In recent years, especially through 2019 and 2020, the cyber insurance market in the U.S. has seen significant growth. Middle-market companies have been actively requesting cyber insurance policies with low rates and broad coverage terms. Amid the boom, however, brokers provided cyber policies while performing minimal due diligence, taking advantage of the increased demand for cyber insurance. Yet, later due diligence in the underwriting process revealed that the industry was taking on far more risk to secure a larger book of business. As cyberattacks have become more sophisticated and frequent, it became apparent that neither insurers nor the insureds were appropriately prepared to handle claims and attacks respectively. This increase in threats and claim volume has forced the insurance industry to harden its defenses in order to manage losses, and insurance carriers have now shifted towards micro-level assessments of organizations.
United States Market Update
The cyber insurance market in the United States has seen rapid growth over the past few years, driven by cyber-attacks becoming increasingly frequent and complex. The cyber insurance market is expected to dramatically expand in the next few years, and the so-called 'Cyber Big Bang' is still in full swing. It is expected that more organizations will come to recognize the importance of cybersecurity and invest in cyber insurance products to protect themselves against potential losses. Additionally, cyber liability coverage is likely to become a necessity for most enterprises due to growing regulations mandating its purchase. With these changes on the horizon, companies should prepare themselves for cyber threats and consider how cyber insurance can help them protect their data and operations from malicious actors. Here we will examine key trends in 2022, and highlight potential developments for 2023:
Cyber Insurance Premiums and Requirements Rose Alongside Increased Risk
Prior to 2022, U.S. companies were accustomed to being able to buy high-quality cyber coverage at a relatively low price. Due to the increased attacks in 2020 and 2021, however, the insurance industry responded by increasing rates by as much as 83.3% on average for the top 25% of companies.[1] As policies increased in cost moving into 2022, firms offering cyber insurance also imposed new requirements to qualify for their policies.[2] These requirements could include cyber risk assessments and cybersecurity matrices, as well as more stringent cyber incident response plans.
These two factors combined led some large companies to consider dropping cyber insurance altogether, which also contributed to the subsequent reduction in claims. Insurance brokers are being forced to work harder to deliver for their clients, having to reduce the quality of the coverage in some cases.
Geopolitical Unrest and Improved Cyber-Policing Drive Attacks Down. Cyber Insurers Improve Underwriting
In 2022, geopolitical unrest in Ukraine motivated improved cyber-policing actions. Many cybercriminals began to feel less safe engaging in cybercrime. Therefore, with global unrest coupled with attackers’ concerns regarding attribution, the industry saw an unprecedented slowdown in attacks in 2022. Seizing the moment, the cyber insurance industry used this time to improve its underwriting process, leading to a significant increase in proactive service spending by insureds in the U.S.
The ‘Cyber Big Bang’ Continues. Increased Competition will Drive Premiums Down
Nowadays, the internet is increasingly ubiquitous in people's lives, with more of everyone's daily routines being connected to technology. The cyber big bang has attracted, and will continue to attract, a large volume of new clients seeking cyber insurance coverage on an annual basis. As competition between brokers intensifies, we can expect a reduction in cyber policy premiums over the course of 2023. Brokers will reduce rates to attract new clients as they compete with one another to build a larger book of business. Brokers have already begun to share examples of where they reduced the cost of premiums in late 2022 to win new business, and professionals are banking on the coming stabilization of premiums.[3] However, as the cyber big bang continues, attackers will likely evolve, implementing new techniques and tactics to take advantage of recent industry growth. Brokers will continue to improve the underwriting process to reduce risk, leading to higher demand for proactive services. Even so, some may take on additional risk merely to build a better book of business. All of these factors combined will likely result in additional vulnerabilities and a higher volume of claims in 2023.
Defenders Building Resilience
The past two years have placed a heavy burden on Incident Response (IR) teams. The war in Ukraine has increased the pressure on cybersecurity professionals, and as the conflict continues, nation-states and cartels are joining forces to create new and destructive zero-day exploits. Meanwhile, other attackers that have been pressured by law enforcement have shown resiliency: ransomware has become cyber extortion, and new endpoints—such as Application Programming Interfaces (APIs) and containers—are increasingly vulnerable.
However, government agencies are now ever more engaged in information sharing to help defenders get out ahead of attacks, while security professionals have adopted new detection, protection, and response techniques to disrupt cybercriminals’ activities sooner. In every case, the more visibility they have across today’s widening attack surface, the better equipped they will be to defeat their adversaries. Though the road ahead will undoubtedly be rough, defenders that continually learn and adapt to the evolving threat landscape can and will avoid major obstructions and setbacks.
Threat Actors Rebranding to Avoid Attribution
Threat actors have been adapting to the heightened pressure of cybersecurity by rebranding in an effort to avoid attribution. This has made it difficult to track and identify these groups, as they take extra steps to retain their anonymity while perpetrating cyberattacks. Additionally, with the recent focus on tracking ransom payments through cryptocurrency, these attackers can be identified and held accountable for their actions by law enforcement. It is evident that cybercrime will not come to an end anytime soon, as perpetrators may adjust their tactics according to the environment.
