The US cyber insurance market appears to have stabilized after the turbulent rate hikes of 2020 and 2021, but industry experts warn that underlying risks continue to accumulate. Insureds may no longer face the same sticker shock at renewal, yet systemic exposures and emerging threats could trigger the next wave of losses.
“If you would ask any one of our clients, or anyone who has cyber insurance, I feel like it’s a no-brainer that they feel like it is stabilizing from a premium perspective,” said Clay Swanson, risk management specialist – professional liability at TrueNorth Companies. “Where I don’t think it is stabilizing – and I think the silent killer here – is just that the risk is still compounding and it is only a matter of time.”
Swanson traces the stabilization to a market reset around 2020, when cyber coverage was widely underpriced and underwriting scrutiny minimal.
“Underwriters understood the potential for a loss. This thing wasn’t priced the way it should be. There was minimal barrier to entry,” he said. “That obviously changed almost in an instant.”
As ransomware surges and losses mount, carriers have tightened requirements and raised rates. Controls such as multi-factor authentication have become standard.
Today’s market reflects a new baseline, he said. “I did think it was stabilizing because everyone’s new base level of what was required – was stabilizing from a price perspective.” But he cautioned that stability is cyclical. “I don’t think that it is permanent. Like anything in the insurance industry, it is cyclical. Cyber is even more unpredictable.”
While ransomware frequency has moderated, Swanson said the bigger concern remains severity and aggregation. Unlike property or casualty risks, cyberattacks are difficult to quantify.
“Cyber is unlike any other line of insurance… you can’t quantify it or put it in a box the way that you can a building,” Swanson said. “The attacks are criminal, they’re all over the place, you can’t define it.”
Carriers seek to manage uncertainty through exclusions and sublimits, but headline-driven concerns sometimes dominate the conversation. “In 2020, they seem to be more concerned with exclusions, like a war exclusion… and how war exclusions are now gonna deem cyber insurance useless,” he said. “OK, where did that conversation go?”
Swanson suggests that emerging technologies, including artificial intelligence, pose a greater future threat. “No-one’s really talking about what’s actually going to impact cyber, which is how it interplays with AI or other coverage.”
Despite tighter standards, Swanson said cyber insurance is not inherently harder to obtain. “I don’t think it is getting harder to insure. If anything, all the tools are getting better to make it easier,” he said.
Pre-bind controls – from MFA to endpoint detection tools – have become baseline expectations, but he notes a persistent gap between perception and reality. “Yes, the bar is higher. You have to have X, Y and Z. Well, yeah, you do if you want a good policy,” he said.
Controls often affect coverage limits more than premiums. “I think controls don’t change a lot of the pricing,” Swanson said. “Controls will impact the amount of coverage that you have more than they will change your ability to get or not get cyber insurance.”
Swanson also highlights misconceptions at both ends of the spectrum. Some companies assume cloud adoption alone guarantees protection. “Everything’s in the cloud, I’m good, I can get cyber, and cyber is my protection, so I don’t really give a shit,” he said. Others, overinvested in technology, expect blanket coverage. “They think that they should have coverage for everything.”
Revenue and industry class are key underwriting factors. “Your revenue and the industry that you’re in are going to be the two biggest pre-bind controls,” he explained. “Have a narrative that you can fill out to support why you need a lower premium, or why you need this coverage, or why you shouldn’t be sublimated for this. That’s the biggest misconception.”