Cyberattacks are becoming more sophisticated, but so are insurers. In its 2023 US cyber market outlook, Risk Placement Services (RPS) says that insurance carriers have adapted to underwriting cyber risks even as threat actors raise or change their tactics. Combined with improved cybersecurity practices within organizations, this has led to rate stabilization in the marketplace.
It’s a positive sign shining light into a tumultuous market, which in 2023 will continue to face capacity challenges “driven by increased demand, two-plus years of significant premium increases, more judicious limits deployment, and the exit of some players from the market,” according to Steve Robinson (pictured), area president and national cyber practice leader for RPS.
“Carriers have basically raised the bar for entry for cyber insurance, increasing the information security requirements for organizations to qualify,” Robinson told Insurance Business. “Requiring multi-factor authentications (MFA) for remote access to networks is the big thing that the insurance industry got in lockstep with over the last few years.”
While brokers and their clients should acknowledge that a lot of hard work has been done, cyber security is an evolving process. Certain sectors will also need to work harder to meet cyber insurance requirements.
“While we're seeing pricing easing up, we're also seeing more industry specific underwriting,” Robinson noted. “Carriers are little more comfortable [with some sectors] as we see information security postures in a better place overall. But they have gotten out of certain industry groups that are poor performers, such as K-12 school districts, or cities and municipalities.”
RPS pointed to several themes in the cyber insurance market for the new year:
Sophisticated underwriters are using third-party scanning technologies to help detect security weaknesses. They will make endorsements around the vulnerabilities scanned, and if not addressed, these could impact an organizations’ coverage.
Ransomware losses have dropped in the past few months, but they have increased in severity. Ransomware-as-service is also on the rise; it’s predicted to be among the biggest threats to face the cyber market in the next few years.
Social engineering attacks have outpaced ransomware ones this year, fuelled by the global shift to hybrid working. Social engineering tactics involve using manipulation to gain access to cybersecurity weaknesses. RPS’ data found that fraudulent payments and social engineering fraud among small to medium-sized enterprises made up more than 50% of claims between January and August 2022.
Amid changes in the threat landscape, bans on ransomware payments and other cyber-related laws could crop up across the US. But such measures could have immense bearing on public entities, which are among the least prepared for cyberattacks. The public sector, including education, also faces fewer options for risk transfer after the pull-out of several carriers from the space due to skyrocketing claims.
For Robinson, the jury’s still out on whether banning ransomware payments can decrease the frequency of attacks.
“Logic would tell you that the bad guys wouldn't attack entities because there's no money for them to get. The problem is that’s not always the case, such as ransomware-as-a-service which are more indiscriminate attacks,” he said. “Nobody wants to pay the ransom. But in some instances, it could be important to have that as an option.”
The cyber insurance market is still evolving, but according to Robinson, what's clear is that insurance providers can no longer be an organization’s only risk management strategy. Agents and brokers play a key role in helping clients mitigate their risk and preparing them for 2023 renewals.
Robinson recommends that organizations partner with a third-party assessor to investigate vulnerabilities in their networks. Communication with clients will also be key so that they have a change to act on those vulnerabilities before their cyber insurance application and get the appropriate level of cover.
Despite hard conditions in the market, Robinson encourages agents and brokers not to approach cyber insurance with a negative lens.
“Certainly, we never want our clients to be getting less coverage than they had the year before. However, these policies were never priced to account for cyber warfare that's accompanying an armed conflict, or major cloud breaches that could simultaneously affect millions of cyber policyholders at the same time,” Robinson said.
“In order for the market to remain viable and sustainable, these are necessary changes that need to happen. It’s important for agents and brokers to understand that we’re still in a growth phase, not just in terms of demand and premium, but also in how carriers are managing the risk and its evolution.”
What are your predictions for the cyber insurance market next year? Share your thoughts in the comments below.