This article was produced in partnership with Munich Reinsurance America, Inc. (“Munich Re US”).
Gia Snape of Insurance Business sat down with Miguel Canals, SVP, senior cyber underwriter at Munich Re US, about his outlook on the cyber insurance market and loss trends impacting carriers’ strategy.
After two years of substantial rate increases and strict underwriting requirements, the cyber insurance market is experiencing a more competitive rate environment in 2023.
“2023 is shaping up to be a year of change in terms of cyber insurance,” remarked Miguel Canals (pictured), SVP, senior cyber underwriter at Munich Re US.
“According to Best's Market Segment Report from June 13, 2023, AM Best reported +8.4% rate change for Cyber in 1Q23, relative to +34.3% in 4Q21 (when cyber rate change hit its peak); US data only as reported to the NAIC”.
“The progressive positive rate change deceleration between 4Q21 – 1Q23 may serve as a good early indicator of the market not likely benefiting in 2023 from the same level of rate increases as seen in 2021 and 2022, which helped in paving the way for a dramatic improvement in Calendar Year 2022 results, according to AM Best’s report.”
“Despite an improved 2022 from a Calendar Year perspective, brokers and their clients can’t remain complacent, as carriers continue to sharpen their strategies amid an evolving risk landscape”, stated Canals.
Canals highlighted three key loss trends that capture the current environment in cyber:
Ransomware attacks are on the rise again after the market saw a dip in 2022, accelerated by the emergence of ambitious ransomware groups and the discovery of new critical vulnerabilities.
“The frequency of ransomware incidents has really spiked in 2023 relative to 2022, which was less active,” Canals said. “More and more groups are finding opportunities to attack.”
Within this trend, the industry has seen that data exfiltration, the unauthorized removal or movement of data, is also becoming more common.
In previous years, ransomware groups would typically extort payment from victims in exchange for decryption keys to their stolen data. More recently, malicious actors have taken their attacks a step further, threatening to leak important data and instigating double-extortion scenarios.
“Exfiltrating data from a system paints a worrisome picture for victims that are already suffering from a business interruption standpoint,” said Canals. “When a victim falls into this type of ransomware attack, they must additionally mitigate the risk of a possible data leak.”
But there is a silver lining.
Efforts by the insurance industry to require more stringent cyber security controls and create stronger defenses against ransomware and other attacks have paid off in a reduced number of claims, he explained.
“The insurance community has reached a level of sophistication in terms of deploying risk assessment and risk selection methods that has really improved the composition of portfolios,” added Canals.
The industry has also seen an increase in litigation stemming from the collection of personal and sensitive information without users’ consent. On this front, Canals classified most claims under two areas:
Pixel or tracking technology-related privacy cases have been around for 15 years, according to Canals. But growing awareness of consumer rights has led to a surge in claims in recent years.
Companies in the healthcare space are becoming the most vulnerable to these types of litigation in the wake of COVID-19. This is due to hospitals and healthcare entities expanding their website functionalities and patient portals, as well as widening the availability of telemedicine services, during the pandemic.
“During the COVID-19 public health emergency and in connection with the good faith provision of telehealth, the HHS Office for Civil Rights (OCR) announced it would not impose penalties for noncompliance with the regulatory requirements under the HIPAA rules related to remote communications,” said Canals.
“This seemed to allow hospitals and health care providers to use popular video chat programs and social media platforms as a mechanism for patients to access telemedicine services and log into their websites. However, some of the data being collected was sensitive patient information, so it actually may have been in direct violation of HIPAA [Health Insurance Portability and Accountability Act] laws.”
The industry has seen massive settlement amounts following class action lawsuits against Meta over the use of the Meta pixel by healthcare entities, ranging from $2 million to $18 million.
However, much larger settlement amounts have been reached in the broader tracking technology space, e.g. in late 2022, the industry saw a $392 million settlement in a large multi-state privacy case against Google.
“In the Meta pixel space, the costs of settling may end up being higher than the cost to defend. It may take several years for some of these open cases to play out,” noted Canals. “It's difficult for the industry to pinpoint what an average settlement would look like.”
BIPA claims, on the other hand, are linked to the collection, use, storage, and disclosure of biometric data. This Illinois law has a unique provision in that it provides a private right of action to any individual aggrieved by a violation without needing to prove that there was actual harm.
Recent Supreme Court decisions relating to BIPA could drastically alter the landscape of claims, according to Canals.
“One decision was Tims v. Black Horse Carriers, which extended the statute of limitations to five years. Another case was Cothron v. White Castle, which changed how statutory damages are quantified,” he said.
“Now, the way that the court quantifies a violation is $1,000 per violation instead of $1,000 per individual. Each swipe or scan of biometric data counts as a separate violation, so the rate at which violations can aggregate in a single event is a lot higher.”
Finally, legal actions related to VPPA, a federal law from the 1980s, are also gaining traction. VPPA was meant to inhibit video rental companies from disclosing data of customers and the videos they were renting.
In the current context, the law is being used to get streamers, online media firms, and digital health providers on the hook for how they share their user data.
The cyberattack on the MOVEit file-transfer software has ensnared some of the world’s largest financial institutions, healthcare companies, insurance providers, and government agencies.
The attack, which started in May of this year, exploits a so-called zero-day vulnerability, a software weakness that attackers discover before the vendor becomes aware of it.
Canals noted that concern around cyber vulnerabilities due to the MOVEit software hasn’t been uniform across carriers due to their varying portfolio compositions.
“We've talked with some carriers that don’t necessarily think it's something to be concerned about, while others are very concerned,” he said.
“Those carriers that are more focused in the SME [small and medium enterprise] space may have a different view from carriers that have a book that is primarily Excess business.”
Still, the MOVEit attack has become a significant source of concern in the cyber insurance market due to its far-reaching impact.
“The problem is that when you attack a software that provides a service to a very broad array of clients in different industry sectors and geographies, the potential of a widespread impact is there, which is why we're monitoring this very closely,” Canals said.
In response to a more competitive market, some cyber insurance carriers in the excess space have broadened their appetite, with some offering higher limits, according to Canals.
It’s a slightly different story in the primary space.
“Increased limits are not as common, but where we've seen limits expand for primary business, we’ve also seen this paired with increased Self-Insured Retentions,” said Canals. “It just goes to say that if carriers are willing to offer higher limits, then the insured will need to have more skin in the game.”
In the face of privacy litigation claims, carriers have also taken action to tighten their policy wordings.
“We've seen some carriers take an absolute exclusion approach towards unlawful collection exposure, regardless of where it comes from. We've also seen other carriers take a more tailored approach to specific states, such as deploying exclusions tackling privacy litigation claims stemming from BIPA in Illinois,” Canals said.
“Carriers are always monitoring these vulnerabilities, and to the extent they think is appropriate, they are going back to their policy forms for any necessary modifications.”
In addition, carriers are in various phases of updating their cyber war clauses. This is a risk which warrants developing new clauses that offer clarity and transparency to policyholders regarding the definition of Cyber War, the types of events that constitute Cyber War, and how Cyber War actions should be attributed.
Munich Re US helps clients bolster their cyber resilience by providing cyber security expertise, reinsurance capacity, cyber underwriting and claims training, and accumulation consultation.