The cybercrime community is alive and thriving, and organizations of all shapes and sizes remain vulnerable. The most ubiquitous elements of our society — energy, water, health care, education, manufacturing, commerce and government — all are in the cyber crosshairs.
This is a continuation of what we saw in 2021. If we review last year’s major cyber events, there was no slowdown in data breach, system failure or ransomware events. Cyber incidents were also relatively indiscriminate by industry, stretching from media conglomerates to utilities suppliers.
Reports in early December of outages at a major web services provider had a cascading effect on prominent websites worldwide. And 2021′s parting gift — Log4J — sent reverberations through the cyber underwriting community with even more voracity.
The proliferation of the COVID-19 Omicron variant at the end of 2021 also slowed the push to get workers back into the office, thus increasing cybersecurity vulnerabilities. Remote working is directly tied to significant increases in ransomware attacks, as cited by “Combating Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force,” prepared by the Institute for Security and Technology.
The most common cyber claims remain:
How is this ever-expanding risk environment affecting the cyber insurance market? Since the cyber market is still relatively young and is being forced to mature at warp speed, we continue to see significant developments in how policies are underwritten, structured and priced.
There are concerns about systemic or aggregate risk events — situations in which there is a high likelihood of a single security breach simultaneously affecting large numbers of cyber insurance policyholders. Highly publicized attacks against the nation’s supply chain in 2021 fueled an increased concern about systemic risk.
As a result, underwriters are apprehensive about policyholders’ exposure to networks and systems whose controls they cannot underwrite. Carriers are asking more questions about vendor management, single-source suppliers, business continuity planning and reliance on cloud-based applications and infrastructure.
The fear of paying large numbers of claims across an entire book stemming from a common event is the “hurricane” the cyber market is looking to avoid. As a result, once-generous business interruption coverage grants are now being excluded completely by some carriers, and, at minimum, significantly sub-limited by others. We’re also seeing a retraction in the expanded business interruption coverage triggers that were introduced at the end of the last decade to cover IT vendors and even non-IT suppliers.
Carriers are introducing the following measures to solidify loss ratios for stand-alone cyber insurance:
Additionally, some carriers are refusing to write new cyber excess coverage, and more than one carrier has exited the cyber market entirely.
There are also several industry-specific underwriting developments for 2022 renewals. Large public entity risks (> $100M in annual operating budgets) will pay significantly higher premiums for half their previous limits while assuming much higher retentions and more restrictive coverage grants — and this is for best-in-class risks.
Others will find securing coverage difficult or impossible. Pooled cyber risks with a shared aggregate limit are also becoming increasingly difficult to renew, much less create. Some cyber markets are moving away from the manufacturing, construction and wholesale distribution sectors altogether, as they’ve been particularly impacted by ransomware losses and the resulting business interruption costs.
In this continually evolving cyber market, it’s critical for brokers and agents to:
Cyber resilience is an ever-evolving process and the goalposts are constantly moving. Having a basic understanding of these changes will go a long way towards satisfying underwriting requirements in today’s challenging cyber market.
Steve Robinson ([email protected]) is Area President & National Cyber Practice Leader, Risk Placement Services.