Comingled incidents and new attacks pose challenges

Adoption of bring your own device (BYOD) policies combined with wider acceptance of remote and hybrid work during the past several years have reduced the digital divide between work data and home.

While these trends have created greater convenience for employees and generated several advantages for businesses, they have also blurred the lines between personal and business cyber incidents. That comingling of risk has evolved into a major issue for insurers — which is only expected to grow in complexity during the coming year.

Cybercriminals can more easily access corporate data by attacking the personal networks and devices of employees, which often do not have the same cyber defenses as the company. When such claims are made on a cyber policy, it can be a challenge to determine liability and coverage.

Another murky coverage area involves evolving trends related to financial fraud incidents. The sophisticated social engineering techniques now used by criminals are extremely effective at convincing employees to send company funds. While fraudulent payments made by employees may appear to be covered by a traditional errors and omissions (E&O) policy, that’s not necessarily the case. In fact, TransUnion’s analysis indicates 92% of all commercial claims denied in 2023 were rejected because of a lack of commercial social engineering coverage.

How to improve insurer and policyholder experiences

To handle such instances of financial fraud, claim specialists must analyze incidents and decide payouts based on potentially ambiguous terms and exclusions. If the insured party has multiple policies with several insurers, the waters become even muddier.

For the claims specialist, insurer and policyholder, the entire experience becomes less than ideal. By incorporating the following practices into their cyber programs, insurers can help ease the pain:

• Review cyber policies annually: Make sure cyber endorsements and riders are up to date. For too many, the packaged policies were developed a decade ago and don’t cover risks such as ransomware, the top claim type made in 2024. Similarly, limits have often not kept pace with the ever-increasing costs of cyber incidents, let alone reflect recent inflation costs. The good news is insurers have a model for frequent updates to cyber policies. Because carriers’ product and sales teams are incentivized to maintain marketplace relevancy for standalone cyber policies, these products are less likely to fall behind. Insurers should consider applying the same annual assessment process common in standalone policies to cyber endorsements and riders.

• Develop blanket cyber policies: Insurers historically have benefited from blanket policies with competitive advantages, improved customer retention, enhanced risk management and premium revenue. Cyber insurers can gain similar advantages by covering multiple people, businesses or accounts under a single limit instead of covering each individually.

• Eliminate unambiguous language: Transparency helps earn the trust of policyholders, so insurers should be explicit about what is covered and what is not. Overly broad language can confuse and worry policyholders who fear there may be too many threats not covered by any grey areas in a cyber policy.

• Promote ancillary services: Aside from reimbursing policyholders for financial losses, the best cyber insurance policies include support before, during and after an attack. For pre-incident services, Munich RE found policyholders most seek firewalls, anti-malware tools, system backups and password managers. After an incident, they want data restoration support, 24-hour hotlines, legal services and consultation in cases of extortion.

Clear expectations help breed cyber success

Convincing policyholders that cyber coverage is a strong and justified investment does more than help an insurer’s bottom line. It can also reassure personal and commercial lines policyholders they can withstand the cyber risks they face. Developing and strengthening your program with easy-to-understand products that address market realities can go a long way toward putting much-needed cyber protection in the hands of more individuals and organizations — while building the resiliency of your business.

For additional insights into how the latest trends are going to impact the cyber insurance market next year, read our new 2025 Cyber Protection Challenges and Opportunities eBook.