The Cyber Insurance Market Is Booming. How to Stay on Top of Evolving Exposures

The cyber insurance market may reach close to $100 billion by 2030. An increasing reliance on technology and a growing industry of cybercriminals are the driving factors.

By: Liberty Mutual Insurance | October 2, 2023

In the near future, the insurance industry might just see the abbreviation “P&C” become “PC&C” — property, casualty and cyber.

Experts predict the market will double from $15 billion to more than $30 billion over the next five years, and it could reach close to $100 billion by 2030. Once purchased primarily by large enterprises in the U.S. and Europe, cyber insurance is now becoming a must-have investment for companies of all sizes.

“It’s becoming more common for all businesses, across all industries, continents, and sizes — even down to sole proprietorships and main-street types of businesses — to buy cyber insurance,” said Patrick Thielen, global head of cyber, Liberty Mutual Insurance.

As cyber risks continue to evolve, companies will turn to the market to meet their cyber insurance needs and offer proactive risk management solutions. Cyber insurers partner with clients to offer a broad range of cyber risk management, underwriting, and incident response capabilities.

From Data Breaches to a Trillion-Dollar Criminal Enterprise

Patrick Thielen, Global Head of Cyber, Liberty Mutual Insurance

The cyber market has seen such explosive growth in part because of the fact that digital exposures are more ubiquitous than ever. About twenty years ago toward the end of the dot-com era, the cyber insurance market grew because bank and tech industry leaders were asking their brokers and insurers for bespoke “digital risk” coverages, typically attached to more traditional policies like property, D&O or E&O. Now, it’s a risk every company contends with. Moreover, cyber risk follows employees from work to their homes and seeps into our private lives.

“Most people know somebody who has had a cyber incident. Whether it’s identity theft or a ransomware incident, they’ve been personally impacted by cyber risk,” Thielen said.

Over the past 20 years, exposures have evolved rapidly. First, there were data breaches, then ransomware and business email compromise became commonplace. Now, in addition to those continued threats, companies are contending with data privacy regulations like the EU’s General Data Protection Regulation or the California Consumer Privacy Act. These government regulations are turning cyber exposure from a point-in-time concern following data breaches, into a constant operational risk that pertains to many dimensions of how firms collect, use, and manage the data of others within their businesses.

Cybercriminals are well aware of how critical digital technologies are becoming in the business world, and they’re ready to exploit any vulnerabilities. Hackers are forming organized and specialized groups, using digitization, automation, and sophisticated supply chains with structures not unlike those of the companies they’re attacking.

“People might view a hacker as being a loner, sitting in their basement, wearing a hoodie, doing an attack themselves,” Thielen said. “It’s probably more accurate to think about hackers just as serious businesspeople, typically operating in countries where that’s their best economic opportunity.”

A number of countries have become safe harbors for these criminal enterprises, enabling them to grow further and attack more businesses. “Cyber crime organizations have been given de facto impunity to operate without fear of law enforcement in many countries around the world,” Thielen said.

While there’s consensus about the rising stakes of cyber across the insurance industry, there’s also been a notable lack of a true cyber CAT event — a single attack that affects a wide swath of insureds with severe loss impact. A 2023 report from Conning found that a $30 billion insured cyber loss could result in an industry-wide loss of around 210% of annual premium.

“Modeling any risk can be challenging, but cyber risk is particularly difficult due to its constantly-evolving nature. The peril is human beings, with various and changing motivations, tools, capabilities, and creativity. Their target is also a constantly-evolving and expanding attack surface—which just means the global collection of potentially attackable firms, networks, technologies, and vulnerabilities,” said Thielen.

“With risks accelerating on all sides of the cyber landscape, companies need to keep pace. A lot of folks think about cyber defense as technology, and that’s part of it, but an even more important way of thinking about cyber risk is around an organization’s cyber philosophy. That means, training and resources. That means partnerships and planning. It means operational redundancies and organizational resiliency. In short, it means taking it seriously at a board level, and respecting cyber risk management as a critical source of value.”

“It’s becoming more common for all businesses, across all industries, continents, and sizes — even down to sole proprietorships and main-street types of businesses — to buy cyber insurance.”
— Patrick Thielen, Global Head of Cyber, Liberty Mutual Insurance

Expanding Risk Control into the Cyber Space

Companies are getting better at backing up their data, preparing for cyber events by conducting tabletop drills and empowering chief information security officers (CISOs) to help guide their businesses through loss-prevention strategies.

“Companies are doing a better job, generally, of backing their critical systems up,” Thielen said. “Five or 10 years ago, it was very common for companies to pay if cybercriminals encrypted their critical systems.”