European Market Update: United Kingdom and Germany
As in the U.S., the cyber insurance market in the European Union (EU) is growing rapidly, with cyber insurers predicting that its value will increase significantly by 2023. This growth reflects Europe's increasing awareness of cyber risks and cyber threats, as well as a greater willingness to invest in cybersecurity measures. It has been predicted that by 2025, 60% of businesses will prioritize cybersecurity when evaluating their IT procurement needs.[4] Cyber insurance policies are being adopted not just by businesses but also individuals across the EU, providing them with financial protection from cyber-attacks and other cyber-related incidents. Next, we'll look at the current state of the cyber insurance market in Europe and what to expect in 2023.
Germany Faces High Cyber Insurance Premiums. Economic and Geopolitical Turmoil Makes Price Stabilization Unlikely
Cyber insurance continues to be in high demand in Germany, especially among SMEs.[5] However, insurers have reacted strongly to the high number of claims and the associated claim volumes. Much like in the U.S., insurers have become much stricter with their cyber maturity assessments and have expanded their questionnaires, meaning that companies interested in cyber insurance must now meet significantly higher requirements to obtain insurance at all: they must invest more in proactive measures for threat detection and response to become insurable, or alternatively forego insurance should they consider themselves well-positioned in terms of the cybersecurity they have achieved. Furthermore, the trends for premium pricing have followed those of the U.S., with costs having risen dramatically. These developments were the product of three main factors that determined the threat landscape in 2022: ransomware, supply chain attacks, and critical infrastructure attacks.
In addition, some insurers in Germany have set up their own small cyber incident response teams to classify incidents themselves, and to be capable of resolving smaller incidents without external service providers. For cases of larger and more complex incidents, external companies continue to be used as service providers.
Due to the expected recession, however, the cyber insurance landscape seems less auspicious than that of the U.S. and is unlikely to stabilize. The number of cyberattacks may increase further over 2023, which would further intensify the threat and insurance situation.
The United Kingdom Struggles With Skepticism Over Cyber Insurance. Insurers Are Responding With Improved Services
The cyber insurance market in the UK has also followed the global trend over 2022, with insurance providers raising premiums, increasing the size of deductibles, and in some areas reducing the coverage offered. In the first half of 2022, over 90% of Marsh clients experienced an increase in premiums and more than half experienced an increase in retentions requiring clients to have more “skin in the game” when taking out cyber insurance.[6] Several corporate and mid-market companies continue to challenge the value that cyber insurance brings, either due to premium price hikes or being “locked-out” of the market due to strict increased requirements and minimum standards being imposed by underwriting decisions. Consequently, many organizations are turning to alternatives such as self-insurance and creating their own retainer agreements with legal and forensic service providers.[7]
While 2021 was a tough year with regard to the sheer quantity of claims, 2022 appears to have been far more profitable for many of the insurers that have an increased awareness of the cyber insurance products and have learned much since the previous year.[8] Furthermore, it appears that some cyber insurers are improving the way they handle claims by managing incident activities internally and not involving legal or loss adjustors. Additionally, some have created their own forensic capability to assist insureds in responding to incidents promptly. This may pave the way next year for further innovation in the cyber insurance product should additional margins be available to incentivize good practices and security behaviors amongst insureds.[9]
Conclusion
2023 will be a year of cyber insurance growth as cyber risk continues to increase, with likely market oscillations still to come. In Germany, risks, prices, and insurer requirements are likely to remain demanding, especially due to higher risk caused by the economic and geopolitical climate. Clients in the UK are reacting with skepticism concerning cyber insurance due to their increased requirements for cybersecurity maturity and past premium price hikes. As a result, many organizations either don’t have a choice or are turning away from cyber insurance and towards self-insurance or creating retainer agreements with legal and forensic service providers. Some cyber insurers are starting to improve their services by managing incident activities internally and not involving legal or loss adjustors. This is not unlike in the U.S., where premiums are beginning to stabilize thanks to increased competition, improved underwriting capabilities, and a deeper understanding of the business as a whole. Looking ahead to 2023, we may begin to see a softening of the cyber insurance market again due to a lack of large claims in 2022 (significantly reduced ransomware attacks), increased competition from new entrants in the cyber insurance market as a result of more capacity being offered, and the insured community becoming attractive through increased maturity in their cyber resilience programs.
References:
[1] Report: Top companies saw cyber rate increases over 80% in Q1 2022; PropertyCasualty360, 2022.
[2] Cyber Insurance Requirements Increase as Cyberattacks Become More Prevalent; Yeo & Yeo, 2022.
[3] Signs of stability emerge in turbulent cyber insurance market; Cybersecurity Dive, 2022.
[4] Cyber insurance: Risks and trends 2022; Munich RE, 2022.
[5] Demand for cyber insurance growing among German SMEs; Commercial Risk, 2022.
[6] UK Cyber Insurance Trends Report H1 2022; Marsh, 2022.
[7] Cyber – when insurance isn’t there; Farrer & Co, 2023.
[8] The Need for a Proactive Approach to Cyber Risk Management; Griffiths & Armour, 2022.
[9] Cyber Insurance And Cybersecurity Converge: How Smart Investments Cover All Bases; Forbes, 2022.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.