While demand for Cyber Insurance continues to grow, the current soft market is expected to continue into at least 2025. With new entrants on the carrier side and consistent but manageable demand from the market, downward pressure on rates remains. This market softness has evolved over the last two years after an initial increase in cyber events during COVID-19 and a contraction in capacity led to significant rate increases.
One reason rates are expected to rise is continued demand. Many small-to-midsized businesses are in the market as first-time Cyber Insurance buyers. Demand alone can drive a market correction even as carriers covet low risk. Regardless of current rates, underwriting discipline must remain to balance the market and provide clients with value.
Carrier interest in providing adequate capacity is significant despite the rating environment. Excess capacity is also available from reinsurers and should give brokers and agents many options for their clients.
Key Takeaways:
- Today’s Cyber Insurance market is marked by affordable rates and significant capacity, yet so many businesses are underinsured or forgo coverage all together. Education, especially for first-time Cyber Insurance buyers, is a critical step to secure the proper coverage and keep clients engaged.
- All organizations, regardless of size, are at risk of a cyberattack. Top targets include education, financial services, healthcare, manufacturing and retail.
- Experts estimate at least 50 percent of all claims in the Cyber space derive from social engineering. Advances in technology, including AI-powered deepfakes, are making potential cyberattacks more challenging to detect.
- The full aggregate limit is recommended for most policies and underwriting discipline will offer long-term benefits.
Given how quickly the Cyber market is evolving, brokers and agents should stay abreast of trends and strive to educate their clients as much as possible. Various breaches and cyber events that have impacted prominent organizations such as CrowdStrike, Change Healthcare, AT&T, Ticketmaster and CDK Global, highlight the importance of Cyber Insurance. This is one reason securing Excess policy limits can better protect an organization.
Bad actors constantly threaten proprietary data and system access – threatening to, or actually, exfiltrating data for exposure on the dark web and denying access to systems to conduct everyday business. A cyberattack can be damaging to any size business but for small businesses, it can be especially difficult to recover financially. It can be easier for criminals to find small business vulnerabilities using automated software that searches for unprotected access points. Depending on the client’s profile, brokers and agents must help them prepare for the risks and limit exposure.
Types of cyberattacks continue to evolve
Cyberattacks are becoming more sophisticated, but not all attacks are advanced. Businesses that do not invest the time to educate internal leaders and employees about current trends and best practices are at an even greater risk.
After falling out of favor with hackers during COVID-19, ransomware attacks have risen in the last year. Ransomware attacks aim to extort money from an organization and can lead to particularly larger claims.
Social engineering, or using methods of deception, manipulation, or influence to gain control over systems, is another common criminal tactic. Some industry experts suggest at least 50 percent of claims in the Cyber space today derive from social engineering efforts. Phishing emails can be effective weapons for bad actors to launch financial fraud or other malicious attacks, especially against organizations with insufficient cyber security.
While no industry is safe, education, financial services, healthcare, manufacturing and retail can be among the common industry targets. Criminals target supply chain vulnerability exposure as well, which can have an adverse ripple effect on multiple industries. Large cyber claims can lead to costly class-action lawsuits, representing another potential financial concern for the insureds.
Challenges in the Cyber Insurance industry
Highlighting the value of Cyber Insurance can be a challenge for some clients. Cyberattacks are risk agnostic. Thus, a general awareness of current exclusions and industry best practices, such as using domain scans, phishing training and other preventative measures, is essential.
Brokers and agents should keep clients educated on the latest Cyber market trends. A more educated client will likely feel that the level of service and policy options provided to them meet or exceed their needs if they have a basic understanding of cyber news, which can improve client retention and help build your book of business.
First-time Cyber Insurance buyers may be sensitive to rates because they need help understanding the value and, more importantly, the cost of not having coverage. Brokers and agents can help mitigate such risks through account diligence and preparation. Regular meetings and communications with clients about Cyber trends highlight the value these policies offer and help to manage client expectations better.
Given how fast the cyber industry is evolving, brokers and agents may need to move quickly and aggressively to address client needs. One way to do that is by securing the full aggregate limit where possible. Yet, in acting rapidly, ensure that underwriter discipline remains in place. Some brokers and agents can fall into the trap of chasing revenue at the expense of higher risk and lower quality placements but maintaining that underwriting discipline will offer long-term benefits.
Preparing for the future – and advances in AI
Rates are expected to rise in the future. Underwriting changes could cause more immediate rate fluctuation, especially as biometric laws or other privacy protections are implemented more broadly. Cybersecurity disclosure rules were updated in 2023, and more updates are expected in the coming years.
While artificial intelligence’s (AI’s) role in Cyber Insurance is still in its infancy, it can make it easier for criminals to find vulnerabilities. Conversely, AI can support added safeguards for businesses and more companies are using AI to help power their operations.
As technology evolves, underwriters will need to focus more on AI discrimination and biases along with how active of a role generative AI plays in creating video and audio that mirror human activity, also known as deepfakes. Industry professionals should monitor AI’s influence and be willing to adapt quickly.
Tips for brokers and agents
Building a book of business in the Cyber sector takes time. Still, demand and capacity give brokers and agents opportunities to become subject matter experts and trusted advisors for their clients. To accomplish this:
- Do not “sell the easy sell.” Resist the urge to present and sell the lowest limits and lowest price. Encourage insureds to invest in a policy that is genuinely in their best interests will have long-term benefits for all parties. This may include buying over the minimum limits to maximize protection against cyber criminals.
- Ask questions. Cyber is ever evolving and complex, even for experienced brokers and agents. Collaborate with partners you trust who are willing to provide a diverse range of policies and options.
- Become educated on claims trends and processes. Having a better understanding of client options and strategies can lead to more effective client retention.
- Ensure all submissions are thorough. Utilize narrative boxes on applications to fully explain the nature of risk to be insured in order to secure more favorable terms. Be as transparent as possible.
- Make sure you understand the details of all policy options. Zero in on possible exclusions and other information that can limit policy effectiveness.
Contributors: Andy Wood, Vice President, Professional Liability; Derek Kilmer, Associate Managing Director, Broker, Professional Liability, Burns & Wilcox; Kenneth Labelle, Senior Broker, Professional Liability, Burns & Wilcox Brokerage; Michael Drummond, Head of Cyber & Tech E&O, At-Bay
