The cyber liability market continues to evolve to counter the ever-changing tactics employed by cybercriminals, according to a Risk Placement Services report.
While cyber insurance has been around for more than 25 years, it is constantly evolving to counter the ever-changing tactics employed by cybercriminals against critical infrastructure, financial platforms, operational technologies and cloud-hosted environments.
This means that the cyber liability market must also change underwriting processes and develop coverages, as well as factor in increased regulatory influence, according to the Risk Placement Services (RPS) “2023 U.S. Cyber Market Outlook.”
The last two years have resulted in double- and triple-digit premium rises following an influx of claims related to increased cybercriminal activity, according to the report. Further, capacity continues to be a challenge, which is a problem driven by increased demand, more judicious limits deployment and some players exiting the market.
Although premium increases of between 15% and 25% may still be common at renewal, advancements within the market may provide respite from rate hikes as the market begins to adjust, the report said.
As the market continues to evolve, here are four things the report says that agents can expect in 2023:
1) Increasing regulatory oversight. If the billions of dollars a year being spent on cyber losses weren't enough of an issue, cyber risk has shifted from being purely a business risk to a risk to society as a whole. And while direct intervention in the cyber insurance market has so far been limited, dozens of cyber-related laws are in the works, with a particular focus on data privacy.
Specifically, the efficacy of making ransom payments and even potentially banning them altogether is currently being debated. Yet, the one thing that remains certain is “as long as ransomware attacks remain both lucrative and anonymous, they will not suddenly disappear because a state law says certain sectors cannot pay,” said Steve Robinson, area senior vice president, RPS.
2) Ransomware-as-a-service is expected to be one of the most pressing threats. “Ransomware firms are now effectively licensing out proprietary ransomware software that is leading to much wider-scale attacks with more potential facets to it,” said Bryan Dobes, area senior vice president, RPS. “This makes it much less likely that an organization—or even a cybersecurity firm—will be able to pinpoint exactly how an attack is developing.”
Additionally, cybercriminals are now often bypassing the negotiation phase, deleting or selling data if initial ransoms are not paid or if third-party forensics firms are involved. Ransomware attacks are evolving to take down systems and prevent business operations, so traditionally unaffected sectors that don't hold a lot of data, such as wholesale distribution and manufacturing, face a much bigger threat.
3) Tightening policy wording. Many insurers are starting to exclude cyberterrorism events, state-backed attacks, and infrastructure attacks from coverage. Because insurers' approaches vary, general mandatory endorsements can carry significant implications for policies.
Another concern is the systemic risk from the widespread use of third-party cloud providers, in response to which insurers are introducing sublimits or exclusions for claims that result from a specific large-scale attack.
One example is war exclusions, meaning that an insurance policy won't cover state-backed attacks influenced by the Russia-Ukraine conflict. “We are starting to see insurers exclude cyber terrorism events,” said Zach Kramer, area assistant vice president, RPS. “We are also starting to see exclusions relating to infrastructure attacks and carriers broadening their stance on what is considered infrastructure.”
4) More sophisticated underwriting for cyber risks. As the market matures, so does insurers' understanding of threats. The increased implementation of inside-out underwriting with the use of “behind the firewall” technologies will enable underwriters to craft programs and pricing more commensurate with the risk, according to RPS. Further, tailored endorsements around security measures are making businesses more resilient in the face of attacks.
While approaches to the ever-changing risks of the cyber insurance market vary, it remains clear that the market has the potential to be dynamic and offers greater promise to those taking a measured and proactive approach to reducing risk.
“As the cyber insurance industry has taken on, in our view, an unfair share of criticism relative to enabling the ransomware epidemic to flourish, the irony is that the insurance industry is leading the way to promoting improved defenses and operational resiliency to these ever-evolving threats,” said Steve Robinson, RPS area president and national cyber practice leader, in the report.
Ann Seaberg is an IA contributor.