Following a rise in ransomware insurance losses in 2021 and 2022, the insurance industry is more diligently assessing clients’ cyber risk profiles in a bid to incentivize companies to improve cyber security and risk management controls.
By increasing cyber security, companies are less attractive to attackers. Generally, it is not commonplace for us to see clients with strong cyber maturity and security mechanisms suffer a high frequency of ‘successful’ attacks.
Even where they are attacked, losses are typically less severe due to established identification and response mechanisms. It is clear that organizations with good cyber maturity are better equipped and prepared to deal with these incidents.
Incident response is critical, as the cost of a claim quickly escalates once business interruption kicks in.
The cyber risk management partnership
You can build a high defensive wall, but that is not guaranteed to hold. You will also need test plans and measures in place to deal with an incident, including a crisis management team and a network of professional support partners (see Cyber Risk & Ransomware Trends).
This will help to keep claims as small as possible. A win-win situation for everyone. The higher the maturity of IT security in a company, the lower the percentage of customers with damage or prior damage.
Ransomware losses have changed the industry’s approach to cyber risk for the better, encouraging cooperation between insurers and clients on cyber risk management and mitigation.
We wanted to really get under the hood of our insureds and help them with more insightful information on how to protect themselves and mitigate cyber risks. It’s now night and day from where we were just three years ago (see Global Cyber Insurance Claims).
There is also now a very different conversation on the quality of cyber risk. We are getting much better insights, while the insurance industry is providing more value.
For example, through collaboration with our trusted partners and our in-house specialist risk consultants, we can offer useful information and advice to customers, such as which controls are most effective, as well as provide risk management and response services.
The net result in the future should be fewer successful or significant cyber events for our customers. Insurers’ recommendations place a “value” on cyber security investment. We make sure that the ‘digital sprinklers’ are installed.
Risk engineering and underwriting recommendations are now a pre-requisite to obtaining cyber insurance. While these recommendations clearly make sense, increasingly we see that insurance is the catalyst to get cyber security measures implemented today, rather than in two or three years’ time.
Based on AGCS underwriting and risk engineering questionnaires, a number of companies still need to improve their frequency of IT security training; network segmentation for critical environments; and clean patch management in particular. Companies’ cyber incident response plans and cyber security governance are among the weakest areas.
Stephens advises companies to engage with their insurers early and have concrete plans to address gaps in cyber security: “We do see this as a partnership. By asking the right questions in advance you can identify vulnerabilities and gaps and address them ahead of renewal. It pays to have that conversation early and often.”
Working towards a sustainable cyber insurance product
Demand for cyber insurance remains strong, but market factors and weak cyber security in some sectors are limiting growth opportunities.
In response to a spike in ransomware losses, and growing awareness of systemic, and aggregations of, cyber risk, capacity in the market has become constrained, while premiums have increased. Many insurers have also tightened underwriting criteria, requiring insureds to maintain minimum levels of cyber security and controls.
There are still many companies out there with vulnerabilities and lacking security controls that will struggle to purchase cyber insurance in this market.
There is adequate capacity for well-managed companies that have a proper understanding of their cyber risk profile and that have appropriate controls and security in place.
Many customers continue to receive broad cover for a wide range of exposures, including third party liability and business interruption.
The cyber insurance market has undergone correction, but deep-rooted issues remain, such as systemic risks and aggregations of exposure. There also continues to be a delta between the drivers of exposure and mitigation.
We need to get to a place where the cyber insurance market is sustainable. The more we partner with our clients and help them adjust to the threat landscape, the more losses will hopefully reduce (see Cybersecurity Automation Adoption).
The insurance industry has an important role to play in improving cyber security. We want to be a partner for cyber insurance in the long term.
Cyber has the potential to become one of the most important insurance policies a company purchases, given it is one of the biggest threats most companies face today and in the future.
Business will need a risk transfer solution for cyber and that is why we continue to adjust our underwriting and work hand-in-hand with clients to improve cyber security maturity.
Insurers have a role that goes beyond pure risk transfer, helping clients adapt to the changing risk landscape and raising their protection levels.
Cyber will become a well-established insurance product. The market and the cyber product are maturing, and we increasingly see a consensus on what good cyber security maturity looks like and what can and cannot be covered by insurance.
According to Munich Re, at the beginning of 2022, cyber insurance premiums worldwide totaled in excess of $9bn. This is expected to increase to well over $20bn by 2025, a figure also predicted by AGCS in its first cyber risk report in 2015.
Growing interest in captives and ART
Purchasing habits for cyber insurance have been shifting with the evolving risk landscape and the challenging market for cyber insurance.
Following large ransomware losses, cyber insurance premium rates have increased over the past two years, and underwriting criteria have tightened.
In some cases, organizations have not been able to buy the limits or programmes they previously did. As a result, many buyers of cyber insurance have considered alternative programme structures and alternative risk solutions for cyber.
Captives are often used as a tactical complement to increase coverage and fill in gaps in coverage. After recent ransomware attacks and other cyber losses, an increasing number of companies are looking at how they can utilize captives to both benefit their finances and protect their organization.
Generally, retention levels have increased, and companies now have more skin in the game. As a result, we have seen more interest in the use of captives and virtual captives for cyber.
In the US, Stephens agrees that retentions have also increased considerably, and demand for limit is being tempered by the cost of insurance.
As a result, many companies are looking for ways to get the most out of their cyber insurance and fund higher retentions: “We are having more conversations with clients on alternative risk transfer solutions for cyber, including fronted policies and tailored structured solutions.”
AUTHORS: Jens Krickhahn – Practice Leader Cyber Insurance, Central and Eastern Europe at AGCS, Michael Daum – Global Head of Cyber Claims at AGCS, Tresa Stephens – Head of Cyber, Tech and Media, North America, AGCS, Marek Stanislawski – Global Cyber Underwriting Lead at AGCS