Ever since it first emerged as the new kid on the insurance block a few decades ago, cyber insurance has displayed many of the characteristics of a rolling stone – steadily picking up speed and energy and never staying still long enough to gather any real predictability. The trends and shifts sweeping the space are innumerate, but as highlighted by Lindsey Nelson (pictured), cyber development leader at CFC, among these are some key developments.
The first trend she identified is the evolution of cyber from a hard-to-sell product to a hard-to-buy product, driven by both a supply and demand imbalance. The restricted availability of insurance capacity for cyber is being primarily propelled because of the perceived threat of systemic risk events, as well as remediation from the market as a result of severity-driven ransomware attacks.
“That supply-demand imbalance has been a challenge and it has put cyber in a really unique position in the market, because it’s still that fringe expense for a lot of businesses, despite being their largest exposure,” she said. “And yet the demand for it is going up because somebody that looks like them has had an incident. So now they’re asking for that coverage a little bit more proactively but being met with a lot of [difficulty], whether that’s restricted appetite, restricted capacity or that the pricing isn’t accessible for them anymore as a business.”
Nelson noted that another key trend she is seeing is the progression of cyber from a reactive product to a proactive one in terms of what it can do for clients. A few years ago, she said, the market was a battleground for who had the best coverage to respond to an event. But today it seems cyber has shifted slightly away from focusing on how to act reactively to a claim to using threat intelligence to mitigate and manage cyber crime.
“I think cyber insurance is having its coming of age moment,” she said. “For years the market was focused around the best and broadest coverage, a couple of years ago it quickly accelerated into what I call cyber 2.0, where cyber insurers started conducting external vulnerability scans, which all looked quite clever upfront, but which didn’t tell the true picture of a client’s actual risk.
“Now we’re entering cyber 3.0 territory where we can use a huge amount of threat intelligence data, map it to our client data and actually get that immediate insight into a policyholder’s risk so that we’re not chasing the next vulnerability, but actually staying one step ahead of it. I think for sustainability in the market and [with regards] to who is going to write cyber in a meaningful way in the next few years, that’s the direction the market absolutely has to take. Moving to that point where cyber insurers can manage and mitigate cyber crime proactively and are able to do that on behalf of policyholders is in the best interests of insurers, brokers and clients alike.
The third significant trend Nelson is seeing goes back to the first point she made around the supply-demand imbalance being seen in the market, as the evolution of cyber into a hard-to-buy product in the UK market is lending itself to a variety of different approaches from cyber insurers.
She highlighted that the CFC team has seen a lot of variation from their peers in terms of coverage restrictions. From some, there are minimum security control expectations, from others there are market exits. CFC strongly believes that the right strategy is to maintain the integrity of its cyber product by keeping its wording as broad as clients are asking for, and instead addressing the elevated cyber risk that everybody is trying to price correctly for by ensuring that the price matches the exposure.
That ensures that there’s still a product available to protect what is now the single largest exposure that companies face today, she said. There’s a lot of noise in the market about affordability and making sure that cyber remains an accessible product for clients and it is when coverage is restricted that cyber insurance became inaccessible for clients.
“The affordability is challenging already,” she said, “…Cyber was historically the most competitively priced risk of a client’s insurance programme and I think it’s certainly going to change to be one of the more expensive ones. But that makes sense when it’s the largest exposure that they have as a business and for most businesses, it’s their top concern when asked what keeps them up at night. There is going to be that shift because the exposure has shifted, and the threat landscape has evolved so significantly, but, for us, delivering the why and keeping the coverage that people are asking for available is paramount.”
Nelson also highlighted that the real trial is that despite the pressing nature of this risk, only about 15% of companies are actually buying cyber insurance. Purely from a broker’s risk perspective, she said, most businesses register cyber as a top concern so even though the price has gone up, the value of the product has gone up even more.
About 85% of commercial customers are still not buying insurance to protect against the most important risk that they’re going to face this year, she said, but in that challenge lies a real opportunity for brokers. There’s also a lot of noise about cyber being a ‘hard market’ but Nelson does not believe this is quite the right term to describe the current lay of the land as, in reality, the cyber market is simply evolving with the present threat landscape.
“‘Hard market’ insinuates that we’re in a cyclical market right now, but the product is only just in its adolescence,” she said. “It’s evolving at the moment, and we’re learning as we go along to catch up with that. So, the risk has changed. The risk today is not what it was two years ago and that’s why the pricing looks so significantly different. And it’s not going to be the same two years from now. So, it’s not that insurers were under-pricing as has happened in property and liability lines.
“I think it’s our job, from a cyber insurer’s perspective, to articulate why the risk is different and what that means to a classic UK SME business, and why buying a cyber policy is going to be the best business decision that they can make. That’s really where the opportunity lies for the next year, to sell this critical product to those who still aren’t buying.”