Why the current rates for cyber insurance are unsustainable

"It won't be that long before we start to see rate increases," predicts broker

Why the current rates for cyber insurance are unsustainable

Cyber

By Alicja Grzadkowska

It’s official – cyber incidents have landed at the top of the list of global business risks for the first time ever in Allianz’s Risk Barometer 2020. With these exposures top of mind for all industries and cyber cover becoming one of the fastest growing parts of the insurance industry, there’s a lot of changes that brokers in this space have to keep up with.

Just over the past 12 to 18 months, the Canadian cyber insurance marketplace has seen many of those changes, especially after the introduction of mandatory breach notification regulations as well as other privacy regulations that have been implemented in key markets.

“The marketplace is still very competitive right now. Even this morning, literally 35 minutes ago, I got a new wording from one of our carriers that we do some business with, so coverages continue to evolve to address both some of the newer threat vectors that we see surrounding claims and then also to address things like the new privacy regulations,” said Brian Dagg, account executive at Gallagher. “The new wording this morning specifically addressed the CCPA in California, for example. While it wasn’t necessarily written into the wording previously, it’s now affirmative and it’s there under the definition of privacy regulations, so I think insurers are just trying to keep up with the ever-changing exposure.”

When it comes to Canadian-specific regulations, mandatory breach notification came into play for the Gallagher team shortly after the legislation went into effect. In fact, a client had a related claim as soon as December 2018.

“We’ve seen the mandatory breach notification called into action with respect to all facets of it, whether it’s the drafting and creation of that notification, what that notification looks like and what our obligations are, and then, following that, the response,” said Dagg. “Thankfully in that instance [in December], we haven’t seen any litigation brought forward, but it’s certainly something that is going to mature. I think it’s still in its infancy stage somewhat, so I do expect to see a lot more action surrounding litigation as we move forward.”

Regulations outside of Canada have also been impacting cyber coverage, whether it’s the aforementioned California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR) in the European Union.

“The interesting part with legislation in the US is there’s no overarching federal legislation like we have in Canada. With respect to privacy, there are 50 different states so 50 different mandates that we must adhere to, and what our obligations are and how soon we can notify. Some require notification within 48 hours of awareness of the incident,” explained Dagg. "With the GDPR, it’s 72 hours that you have to notify the regulator or authority of the breach event. And I can say from our experiences and a claim that we’re dealing with very recently here in our office, that notification takes time to prepare and 72 hours is a very short window to get that notification out the door, and to do it properly and effectively. It’ll be interesting to see how the coverage continues to evolve to address those potential issues that we’re going to see from a regulatory standpoint.”

As for how cyber insurance solutions and the market have already evolved, new endorsements and coverage enhancements are on offer in the marketplace, while markets are becoming more and more competitive. Nonetheless, Dagg says that rates are too low at the moment, compared to the firming that’s going on in other markets.

“I know I’m going to get my day where I have these unfortunate and difficult conversations, but right now it’s such a competitive space,” he said. “You look at the dollar amounts that we pay out on even some of the simplest, smallest claims and they are far in excess of premiums that are generated a lot of the time. We’ve come from a point where three or four years ago coverage was fairly narrow and a lot more expensive than it is today. That rate has been driven down quite a bit and, as a result, you’ve started to see a lot of clients buying the coverage.”

In turn, a lot of clients are also now filing claims, thanks to the proliferation of breach and hacking incidents, though Dagg predicts that rates will start to stabilize as insurers adapt to the changing cyber risk landscape.

“I do expect that as these different regulations and the different breach events come to the forefront, insurers will have to maintain the ability to provide that coverage, but I do believe that it’s going to come at a price,” he told Insurance Business. “I do think that it won’t be that long before we start to see rate increases and I can’t say that with 100% certainty, but just based on what I’ve seen and based on what we’ve been experiencing, I can’t see how the current structure of rate as it is now can be maintained for an extended period of time.”

A takeaway for brokers working in this dynamic marketplace is to first and foremost educate themselves and do a good job of educating their clients on both threats and solutions. A lot goes into that education process and it’s not about poking holes in cybersecurity platforms, programs, policies, and procedures, says Dagg. It’s about demonstrating how cyber insurance can augment those cybersecurity strategies and address that exposure through the transfer of risk or through other sources.

“My end goal is to sell a cyber policy to a client, but if I can go in there and educate [clients] on exposure and help them understand what their exposures are,” he said, “and if they feel comfortable in addressing that in another way then maybe we haven’t sold the policy, but at least we’ve educated them and we’ve assisted in bettering the risk posture of that client.”

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!