A rapidly shifting cyber insurance market has brokers working harder to keep pace with coverage restrictions, diminished capacity and some of the most significant underwriting and pricing moves to date—all amid heightened client demand for a product now viewed as essential to any business.
Even as the broader property and casualty insurance market hardened, cyber insurance remained relatively stable, with plentiful coverage at reasonable prices, according to brokers. That seems to be changing weekly, as cyber insurers grapple with vast losses to an array of threats, chief among them being ransomware and systemic risk aggregation. There are also isolated instances of quick underwriting reactions to the SolarWinds hack, which has the industry nervous. However, these reactions are not yet widespread.
Nearly every carrier has implemented new application questions, usually with separate ransomware supplements. Pricing and retention are on the rise, and available limits are lower. And when the market began to change, it changed quickly and often.
“There were shifts in November, more shifts in December, more shifts in early January [and] more shifts in late January,” Chris Reese, cyber and technology insurance practice leader at Lockton, said. “It’s the gift that keeps on giving.”
“It’s a brave new world this week,” said Mike Robison, national practice leader for CRC Insurance Services, who spoke during a recent webinar hosted by the Wholesale & Specialty Insurance Association (WSIA).
“We haven’t seen every market act the same, but there is a substantially heavier focus on risk management and controls directly correlated to ransomware exposure,” Christiaan Durdaller, president and CEO of INSURETrust, said. “So, it’s a sign of what’s coming.”
Underwriters are no longer shy about walking away from business that doesn’t whet their appetite, with cybersecurity controls a primary focus at renewal or inception.
“Underwriters have always looked at risks individually, [and] they are doing it even more so now,” Joe DePaul, head of FINEX, cyber E&O, at Willis Towers Watson said. “There is a heightened sense of needing to get that information in order to go through the process.”
It’s a bumpy road for brokers and buyers, according to CRC’s Robison. Much of the shifts center around coverage restrictions, coinsurance and sublimits on any provision tied to ransomware, including extortion and business interruption.
“This is what’s driving the losses, and it’s what is driving the carriers,” said Mickey Estey, SVP, E&O/cyber/media at RT Specialty, who spoke on the WSIA panel. Insurers are regularly seeing seven-figure demands—and they’re being paid, erasing policy limits in one day and triggering multiple provisions. Estey added, “If it’s so bad the carriers are saying, ‘We don’t even want to play,’ that’s a big shift.”
For the risks insurers find appealing, the price needs to be right.
“Pricing’s definitely not going down,” said David Lewison, senior vice president at AmWINS, during the WSIA event. Lewison cited 30% increases being at the lower end of overall increases.
The volatility in pricing prompted Marsh to, for the first time, offer a month-to-month look at pricing changes in its quarterly market update, according to Meredith Schnur, U.S. cyber brokerage leader at Marsh. The soon-to-be-released report for the fourth quarter of 2020 will show a jump from an 11% average increase on cyber insurance in November to a 26% average increase in December, Schnur told Advisen.
All that said, coverage is available, client demand is rising and brokers are building towers. Most brokers don’t feel it’s a true hard cyber market, at least not in the traditional sense as other P&C lines are currently experiencing.
“That’s when we can’t find capacity,” Schnur said, adding that—for the month of December—Marsh successfully placed all its Dec. 31 to Jan. 1 renewals. The biggest challenge comes down to being able to plan ahead and set client expectations in a fast-moving market.
“We could be planning to the best of our ability and we’re still going to have curveballs,” Schnur said. “It absolutely varies by carrier. When a market comes out with sharp pivots—not a slow and steady introducing of change—it really throws us for a loop.”
However, a key message is that scaling back on ransomware coverage doesn’t negate the value in a cyber policy for data breaches, privacy, business email compromise or the many other digital threats organizations face.
“There’s so much coverage under a cyber policy,” added Schnur. Buyers with solid ransomware prevention and business continuity plans may not even see coverage restrictions, Schnur explained.
Coverage changes place additional burdens on brokers, prompting them to quickly find new solutions and go to market more frequently on business, particularly in the last year or so. Variation in cyber policies has long been a sticking point for many buyers who want as close to an apples-to-apples comparison. In this market, though, brokers focus more on the differences.
“You need a sophisticated team of individuals to take a very deep look, and you have to understand how these policies will respond and communicate that back to clients,” WTW’s DePaul said.
“In terms of what we’re dealing with, standardization of coverage is not the top-of-mind problem,” Lockton’s Reese said. A more prominent focus is helping clients with their cybersecurity posture, and, while there are some common themes, it’s “… not cookie cutter, [and] there’s a divergence of underwriting philosophy,” Reese said.
As insurers analyze the many claims they’ve received over the life of the line, most—but not all—have begun to require certain cyber basics of clients. Brokers say carriers look for multifactor authentication at a minimum, along with controls around privileged access and remote desk protocol. They also want to see organizations implementing rigorous patch management programs, backup segmentation and endpoint security. But, brokers say there’s no broad generalizations possible to answer the questions.
For their part, underwriters have expanded their teams, with most embracing third-party, cyber risk assessment firms to provide external scanning capabilities and a technological view of an insured’s cyber posture.
“We’re seeing a couple of larger players introducing some scanning component as part of their underwriting process,” Lewison said. “The better informed you are, the better you can underwrite.”
It’s a move that makes sense in the view of most brokers, as long as it doesn’t become the de facto decision-maker.
“We still need to have underwriters who have authority to understand the risks and make decisions on the risk, because they’re the ones who know the client,” Schnur said.
According to Durdaller, a greater underwriting focus on risk management gives brokers and their clients an opportunity to boost the take-up rate of risk mitigation services.
“For us, there’s been a heavy focus on the risk management side for several years,” Durdaller said. While many organizations are quick to make the easy security fixes, like turning on MFA, putting RDP behind a VPN or closing up open ports, the more complex and pricier implementations are a tougher sell.
“The businesses that successfully marry risk management and insurance in cyber will find more interest in their risk among insurers,” Durdaller said. “The direct tie between risk management implementation and a reduction or increase in premium is something we are seeing across a good portion market for the first time in nearly a decade.”
Some areas of the market are tougher than others, but brokers remain upbeat on their ability to meet client needs. They also see the changes as a natural shift as the market evolves.
“We don’t know what tomorrow will bring, and it might bring an event that none of us in the industry thought of,” WTW’s DePaul said. “We all see the potential for a far larger, broad pervasive systemic loss. We want the market to be around for the next 20 years. We want a sustainable market.”
“This will be a more challenging year than the recent past when it comes to renewals if brokers haven’t focused their clients’ eyes on a cyber risk management strategy up until this point,” Durdaller said. “The last few years in some ways have felt like a race to the bottom from a premium standpoint, as the focus was heavy on capturing market share. Those with market share now have a better opportunity to redefine the risks they want. In 2021, we expect there to be a healthy correction from cyber insurance companies on a more aggressive scale than we saw in 2019 or in 2020.”
Contact us today for more information on how we can help strengthen, improve, and protect your organization’s cybersecurity risk management program.