The history of cyber insurance
First, let’s look at the past, and how this has shaped the market. I liken this to the growth of a child.
First, we had the early days when cyber was newborn, with teething problems, which saw an arms race to get a perceived best wording out in the market. Like their children, all insurers believed that theirs was the best wording. The spectre of the ICO and GDPR was also coming over the horizon, and there were concerns over the likely consequences. This now feels like a lifetime away. These early days were all about the storage of third-party data and information, and how this would be affected by the new regulations.
Then, as we moved through childhood, we started to see the profligacy of low premiums versus high claims costs seriously impacting insurers. We also started to see a number of markets pulling out of writing cyber, and reductions in primary limits that had previously been readily available, with the market now shrinking.
Brokers were placing risk with markets without really understanding both the cover and their clients' needs. The “better to have something than nothing” analogy prevailed, leading to a loss of confidence in the market, as losses were not covered.
What this period did bring, despite high premiums, was stability to the market with the insurers beginning to write for profit, having clearer underwriting strategies and providing more realistic coverage. There was also a significant growth in risk management, with cyber resilience and incident response being key.
The capability of an in-house claims team, with the ability to be agile, brought not only a real positive impact on insurers' claims costs, but also the ability to manage these losses proactively.
As cyber experts, we became better able to advise and actively support our clients on what they needed to do to protect themselves against the growing threats that they faced.
This was all framed with the support of two of the world’s leading cyber insurers, both of whom continue to be both relevant and forward thinking as we head through 2023 towards 2024.
Have we reached the teenage years? Probably. There is still some angst, with cover and limits for certain sectors being difficult to place. Customers now have much better awareness and are seeing real value in having the right cover, but with the necessity to build resilience. Good cyber hygiene is key to insurability.
We have seen this topic move significantly up the agenda in boardrooms, with shareholders wanting to know their interests and reputations are protected.
Patricia Kocsondy, Head of US Cyber & Tech for our insurance partner Beazley says, “It can be easy for companies who’ve never experienced a cyber attack to underestimate their level of preparedness… but the fact of the matter is that cyber risk isn’t going away and companies are more dependent on technology than they’ve ever been in the past.”
Turning to what this year will look like
- It is very likely that any lack of investment around technology obsolescence will have a real impact. We are seeing insurers asking what the IT spend is, not just for this year but for future years. Obsolete infrastructure leads to greater vulnerability, but is this near the top of businesses' agendas, post-pandemic and in the real living crisis we now find ourselves in?
- The level of preparedness for IP threats, at the same time as concern is increasing, raises a red flag. IP still features lowest on business leaders’ risk registers, with only 11%* of all respondents putting it first. However, in the UK and US, the proportion of business leaders putting IP concerns top has increased by 107%.
- Claims costs continue to increase. As threat actors have become more sophisticated, so has their ability to extort larger sums. Invariably, ransomware continues to be top of their agenda.
See below a recent breakdown provided by CFC on types of losses.
The key question for businesses is ‘How insurable am I?’ Our experience tells us that mid-market clients are struggling to keep pace with what is being asked of them in terms of funding, budgeting for, and repairing technology to keep up with the cyber risk arms race.
Insurers are placing more emphasis on how their clients handle end-of-life software and hardware issues, and industries are having to include insurers' requirements within their IT budgets. This certainly means that they are reacting to insurers' requirements rather than proactively addressing issues.
Business leaders might not want to undertake good cyber hygiene, but they need to do it or risk having an incident as well as being uninsurable.