The State of Cyber Insurance: Understanding This Transitional Market and Finding Ways to Make Your Company Insurable
The cyber insurance landscape is changing every day as more technology is introduced and information is stored by digital means. Innovation and growth abound.
But just as quickly as cyber-enabled technology and devices hit the market, so too do malicious actors — hackers who are more than happy to encrypt a file, hold data for ransom or demand bitcoin payment over threats of extortion. Businesses big and small have to be on the lookout for solutions to protect against unwanted cyber threats.
“Every company has privacy and cyber exposures,” said Jason Glasgow, Senior Vice President and U.S. Cyber Lead at Allied World. “It comes down to how much exposure they have and how they choose to protect their assets.”
The cyber market itself is hardening, and protecting against growing threats has become an imperative but sometimes difficult task. Cyber events are costing insurers and insureds big — the average cost of a data breach in 2021 reached $4.24 million per incident, the highest in 17 years, according to IBM and the Ponemon Institute. And the market is reacting, pulling back on capacity and meticulously reviewing whether an insured is even a good risk to take on.
Luckily, there are ways for businesses and their risk managers to show they are a favorable risk to insure.
Here’s a look at the state of the cyber market today and how risk professionals can partner with their carrier to get adequate coverage for cyber risk.
The Cyber Market: How We Got Here
When looking at cyber as an exposure, it’s important to understand how the marketplace got to where it is today. Cyber, compared to other lines like property or workers’ compensation, could be called a “newer” insurance. But it’s been around long enough — more than 20 years now — that there’s a good amount of history to look at and learn from.
“What we really think of as cyber insurance started around the year 2000 as privacy liability,” explained Glasgow. At the time, carriers saw data breaches as the primary exposure for a cyber policy. Such incidents would involve hackers infiltrating a system, gaining access to personal information and monetizing that information on the dark web.
But, as we all know, the simplicity of a data breach grew complex as the world turned more and more toward digital capabilities.
“It started to change in 2018 or so,” Glasgow said. “Threat actors started devising different ways to monetize their activities. They realized that having personal information, credit card numbers, healthcare information wasn’t enough.” Malware became more sophisticated. Companies were dealing almost exclusively online. Hackers realized they could ask for much larger sums, upwards of $2 million to $10 million, and businesses would pay.
“Carriers started having much more severe losses on their cyber portfolios than they had before, but coverage remained mostly the same,” Glasgow said.
Then 2020 came.
“2020 was a perfect storm,” said Brook Dutcher, Vice President, FrameWRX Lead and Cyber Strategic Initiatives. “In addition to the pandemic, the rise in large systemic cyber attacks and work-from-home vulnerabilities, we saw a marked increase in double extortion, which is the criminal practice of exfiltrating confidential proprietary information to use as leverage coupled with the encryption of the victim’s systems.
“All those components, combined with ransomware, exponentially magnified the impact of the malicious activity and criminal activity associated with cyber breaches,” he said.
“These expanded circumstances and increase in market-sustained ransomware losses – both in frequency and severity – drove the market to react with tighter controls, lowered capacity and higher rates.”
2022’s Cyber Market Update
Today, the insurance industry is doubling down on its response.
“We’re in a transitional market. Threats are shifting from that traditional data breach and privacy liability coverage to that of a first-party exposure around ransomware expenses, ransom payments and business interruption,” Glasgow explained.
This shift to first-party exposure directly links to insurance companies paying more severe losses at a much faster pace, which is why carriers are adjusting their approach.
Premiums have increased to compensate for significant losses. Self-insured retentions are also on the rise. Underwriters are asking detailed questions of their potential insureds, vetting them to make sure they are a favorable risk to take on.
“We are seeing a maturing within the market space as a result of large systemic events — the rise of ransomware, the cost of ransomware and the short period of time required to come up with the ransom payments,” Dutcher said.
