NAVIGATING A HARDENING CYBER INSURANCE MARKET
With risks increasing, insurers look at the broader book of business regarding cyber
By: Lori Widmer
Even the new kid on the block experiences growing pains. Such is the case with the cyber insurance market, which enjoyed rapid expansion and plentiful availability from its infancy through 2018. However, by 2019, carriers were beginning to feel the pressure stemming from more frequent and severe claims, according to a February 2021 Gallagher Market Conditions paper.
When 2020 sent businesses into remote mode, cyber thieves took advantage of the initial confusion and lax cybersecurity practices. According to an FBI Internet Crime Report, there were 791,790 reported complaints of suspected internet crime in 2020, with over $4.2 billion in reported losses. Global costs of cybercrime are projected to increase 15% annually from 2015 to 2025—from $3 trillion to $10.5 trillion, according to the EY 2021 Global Insurance Outlook.
Increased frequency and severity have many predicting tougher times ahead. Marsh & McLennan Agency data show that cyber rates skyrocketed in Q4 2020 by 80% and that, overall, rates increased 65% over fiscal year (FY) 2020.
“The industry was essentially ill-equipped to underwrite for ransom-ware,” says Shawn Ram, head of insurance at Coalition. “As the industry saw more claims than expected, the market began to harden, increasing premiums and reducing coverage. But I’ve seen other carriers pull back coverage and increase pricing anywhere from 40% to 60%.”
Ram explains, “Only entities who feel they can underwrite appropriately, especially when it comes to ransomware, are likely to prevail in the long term.”
The hardening market conditions, says Brian Thornton, CEO of ProWriters, has changed carrier appetites heading into 2021. Those changes, he says, have been driven primarily by claims. “We have seen a pullback in appetite as well as reduction in limits being offered by individual carriers. At the same time, we have seen a healthy focus on cyber risk management controls that clients need to have in place for a carrier to be willing to offer terms. We have also seen significant price increases on good risks with no claims.”
Little wonder, given the pressure on insurance carriers from heightened claims activity. “Cyber insurance is having to respond to the increased risk and cost related to ransomware,” says Ryan Smith, director of sales and customer success for Rigid Bits Cybersecurity. “While costs increase, underwriting is now requiring Multi-Factor Authentication (MFA), encryption, and backups, among other basic best practices to protect businesses from simple attacks. The New York Department of Financial Services released a Cyber Liability Framework earlier in 2021 that recommends a lot of the practices (like risk assessments) that cyber liability providers will need to start considering.”
What’s happening in the market overall? “Total chaos,” says Sheryl Christenson, CEO of Global Institutional Solutions. “There’s confusion and concern from the policyholder. There’s confusion from the agency level, and even from the carriers who are providing cyber. We’ve all been caught in this mixer, and people really are not sure what the best way to respond happens to be.”
But they know there has to be a response, she adds. That too brings plenty of confusion as cyber solution providers came then exited the market, Christenson says. Those vendors who provided a solution for a single event, she says, are missing the larger point—that cyber encompasses a broader landscape that requires a more comprehensive approach to mitigation.
Another reason for the exodus: lack of understanding of the market. Rotem Iram, CEO and co-founder of At-Bay, said prior to 2020, plenty of players were eager to enter the market—both insurers and solution providers. “But once the security issues appeared, many carriers realized they didn’t actually understand this,” he says.
That, Iram says, fed into the competitive pressure that continued to drive decreased pricing and increased coverage. As ransomware activity “doubled in frequency, tripled in severity” last year, Iram says many organizations made the decision to exit the market.
As for new players, Ram sees a dearth. “There have been very limited new entrants into the market,” he says.
Not that interest isn’t there. Ram sees more cybersecurity awareness in both public and private sectors driving demand. Pointing to the Colonial Pipe-line hack, Ram says “All of a sudden, the increased notoriety of cyber security and ransomware caused a lot of interest in purchasing cyber insurance.”
However, with risks increasing, insurers are looking at the broader book of business and making some modifications. As Thornton mentioned, more insurers are expecting better cyber risk controls from their clients.
The claims picture
Ah, but claims. A 2021 Coalition Cyber Insurance Claims Report shows that business email compromise incidents are up a staggering 51% over the first half of 2020. Funds transfer fraud is up 28%, and ransomware, which dipped slightly in the latter half of 2020, increased again in the first half of 2021.
The severity of claims is daunting: Coalition found that the average ransomware demand made to their policyholders in 2021 was $1.2 million, a 170% increase over the first half of 2020. Remote work has increased by 179%, and the amount of funds stolen during electronic funds transfers and remote desktop access points was the cause of a 29% to 40% increase in claims and a 103% increase in claim severity, according to Coalition data.
