Are you having a hard time securing Cyber Insurance? It can be difficult to find adequate protection in today’s market of doubling premium increases, weakened coverage terms and strict underwriting guidelines. Demand exceeds supply. Whether you’re securing new coverage or renewing, consider the current market and try a new approach to this most challenging line of coverage.
2023 Could be a Milestone Year for Online Privacy
In his 2023 State of the Union address on February 7, President Biden called for strengthened data privacy and platform transparency. Earlier this year, California passed a landmark amendment to its Consumer Privacy Act, ushering in the nation’s broadest policy on digital user data. The law limits information collection, regulates data mining and provides more consumer rights related to personal online information. Additional states passing data privacy laws include Virginia, Colorado, Connecticut and Utah.
When Cyber Liability Insurance premiered 26 years ago, privacy was the core issue, to protect against identity theft and the loss of personally identifiable information (PII). While new exposures such as ransomware and extortion have emerged, protection of personal information will only get stronger as government passes new laws. Today, underwriters still consider personal data privacy a major insurability factor.
Market Outlook for 2023
In December 2022, Alera Group released its 2023 Property and Casualty Market Outlook. Here’s what we said about Cyber Liability Insurance:
“Cyber Liability is currently viewed as the most difficult line of business to write. It is a quickly moving, immature market that is expected to become even more challenging in the coming years. Rapid changes in exposures, insufficient usable data, shortage of experienced underwriters, and inconsistent terms, conditions and language in coverage forms foretell difficulty in navigating this line of business.
- “Rates will continue to increase for most organizations, but with less volatility. In 2023, rates will increase as much as 50% before leveling off to 15% for less complicated risks as the market gains experience, introduces more limited coverages, adds exclusions and offers lower limits.
- “Capacity will be offered selectively and at lower limits to what insurers view as the best risks. Obtaining a $5 million layer will be challenging.
- “Terms and conditions are changing to clarify coverages as new cyber risks are being identified, and to add exclusions for state-backed cyberattacks. Policyholders must demonstrate they will try to verify certain emails that request transactions. Deductibles are being added, and sublimits are being required for ransomware and business interruption exposures.
- “The underwriting process will take longer. Due to extensive risk questioning, supplemental applications and a critical shortage of qualified cyber underwriters, expect the quotation process to take several weeks. As pre-qualifiers for a quotation, multi-factor authentication (MFA), a two-step process, is required to be in place before quoting. Also required: established cyber security preparedness; recovery plans in the event of an attack; offsite backups; endpoint protection responses (EPR) for laptops, mobile devices, telephones, etc.; and identified privileged users.
- “New market entrants will supplement existing capacity and availability. New managing general agents (MGAs) working with insurer’s paper will not only write business but also perform newly required critical services as ‘breach coaches,’ working with adjusters and forensic analysis.
- “Some industries will be impacted more than others. Financial services, college-level education institutions, healthcare organizations, infrastructure, pipelines, utilities and manufacturing accounts utilizing digital equipment will be more difficult to place with desired pricing, terms and limits.”
What You Can Do — A New Game Plan
Cyber Insurance is in a perpetual state of chasing technology and the bottomless depths of cyber criminals. According to Cybercrime Magazine, “If it were measured as a country, then cybercrime — which is predicted to inflict damages totaling $8 trillion USD globally in 2023 — would be the world’s third-largest economy after the U.S. and China.”
Much-needed initiatives including the recently published U.S. National Cybersecurity Strategy could shift liability to software manufacturers and device makers, and create a federal backstop for cyber catastrophes. Businesses also can help themselves by instituting or updating their cybersecurity protocols. A new game plan will help organizations secure the best policy terms, limits and pricing.
- Act like an investor, not just a buyer. Consider shifting your perspective, and approach the cyber environment as a long-term investor. Organizations that adopt this mindset tend to achieve the most favorable results. Avoid short-term price-centric strategies like shopping for coverage every year, and work to build relationships with cybersecurity and broker partners. Insurers must be confident that you’re a well-managed, profitable business, committed to managing cyber risks.
- Secure cybersecurity services. Invest in cybersecurity and cybersecurity attestation services to advance your risk management and to test your protocols. Insurers will conduct external assessments (outside scans, open ports searches, dark web review, etc.), but what’s typically missing is an internal risk assessment. Securing cybersecurity services that can validate your technical controls will distinguish your organization to underwriters. Cisco’s Cybersecurity Readiness Index reported that only 13% of U.S. organizations have a cybersecurity posture of “mature” and are ready to defend against cybersecurity threats.
- Work with an experienced broker. A broker represents your interests to insurance carriers with the goal of maximizing placement for the best coverage forms, policy limits and pricing. Cyber liability lacks any standardized policy forms among carriers, so every option must be thoroughly reviewed for coverage terms, limits, exclusions, deductibles and coinsurance. A knowledgeable, experienced broker with cyber expertise can guide you through the process at a granular level and help you understand the available options.
- Build a partnership. Strong working relationships work to an organization’s advantage, especially with this difficult coverage line. A true partnership between insurance broker, business and cybersecurity provider is key to presenting the business as the most marketable candidate to insurance carriers and underwriters. The application process for Cyber Insurance is more complex than prior years, and sometimes there’s a disconnect between what the insurance carrier wants and what the business believes the carrier is requesting. Insurance Journal reported on a recent case in which a cyber policy was rescinded for misrepresentation. The business stated on the underwriting application that it used MFA; however, the insurer discovered after the organization filed a cyberattack claim that MFA was limited to certain aspects of the business. Cyber attestation providers can run scans and test your controls before you experience a loss, and a broker will walk you through the application process.
With tight market conditions for Cyber Liability Insurance, carriers seek “best in class” risks for the limited coverage available. Businesses with strict cybersecurity protocols, a managed cybersecurity service and good loss histories will look favorable to discerning underwriters. A knowledgeable, diligent broker can help guide you through the current cyber market and craft a new game plan to present your business to cyber insurers.
For a broader look at navigating insurance market conditions, read Alera Group’s 2023 Property and Casualty Market Outlook. Learn about factors driving the current P&C market, as well as an analysis by industry and lines of coverage. To obtain the report, click on the link below.
Get the Market Outlook.
About the Author
Stephen Paulin, CIC
Cyber Risk Strategist
Orion Risk Management, an Alera Group Company
Stephen Paulin, a Certified Insurance Counselor (CIC), has more than 35 years of experience as a risk strategist helping privately held, mid-market businesses reach their profit goals by improving risk management outcomes that optimize the insurance program’s financial efficiency and produce better long-term business performance. Steve’s innovative, results-driven approach, exacting research and diagnostic process make businesses safer, more productive and profitable by delivering a proven methodology to:
- Identify the risks facing your business;
- Develop strategies to mitigate the total cost of risk;
- Attain “best in class” status to create intense competition in the insurance marketplace;
- Deliver personalized metrics to measure broker performance and ROI, and to achieve improved bottom-line results.