And yet, when companies improve their defenses, cybercriminals develop new strategies. “A lot of the same tools that are used by good guys to perform defensive activities are then used by bad guys to either reverse engineer the defenses or use those same tools for offense,” Thielen said. Case in point: When companies started backing up their data, hackers didn’t just stop at encrypting it and locking the systems. They started threatening to leak the data, attack a business’s clients, or go after their executives — tactics known as double and triple extortion.

Human error, too, remains a weak spot and is still the leading loss driver in the industry. “You can have the best controls and the best cybersecurity program in the world, but if you have human beings working for you, then there are ways for attackers to get in,” Thielen said. “That’s why phishing, vishing, smishing, social engineering, and many other forms of deceit have continued to be very common strategies for attackers to gain initial access into a targeted network.”

“This is the benefit of experience. At Liberty Mutual, we’ve been writing this business for over 15 years, originally as Ironshore, so we understand these kinds of loss events and what kind of protocols make sense. While the specifics of the technology may change, the themes and protocols can remain remarkably similar.

“I see a lot of organizations get really spooked when you start talking about cyber risks and that’s fair because the stakes are high because practically everything is digital. But I think they take a lot of comfort in talking to us because we can help them proactively plan and train. We know where small changes can make the biggest impact, and we know what to do in the event of a loss—because we’ve probably seen similar incidents in the past.”

Cyber risk management strategies can help mitigate the likelihood of falling victim to an attack; but they can also be a form of legal defense in the aftermath of an attack: “It’s harder to argue that your company was negligent just because you suffered an event. If you deployed the same best practices as your peers in the industry, that could meet that threshold of reasonableness from a risk management perspective,” Thielen said.

Cyber Insurance Carriers: A Critical Source of Knowledge

Tabletop drills, CISOs, employee cybersecurity training, and other risk control practices are important for companies looking to stay on top of evolving digital exposures.

“We know this is a pain point for a lot of clients and we continue to invest in our cyber capabilities to help them manage this rapidly changing risk,” whether that means providing risk control resources, packaging cyber policies with other lines of insurance, or offering stand-alone primary and excess coverage through retail and wholesale channels.

The company’s growing cyber team includes risk engineers, cyber actuaries, and other experts.

“I’m excited about the future of cyber insurance at Liberty Mutual. We are committed to bringing all of the firm’s organizational capabilities to bear, and remain an industry leader in this space,” Thielen said. “We’ve got a history of insuring cyber risk, and we’re also one of the largest P&C insurance companies in the world. We’ve got offices in 29 countries. We continue to invest directly into our cyber risk capabilities. We’ve got a really broad set of products and services to meet the current and future needs of our policyholders.”

To learn more, visit: https://business.libertymutual.com/

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty Mutual Insurance. The editorial staff of Risk & Insurance had no role in its preparation.

Liberty Mutual Insurance offers a wide range of insurance products and services, including general liability, property, commercial automobile, excess casualty and workers compensation.

How a Carrier Partner Can Help Navigate a Challenging Management and Professional Liability Market

A combination of a choppy economy with increased claims frequency and severity could lead to rate increases in the Management & Professional Liability market.

By: Risk & Insurance | April 3, 2024

Rates in the management & professional liability (M&PL) markets were on the rise from 2020 to early 2023 and are now falling rapidly.

M&PL divisions manage a number of different insurance products including management liability (D&O), professional liability (E&O), employment practices liability (EPL), fiduciary liability policies, cyber, etc. In 2023 and into 2024, a big influence on the marketplace has been the extremely aggressive and softening public company D&O market.

Though these rates have been softening for management liability, that may change over the next few years as companies continue to adjust their business models motivated by economic uncertainty. Layoffs were up nearly 200% last year, Forbes reported, even as other recession indicators, like the inflation rate, improved. A recession could lead to an increased claim activity and force carriers to raise rates.

“Whenever there is a meaningful downturn in the economy, we tend to see claim frequency pop up,” said George Schalick, Jr., senior vice president of the Management and Professional Liability Division at Philadelphia Insurance Companies (PHLY).

With continued fiscal uncertainty, businesses potentially already burdened with pandemic-related claims should seek a carrier with a long history in M&PL products. They will provide much-needed risk management guidance and be better positioned to support their insureds during market fluctuations.

Why Insureds Might See an Uptick in M&PL Claims

George Schalick, Jr., Senior Vice President of the Management and Professional Liability Division, Philadelphia Insurance Companies

The current soft market might come as a bit of a surprise as it does not track with previous underwriting cycles and economic conditions. Afterall, many privately held and non-profit organizations struggled during the early days of the pandemic with shutdowns and rapidly declining revenues. But the Government assistance programs, like the Paycheck Protection Program loans, helped keep many afloat during the tough times.

“During COVID many organizations stopped doing business until they were able to sort out all of the health and safety challenges,” Schalick said. “They were forced to lock down, but then all the government assistance programs allowed them to keep people employed. The increased volume of claims we anticipated we would see coming from the lockdowns and restrictions that were imposed upon businesses in the U.S. didn’t manifest at first.”

