June 17, 2022
Cyber insurance has undergone continuous change over the past decade and evolved into one of the most complex and important coverages an organization can have in their toolbox. The cyber insurance market is challenging and volatile, however, with enterprise-wide adoption of proper protocols, an organization can weather the storm.
Policy Evolution
Initial protection for cyber-related risks was covered by “silent” cyber coverage buried in other insurance policies such as property, general liability, professional liability and/or kidnap & ransom.
As businesses’ reliance on technology grew, insurance carriers gained awareness of cyber-specific risk and silent cyber coverage were replaced by standalone cyber policies.
When standalone cyber insurance was first introduced insurers largely saw the revenue potential and focused on gaining market share. This created a competitive environment with overly broad policies and competitive pricing. What insurers may not have fully appreciated, or priced in, was how large and expensive cyber losses could be.
In recent years, as threats and incidents escalated so did cyber claims—in the form of more frequent and larger loss payments. Threat actors have been relentless as gains from their endeavors have increased. Insurers are taking corrective action on their portfolios by increasing premium rates, increasing retentions, adding restrictive language and carefully underwriting risks.
Growing Threats and Issues
The following issues are driving industry-wide change.
- Mounting Claims: Due to increased frequency and severity of ransomware attacks, cyber claims have rapidly grown in scope and expense.
- Regulatory Action: The regulatory environment and enforcement of associated fines/penalties continues to evolve, notably at the state level.
- Expanding Attack Surface: The shift to a largely remote workforce due to the pandemic created additional points of entry for threat actors.
- Systemic Risk Potential: Many businesses rely on similar third-party vendors for outsourced services. If a threat actor were to target a crucial vendor, like Amazon Web Services, that would have a widespread impact, potentially compromising thousands of businesses simultaneously.
Looking Ahead: A Reason for Optimism
Despite hardening market conditions in 2020-2021, there is reason to believe that rates may soon start to plateau for insureds who meet the carriers' standards and display ongoing cyber security efforts. In the fourth quarter of 2021, there was a slowdown in ransomware attacks. At the same time, many businesses were better educated about potential threats and implemented controls to mitigate such incidents. However, for businesses that do not meet the minimum standards or make the necessary investments, cyber insurance may no longer be a feasible option.
The stability of the market could be quickly derailed by a large-scale systemic event or the current Ukraine and Russia conflict.
Stay Informed, Stay Alert
The future of risk in the cyber landscape will require businesses to institute best practices, which will continue to change, and to continually educate themselves and their employees.
Any business that purchases cyber insurance should utilize the onboarding process with their carrier in order to understand the services at their disposal. By working closely with their broker and carrier, businesses can get the most out of their policy.
Stay informed, stay alert and stay tuned.
Want to learn more?
Find Rob on LinkedIn, here. Find Kathleen Curley on LinkedIn, here.
Connect with the Risk Strategies Cyber Risk team at cyber@risk‐strategies.com
Email us directly at rrosenzweig@risk-strategies.com or kcurley@risk-strategies.com
Throughout 2022, Risk Strategies experts are exploring the evolving nature of risk in-depth, exploring predictions and considerations across industries. Join us as The Future of Risk series continues.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.