While the cyber market is not considered to be contributing to the hard market, indicators point to its potential for volatility.
“In 2020 and 2021, if you solved ransomware, you solved cyber," says Shawn Ram, head of insurance at Coalition Inc. “During the coronavirus pandemic, ransomware increased substantially when people were working from home and IT departments were not entirely prepared for employees to operate in a secure fashion because of how quickly the pandemic came upon the world."
Fast forward to 2022: The cyber market had evolved, with ransomware attacks declining and cyber liability rates softening, creating an increase in capacity.
“After two years of significant rate increases, we're seeing a trend of rates flattening in some pockets, especially for mid-market and larger businesses," says Adam Glaude, director of small commercial product solutions at Liberty Mutual. “And although many markets across personal lines and small commercial are experiencing challenging rate environments, cyber is in a better place than it was a few years ago."
Yet, the fast-moving world of technology continues to turn, and cyber isn't without its challenges. “In the first half of 2023, we observed a 27.3% spike in ransomware claim frequency compared to the second half of 2022," Ram explains. “Couple that with a nearly 53% increase in claim severity from the average of the full year 2022 to 2023."
While this market is not currently considered to be a major contributor to the hard insurance market that is enveloping both the auto and property lines of business, indicators point to its potential for volatility.
“Looking ahead for rates, much will depend on the current ransomware trajectory, and there's always the specter of a systemic catastrophic event," says Steve Ventre, senior vice president, management liability & surety, The Cincinnati Insurance Companies. “If a catastrophe event occurs, all bets are off and the current market will dramatically pivot. And while the cyber line has been significantly growing—in part due to rate increases, in part due to new risks—the reality is it's still very much an immature market."
Currently, changes are afoot because of increased ransomware attacks, but other factors are also at play on the claims side. “Threat actors are now using a double extortion method to monetize their crime," says Kirsten Mickelson, cyber product group leader, Gallagher Bassett. “What that means is not only will they go into your system and encrypt the data and demand a ransom payment for the decryption tool, but the attackers are also exfiltrating the data and using double extortion to then demand a fee for data deletion."
In August 2023, more than two months after the data breach of Progress' MOVEit Transfer file management program, which handles sensitive information such as pension information, Social Security numbers, medical records and billing data, nearly 40 million people had been affected by the hack. In addition, digital extortionists have generally been found to be increasingly aggressive about releasing data into the public domain.
Further impacting the severity of claims is the exponential increase in wire fraud. “This is where you transfer money electronically, but erroneously, to a threat actor account," Mickelson explains. “That includes through a business email compromise on the policyholder side. It can happen on the counterparty system or it can happen through straight-up impersonation where no system was compromised. Approximately $27 billion has been lost to wire fraud in the last five years, according to an FBI report, with $10 billion lost in 2022 alone."
So, where does cyber liability stand in an overall difficult property & casualty landscape? “At the present, cyber shouldn't be included in the current hard market, but it's not a soft market either," Ventre says. “Rather, the cyber market is in more of a moderate, yet cautious phase." In essence, the world of cyber insurance is in a state of flux.
“While pricing has stabilized and we are not experiencing the astronomical increases felt the past two years, renewal rates are generally flat to slightly higher in the small and midsized enterprises (SMEs)," says Steve Robinson, national cyber practice leader for RPS. “We have witnessed rate reduction in middle-market and large risk sectors in the range of 5% to 25%, sometimes higher—the biggest pricing reductions are found in the excess market."
For insurers, “cyber insurance also presents a particularly interesting challenge as the CAT modeling and historical data typically relied on for more established markets—think wind and hail—are less mature and, unlike other lines of business, are subject to human factors that can lead to more volatility in the market," Glaude says.
“Every few years, cybercriminals come up with a novel new way of extracting data and stealing money from businesses and consumers," Glaude continues. “And when these new types of cybercrimes crop up, the industry is required to look at the risk in a different way and adapt its modeling."
Nevertheless, the cyber market has a unique ability to control its CAT events. “There's lots of ways to interdict in cyber and manage the potential event that's occurring," Ram says. “You can update your software, you can establish controls, you can monitor the activity, but a cyberattack is unlike an earthquake, where there are very few limits on what damage an earthquake can do."
“As long as insureds continue to update, protect and educate themselves to mitigate the severity of breaches, I think the market will stay stable," says Derek Kilmer, associate managing director, professional lines broker, Burns & Wilcox. “And with the new carrier entries into the marketplace coupled with increased retentions and strict IT controls (like MFA) we're expecting stabilization in the market overall."
“Nevertheless, we're always one large incident away from the market hardening," Kilmer warns.
Olivia Overman is IA content editor.