As the cyber insurance market continues to change and evolve, looking at trends and influences happening in 2023 can help businesses better assess how to address ongoing risk, and plan accordingly.
Over the past two years, the cyber insurance market experienced large volatility with sometimes as high as triple-digit increases in premiums paid, driven by the growing demand for cyber insurance against higher loss ratios for cyber insurers. Cyberattacks throughout 2021 and 2022 included business email compromise, wire transfer fraud, and perilous large-scale ransomware events that left carriers facing unprecedented large payouts. In 2022, the addition of the uncertainty around unknown data threats that could possibly emerge from the Russian-Ukraine conflict added to tension regarding a global threat landscape. Post-COVID leftover supply chain woes and insufficient IT security staffing also added to the strain, as carriers faced concerns about systemic multi-tier loss exposure. Overall, for the past two years, rising demand for cyber insurance from organizations seeking protection from network security and privacy threats, particularly ransomware, rubbed up against large loss ratios and carrier concerns over the complexity of insuring against the moving targets placed by cybercriminals.
In 2023, we are seeing a shift from the pain of the last few years. Volatility in cyber is moderating as conditions begin to stabilize.
A number of positive factors have impacted this, including an increase in appetite strengthened by new capacity in the market. While industry experts expect cyber insurance price increases to continue, they have decelerated to the lower double-digit (and in some cases single-digit) range. Of note, carriers do not expect cyber threats to decrease—cybercriminals will continue to find new ways to monetize their efforts—but underwriters are further evaluating applicants with stricter requirements around cyber security protocols, more stringent cybersecurity posture expectations, and applying increased security in the underwriting process with additional technology solutions to validate control responses on insurance applications.
Other recent developments in cyber include retentions leveling off as insurers are expecting companies to take on some of the risk in a partnership approach to potential loss. Limit profiles are shifting as well, with carriers feeling comfortable with increasing their capacity and choosing to adequately price a risk for the exposure. We anticipate to continue to see many $5M limits, with potential for larger limit purchases at higher excess positions.
There has also been closer examination in the insurance arena of what would happen if a cyber breach is considered an act of war between nation states, which was very much a consideration in the uncertainty about possible far-reaching digital threats from the conflict between Russia and the Ukraine. In 2023, we saw the Lloyd’s Market Assocation begin to tackle these exposures with cyber war exclusions, and some domestic carriers have followed suit. In 2023, carriers continue to assess the threats of “cyber warfare” and “cyberterrorism”.
Concern over privacy is intensely monitored in the cyber market as data theft and breaches can endanger an organization’s survival and also result in consumer exposure and possible litigation. This is an area of continuing regulatory oversight as privacy laws are updated at the state level, making it extremely difficult and pertinent to appropriately comply with the various state requirements should an incident arise, as the state laws of the state for which each affected individual applies.
In 2023, carriers will continue to take a closer look at aggregated risk and systemic exposure, which may come into play when a security data breach, particularly in the case of a high-risk infrastructure such as a hospital or tech company, would have a waterfall effect and possibly cascade down to other companies.
While the changes in cyber can feel overwhelming, these developments are part of an important growth pattern. Cyber insurance continues to respond to claim activity and the sophisticated threat landscape to respond to increased demand and better protect clients. This maturation reflects a growing appreciation of the nature of risk, and the significant economic cost of cyberattacks.
Looking ahead to the rest of 2023, the cyber market will continue to evolve. The industry will navigate changing underwriting processes, coverage developments, and increased regulatory influence, as mentioned above. As the landscape changes, carriers may consider new exclusions, coinsurance, and changes to policy structure.
For organizations that want to protect themselves, addressing security and privacy exposure can be one of the most challenging aspect of the cost of doing business—understanding that today’s threat environment will be different than tomorrow’s. Ongoing vigilance is required. Simply put, successful organizations cannot afford to sit still.
How much cyber insurance is right for your organization? That depends on an individual assessment. Having cyber insurance coverage has become critical for many organizations, given ongoing cyberattacks and the potential financial impact. Cyber clients are assessed by carriers for having multiple security controls in place including multi-factor authentication, employee training, robust backup strategies, formalized patching cadences of critical vulnerabilities, and a documented and tested incident response plan (just to name a few).
Most important, however, is the understanding that an in-depth cyber risk assessment is a critical component of every company’s business continuity and recovery efforts. Being prepared for a worst-case scenario will ensure the protection and ongoing health of your organization.
We also recommend that you take our Graham Cyber Blueprint® – a quick questionnaire that will help you see areas for improvement and general recommendations for next steps to improve your company’s cyber liability posture. These recommendations come from subject matter experts in risk management, insurance, and technology.
If you are interested in hearing more about how cyber liability insurance can reduce your company’s risk regarding online threats, now or in the future, please reach out to your Graham Company service team.