10 Top Things to Know About the Cyber Insurance Market

By: | August 5, 2021

Kelly Geary is a Managing Principal with EPIC Insurance Brokers and Consultants based in the New York City area. She serves as the National Practice Leader – Executive and Cyber Risk as well as Coverage Counsel & Claims Leader for Lemme, a division EPIC.

Cyber insurance first emerged as an insurance product in the late 1990s; however, it did not gain any real momentum until about 2010.

Between 2010 and 2020, the cyber insurance market entered its first real growth spurt. Most insurance carriers recognized cyber insurance as an emerging new product and began establishing cyber teams and launching new cyber policies. In what appeared to be a race to gain market share, cyber underwriters broadened coverage and worked to simplify and limit the information needed for underwriting.

During this time, there was ample supply of the product — supply that far exceeded the demand — and there were new carriers entering the market frequently.

Cyber insurance was easy to obtain and based on very little underwriting information. Coverage was broad and negotiable. Premiums were reasonable. These were the “glory days!”

In late 2019 and throughout 2020, we began seeing more and more signs that the glory days of the cyber insurance market were coming to an end. And, in late January 2021, the cyber market abruptly changed.

Increasing frequency, severity and the sophistication of cyber crime — specifically ransomware — pushed the market into a sudden tailspin.

Below are the top 10 things you need to know about today’s cyber insurance market:

1) Rate, Rate and More Rate: Increasing Premiums

Today, companies and firms are experiencing premium increases at renewal of upwards of 50%, depending on company size, industry and security risk profile. In many instances, the increases are in the double digits — 100%+.

If an organization or firm has multiple layers of cyber insurance (primary layer + excess layers), the overall cost for the insurance program will likely be even more significant.

During the glory days of cyber insurance, underwriters offering excess coverage typically applied an “increased limit factor” (ILF) of approximately 60% of the premium of the underlying layer to arrive at a rate for their layer or limit of insurance.

Today, ILFs are coming in at a minimum of 85%, and often even higher. If a company or firm has multiple layers of insurance, that increase adds up quickly.

It is important to note, these increases are not impacted by having strong security controls and no prior claims. Strong network security and data privacy controls are becoming a baseline requirement for obtaining cyber insurance — this is an expectation, not a basis for a discounted premium.

2) Skin in the Game: Increasing Retentions Connected to Revenue

In addition to increasing premiums, underwriters are also using retentions and deductibles as a way of spreading or sharing the risk with the insured.

We are seeing underwriters thoughtfully set retentions based on the annual revenue of the insured organization.

Companies may not be able to use large retentions/deductibles as a way of reducing premium, unless the retention/deductible being requested is in line with the organization’s annual revenue.

Underwriters want to be sure the retention/deductible set is one the company could actually pay in the event of an incident — or multiple incidents within a single policy period.

3) Backing Away on Limits: Decreased Capacity

For the first time since the introduction of cyber insurance, we are seeing markets backing away on the limit they are willing to offer.

Today, most markets will only offer a maximum limit of $5,000,000 on a primary layer of insurance. Organizations and firms that currently have a primary layer of $10,000,000 in cyber insurance may need to restructure that limit or their entire insurance tower into layers of $5,000,000.

We are also seeing more markets readjusting their appetite in general.

Fewer carriers are willing to assume a primary layer on a large tower of insurance (see point 5) and many will no longer take multiple layers on the same insurance program.

4) Exit Stage Left: Carriers Exiting the Market

In stark contrast to the glory days of the cyber market when we saw carriers entering the market frequently, today we are starting to see carriers exit the market.

5) Not As Hungry: Changing Underwriting Appetite

In the glory days of cyber market, carrier appetite could be described as insatiable.

There were “high risk” classes of business — health care, financial institutions, retail, etc. — but even in those areas, most carriers were still “interested” in the business.

Today, carriers are reevaluating their appetite in multiple ways. We are seeing more industry verticals being classified as “high risk.”

For example, most companies operating in the “critical infrastructure” space are likely to be considered high risk today. More specifically, manufacturing and energy.

6) MFA, MFA, MFA (Multi-factor Authentication): Enhanced Underwriting

In the early days of cyber insurance, the underwriting process was rigorous.

Applicants/insureds were required to provide extremely detailed information about network security controls and “security calls” (calls where the underwriter would interview the Head of IT for the organization) were routine.

