By Kelly Butler ,
Head of Cyber, Marsh Speciality, Pacific
31/03/2022 · 3 Min Read
The ever-evolving nature of cyber risks, the digital dependence of business, and the sophistication of cyber statecraft contribute to making cyber risk quantification and pricing a daunting task. With the future fundamentally uncertain, pricing cyber risk in a way that is commercially viable is challenging. At the same time, contract certainty and product integrity are taking centre stage as the insurance market navigates the evolving cyber risk paradigm.
Insurance products and available capital supporting them inevitably change as new risks emerge, existing ones evolve, and data analysis and predictive modelling tools become more powerful and effective.
Cyber insurance has proven resilient in its relatively rapid development from a niche eCommerce technology policy into one that addresses an array of digitally derived risks. Importantly, it has been effective in paying claims as intended, enabling organisations to take risks responsibly as they innovate and digitalise their business models.
As the breadth of the coverage and its purchasers has grown, so have insurer concerns pertaining to accumulated exposure and systemic risk. In response, insurers are revising strategies, including taking operational and tactical actions, such as changes to risk appetite, underwriting methodologies, the composition of the product, and support services offered to the insured. They do so in an effort to improve their portfolio’s profitability and set the stage for the long-term sustainability of the cyber insurance market.
Some of the major concerns and corresponding actions include:
Underwriting requirements: Short questionnaires and high-level underwriting meetings have been replaced by comprehensive applications and supplemental ransomware applications, whose questions are informed by loss analysis, external scanning, and threat intelligence. For insured organisations, the inability to demonstrate key cyber hygiene controls will likely result in less than desirable outcomes. However, those that demonstrate cyber maturity remain in a position to withstand erosion of coverage.
Aggregation, accumulation, and systemic risk: Broadly, these three terms reflect insurer concerns related to correlated losses, amplified by a growing reliance on certain technologies and services. These concerns are set against the backdrop of a market that is spread among a relatively small number of reinsurers and primary underwriters, resulting in a concentration of risk. Excess insurers are re-evaluating attachment points in layered programs and scrutinising the scope of underlying coverage.
Scope of the coverage: Insurers are increasingly scrutinising not only the scope of coverage, but also the construction of the contract. Frequently, scope is being expressed as limitations related to ransomware and contingent business interruption coverage; liability emanating from business decisions around the collection, storage, use, and consent requirements concerning personally identifiable information; and through some broadening of exclusionary language in relation to infrastructure, natural perils, government actions, and war.
The following are topics and issues your broker and insurers are likely to discuss in-depth with you during your next policy renewal discussion:
Ransomware: This risk sits close to the heart of nearly every cyber risk discussion today. As ransomware attacks continue to increase in frequency, sophistication, and severity, it has become the dominant cyber threat to many organisations’ daily operations, long-term finances, reputation, and more. Insurers continue to use sublimits and coinsurance as a risk-sharing mechanism to incentivise cyber controls and resilience.
Not all ransomware coverages work the same way, so buyers need to be aware of the differences. Some insurers impose ransomware limitations on the entire policy, including liability exposure, while others focus solely on the ransomware payment and/or resultant business interruption losses.
Regulatory risks: In response to relentless cyber events that adversely impact society, changes are being made to existing regulations, and new ones are coming into existence.
For example, the Australian Government has introduced the Ransomware Payments Bill 2021 (No. 2), which establishes a mandatory reporting requirement for Commonwealth entities, State or Territory agencies, corporations, and partnerships that make ransomware payments. It requires these entities to notify the ACSC of key details of the attack, the attacker, and the payment. This bill will provide important foundational information for a comprehensive national ransomware strategy.
Another example is the Security Legislation Amendment (Critical Infrastructure) Act 2021, which expands the sectors recognised as critical infrastructure from four to eleven. These eleven sectors must now adopt and maintain a critical infrastructure risk management program, and are subject to mandatory cyber incident reporting to the ACSC.
Supply chain risk: The full scope of an insured’s third-party suppliers/vendors remains somewhat of a blind spot. Thus, there is increased pressure from underwriters seeking information about an insured’s vendor ecosystem to identify and underwrite critical dependencies beyond tier-one suppliers/vendors.
Where insurers do not see evidence of an organisation possessing a comprehensive view of its third-party exposure (both IT and non-IT), with controls and processes in place to proactively manage the same, they are likely to increase waiting periods, remove qualifying retentions, and impose sublimits or coinsurance. Addressing these concerns by showing an organisational dedication to understanding and mitigating the impact of third-party risk on business operations is key to maintaining broad coverage.
Exclusionary language: Many insurers seeking to address concerns related to accumulation and aggregation issues are focused on amendments to a few exclusions, namely war, infrastructure, and government actions. In an attempt to reduce catastrophic exposure, they explore ways to express their concerns more precisely through the amended language. This includes amending carve-backs for cyber terrorism, redefining war in the context of modern cyber warfare, expanding often ignored government actions wording, and casting a wider net by expanding that which is considered infrastructure. In so doing, insurers bring more variability and volatility to the process, creating non-concurrencies within programs.
Systemic risk: Intended and unintended effects of a cyberattack may cascade across various sectors of the global economy, impacting many stakeholders.
Two pathways for contagion from systemic risk relate to common vulnerabilities and common dependencies. This awareness, coupled with some near misses — for example, SolarWinds, Kaseya, and MS Exchange — has been a catalyst for change by leading primary underwriters.
Specifically, the construction of the contract is being bifurcated into events that are limited in their scope and impact versus those that are widespread in scope and can result in a catastrophic impact. This sets the stage for future restrictions in coverage. Elements of these novel concepts are untested, inclusive of corresponding terms and conditions, and are thus more susceptible to unintended consequences. Appropriate articulation of such concepts will likely need to include a reasonable degree of quantification and illustrative guidance in an effort to create clarity between parties, and set a clear threshold as to what currently constitutes an uninsurable event for a given insurer.
Achieving a balance between insureds’ and insurers’ needs and expectations regarding cyber risk transfer involves a shared responsibility — and, ideally, a partnership, notwithstanding the potential for friction between those that cede risk and those that accept it.
Experimentation, to a certain extent, is unavoidable as the market seeks to resolve concerns and avoid certain catastrophic consequences. That said, it becomes unpalatable when strategies and approaches diverge to the point of creating a lack of clarity regarding the impact of coverage changes and significant non-concurrencies within a cyber insurance program.
Cornerstone coverages within the cyber product have matured to a point that harmonisation of intent, common and consistent definitions, and clear and concise naming conventions are now appropriate. In fact, they are needed to remove ambiguity relating to non-controversial insuring agreements, terms, and conditions.
Collectively, the industry has never had more data to inform underwriting actions, pricing, and proposed product changes. With that in mind, it is imperative that underwriters provide transparency pertaining to pricing/risk differentiation, and clear explanations when proposing changes to the product.
To maintain broad coverage terms and optimise economic utility, it is essential that insureds commit to cyber resilience. The ability to demonstrate that cyber risk is strategically addressed within the organisation, including through good governance, comprehensive controls, and an aware cyber culture, is a competitive advantage when many carriers have reduced the overall capital dedicated to underwriting cyber insurance.
At Marsh, our mission is to protect and promote possibility — helping clients protect their balance sheet and enable responsible risk taking is a key objective. We continue to advocate on behalf of insureds through discussion with insurers and other market participants, and remain at the leading edge of product innovation and services that support cyber resiliency, all in an effort to reduce uncertainty and ambiguity, and maximise the value of cyber insurance products for our clients.
"Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage."