Sponsored: AXA XL

A Cyber Insurance Backstop? Hold On — We Need to Build Resiliency First

Skyrocketing cyber insurance rates have many wondering if a federal backstop is needed. Experts say we need to tackle cybersecurity controls first.
By: | June 1, 2024

Insureds felt the pain of major cyber insurance rate increases in 2021 and 2022. Premiums jumped 50% in 2022, Bloomberg reported, as hackers launched more frequent ransomware attacks and other cyber intrusions.

The good news? We might be starting to see the calm after the storm.

Today, cyber insurance prices are moderating — rates flattened or decreased in 2023, even as the number of ransomware attacks rose — and are expected to continue to stabilize into 2024. Still, some insureds are concerned about how the line will mature and whether more support is needed.

“While we have insights from the past, predicting the future is difficult,” said Michelle Chia, chief underwriting officer for cyber in the Americas at AXA XL.

Enter public-private partnerships. Governments and insurers can work together to foster stability in the cyber space. A mix of regulations and a (potential) government backstop could provide needed protections now that cyber is a risk that affects every industry.

We’ll dive into what that could look like in a moment. First: Companies in all sectors will need to step up their cybersecurity game.

Building Much-Needed Cyber Resilience

Michelle Chia, Chief Underwriting Officer for Cyber in the Americas, AXA XL

Many experts will point to the 2013 Target data breach as a turning point for organizational awareness about the necessity of cybersecurity. During the massive breach, attackers stole data from $40 million worth of consumers’ debit and credit cards in the midst of the busy holiday shopping season.

“The Target data breach … highlighted the need for organizations to strengthen their cybersecurity controls,” Chia said.

The Target breach was a major event, but back in 2013, many believed smaller companies didn’t need to worry about cyber risk. That’s quickly changing, as cybercriminals have started targeting organizations in every sector and of every size. From 2018 to 2019, Chia said, ransomware became an epidemic — there were over 206 million attempted attacks in 2018 and over 187 million in 2019 — causing insurers to raise rates, tighten terms and require insureds to adopt cybersecurity controls like multifactor authentication.

“All organizations connected to the internet have some level of exposure — regardless of their data or industry,” Chia said.

Hackers are always learning new tricks, too, which makes cyber exposures difficult to manage. As soon as an insured adequately prepares for one type of attack, a new one is likely to pop up, a predicament that leaves many vulnerable.

“Unlike traditional insurance lines, cyber risk is constantly changing, requiring continuous adaptation and improvement of controls and risk management strategies,” Chia said.

What Would a Public-Private Cyber Partnership Look Like?

Given the dynamic nature of cyber exposures and the ubiquity of digital technologies, governments might step in to create public-private partnerships to tackle cyber threats. Many view this step as logical, as cyberattacks could substantially threaten economic stability.

“Public-private partnerships are crucial for managing cyber risk and enabling both economic and social stability,” Chia said.

These public-private partnerships could be as simple as governments enacting policies and regulations, then stepping in to require companies to use various cybersecurity controls. Think of it like seat belt laws: They help make everyone safer and keep loss costs down.

Or the government could create a federal backstop for cyber insurance claims, as they did with terrorism claims through the Terrorism Risk Insurance Act in the aftermath of 9/11. A government backstop would allow insurance companies and the federal government to share the costs of cyber claims — something that would be helpful for exposures like cyber warfare, which are difficult to price and protect against.

“Cyber activity is not currently included under the traditional war umbrella as defined by international groups,” Chia said.

“Insurers cannot predict when cyber war activity will occur, how long it will last or the extent of its impact on the parties involved. Many insureds do not have access to the military-grade tools necessary to protect and defend themselves against such attacks. This combination of factors makes pricing and scaling coverage for these risks extremely difficult.”

Before public-private partnerships can be considered, insureds need to reach a base level of cyber hygiene. The government has stepped in to regulate many industries touched by insurance (auto and workers’ comp, for example). But unlike cyber, those industries were mature and safety practices were more commonly accepted when the public part of those public-private partnerships came in, according to Chia.

“There is a general consensus that there may be an opportunity for the public sector to create a financial safety net,” she said. “[But] until awareness and adoption improve, the specifics of a financial backstop remain a question mark.”

Still, public-private partnerships are a step toward acknowledging the pivotal role digital technologies play in our lives. The government stepped in to make auto insurance compulsory because cars forever changed how people got around; cellphones, computers and other technology have had a similarly world-altering impact.

“Even small glitches in these digital systems can cause ripple effects that grow into catastrophic waves,” Chia said. “Cyber risk is a societal concern, and cyber tsunamis can be detrimental to economic stability.”

Partnering with an Insurer Focused on Resilience

Whether or not public-private cyber insurance partnerships come to fruition, insureds need to partner with carriers that prioritize working with their clients to build good cyber hygiene habits.

Taking actions to protect cybersecurity — like using multifactor authentication or logging in through a VPN — needs to be as automatic as buckling a seat belt or evacuating when you hear a fire alarm.

“Just as fire drills have been fully socialized and practiced since elementary school, we should adopt a similar approach to cybersecurity education,” Chia said. “Teaching cybersecurity safety from a young age — much like we do with fire, earthquake or tornado drills — can help build a culture of awareness and mitigation in our everyday lives.”

AXA XL is a leader in helping insureds improve their cyber resiliency. It leverages its knowledge of cyber risks and mitigation tools to help its clients protect their businesses, improving societal cybersecurity in the process.

As an insurer, it has substantial knowledge of how to assess and price cyber risks. In consolidating markets, AXA XL strives to reduce its reliance on reinsurance and focus strategically on specialty lines of business.

“The insurance industry’s role is to make organizations whole for quantifiable risks,” Chia said. “Cyber insurance is no different. There are quantifiable exposures within cyber insurance policies that can be evaluated based on historical information, even if they are systemic in nature.”

Insureds can trust AXA XL’s commitment to helping them protect themselves from cyber risks. Carrier partners can evaluate cybersecurity tools to ensure organizational fit and guide insureds through the process of introducing these tools.

“Cybersecurity controls are an ongoing journey for all organizations, regardless of size or industry,” Chia said. “Purchasing the best tools without correct implementation leaves companies vulnerable.”

By acting as a trusted leader for insureds, AXA XL can help them adapt to cyber risk’s constant pivots.

“Truly resilient organizations are those that can adapt quickly to changing circumstances,” Chia said. “[They] prioritize risk management and have contingency plans in place to handle potential disruptions.”

Chia recently attended a cyber conference and one of the speakers made a point often repeated in the cyber insurance world: having any kind of plan in the event of an attack is better than having no plan at all.

Insurers are well-positioned to help develop these plans given their long history managing risks and helping organizations build resilience. If the cyber insurance landscape evolves to include public-private partnerships, strong insurers will help pave the way toward a world suited for today’s critical cyber risks.

“Insurers have paid thousands of cyber claims, providing a collective experience to identify trends, insights and best practices,” Chia said. “The insurance industry is well positioned for the private portion of the partnership.”

To learn more, visit: https://axaxl.com/.

SponsoredContent
BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with AXA XL. The editorial staff of Risk & Insurance had no role in its preparation.

AXA XL, the property & casualty and specialty risk division of AXA, provides insurance and risk management products and services for mid-sized companies through to large multinationals, and reinsurance solutions to insurance companies globally. We partner with those who move the world forward. To learn more, visit www.axaxl.com.

More from Risk & Insurance