The Cyber Insurance Market is in Turmoil – Prepare Your Clients Now!
By Tim Bennett, Senior Broker, U.S. Risk Brokers
December 15, 2021
The Cyber insurance market is in a state of disruption and turmoil these days, the likes of which I haven’t seen in my nearly thirty years in the business.
Beginning in early 2021 and escalating rapidly since then, premiums are increasing dramatically, limits are being restricted, retentions are increasing, and many coverage perks that were thrown in are being removed. Perhaps most importantly, underwriting rigor is at an all-time high, even for modestly sized insureds.
Insureds who would have been considered prime targets for an aggressive insurance market just months ago, given perceived minimal risk, are now struggling to get coverage at all. All signs indicate that this upward pressure on pricing, additional restrictions on coverage, and underwriting rigor will almost certainly continue into 2022 and beyond.
The rapid deterioration of the market is almost entirely due to the rampant incidence and catastrophic costs of Ransomware and other Cyber Extortion events. While concentrations of PII and PHI are still important considerations, underwriters are now feverishly trying to stem the onslaught of ransomware costs on their book. What were once considered nuisance events, with losses averaging in the low tens of thousands of dollars, have given way to incidents regularly reaching into the high hundreds of thousands and, in some cases, many millions of dollars to mitigate.
While the global pandemic and widespread use of remote work environments do bear some blame for this trend, truth be told, this dynamic has been developing for a few years. All these costs are being borne by a market that was voracious for Cyber insurance premium dollars, in which most insureds could buy extremely broad coverage for just a couple thousand dollars in premium.
Those days have come to a rapid end.
At this point, even very small insureds are being required to maintain at least a basic level of network and data security to qualify for quality coverage. This is true even for “low risk” insureds like manufacturers, contractors, trucking/logistics, and so on. Every underwriter is requiring the completion of some form of Ransomware Supplement to gauge the readiness and resiliency of each insured to extortion attacks.
These items are now considered the bare minimum to get most underwriters to even consider providing quotes:
- Multifactor Authentication (MFA) over all remote access to insured systems and over all privileged/administrative user access
- Regular employee training regarding the avoidance of phishing attacks, with such training and testing occurring at least semi-annually
- Strong backup procedures – segregation, encryption, MFA protection, and testing of backups are key
- Strong patch management framework in which all critical security patches are deployed within about two weeks or less
Besides these basic controls that are required to get quotes, the more of the Ransomware Supplement that can be completed “correctly,” the better the results will be. Many underwriters also prefer to see some type of Endpoint Protection, such as Endpoint Detection and Response (EDR) or an Endpoint Protection Product (EPP), deployed on the insured system. In addition, the use of a hardened baseline configuration is considered a strong protection against extortion. Underwriters also like to see end-of-life/end-of-support protocols in place if the insured has any legacy systems using older software, among other controls.
The implication is that each insured should be working with their internal and outsourced IT providers to investigate and deploy any additional controls that they can reasonably take advantage of. While there is the understanding that deploying these additional controls often carries a cost, the plain reality is that insureds will pay for it one way or the other. They’ll allocate the resources to get these items in place, they will pay an exorbitant amount for restrictive Cyber coverage, or they will have to pay for uncovered losses out of pocket. The choice is really up to them.
All this said, just as a good Cyber policy is not a substitute for solid data security hygiene, strong controls are not a replacement for good Cyber coverage. Even insureds that have all the recommended controls in place still fall victim to the newest and most insidious attacks on a daily basis. Diligence in the insurance selection process is critical to an overall data security and resiliency posture. Those insureds who do currently buy a specialty Cyber product should check with their brokers and carriers to see if any of these controls and procedures are available free or at discounted rates through select vendors.
While the current market presents many challenges for insurance professionals and their clients, here lies an opportunity for each of us as well. Arguably, the strongest carrier-broker-insured relationships are most often built in the toughest of markets. Preparing insureds for market realities is what separates the true insurance consultants from transactional order takers whose only weapon is price.
As a community of insurance professionals, we do ourselves and our clients a better service by engaging with the end buyer early in the process, well ahead of gathering applications, to help them prepare and get the best results out of a shrinking market. This is especially true for those insureds who have not yet purchased a specialty, monoline product, but are now eager to review options given what they are seeing plastered across the news media on a regular basis.