Cyber liability premiums and capacity restrictions have hiked in an effort to catch up with the high-risk cyber environment, according to the new U.S. Cyber Insurance Market Outlook report by Risk Placement Services (RPS).

Even with cybersecurity mitigations in place, organizations seeking cyber liability coverage will need to battle through sticker shock. Carriers are strategically increasing premiums, some as high as 300% at renewal, and lowering coverage limits on industry classes that have been hit hardest by cybercrime and cyber extortion over the past year, according to RPS. Those classes include education, public entity and government, healthcare, construction and manufacturing.

Additionally, capacity restrictions that began in 2020 have continued to build. Insurers that issued $5-million cyber liability policies last year have scaled back to limits of $1-3 million in 2021, even on renewals.

The increases in premiums and restrictions are an indicator that underwriting has caught up to the realities of the market facing the coronavirus pandemic's impacts and the increasing severity and frequency of ransomware attacks.

With frequency and severity jumping, cyber loss ratios spiked from 44.8% in 2019 to 67.8% in 2020—and higher for many carriers—exceeding actuarial estimates.

“This year's changes in capacity, underwriting standards and even increases in premium were a necessary evolution," said Steve Robinson, RPS national cyber practice leader. “Cyber insurance underwriting has become more reflective of today's risks."

“Ransomware has become a two-headed monster," Robinson added, referring to cyber attackers demanding payment for a decryption key, as well as payment to prevent the release of customer data and nonpublic information. 

In the current environment, agents should expect underwriting questions to “become more strategic and better reflect the current cyber exposures," according to the study. “Even on renewals, insurance companies have begun asking detailed questions about a company's information security safeguards and practices through supplemental application forms for ransomware and [business interruption]."

In particular, multifactor authentication (MFA) has become a must-have to qualify for cyber coverage. MFA can potentially block 99% of bulk phishing attacks and 66% of targeted attacks, according to the Google Security Blog.

“As a result of industry underwriting and mitigation efforts, a better balance between cyber insurance coverage supply and demand is expected as we draw closer to 2022," Robinson said.

AnneMarie McPherson is IA news editor.