Driven by ransomware attacks, the cyber liability insurance market has been hardening at a dizzying pace, with increased losses, rising rates, higher retentions, the imposition of sublimits and coinsurance requirements, limited capacity and insurers’ sometimes onerous information demands that must be met before coverage is provided.
While no significant players have left the market, limits have been slashed — often by half — and rates in some cases have as much as tripled. Insurtech cyber insurers have made up for some of the contraction, but there has been a net loss of capacity for cyber risks.
The situation has been exacerbated by the pandemic, with employees working from home potentially more vulnerable to ransomware attacks because of their less secure laptops, experts say.
Meanwhile, privacy regulation and litigation loom as an issue that will eventually demand more policyholder attention, observers say (see related story).
The cyber market’s hardening began in 2019, accelerated in 2020, continued into this year and is now “in the hardest place it’s ever been,” said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber liability practice.
Cyberattacks have not slowed, ransomware demands have become more expensive, and the frequency of attacks has accelerated, he said.
“The cyber market is a little bit like the Wild West right now,” said Dan Burke, San Francisco-based national cyber practice leader for Woodruff Sawyer & Co. “There’s not a lot of rhyme or reason to what’s happening with rates and coverage from one account to the next.”
Ransomware’s explosive growth over the past 18 months is the primary reason for the upheavals in the market, experts say. Criminal gangs in eastern Europe are pursuing much bigger companies than they previously targeted, and it’s unclear when or if the pace of attacks will slow, said Brad Gow, Purchase, New York-based cyber product leader for Sompo International Holdings Ltd.
Last month, it was reported that four ransomware attacks had penetrated water and wastewater facilities in the past year, and federal authorities warned similar plants to check for signs of intrusions and take other precautions.
It is “kind of the 800-pound gorilla in the room,” said Tim Zeilman, Simsbury, Connecticut-based global cyber product owner at Hartford Steam Boiler Inspection and Insurance Co., a unit of Munich Reinsurance Co.
Cybersecurity company Sophos Ltd., based in Abingdon, England, said in an April report that the average cost of remediating a ransomware attack, which includes business downtime, lost orders and operational costs, grew from $761,106 in 2020 to $1.85 million in 2021.
“It has driven a higher frequency of claims and certainly driven a higher severity of claims for most carriers,” and risk aggregation has become “a big problem,” particularly in the technology industry, where an attack can affect all of a company’s clients, Mr. Burke said.
Experts say examples that illustrate ransomware’s systemic dangers include the December 2020 attack on SolarWinds Corp.
James Burns, London-based cyber product leader for CFC Underwriting Ltd., said the July attack on Kaseya Ltd., a major provider of software for small business, led to an uptick in claims.
The cyber liability market is in a period of transition and evolution, and the challenging conditions make the process of obtaining coverage more complicated and dynamic, said Tom Reagan, New York-based U.S. cyber practice leader for Marsh.
Rates are increasing 50% or more and in some instances doubling, while retentions are also doubling or tripling, and cuts in limits to $5 million from $10 million have become “pretty routine,” said Kelly Geary, New York-based national practice leader for executive risk and cyber with EPIC Insurance Brokers & Consultants.
With sublimits and coinsurance applied, insurers may pay only 50% of a ransomware claim and may be sharing in the cost of that claim up to the sublimit, said Mr. Farley of Gallagher.
While no significant players have left the sector, some insurers have stopped writing entire classes of cyber business that they consider problematic, in addition to capping their limits, said Tom Srail, executive vice president, cyber risk team, for Willis Towers Watson PLC in Cleveland.
“Many insurers have effectively decided, if not officially, ‘We’re not going to take new business,’” he said.
Insurers are reconsidering coverage they offer, making sure wordings are clear and avoiding unwanted systemic exposure, or at least more consciously underwriting to reflect the systemic exposure, said Chris Storer, Munich, Germany-based head of the cyber center of excellence for Munich Re. They are also starting to look at the product’s longer-term sustainability, he said.
“Insurers now have more leverage in the marketplace than two, three years ago,” which has allowed them to be more careful about their underwriting and has given them the ability to ask more questions, said Mr. Zeilman of Hartford Steam Boiler.
They are demanding much more information before agreeing to bind the business and seeking assurances that companies have implemented updated cybersecurity measures, such as multifactor authentication and an incident response plan.
“We’ve been getting a lot of follow-up questions, which can consist of three or four sets of queries,” said Christopher Keegan, New York-based head of the cyber liability practice at Beecher Carlson, a unit of Brown & Brown Inc.
Mr. Keegan said Beecher Carlson recommends its policyholders look at the issue six months before their renewal date “to understand where the difficulties are going to be.” He added that “a considerable majority” of policyholders “still usually end up renewing with their incumbent.”
“We’re in for a bit of a bumpy ride” for the next 12 months, said Evan Taylor, Charlotte, North Carolina-based senior vice president at NFP Corp. Prices will continue to increase, capacity will contract, and sublimits and increased retentions will be more common, he said.
Mr. Farley said, however, that with underwriters asking some important questions and organizations becoming more cybersecure, “we may see the market respond in a positive way in terms of lower rates” and offering comprehensive coverage with more favorable terms and conditions.
Privacy regulations add to policyholder concerns
While much of the cyber insurance industry’s focus is on ransomware, privacy regulations also loom as a potential liability issue for policyholders, but they are not getting the attention they may deserve, observers say.
Ransomware has “become a bit of an echo chamber where everything’s about it,” said Kevin McGowan, Chicago-based senior vice president with insurtech Resilience Cyber Insurance Solutions’ cyber underwriting unit.
Significant and influential privacy legislation includes Europe’s General Data Protection Regulation, the California Consumer Privacy Act of 2018 and the Illinois Biometric Information Privacy Act.
GDPR imposes fines on those who violate the privacy and security standards; the CCPA gives consumers more control over the personal information businesses collect; and BIPA requires informed consent before the collection of facial recognition data.
Experts say the private right of action that the laws permit, which allows citizens to sue companies for their alleged violations, is particularly problematic for companies.
The private right of action “really hasn’t hit the insurance market yet in a meaningful way, but I do think it will, and to me there’s a lot of risk that exists for companies in that space,” said Dan Burke, San Francisco-based national cyber practice leader for Woodruff Sawyer & Co.
“If I were an underwriter,” this would be the focus of “the next wave of risk we need to be on top of,” he said.
Pointing to the CCPA and BIPA, Tim Zeilman, Simsbury, Connecticut-based global cyber product owner at Hartford Steam Boiler Inspection and Insurance Co., a unit of Munich Reinsurance Co., said, “I think we’re going to see more of those kinds” of legislation across the United States, “the way we saw data breach” laws spread earlier. Laws like Europe’s GDPR will also likely be introduced, he said.
Lawsuits related to statutes are not yet significant causes of cyber liability losses, but that could change, Mr. Zeilman said.
“They’re a topic that can’t be ignored and cannot be forgotten,” because the focus has gradually shifted since GDPR went into effect in 2018, and has moved from data breaches and mandatory reporting to privacy, said Brad Gow, Purchase, New York-based cyber product leader for Sompo International Holdings Ltd.
GDPR and other laws “are starting to have some teeth, and regulators are starting to enforce them,” said Christopher Keegan, New York-based head of the cyber liability practice at Beecher Carlson, a unit of Brown & Brown Inc.
However, Anthony Dagostino, New York-based executive vice president, global cyber and technology practice, at Lockton Cos. Inc., said ransomware will remain the primary concern of cyber liability insurers.
“I don’t think the regulatory world will ever be” a concern to the extent ransomware has been, he said.