“Ransomware has been a large driver of claims, but regardless of whether a business pays a ransom or not, a lot of the claims cost is related to IT forensics, legal costs, business interruption, and the costs related to data restoration,” says Thornton.
And ransomware is evolving, he says. Data exfiltration—copying data before demanding ransom—is emerging as a favored approach by hackers. “We have also seen a shift to ransomware as a service which means you may be dealing with a lesser known and less sophisticated group of hackers,” says Thornton. Outside of ransomware, he says, plenty of losses are coming from business email compromise, social engineering, malware, phishing, denial of service attacks, lost devices, and employee errors.
All of that activity has been heightened amid the pandemic-related remote work environment, according to Christenson, who says the biggest claim driver is remote work. “We see it daily. We see a lot of really inappropriate protocols in place around office devices and office tools because they’re wanting to take things home with them,” she says. Thumb drives, she adds, are still being used to transport data, yet cybersecurity measures on thumb drives are rarely implemented.
Thanks to the increased use of remote access tools by remote workforces, Smith says, cyber criminals have amped up their activity. “Phishing attacks and business email compromises are quite common and tend to be most successful when offices lack MFA or security awareness training of staff,” he explains. “This can be avoided by requiring proof of risk-based cybersecurity practices that help businesses identify key areas of risk and to establish a priority for mitigation efforts.”
Delivering a better risk portfolio
The added security risk associated with remote work is pushing insurers to require more from policyholders. That requirement is giving birth to insurance and cybersecurity firms that offer a combination of cybersecurity services and insurance. For instance, At-Bay provides active risk monitoring with every cyber insurance policy, and gives brokers access to a Broker Knowledge Center, a learning hub for cyber risks. Coalition offers a cybersecurity platform for 24/7 monitoring and cyber insurance protection. To help agents and brokers manage the sales cycle and risk management offerings, OneBrightly combines a customer acquisition platform with cyber risk mitigation, incident response, and management services.
“We’re looking at a combination of cyber technology: We’re looking at cyber services; we’re looking at the cyber policy as a bundle, and we’re looking at them from an integrated point of view,” says Philip Gow, managing partner at OneBrightly.
That, he says, is much different from even four years ago. Back then, Gow and his team examined 600 cyber tools. “Of the groups that we were looking at a few years ago, 85% of those companies are no longer in business,” he says. “There was this
great rush where everybody had a tool, but most of them didn’t survive.”
Not that they would survive today necessarily, adds Gow, who says commercial policyholders are more discriminating. “So, they’re really stepping back and saying, ‘We spent a lot of money on tools, and we’ve been breached like three times; what’s going on here?’ They’re asking better questions.”
Reducing claims from inside
They’re also seeking more help from agents and brokers on reducing their risks without tools. “The best way to avoid some of these claims is to get your clients prepared and focused on cyber risk management,” says Thornton. “It really takes organizational commitment to be protected and prepared to respond in the event of an incident.”
Preparations should include the basics, says Gow: nightly backups, encrypted data, multifactor authentication, and endpoint monitoring. Ram suggests that companies adopt some standard practices, including multi-factor authentication, ensuring that remote access is behind a VPN, user training, and updating software and systems regularly.
Selling and servicing cyber
For agents and brokers selling cyber insurance, the road is a precarious one. “Simply, an agent in his own camp—the field is too big,” says Christenson. An agent, she says, cannot become a cyber expert without support. With the right tools and support, however, she says agents and brokers can become “one of the greatest walls of defense on cyber war.”
That starts, says Thornton, with a basic understanding of what clients need. “First, get up to speed on the exposures and the controls needed to mitigate risk.Second, find good partners from vendors to brokers and underwriters that are willing to help. Understand that there is no single solution for cyber risk; the right services, vendors, and policies will vary.”
“Learn enough to educate the client on the areas of risk and factors that attribute to the likelihood and impact related to each risk,” says Smith. “Help them understand how cyber liability insurance can protect them as they work to reduce risk.” He also suggests connecting clients to cyber resources and security firms.
Iram suggests that partnering with specialty cyber insurance brokers can give agents a support team that clients can benefit from. “Partner with a great wholesale broker who knows this product through and through, knows all the markets and knows what policies and coverages are best out there and that can provide a great option for the insured.” He says it can also give insureds the understanding of cybersecurity and risk and help them make better decisions that appeal to underwriters.
Thornton suggests that agents dive in and actively sell the product to “every single client. You will quickly find that if you educate yourself and partner with the right people, selling this product is very easy.”