Risk Replacement Services (RPS)
The U.S. cyber insurance market is in a standoff, with increased demand, but low supply.
The insurance companies are willing to write less coverage, but at a significantly higher rate.
Over the past year, the COVID-19 pandemic, increasing frequency and severity of ransomware attacks have put pressure on the U.S. cyber liability market, creating an imbalance between coverage supply and demand.
Using technology in the workplace has broadened and deepened cyber exposures, and data breach notification laws have increased the demand for cyber coverage.
Data breach notification laws brought this exposure front and center for many companies and the cost per record for data breach notification was one of the most common coverage questions we would receive.
Business email compromise is a popular type of social engineering that typically asks employees to pay an invoice or change their payment method.
In 2014, the FBI's Criminal Crime Complaint Center received a total of 1,495 complaints. By 2019, there were 19,369 complaints and $1.8 billion in losses.
Cyber insurance claims continued to grow as more data was exposed. However, the claims were relatively modest.
In 2020, insurance companies realized that ransomware claims would impact their bottom line. Cyber loss ratios jumped from 44.8% in 2019 to 67.8% in 2020.
Claims for cyber-induced business interruption (BI) started to soar, and capacity restrictions started to grip the market.
Cyber liability loss ratios were climbing, and some insurance companies found they could no longer purchase reinsurance from their reinsurers.
Insurers that issued $5 million cyber liability policies in 2020 now issue $1-3 million policies and agents are scrambling to build cyber liability coverage towers.
Cyber liability exposures continue to evolve, with ransomware attacks multiplying significantly and becoming more targeted.
The days of botnets and demands for hundreds or thousands of dollars are over; today's attackers are more targeted and sophisticated.
Ransomware has become a viable target for small to midsize companies because they are willing to pay to get access to their critical data.
Paying ransom for decryption keys is only one part of the cost of ransomware; hackers also demand payment to prevent the release of customer data.
The FBI requested a $40 million increase in its cybersecurity budget for 2021, in response to the Colonial Pipeline attack.
In response to the market conditions, cyber insurance underwriting has become more strategic and reflects the current cyber exposures.
Insurance companies now ask detailed questions about a company's information security practices through supplemental application forms, including questions about biometric information, IT vendor vetting process, and cybersecurity training for employees.
Advanced technology has made manufacturing companies more productive and globally competitive, but it has also increased entry points for hackers.
Insurance companies are setting IT infrastructure minimums to qualify for cyber coverage, but many companies didn't have time to implement those controls before their policy renewal date.
MFA requires that a user provide a password and a device to gain remote access to applications, servers or networks.
Although insurers simply won't underwrite a cyber policy without multi-factor authentication, they may also impose sublimits or even exclusions on cyber extortion and BI resulting from ransomware events to control their loss ratios.
Insurance companies are using scanning technology to assess security and develop a metric-based estimate for a potential cyber attack.
Even with the right controls in place, organizations are unable to secure cyber insurance at 2020 rates. Carriers are increasing premiums, and lowering coverage limits in industries that have been hit by cybercrime.
The COVID-19 pandemic and its related office closings caused millions of U.S. employees to work from home, which widened the number of entry points for hackers.
Small businesses were hit by BEC related to the federal Paycheck Protection Program. Perpetrators used publicly available information to identify PPP loan recipients and sent emails requesting sensitive information.
Wire fraud and social engineering are more likely to occur with workers at home, as they lack the safeguards created by casual interactions with colleagues.
In the current market climate, the outlook for cyber insurance is grim, but most insurance companies will be able to maintain a steady cyber book in the future.
Solano agrees that insurance companies need to continue to offer cyber coverage in the long run.
Insurtechs have entered the cyber insurance market and are starting to follow traditional carriers in incorporating technology into their underwriting process.
Behr advised insurance companies to become better at determining what a good risk is and write that business.
If the balance between capacity supply and demand returns to equilibrium, sublimits on ransomware will continue to exist. These sublimits will act as a deterrent as well as a means of controlling loss ratios.
Insurance agents need to keep up with the constantly changing nature of technology, and cyber policies are becoming more complicated.
Agents should become familiar with application language such as MFA, RDP, and proper back-up procedures. They can also tap into available expertise by working with colleagues.
Smaller organizations and those in sectors like construction and manufacturing, need to put a greater focus on network security. Nick Carozza (RPS Area VP) recommends that small businesses and organizations either consider outsourcing their network security to a third-party provider, or at least augment their existing staff with outside expertise. Employee education is another critical area for organizations to address.
The current state of the cyber liability market is actually a functioning market and the challenges we are experiencing are an opportunity for agents to help their clients reduce their risks.
Many insureds need to take more active roles in protecting their organizations' information security.
There is no question that the cyber liability market is challenging. The partnership between IT, government, insurance and private enterprise will need to remain strong to continue to innovate in this increasingly critical coverage area.
RPS cyber experts have helped businesses across a broad range of industries find coverage for cyber exposures of any size.
RPS is a specialty insurance products distributor offering clients solutions in wholesale brokerage, binding authority, programs, standard lines, and nonstandard auto.
In this business, we handle so much sensitive personal and private financial consumer information that we have to be vigilant about staying on top of cyber security. From phishing attempts to identity theft to ransomware attacks — everyone is a viable target and should be prepared. Check out the 2022 Issue 1 of Smart Choice Magazine for tips on protecting yourself and your clients from cyber threats.