What should business leaders and risk managers keep in mind as they navigate this challenging cyber market?
Insurers have responded to the changing cyber threat landscape of the past decade by developing innovative cyber insurance products that suit multiple clients. Unfortunately, the many product additions and expansions they introduced have sometimes left coverage convoluted and mismatched. It isn’t always fit for purpose.
Early cyber products focused on data breaches, and included business interruption coverage, but that aspect of the cover wasn’t popular with clients. It was typically thrown in as an extra which companies didn’t realise they had, or was declined by buyers to reduce their premium. That changed with the much-publicised NotPetya attacks in 2017, which shut down multiple companies. After that, many more showed interest in understanding and insuring their cyber BI exposure.
Cyber began a huge expansion phase. Coverage was extended rapidly as new insurers entered cyber, and many tried to gain market share through generosity. Cyber BI, which had covered only the insureds’ networks after a malicious attack, soon insured third-party failures, and even ‘unexplained or unintentional system outage’. As companies began to rely on third-party computing – the cloud – coverage was extended further to include contingent business interruption, often without additional premium.
More recently, insurers have pulled back from this robust expansion of coverage. Many have questioned the breadth of the coverage they provide, especially given the paucity of underwriting data behind it. In this new environment, clients should consider in detail the coverage they buy, and ensure it provides adequate protection.
The recent, dramatic increase in ransomware activity caught insurers by surprise. It is the reason companies purchase cyber insurance, and has shifted much of the focus to the scope of BI cover required and supplied. However, insurers now treat BI much more cautiously, because they are concerned about the possibility of an outage that affects multiple clients at once.
Virtually everyone relies on a very small number of cloud providers, which scares most insurers. They regularly ask potential insureds about their cyber security protocols, which can give them comfort with specific customers, but it is much harder for them to gain comfort with all the vendors in the digital supply chain.
Over the past two years, the market has reduced the cyber capacity it offers, and increased premium rates, retentions, and waiting periods. Now, in year three, we are seeing more capacity come back to the market, which is causing rates to stabilise somewhat, but the coverage pullback is still a concern. Systems-failure coverage and dependent business interruption are often still limited or excluded, because carriers are very nervous about the risk.
To navigate this challenging market, risk managers should seek a custom product tailored to their exposure. They may choose to reduce limits in some areas, for example, while increasing them in others. In addition, they need to understand clearly their contractual obligations to acquire cyber cover, while ensuring they buy a scope of coverage that matches their risk profile. They need to find the sweet spot that optimises their cyber insurance spending.
Lauri Floresca is a partner at Woodruff Sawyer. She began her career in D&O, and expanded her practice ten years ago to include cyber, advising primarily technology and consumer-facing companies. She made these comments during a webinar hosted by Parametrix, in collaboration with RIMS, the Risk & Insurance Management Society. To read more of the participants’ views, download the complete webinar transcript.