“In the US we have a saying about the month of March – that it comes in like a lion and out like a lamb but in 2020, it came in like a lamb and went out like a lion,” said Tom Reagan (pictured), US & Canada cyber risk practice leader at Marsh during a Guidewire-sponsored discussion on cyber trends and predictions for 2021.
2020 had been set up for success, he said, with a market that had been consistently growing for a long time and in which rates were trending upwards but generally manageable. Then two key events hit. The COVID-19 pandemic transformed everything about how people live and work and, from a cyber perspective, it has had a genuine impact on how organisations regard cyber risk. Many organisations had to make a transition to remote work effectively overnight and the focus became business continuity which, in the short term at least, potentially came at the expense of security.
2020 also saw a continued drumbeat of claims activity, Reagan said, as the impact of the broad category of ransomware made itself heard and felt. This was percolating in the background at the beginning of the year and continued to grow throughout summer 2021 until, by the end of the year, increasingly radical and urgent action was being taken by the underwriting community.
“We’re still trying to sort through exactly what that means,” he said, “but clearly, we’re in a period of transition and evolution in the space, as the market looks to understand what is the path forward in the face of what I would call an epidemic of ransomware. If COVID is a pandemic, then it’s quite clear that cyber is an epidemic.
“[Also]... I think business leaders and executives have come to recognise that there is no future without a digital operation, that no matter where we go from here, organisations are going to have to embrace elements of remote work, and everything that entails, so anxiety around the cyber future has never been higher.”
2020 was a pivotal year for the cyber insurance sector between a significant increase in activity and a worsening threat environment, said Tracie Grella. global head of cyber at AIG. For many years, the industry had been working with governments, regulators and cyber security companies who had been asking ‘when is the insurance industry going to be able to encourage and acquire certain controls to help approve the security of organisations?’
“Coming off last year and going into this year, we really hit a period where we’re able to do that,” she said. “The industry has certainly seen a number of losses and activity has been increasing all year, and we started to see the market take action, increase rates, which continue to increase from month to month, some reduction in cover, some pullback in capacity, and some markets really taking down their position. And, at the same time, we also saw some new markets come in.”
Grella noted there has been a ramp-up in claims where one entity is targeted but the incident impacts many organisations and results in multiple claims being reported, and said this trend is likely to increase. However, in addition to the challenges and changes in the sector, she believes there is a great role for the insurance industry to play here in understanding the claims at the root of loss activity, in self-improvement, in enforcing best practices and controls, and in partnering with insureds to improve their security and the security of their organisations.
Offering her perspective, Swiss Re’s head of cyber and digital solutions Maya Bundt highlighted the evolved understanding of businesses around managing cyber resilience. And this is not just true for the larger businesses, and the mid-market corporates, but also for SMEs; for those two-person law practices and medical practitioners operating from small clinics. There is a huge protection gap when it comes to smaller businesses because there is less acknowledgement and awareness that this is a real risk which can and likely will impact them. This has now changed and managing cyber risk has become a necessity.
“What we’ve also seen, which is something that is even a bit newer from last year, is the understanding of individuals that they are also facing cyber risks,” Bundt said. “I think one of the big drivers here was the pandemic, with everyone working from home and thinking, ‘Oh, I have to safeguard my work environment from home, but my family’s here so what does it mean for us?’
“So, what we’ve seen is a huge interest in personal lines cyber insurance, and also a need for people to understand those risks, to be able to manage those risks and to get help if something happens. And I think here, as Tracie said earlier, the insurance industry really can do its part, both in terms of the risk transfer, but also, and especially also, in combining that with risk management. And not only for the businesses, but also for individuals and families.”