Cyber and privacy issues are dynamic, but the market for mitigating them is developing rapidly.
There was no shortage of topics for discussion at Insurance TV’s most recent expert panel discussion on the cyber insurance industry, with pricing and exposure taking center stage.
According to Jacob Ingerslev, senior vice president, cyber & tech E&O, Tokio Marine HCC Cyber and Professional Lines Group, “we have been in a hard market for three to four years.” Even though the market appears to be leveling out, he has noticed “some pretty substantial coverage-tightening relative to cyber war, widespread events, and infrastructure exclusions.”
According to CFC’s cyber development head Lindsey Nelson, the market has changed significantly since this time last year.
“The price is now reflecting the exposure,” Nelson added. A “teenage” period of development had passed in the cyber sphere. We’ve made it to that position of stability that comes with maturity and adulthood.
The vice president of cyber risk product leadership at Arch Insurance, Shiraz Saeed, stated that businesses were “seeking for
and that “markets are going to sharpen their pencils and come in with better pricing, better retentions,” implying that similar baseline controls will be implemented. Because a company has invested in itself and taken the time to straighten up.”
LOKKER’s chief commercial officer, Jeremy Barnett, has observed that “cyber carriers, brokers, and insurtech solutions are more innovative and adaptive to the criminal environment and changing regulatory environment.”
Why is there such a mess in cyber pricing now?
According to data compiled by Marsh McLennan, the cost of cyber insurance rose by 10% between January 2022 and January 2023. However, in early 2022, prices had already increased by 110 percent annually in the first quarter.
According to Nelson, ransomware claims are “much more severe” than they have been in the past, and brokers are recommending “very broad coverage” for their clients, so “now we know the appropriate price to charge for that.”
But it was also “future-proofing against the very real threat of systemic risk,” meaning that it would help prevent losses of a similar magnitude in the future.
“I think we are fooling ourselves if we think that we are ever going to be solving cyber risk or preventing it from happening in the first place,” Nelson added.
According to Saeed, there are a several foundations around which carriers base their price decisions. Carrier-specific variables include, but are not limited to, loss history, security and governance controls, income, and the complexity of the risk being covered.
An organization’s price will be determined by taking into account all of these factors simultaneously.
According to Ingerslev, “we are going to see other things than price coming into play” in the market over the next few quarters.
Ingerslev stressed the importance of service.
When competition increases, though, he warned, “high service levels” will be required. One defining feature is that we offer superior loss mitigation services to our insureds.
Is ransomware still the most pressing security concern?
There is no denying the peril posed by ransomware; attacks on manufacturing firms grew by 87% in 2022. According to the US Treasury, almost $1.2 billion in ransomware-related payments were identified by financial institutions in 2021.
When it comes to the expense of claims, ransomware is still the top concern for Nelson at businesses of all sizes. But there was some good news: “Ransomware, for us, in the last quarter of 2022, was down 24 percent” in terms of frequency.
Various factors contributed to this, including the dissolution of criminal organizations as a result of the conflict in Ukraine, heightened sanctions, and the establishment of proactive cyber services units. Specifically, she remarked, “Their sole responsibility is to work with clients to prevent cyber attacks.” This refers to the team at CFC. More often than responding to actual cyber attacks, they have had to warn customers about potential dangers.
Besides ransomware, Saeed highlighted two other “super important” problems: “wrongful, unauthorized, unlawful, or illegal” collection and sharing of private information, for which “you’re seeing significant fines and penalties being issued.”
Is there any impact of the many data privacy litigation on cyber claims?
Recent years have seen a heightened focus on data privacy lawsuits and enforcement activities.
Working with defense attorneys, their clients, and insurance providers, Barnett and his company, LOKKER, have been conducting forensic work to discover data privacy leaks and concerns affecting clients’ web properties.Enhanced enforcement may leave plaintiffs feeling “emboldened,” as Barnett put it. By using trackers like the Facebook pixel and adtech, many businesses are “inadvertently sharing data” about their customers.
“Companies are being sued for a range of these issues,” he explained.
“There is no perfect way to underwrite to it,” Ingerslev added. Covering this story could be difficult because of the complex interplay between federal and state laws.
Saeed faces numerous difficulties in terms of publicity. Some policies provide an outright guarantee of coverage, while others explicitly deny liability, some limit coverage to legal defense expenses, and yet others are “silent,” meaning they say nothing either in favor of or against the insured event. In addition, he stated, “some people refer to it as wrongful, some people refer to it as illegal, and some people refer to it as unlawful.”
The crux of the matter is answering the question, “Was this or was this not an intentional act, a fraud, or a mistake?” regarding the means by which the information was obtained and shared.
In what ways can brokers better their cyber literacy?
When it comes to selling cyber products, brokers believe that “they have to speak the IT jargon and become the IT professional as well,” as Nelson put it. However, this may prevent them from effectively communicating with their customers.
She suggested tapping into a client’s insurance provider’s wealth of resources. She remarked, “Simplicity is key.”
It’s crucial to let them know that by subscribing to your service, they gain access to a cyber security team that can help them out in an emergency. “It’s no longer a specialist product,” Nelson declared.
It is the brokers, not the government, who are “educating the market,” as Barnett put it. To improve the market, educate the brokers. They can ask the right questions, and they can explain complicated concepts like IT and insurance in terms that clients can understand.
Saeed remarked that it was significant that Arch had included personnel with expertise in security operations in its underwriting process with carriers and brokers. When it comes to underwriting and brokering, the unique insights of those with experience in security operations are invaluable.
He also voiced concern that many brokers lack the “luxury” of concentrating solely on cyber.
Ingerslev noted that more work was needed to convince customers that signing up for a cyber policy would provide them access to experts who could assist them better secure their networks.
Getting through the “It won’t happen to me” mentality
More than 2,400 brokers at CFC were surveyed recently about the difficulties of selling cyber.
“The overwhelming majority said it was a client, and specifically IT person, not believing that they required cyber insurance or thinking that they had everything under control,” added Nelson. “In a perfect world, you would be having this conversation about cyber insurance with someone who is not part of the IT department. Nonetheless, their help is crucial in completing the necessary forms.
She says that the most important thing to stress is that cyber insurance is not a substitute for information technology.
“She said that cyber insurance provides an incident response service. “Information technology and incident response are two distinct but related areas of expertise.”
“Complement each other very well,” says Nelson of the two.
He emphasized the importance of “proactive services” as a key feature of insurance. An excellent perk of having insurance is that “your insurer will help you with an incident response plan with tabletop exercises to test your system” to sniff out any loopholes.
The key, according to Ingerslev, is “how often and how severely” it occurs. When asked, “What is the risk of having an incident, and how much is it going to cost?”
Saeed answered with just one word: “Operations.”
Can you run your company or organization without any kind of computerization or internet connection, he probed. That is extremely challenging in the twenty-first century. Is there money set aside in your budget to help fund data recovery, extortion, notifications, and incident response if you don’t have a plan in place? If you don’t, and you have access to a computer, “well, you have the exposure.” I’ll let you decide if you’d rather take the risk yourself or have an insurance company shoulder it.