The ever-evolving nature of cyber risks, the digital dependence of business, and the sophistication of cyber statecraft contribute to making cyber risk quantification and pricing a daunting task. With the future fundamentally uncertain, pricing cyber risk in a way that is commercially viable is challenging. At the same time, contract certainty and product integrity are taking center stage as the insurance market navigates the evolving cyber risk paradigm.
Insurance products and available capital supporting them inevitably change over time as new risks emerge, existing ones evolve, and data analysis and predictive modelling tools become more powerful and effective.
Cyber insurance has proven resilient in its relatively rapid development from a niche ecommerce technology policy into one that addresses an array of digitally derived risks. Importantly, it has been effective in paying claims as intended, enabling organizations to responsibly take risks as they innovate and digitalize their business models.
As the breadth of the coverage and of its purchasers has grown, so have insurer concerns pertaining to accumulated exposure and systemic risk. In response, insurers are revising strategies, including taking operational and tactical actions, such as changes to risk appetite, underwriting methodologies, composition of the product, and supporting services offered to insureds. They do so in an effort to improve their portfolio’s profitability and set the stage for long-term sustainability of the cyber insurance market.
Some of the major concerns and corresponding actions include:
Underwriting requirements: Short questionnaires and high-level underwriting meetings have been replaced by comprehensive applications and supplemental ransomware applications, whose questions are informed by loss analysis, external scanning, and threat intelligence. For insured organizations, this means that the inability to demonstrate key cyber hygiene controls will likely result in less than desirable outcomes. However, those that demonstrate cyber maturity remain in a position to withstand erosion of coverage.
Aggregation, accumulation, and systemic risk: Broadly, these three terms reflect insurer concerns related to correlated losses, amplified by a growing reliance on certain technologies and services. These concerns are set against the backdrop of a market that is spread among a relatively small number of reinsurers and primary underwriters, resulting in a concentration of risk. Excess insurers are reevaluating attachment points in layered programs and scrutinizing the scope of underlying coverage.
Scope of the coverage: Insurers are increasingly scrutinizing not only the scope of coverage, but also the construction of the contract. Frequently, scope is being expressed as limitations related to ransomware and contingent business interruption coverage; liability emanating from business decisions around collection, storage, use, and consent requirements concerning personally identifiable information; and through some broadening of exclusionary language in relation to infrastructure, natural perils, government actions, and war.
The following are topics and issues your broker and insurers are likely to discuss in depth with you during your next policy renewal discussion:
Ransomware: This risk sits close to the heart of nearly every cyber risk discussion today. As ransomware attacks continue to increase in frequency, sophistication, and severity, it has become the dominant cyber threat to many organizations’ daily operations, long-term finances, reputation, and more. Insurers continue to use sublimits and coinsurance as a risk-sharing mechanism, in part to incentivize cyber controls and resilience.
Not all ransomware coverages work the same way; buyers need to beware. Some insurers impose ransomware limitations on the entire policy, including liability exposure, while others focus solely on the ransomware payment and/or resultant business interruption losses.
Regulatory risks: In response to relentless cyber events that adversely impact society, changes are being made to existing regulations, and new ones are coming into existence.
One example is the 2022 Cyber Incident Reporting for Critical Infrastructure Act (S.3600), which mandates cyber incident reporting. The bill defines 16 critical infrastructure sectors whose assets, systems, and networks are considered vital to the US. The legislation requires critical infrastructure owners and operators to report cyber incidents within 72 hours of knowing the incident has occurred, and to also report any ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of being made. Additionally, it includes several ransomware-specific provisions, as well as appropriate liability, privacy, and use protections.
Another concern for insurers involves alleged improper collection and/or storage of biometric data, which is the subject of thousands of lawsuits, the majority of which have been filed in Illinois. Other media-related concerns at non-media companies relate to improper clearance procedures, including, for example, the use of copyrighted music, as well as the name and likeness of student athletes.
Supply chain risk: The full scope of an insured’s third-party suppliers/vendors remains somewhat of a blind spot. Thus, there is increased pressure from underwriters seeking information about an insured’s vendor ecosystem in order to identify and underwrite critical dependencies beyond tier one suppliers/vendors.
Where insurers do not see evidence of an organization possessing a comprehensive view of its third-party exposure (both IT and non-IT), with controls and processes in place to proactively manage the same, they are likely to increase waiting periods, remove qualifying retentions, and impose sublimits or coinsurance. Addressing these concerns by showing an organizational dedication to understanding and mitigating the impact of third-party risk on business operations is key to maintaining broad coverage.
Exclusionary language: Many insurers seeking to address concerns related to accumulation and aggregation issues are focused on amendments to a few exclusions, namely war, infrastructure, and government actions. In an attempt to reduce catastrophic exposure, they are exploring ways to more precisely express their concerns through the amended language. This includes amending carve-backs for cyber terrorism, redefining war in the context of modern cyber warfare, expanding often-ignored government actions wording, and casting a wider net by expanding what is considered infrastructure. In so doing, insurers bring more variability and volatility to the process, creating non-concurrencies within programs.
Systemic risk: Intended and unintended effects of a cyberattack may cascade across various sectors of the global economy, impacting many stakeholders.
Two pathways for contagion from systemic risk relate to common vulnerabilities and dependencies. This awareness, coupled with some near misses — for example, SolarWinds, Kaseya, and MS Exchange — has been a catalyst for change by leading primary underwriters.
Specifically, the construction of the contract is being bifurcated into events that are limited in their scope and impact versus those that are widespread in scope and can result in a catastrophic impact. This sets the stage for future restrictions in coverage. Elements of these novel concepts are untested, inclusive of corresponding terms and conditions, and are thus more susceptible to unintended consequences. Appropriate articulation of such concepts will likely need to include a reasonable degree of quantification and illustrative guidance in an effort to create clarity between parties, and set a clear threshold as to what currently constitutes an uninsurable event for a given insurer.
Achieving a balance between insureds’ and insurers’ needs and expectations regarding cyber risk transfer involves a shared responsibility — and, ideally, a partnership, notwithstanding the potential for friction between those that cede risk and those that accept it.
Experimentation, to a certain extent, is unavoidable as the market seeks to resolve concerns and avoid certain catastrophic consequences. That said, it becomes unpalatable when strategies and approaches diverge to the point of creating a lack of clarity regarding the impact of coverage changes and significant non-concurrencies within a cyber insurance program.
Cornerstone coverages within the cyber product have matured to a point that harmonization of intent, common and consistent definitions, and clear and concise naming conventions are now appropriate. In fact, they are needed to remove ambiguity relating to non-controversial insuring agreements, terms, and conditions.
Collectively, the industry has never had more data to inform underwriting actions, pricing, and proposed product changes. With that in mind, it is imperative that underwriters provide transparency pertaining to pricing/risk differentiation, and clear explanations when proposing changes to the product.
To maintain broad coverage terms and optimize economic utility, it is essential that insureds commit to cyber resilience. The ability to demonstrate that cyber risk is strategically addressed within the organization, including through good governance, comprehensive controls, and a cyber aware culture, is a competitive advantage when many carriers have reduced the overall capital dedicated to underwriting cyber insurance.
At Marsh, our mission is to protect and promote possibility — helping clients protect their balance sheet and enable responsible risk taking is a key objective. We continue to advocate on behalf of insureds through discussion with insurers and other market participants, and remain at the leading edge of product innovation and services that support cyber resiliency, all in an effort to reduce uncertainty and ambiguity, and maximize the value of cyber insurance products for our clients.