“Just because there wasn’t an onslaught of reported claims at the beginning of the pandemic, doesn’t mean the circumstances that would give rise to a claim being reported didn’t occur. Courts and the judicial system were closed or slowed and now that they are back open, we’re starting to see the circumstances that occurred during the COVID lockdowns becoming claims today,” Schalick said. “Litigation is progressing.”

Added to the delayed pandemic litigation is a concern over newer claims that might be filed as the country inches toward an economic downturn. Though a recession was avoided in 2023, experts think a soft dip could occur in 2024, with 76% of economists saying there’s a 50% or less chance of an economic downturn this year — that almost always results in more management liability claims.

“During the Great Recession in 2008, we saw an almost immediate spike in claims because of the economic conditions and the pressure it placed on organizations. They were making personnel changes with significant belt tightening almost immediately.” Schalick said.

What’s in Store for M&PL Policy Rates in 2024?

Despite an uptick in claims and increased economic uncertainty, management liability rates haven’t increased, resulting in market-wide pricing levels that may not meet the increased pressure of rising settlements and jury verdicts.

“Rates are going the other direction and settlement values are not falling,” Schalick said.

The mismatch between rates, claim frequency and severity is, in part, because carriers experiencing the dramatic soft market in the public D&O market are seeking premium gain in the private and non-profit market.

“In the public company market, the rates have been decreasing significantly. The rates were increasing in the private, not-for-profit market, and rightfully so, but there’s a desire to supplement overall mid-size D&O for carriers who also write private not-for-profit, and they see that as an opportunity to aggregate premium,” Schalick said. “So the always competitive landscape in the private, not-for-profit market has dramatically increased in the last 18 to 24 months.”

Still, companies of all sizes and types should be concerned about management liability rates in the future. Legal system abuse is resulting in increases in both the amount of litigation and the size of verdicts plaintiffs are receiving.

Certain areas of the country are particularly vulnerable to this type of legal system abuse. As a result, insureds in these localities are likely to be vulnerable to rate increases.

“The environment is so positive for the plaintiff that forces premium increases so carriers are able to stay in that market long term,” Schalick said.

Why a Tenured Carrier Partner Can Help Insureds Navigate An Uncertain Market

It’s clear that insureds are facing an uncertain M&PL market over the next few years. Fortunately, carriers with a long history in the M&PL space will be there to offer stability.

Philadelphia Insurance Companies has been supporting this market for 35 years. PHLY is committed to offering long-term rate stability, even as economic and claims trends start to push premiums upwards. They have an appetite for all sorts of companies, large and small, for-profit and nonprofit alike.

“We’ve been at this game for a long time and are one of the most tenured underwriters in this space,” Schalick said. “We like to stay very consistent.”

PHLY has worked with both for-profit and non-profit on management liability policies. With dedicated M&PL teams throughout the company’s 13 regions, PHLY provides the support agents and brokers are looking for on behalf of their clients. The teams know their regions well and can respond to local trends. They’re also dedicated to making the renewal process as easy as possible for their partners and policyholders.

“We have real confidence in our results, so we focus a lot on making the renewal experience as painless as possible for all agents and insureds,” Schalick said.

The company is also investing in tools to help insureds avoid losses. Earlier this year, they launched a new online risk management platform, PHLYGateway, which offers resources for insureds on how to create an employee handbook and trainings on issues such as recognizing workplace sexual harassment and discrimination.

If insureds have questions, they can consult a Best Practices Help Line, provided via the platform. That way, they can get on the spot risk management guidance to help them prevent claims.

To learn more, visit: https://www.phly.com/mplDivision/managementLiability/default.aspx.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Philadelphia Insurance Companies. The editorial staff of Risk & Insurance had no role in its preparation.

More from Risk & Insurance

10 Ways Cyber Risks Threaten Businesses

AI and Vendor Payment Fraud: 6 Questions for Trustpair’s Baptiste Collot

Rising Star Jordyn Arons Rosen on M&A’s Property Challenges and Innovating Client-Centered Solutions

The Real Promise of Artificial Intelligence in Healthcare and Workers’ Comp

Sponsored: Liberty Mutual Insurance

The Cyber Insurance Market Is Booming. How to Stay on Top of Evolving Exposures

From Data Breaches to a Trillion-Dollar Criminal Enterprise

Expanding Risk Control into the Cyber Space

Cyber Insurance Carriers: A Critical Source of Knowledge

Share this article!

Trending Stories

7 Questions for RGA’s Carmony Wong

Navigating Global Travel Uncertainties: Business Travel Risk Insights from HUB’s Will Mule

Planck’s Leandro DalleMule Discusses the Ethics of AI in Insurance

3 Keys to Combat ‘Big Brother’ Fears with Safety Technology