Cyber Coverage Hits Landmark, but Challenges Remain
Underwriters are not matching the superiority of hackers versus their clients’ cyber protection systems.
- Lance Ewing
- October 2022
Three engineers, one electrical, one chemical and one computer, were riding in a car when it suddenly stopped running. The electrical engineer recommended stripping all the electronics out of the vehicle to fix the problem. The chemical engineer suggested flushing the fuel line. The computer engineer said, “Let's just turn off all the systems, wait two minutes, and start it back up again.” Or so the story goes.
Today's computers, laptops, phones and electronic devices are so technologically sophisticated that they come with a plethora of protective software and firewalls to defend the device and hopefully the network the device is using.
Cyber insurance coverage celebrates its 25th year of existence in 2022, dating to 1997 when the American International Group issued its “internet security liability policy” that spring. Not only have the policies changed dramatically over those 25 years but so have the exposures, the risks, the claims and the premiums. The global average cost of a data breach is US$4.35 million in 2022, according to the Ponemon Institute.
Along with these increases, the cost of cyber insurance premiums has skyrocketed. These increases reflect the numerous claims that have occurred and affected not just major corporations, but middle-market and even small businesses. According to the U.K.-based cybersecurity company Sophos, cyber insurance rates for 2021 had risen the most in the following industries: energy/oil/gas and utilities; media/leisure/entertainment; professional services; IT/technology/telecoms; financial services; and public sectors. These industries have become bigger targets for hacker and ransomware attacks, which in turn has been driving higher cyber premiums.
However, there are insurance carriers who also bear some responsibility for the most recent staggering premium increases. Underwriters are not matching the superiority of hackers versus their clients' cyber protection systems. They are not asking deeper, probing questions in the submission applications, and the consequences of this omission then become the root of the ransomware claim. This has led to substantially higher claims reserves and claim payouts reaching new altitudes. The result is an increase in premiums, lower limits, higher required deductibles and an escalation of exclusions in policies and, in some cases, even denial of coverage, as well as the now-voluminous underwriting submission package.
With these changes, boards of directors, C-suite executives, chief information security officers and risk managers discuss larger cyber insurance premiums, higher deductibles, fewer limits and the risk appetites and cyber hygiene of their companies for this coverage. Some good news in 2022 is the indication that the cost of cyber insurance premiums may have begun to flatten slightly. While welcome news for clients, is it too late for the carriers who took a harder line in the hard cyber market?
Businesses have begun to look at and embrace alternatives to the traditional cyber “pay and pray” (pay the high premiums and pray nothing happens during the policy year) approach. Putting cyber exposures in captives, risk retention groups, cyber parametric bonds, and self-funded cyber capital reserves are just a few of the financial risk alternatives that are being explored and implemented by clients. Some privately held entities are even considering going naked instead of paying the premiums, even if their renewal is flat or slightly reduced.
The cyber insurance market may be celebrating 25 years of existence, but the aging process has been anything but a smooth ride. Let's see what the next 25 years will bring.
Best’s Review columnist Lance Ewing is vice president, enterprise risk management and operations for the San Manuel Band of Mission Indians. He also is a former president of the Risk and Insurance Management Society. He can be reached at email@example.com.