A daily conundrum for cyber insurance brokers – but it hasn't always been this way

The market has evolved dramatically over the past 12 years

By Bethan Moorcraft

How do you convince a client to pay four times their premium upon renewal for a policy with less coverage and a higher deductible? That’s the type of conundrum that cyber insurance brokers come up against on a daily basis in today’s hard insurance market … but it hasn’t always been that way.

Patrick Bourk, principal and national cyber practice leader at HUB International Ontario, has seen the cyber insurance market evolve dramatically over the past 12 years.

“When I first got into doing cyber insurance about 12 years ago, there was a lot of crime, tech E&O, and specialty lines underwriters pivoting into this new space […] and they were reaching out to brokers for education and advice on their policy wordings. That’s how I got involved,” said Bourk, a lawyer turned insurance professional, who worked in specialty lines claims management before becoming a broker in 2006.

“Twelve years ago, there was so much education going on. Clients would say: ‘Oh, you’re just trying to sell us more insurance. We don’t really need this. We have a great IT department. I don’t think we have a problem here.’ It was like that for a few years until 2014, when we had some pretty seminal privacy law cases, and companies started to take notice of the privacy element in cyber insurance policies. A lot of underwriters thought: ‘This is going to be our moment when we can really start selling these policies,’ but it didn’t really happen.”

With more education in the following years, uptake for cyber insurance started to increase. Noticing a turn in momentum in 2016-17, cyber insurance carriers started to compete for market share by offering very cheap coverage and very simple, client-friendly application forms. Bourk commented: “It was a soft market. Everybody was just trying to get market share, and nobody really knew what claims were coming because they were focused on privacy. They definitely weren’t thinking about ransomware.”

The cyber insurance market really started to turn in 2019 thanks to a massive uptick in cyberattacks, particularly driven by ransomware, as well as an increase in non-criminal system failures. Whether caused by criminal activity or not, these events cause huge interruption to business operations and significant insured and uninsured losses. To offset their deteriorating loss ratios, cyber insurers started increasing premiums and deductibles, limiting their capacity, and introducing new coverage restrictions, ransomware sublimits, coinsurance provisions, and specific event exclusions.

“We went into 2020 with these elevated premiums, and then COVID hit and all of a sudden, insurers were being sued for business interruption, and they weren’t sure if they were going to have a pipeline of premium because businesses were going bankrupt,” Bourk added. “Then there was this perfect storm for cyber insurance because […] everybody pivoted to work from home. The systems to work from home weren't quite designed the way they should have been, so ransomware claims skyrocketed, and, by the end of 2020, the cyber insurance loss ratios were up to 400%. For every $1 taken in, insurers were paying out $4.

“In my role as our national cyber practice leader, I had the heads of all the underwriting shops calling me up, saying: ‘We have to change course because our books are on fire and we’re not sure if we’ll be able to hold on.’ So, I then had to speak to clients, who for years had asked to roll over their cyber insurance, paying $2,000 for $1 million in coverage, and I had to tell them it would now cost them $30,000.”

Managing clients’ expectations suddenly became an even bigger part of the broker’s role, Bourk explained, particularly when it came to helping clients to understand why their premiums increased so much and what they could do to mitigate some of those extra costs.

“The challenge is, a few years ago, a broker could tell clients about cyber, it was cheap, and the applications were easy. But in a very short time, I now have to send my clients three or four application forms, and I need 120 days to go to market, and I have to build a white paper for them to give to their executive management team to say: ‘Our cyber insurance renewal is going to be horrible this year – here’s why. We’ve got to rework the budget.’

“We now have to ask clients to bring their director of IT security into the conversation and the renewals because insurance companies have in-house cyber risk engineers who want to know: Where are your assets? What would happen if they were compromised? How quickly could you pivot? Are you doing scenarios like war games? Are you practicing them? Do you have a playbook? There’s just so much more to do around client expectation management and budgeting issues. It’s a lot of work now for brokers in the cyber space.”
