Those seeking shelter from the cyber-risk storm can take some comfort. The insurance market is maturing. Underwriters have gathered enough loss data to select and price risks more granularly.

Coverage is expanding to include an ever-growing array of cyber exposures. Demand for cyber products has increased, especially after headline-making denial-of-service and ransomware attacks, and plenty of carriers are willing to offer capacity.

According to a 2019 market analysis by Grand View Research, the global cyber insurance market size was worth $4.3 billion in 2018 and may be valued at nearly $16.7 billion by 2024.

Despite this, the industry’s growth has been stifled by persistent lack of awareness of cyber exposures — especially among small- to medium-sized enterprises (SMEs) — and lack of appreciation for the value of a cyber policy. Efforts to correct this misconception have also been thwarted by the lack of a common lexicon.

Here’s a look at some of the ways the market has strengthened over the past few years, where it’s headed and what challenges stand in the way.

Exposures and Coverage Are Expanding

Ransomware attacks and resulting business interruption were not contemplated in early cyber policies. Cyber insurance was built to deal with privacy issues and costs stemming from breach of records, including notification, forensic investigation, credit monitoring and customer lawsuits.

And while data breach is still a significant exposure — the average cost of a data breach in 2019 was nearly $4 million, according to an IBM study, and nearly 4 billion records were exposed in the first half of the year alone — it is surpassed in frequency by ransomware attacks.

Through the first three quarters of 2018, 151.9 million attacks were reported, according to a report by cyber security firm Sonic Wall.

Cyber claims have shifted away from first-party privacy exposures and are now more likely to revolve around business interruption, contingent business interruption and related expenses.

“Insureds and their brokers have focused more on business interruption risks in recent years, with an increased scrutiny as to what their policies cover, as losses to insureds have shifted from privacy-related losses to business income-related losses,” said Terrence Tracy, managing director and executive vice president at Conner Strong & Buckelew.

“It really wasn’t until 2017 that we started to have business interruption claims, and they seem to be coming in more regularly than the large data breaches,” said Tracie Grella, global head of cyber risk insurance, AIG.

Evan Fenaroli, cyber liability product manager, Philadelphia Insurance

“Ransomware-triggered losses increased over the last two to three years, and that trend is continuing,” Grella added.

New loss drivers have also led to expansion of coverage.

“Terms and conditions have largely been broadened in favor of the policyholder — a result of the hypercompetitive SME market for the past several years,” said Evan Fenaroli, cyber liability product manager, Philadelphia Insurance.

“This [not only] includes the softening or outright removal of exclusions but also the addition of new coverage grants and enhancements, such as social engineering fraud, hardware replacement coverage and reputational damage.”

Demand and Limits Are Going Up

The ubiquity and well-publicized impact of ransomware attacks has had the positive effect of driving increased take up of cyber insurance. According to a recent report by Marsh & McLennan Companies, the take up rate among its clients doubled from 19% in 2018 to 38% in 2019.

“Securing a $100 million tower can now be accomplished with relative ease, and this wasn’t always the case several years ago. With the rise in ransomware severity, we are seeing demand for higher limits among all sizes of organizations,” said Steve Robinson, national cyber practice leader, Risk Placement Services Inc.

“As that demand continues to grow, more carriers have come into the market. Some have offered more capacity or built programs with reinsurers to offer larger blocks of capacity. Brokers have done the same thing, organizing groups of carriers to build large towers more quickly,” Grella said.

“We get opportunities to look at towers attaching at $200 million to $300 million on a regular basis.”

“One key area of divergence is coverage for business interruption. Everyone does it a little differently — how it’s triggered, how the loss is calculated and who in the supply chain is part of the loss.” — Marcin Weryk, cyber underwriter, AXA XL

Carriers are not only offering more capacity but also more services as well. More investment has been directed to the development of pre-breach cyber security solutions and partnerships.

“Over the last five years, insurers have begun offering more proactive services to help companies identify and minimize potential vulnerabilities, providing them with consultants who will rehearse tabletop exercises, build response plans and recommend security updates.

“Most policies don’t come with this level of service and technology tools,” Grella said.

Utilization of Growing Data Stores

One of the biggest changes in the cyber market, however, is the development of meaningful data. Now that losses and claims have accrued, there are opportunities to put the information to work. Modeling of cyber losses, while still in its infancy, is a primary area of focus.

With more data, insurers can better quantify, select and price cyber risks.

“We now have 20 years’ worth of claims, so there is a lot of investment going into modeling. Insurers are better able to benchmark risks against the rest of their portfolio and move towards risk quantification,” Grella said.

The growing volume of data will also feed more granular underwriting and is likely to drive some tightening of terms and conditions and rising rates.

“Underwriters have a lot more data, and we’re starting to ask more relevant questions,” said Marcin Weryk, cyber underwriter with AXA XL.

“As a result, we are seeing a general tightening in the underwriting process, restrictions on certain industry classes, increased premiums in certain sectors, increased retentions and even outright exclusions for those insureds that demonstrate a lack of preventative measures,” Robinson said.

“The industry is currently at an inflection point where a greater understanding of the exposure and actual loss experience are starting to shape the underwriting and pricing of the risks — rather than sheer market capacity, demand and competition,” Fenaroli said.

