to withstand losses, should ransomware activity return to more 2021 and Q2 2022 levels. After all, data suggests that insureds are better defended, recovery capabilities have been improved, and insurers generally have less exposure to the more frequently attacked industry classes.
Agents can expect to receive more proactively generated cyber insurance quotes from admitted markets that tapped the brakes during the more high-profile loss years. As you once again begin to receive cyber quotes automatically on crime renewals when you didn’t ask for them and low-cost “cyber” endorsements on package policies, be careful. These products will likely bear little resemblance to the ones you might have received in 2020. Industry losses since that time have necessitated significant changes in terms and conditions, the increased use of sub-limits and additional fine print that you may not be accustomed to looking for.
Now, more than ever, it’s imperative that you work with a specialist in the field of cyber insurance. The twists and turns of the last three years have provided great insight to those who place Cyber policies day in and day out. For those agents getting back in, you’ll find that the environment is different — and always changing.
Steve Robinson (steven_robinson@rpsins.com) is the National Cyber Practice Leader for Risk Placement Services.
Read additional thought leadership from this contributor: