What EPLI underwriters learned—and what cyber underwriters have come to understand—is that protecting companies from costly claims must start with being proactive about risk management.
Since launching in the late 1990s to cover technology companies against exposures related to data breaches, cyber insurance policies have evolved significantly. Thanks to ever-growing cyber risks, coverage is now a necessity for organizations of all sizes and scope. As the coverage and risks have evolved, so has the cyber insurance market.
Carriers have flocked to the segment over the last 10 years, growing the market to an estimated $10 billion in premium last year, according to Fitch Ratings, which predicts that the market will reach $22.5 billion in premium by 2025 “as demand for coverage expands with recognition of threats.” Also, 2021 data from the U.S. Government Accountability Office (GAO) shows the take-up rate of the coverage rose from 26% in 2016 to 47% in 2020.
However, cyber insurance losses are also growing. For years, cyber insurance pricing did not keep up with claims frequency and severity. As a result, cyber loss ratios among the top 20 insurance groups more than doubled from 32.4% in 2017 to 66.4% in 2021, according to data compiled by the National Association of Insurance Commissioners (NAIC).
As carriers tightened up capacity, raised rates and limited their coverage offerings, the cyber market changed overnight—a trajectory that is reminiscent of another once-burgeoning segment that was hit hard by claims that carriers weren't prepared for: employment practices liability insurance (EPLI).
Learning From the Past
While both cyber and EPLI coverages were developed to address evolving risks in the 1990s—EPLI in response to employment lawsuits related to the Americans with Disabilities Act of 1990 and the Civil Rights Act of 1991—the EPLI market grew much more quickly than cyber did.
Then came an influx of wage and hour lawsuits, which rose 358% between 2000 and 2015, according to a 2015 Washington Post article. Between 2016 and 2017, wage and hour settlements totaled $1.2 billion, according to the Society for Human Resource Management (SHRM).
Since 2017, social movements related to #TimesUp, #MeToo, and the COVID-19 pandemic have sparked new EPLI exposures and litigation. These evolving trends led to an increase in demand for EPLI coverage, but rates and capacity also tightened up, and it became harder to find affordable coverage. Sound familiar?
What EPLI underwriters learned—and what cyber underwriters have also come to understand—is that protecting companies from costly claims must start with being proactive about risk management.
Turning Risks into Risk Management Opportunities
The cyber market isn't just following a similar trajectory to EPLI when it comes to claims and losses; it is also shifting to include better loss prevention practices.
Mitigating cyber risks by arming companies with the tools they need to prevent claims from happening in the first place is crucial. That means ensuring insureds are using multifactor authentication (MFA), looking at their endpoint detection and response (EDR) solutions and using real-time monitoring to catch vulnerabilities before breaches occur.
Carriers are now looking to protect their books of business by scrutinizing the risks they write. If companies do not have basic security measures in place, such as MFA, incident response plans, and annual cybersecurity training for employees, carriers will not even consider binding cyber coverage.
As companies look to differentiate themselves with different cybersecurity mitigation and management tools, agents must closely scrutinize their cyber carriers. Agents need to shift from just looking at the differences between coverage to considering what else carriers are offering to make their cyber policies more valuable, particularly when it comes to threat intelligence, incident response and claims handling. The ability of a policy to get a business back up and running quickly after an incident occurs is absolutely key.
As the EPLI market has evolved and endured unanticipated challenges, so will the cyber market. Awareness of cyber risks will continue to grow, and those agents who can help insureds understand and mitigate their exposures will be positioned to help them secure the best solutions.
Anjali Camara, Ph.D., currently serves as partner and head of cyber for Connected Risk Solutions, a wholesaler focused on professional liability insurance products.