“In this sense, I do think that buyers may no longer be seeing as much coverage expansion or innovation as they have in the past two or three years,” he added. “At the same time, equipped with much more experience in adjusting and paying losses, this represents an opportunity for carriers to demonstrate the true value of the coverage.”

Disproving Myths that Cyber Policies Don’t Pay

The true value of the coverage has been at the center of some debate in recent years, fueled by a lack of common terminology that feeds misinterpretation of policy language.

The confusion has had a real impact on industry growth. Despite strides in building risk awareness and recent boosts in uptake, still only about 50% of companies are buying cyber insurance.

The issue ultimately stems from the way the word “cyber” is used in the media and conflation of cyber-triggered events versus cyber losses.

Many non-industry folk classify any loss stemming from the use of a computer as a cyber loss.

Social engineering fraud provides a good example. Because the scam is carried out via digital channels, it gets categorized as a cyber loss.

But the loss is the theft of funds, so coverage is likely to be found under a crime policy. If the claim is denied under the crime policy, the case may be described as the denial of a cyber claim, creating the misconception that a cyber policy failed.

Tracie Grella, global head of cyber risk insurance, AIG

“When we say ‘cyber’ in the insurance industry, we are typically talking about network breaches and network interruption and the related mitigation costs that extend to these breach events. If you buy a cyber policy, it’s usually one that is designed for the types of non-physical losses resulting from a cyber security event.

“Often times, when there is a denial of coverage for a cyber-triggered loss, or a technology-related loss, we’ll see headlines that the cyber claim was denied.

“But it may be that the organization did not have a cyber policy to begin with, or a data breach did not occur, or the claim was denied under a traditional P&C policy — property, casualty, crime, errors and omissions or K&R, for example, that were not designed to cover cyber,” Grella said.

“If we didn’t use the term cyber at all, it would make messaging easier,” she added.

According to Marsh & McLennan’s cyber claims report, U.S. insurers paid cyber claims to the tune of $394 million in 2018, up from $226 million in 2017.

“For many of the headlines claiming that cyber insurance policies didn’t pay, it turned out they were not actually cyber insurance policies at all. Rather, they were disparate policies with ‘cyber’ add-ons that contained questionable exclusions,” said Robinson.

“As someone who has a front row seat watching hundreds of cyber claims each year, I can assure you, the policies are paying, and they are restoring organizations to operational normalcy in ways they never could have realized without insurance.”

An Industry-wide Need for Common Terms

The lack of policy standardization also confuses potential buyers. While carriers like to craft their own language as a point of differentiation, the use of different terms from one policy to the next can leave insureds uncertain of the coverage.

“There are still a lot of variations among standard policies. One key area of divergence is coverage for business interruption,” Weryk said.

“Everyone does it a little differently — how it’s triggered, how the loss is calculated and who in the supply chain is part of the loss.”

Privacy triggers can also vary. Some policies cover expenses related to suspected privacy violations occurring; others won’t kick in unless an actual breach has been confirmed.

“That’s a nuance people need to pay attention to,” Weryk added.

Exclusions for acts of war or terrorism are increasingly under the spotlight as well. The Mondelez v. Zurich case — though not involving cyber insurance at all — raised the question of what constitutes an act of war.

Mondelez was a victim of the NotPetya ransomware attack and filed a claim under its all-risks policy. The claim was denied due to the policy’s war exclusion, because the attack was launched by the Russian military.

The question of whether this exclusion should be included in standalone cyber policies and how it should be applied is a point of contention.

Nadia Hoyte, national practice advisor, executive and professional risk solutions, USI Insurance Services

“We’re seeing more nefarious acts by state actors. We have enemies in the world,” said Nadia Hoyte, national practice advisor, executive and professional risk solutions, USI Insurance Services.

As the potential for cyber warfare grows, companies that accept this exclusion in cyber policies — without appropriate modification — may be hung out to dry if they become a victim of such an attack.

“I think carriers need to work on common forms and terms,” Hoyte said.

Weryk also believes the industry needs to work toward a consensus on how other policies deal with “silent” cyber coverages. Many carriers have taken a stance, either excluding cyber-related events altogether or positively affirming coverage via specific cyber endorsements and enhancements. But a unified approach could provide some clarity.

“I look forward to that happening in the next 12 months or so, because it does need to happen,” Weryk said.

What’s Next

The continued growth of the cyber market will depend on the success of education efforts.

Many brokers and carriers agree that risk managers understand cyber risk and available coverages well enough; the challenge is educating the C-suites. SMEs also lag behind large companies in purchasing the cover.

This market suffers more cyber attacks than its larger counterparts, and it will likely be a new product focus for cyber insurers.

“Data protection and cyber risk awareness has greatly improved for many large business sectors, yet we still see too often a huge gap in the understanding of cyber exposures and how to mitigate those risks in smaller sectors that are just as vulnerable, perhaps even more so,” said Melanie Tullos, vice president of ProAssurance Agency.

Specialized, industry-specific products are also likely to become the norm.

“There’s a lot more specialization and products tailored to address specific needs, especially for medium-sized businesses,” said Mark Voronin, managing director, West Coast, with Charles Taylor Adjusting.

“Scenarios/losses can take many forms, but I think, over time, the winners and losers will be dictated by competition and free market forces.” &