Today, companies are more aware of their cyber risk and are looking at the insurance market to mitigate that risk.
The cyber insurance market has transitioned over the last few years: Capacity has tightened, rates continue to rise, and underwriters are looking much more closely at what risks they will write.
Also, composite cyber insurance pricing increased 48% in the U.S. in the third quarter of 2022, continuing to outpace other products, according to Marsh's Global Insurance Market Index. Eighty-two percent of cyber insurers expect pricing to keep going up for the next two years, according to Panaseer's 2022 Cyber Insurance Market Trends Report. The reason for this is simple: Cyber claims frequency and severity are increasing, which means carriers must improve their profitability to remain viable in this evolving segment.
At the same time, the cyber insurance market is one of the fastest growing segments in the insurance industry—and that isn't expected to change anytime soon. Annual premiums have reached an estimated $10 billion and are expected to grow to nearly $23 billion by 2025, according to Fitch Ratings.
Companies are more aware of their cyber risk and are looking at the insurance market to mitigate that risk. Business decision-makers cited cyber threats as their No. 1 concern for the third time in four years in the 2022 Travelers Risk Index. Awareness of the danger is a good thing, but thanks to claims volatility, it isn't as easy as it used to be to secure cyber insurance.
Here are three important things that agents need to know to be successful in the cyber market in 2023:
1) Cybercrime will continue to increase, particularly against small businesses. Cyberattacks are increasing every year as bad actors find easy targets in companies of all sizes, particularly small to medium-sized businesses. There were more than 700,000 cyberattacks on small businesses in 2020, totaling $2.8 billion in damages, according to the Small Business Administration. In 2021, cyberattacks on all sizes of companies were up 15%, according to a report by ThoughtLab, and the number of material breaches rose by nearly 25%.
Alarmingly, most companies are not doing enough to protect against the growing cyber threats, despite recognizing they are at risk. While 88% of company boards “regard cybersecurity as a business risk rather than solely a technical IT problem," only 13% of boards have actually instituted a cybersecurity-specific board or committee, according to a cybersecurity report from Gartner.
Further, 88% of small business owners “felt their business was vulnerable to a cyberattack," according to an SBA survey. At the same time, only 50% reported being “fully prepared" against such an incident, a Provident Bank survey found.
Understanding the current cyber risks is not rocket science—it ultimately comes down to employees doing the wrong things and companies not doing enough to stop them. While ransomware attacks get the biggest headlines, most cyberattacks occur because of a simple phishing campaign where an employee clicks a bad link or sends proprietary information. These incidents can do a lot of damage to a company's network and result in serious costs to the business.
Doing nothing to prevent cyber threats leaves companies vulnerable to more than just a cyberattack or breach. Also, if they are not protecting company assets, executives and owners will also face increased litigation.
2) Carrier appetite for cyber risk depends on the insured's cyber hygiene. After several years of significant losses, carriers are limiting their cyber exposure with more coverage restrictions and refusing to waste time on bad risks. In other words, companies that aren't proactive about cyber risk management will not be considered insurable going forward.
Carrier applications are getting more difficult, and underwriters want to see proof of cybersecurity protocols, such as multifactor authentication, mandatory employee cyber training and consequences for those employees that do not meet company cybersecurity requirements.
Until companies make cyber wellness and cyber hygiene a top priority in the boardroom and a key component of their brand, year-on-year premiums will continue to explode. And for some, coverage will simply become unattainable.
3) Clients expect support, knowledge and resources. There is a huge opportunity for agencies that can prove their value by offering cyber expertise and resources that their clients wouldn't otherwise have access to, especially considering the growing talent drought in the cybersecurity workforce.
“Organizations are trying to fill the worldwide gap of 3.4 million cybersecurity workers," according to (ISC)², a nonprofit association composed of information security leaders. There are too many cybersecurity jobs and too few cybersecurity professionals.
The insurance industry can and must play a role in filling this gap, particularly for smaller businesses, but they also can't do it alone. The cybersecurity picture continues to evolve, and it's too much for agents to keep up with—that's why they should partner with organizations that can help their clients identify and mitigate network vulnerabilities, implement cybersecurity best practices and assist with monitoring for dangerous activity.
Those agencies that can differentiate themselves in the evolving cyber market stand to reap the rewards for years to come.
Dean Mechlowitz and Bill Haber are the founders of TEKRiSQ, a technology company in Ponte Vedra Beach, Florida.