“We now have a marketplace that’s positioned very differently compared to three years ago. It’s looking at cybersecurity in a very serious, new light.”
Becoming a Favorable Risk
The question on every risk professional’s mind should be how to make their business as cyber ready as possible. Underwriters are on the lookout for insureds that are proactive in their cyber approach.
“The underwriting community is asking detailed questions about whether or not specific protocols or practices are in place to prevent attacks,” Dutcher explained. “These detailed questions focus on security posture, security hygiene, endpoint detection, whether there’s active NextGen firewall technology in place, as well as a variety of other factors that are contemplated during the underwriting process.”
Compliance with regulations and the law is another area where underwriters are reviewing insureds’ practices, especially for businesses operating with a complex supply chain spanning multiple countries and jurisdictions.
“Recognizing compliance down through the supply chain is becoming more and more important,” said Dutcher.
Dutcher said these safeguards are necessities to make a risk more palatable for carriers in the marketplace.
“We want to make sure businesses are proactive beyond the most basic levels of compliance within their respective industry sectors. We want to make sure that there’s multifactor authentication. We want to make sure that there is encryption on devices. We want to make sure that there’s access privileges and escalation privileges,” he said.
Don’t Underestimate the Role a Carrier Can Play
The good news: Compliance and safeguards can be implemented with the help of the entire cyber team, including guidance from carriers.
“Carriers are encouraging insureds to participate in proactive services, to mitigate risk, not only for the benefit of the carrier, but for the benefit of the insured,” said Glasgow.
For example, Allied World //FrameWRX℠, a proactive risk management platform, was designed to provide insureds with cyber best practices and risk reduction tools, which in turn should help them become (and remain) favorable risks.
“Cyber can become more and more difficult to manage because the higher the amount of assets, the more levels of compliance required,” Dutcher said. “Through our FrameWRX offering, we provide phishing exercises, tabletop exercises, security hygiene exercises – all at no additional cost – so that we’re able to identify client vulnerabilities and help fix them.”
Carriers are offering similar services because finding the right tools and resources helps clients better prepare for cyber threats. Allied World doesn’t shy away from innovations, either.
“We most recently partnered with CyRisk, a vulnerability management platform, which provides real-time threat assessments, real-time vulnerability assessment, asset discovery, vendor assessment / management, access to market and threat intelligence,” Dutcher said.
“Our company believes that the best way to protect against cyber threats is to be proactive on our end,” added Glasgow. “We’ve implemented a white glove concierge approach where we invite the insured to participate in the FrameWRX platform. We’re then in a position to have an introductory call with the risk management personnel to discuss their protocols, practices and identify areas where our FrameWRX services can assist in shoring up their systems.”
The team also works with the insured to ensure they are proactive against cyber issues. Allied World gives the insured as much direct control as possible to allow them the chance to monitor their own risks with the aid of the cyber team just one call away.
“With that control, the insured can generate the types of reports that they want to see with the frequency they want, and distribute that throughout their supply chain, as they deem necessary,” said Glasgow. “This holistic, proactive partnership approach affords both the carrier and the client the confidence to know that every effort is being made to keep threat actors at bay. It’s a great example of the proactive value of insurance as a way to help reduce or mitigate loss.”
To learn more about Allied World, visit: https://alliedworldinsurance.com/products/framewrx/.
Coverage will be underwritten by an insurance subsidiary of Allied World Assurance Company Holdings, Ltd, a Fairfax company (“Allied World”). Such subsidiaries currently carry an A.M. Best rating of “A” (Excellent), a Moody’s rating of “A2” (Good) and a Standard & Poor’s rating of “A-” (Strong), as applicable. Coverage is offered only through licensed agents and brokers. Actual coverage may vary and is subject to policy language as issued. Coverage may not be available in all jurisdictions. © 2022 Allied World Assurance Company Holdings, Ltd. All rights reserved.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Allied World. The editorial staff of Risk & Insurance had no role in its preparation.