The cyber markets simplified the underwriting process to make cyber insurance a more approachable and obtainable product for small and mid-size organizations.

Today, the markets are moving back to the more rigorous approach to underwriting cyber risk. Organizations are now required to provide detailed information around network security and their approach to data privacy.

Most markets have multiple supplemental applications that must be completed by applicants/insureds.

The ransomware supplement has become almost standard for most carriers. In addition, many markets are relying on external security scans of the applicant/insured network — looking for open ports and other potential vulnerabilities.

Security calls will be required by underwriters, or may be highly recommended by insurance brokers, on large and mid-size companies, especially those in high-risk industry sectors.

As mentioned in point 1 above, there are some basic controls that underwriters now “expect” to see.

To name just a few: multi-factor authentication, network segregation/segmentation, regular/frequent data backups, backups stored in more than one location, regular/frequent security awareness training for employees, and endpoint detection and response (EDR).

The list is long, varies from carrier to carrier, and is (of course) always subject to change.

7) Just Say No: Declinations More Frequent

As mentioned in various points above, the approach to underwriting cyber risk changed drastically in the early part of 2021. Underwriters are no longer racing to gain market share. In most cases, they are engaging in comprehensive, technical and strategic underwriting. The result is more declinations.

Underwriters are far more risk adverse than they were during the glory days.

Declinations could be based on change in carrier appetite, poor network security controls (perceived or actual), loss history or fear of systemic risk impact to the underwriter’s book. The bottom line is that the underwriters are far more willing to just say “no” today.

8) Perfect Storm: Market Saturation

The current state of the cyber insurance market means most insurance brokers are conducting a full marketing exercise on most all accounts.

When insurance brokers “fully market” an account, they send the company’s application for insurance to as many markets as is reasonable. The cause and effect of this trend is obvious.

The cyber insurance markets are overwhelmed with a flood (maybe tidal wave) of applications. To add insult to injury, basic demand for cyber insurance has increased as well.

So, cyber markets are seeing more volume in general — more renewals applications, more new business applications and requests for more limit.

Cyber underwriters have more work today than they ever had before! Add increased volume to enhanced underwriting (point 6) and you have the perfect storm.

The entire process around getting cyber insurance today is a bit like walking through waist deep water with two 20-pound weights tied to your ankles.

9) Tighten the Belt: Coverage Tightening

As mentioned, the current market conditions for cyber were triggered, largely, by a significant increase in frequency, severity and sophistication of cyber crime attacks — specifically, ransomware.

The increase in ransomware attacks began to build in 2019 and 2020. The global pandemic and abrupt move to remote work environment has greatly accelerated the risk and resulted in a significant increase in ransomware claim activity.

During the glory days of the cyber market, coverage was incredibly broad. Today, cyber markets are working on reining it in.

Step one for most cyber insurers has been to impose co-insurance and/or sub-limits on coverage for ransomware attacks. Some markets will apply one or the other; some markets will impose both.

In either instance, the limitations on the coverage extends to all areas of the cyber policy that are triggered by a ransomware attack – cyber extortion coverage, breach/incident response coverage, business interruption coverage, etc.

10) Pressure: Breach Responders Under Pressure

As noted in point 8 about market saturation, the increase in frequency and severity of claim activity is taking its toll on front-line responders: claims professionals, breach coaches, cyber extortion negotiators, computer forensic vendors, PR firms and more.

Anyone involved in the initial response to a cyber incident is inundated right now with sheer volume. To complicate matters further, ransomware attacks and other cyber crime incidents are becoming more and more sophisticated and complex.

Organizations and firms should be vigilant about overseeing the claims process to ensure nothing slips through the cracks. A strong claim advocate is key — whether that individual is an internal resource or external, broker claim advocate or consultant. A cyber incident of any kind that is not actively and precisely managed can result in a significant increase in financial and reputational harm to the organization or firm.

The bottom line: The glory days of the cyber insurance market are gone; at least for now.

Today, the demand for cyber insurance is stronger than it ever has been, but the supply is constricting. The current market is challenging and rapidly shifting. And, unfortunately, the cyber-related risks faces by all companies, large and small, are at pandemic levels. &

More from Risk & Insurance

More from Risk & Insurance