The first half of 2021 has been anything but quiet for cyber insurance. Forrester has seen a steady flow of client inquiries on the topic, with questions coming in not just from the private sector but also from the public sector. Some are trying to navigate acquiring a cyber insurance policy for the first time, while others are struggling with their renewal coverage decisions and rising premiums. It’s no surprise, given the state of the market.
Ransomware Causes Disruptions And Ripple Effects Across Providers And Their Customers
No business is immune from the threat of cyberattacks. Small businesses are especially vulnerable: In a recent study by Hiscox, 23% of small business owners surveyed said that they had had an attack in the past 12 months. The average loss for US small businesses? Nearly $26,000. Worse, many of those small businesses go out of business within six months of the attack.
And if this is the Roaring 2020s, then cyber insurers are among the first to taste their own champagne. Cyber insurance providers like AXA, Chubb, and CNA have been thrust into the spotlight after suffering their own ransomware attacks and data breaches. Recorded Future threat intelligence analyst Dmitry Smilyanets interviewed an individual from a ransomware-as-a-service group who indicated that operators are targeting organizations that have cyber insurance as they are “one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
Meanwhile, AXA France has announced that it is no longer selling new cyber insurance policies with ransomware payment coverage within France. It will continue to assist customers with damage and recovery costs. AXA’s decision is an industry first, but AXA is unlikely to be the last insurer to take drastic measures to stay solvent as policy claims reach an inflection point and tip toward unprofitability. Unlike the actuarial models built on years of data that inform traditional business insurance policies, cyber insurance policies don’t have the benefit of robust historical data. Could it be that many unknown variables and a lack of cybersecurity subject matter expertise at the insurer level have created a product that’s underpriced in the current environment?
Cyber Insurers Face Additional Pressures
All that business demand for cyber coverage is happening while market capacity and insurers’ appetite to write the coverage are shrinking. Yes, demand is outstripping supply. Fitch Ratings estimates that 2020 US cyber direct loss ratios were at 73%, the highest recorded level in six years, highlighting the extent of increased cyber damages and claims. The result? A hardening market in which premiums for standalone cyber policies are expected to increase by 30% in 2021 — if they can be bought at all — and insurers are tightening up their underwriting standards and exclusions.
Insurance providers have their own incentives to understand risk better when underwriting policies, but external forces are at work as well: regulators such as the New York Division of Financial Services (NY DFS) have put forth a cyber insurance risk framework that insurers must comply with to manage these risks. NY DFS also recommends that insurers not make ransom payments, so as not to perpetuate the economic incentives for this type of activity.
According to Moody’s, cyber risk is a global concern and “an increasingly important factor in our financial sector credit analysis.” We think it’s fair to say that cyber risk is business risk.
Musings About The Future
When forces collide and disruption mounts, change is inevitable. We see four possible shifts:
- Cyber insurance capacity challenges increase. With shrinking capacity, we’ll reach a point where some organizations will not qualify for cyber insurance. They won’t be insurable through typical commercial channels and coverages. A parallel exists in the US housing insurance market today: the FAIR (Fair Access to Insurance Requirements) plan, created in the 1960s to make insurance available in areas with an abnormally high risk exposure to factors outside their control. After Hurricane Katrina, when insurance companies reworked their models for high-risk flood zones, millions of homeowners who were dropped from their private property/home policies sought coverage under state-backed FAIR plans. Will the government step in to backstop the cyber market as it did with terrorism insurance, and as has been bandied about for pandemic coverage? The reality is that it can’t do it all and will have to pick wisely.
- Risk management maturity becomes the qualifier and the gauge. An insurance carrier will acquire smart cyber startups to improve its ability to monitor cybersecurity posture. Today, we already see partnerships between insurers and managed security service providers (MSSPs) primarily geared toward servicing the small and medium-size business market with discounted rates on their premiums for use of a specific MSSP partner’s services. The capability to improve monitoring opens up the possibility for greater innovation if insurers are able to offer appropriate incentives for monitoring. Imagine innovations like a mechanism for dynamic premium pricing, burstable pricing depending on the severity of need like we see in the DDoS protection market, or even a credit score-like metric that we now see applied to fraud that would “rate” the cyber risk. The insurers themselves may even morph into a sort of alternative security services provider, enabling greater profits with lower risk.
- Cyber insurance becomes the price of admission for the partner ecosystem. Cyber insurance will become mandatory for all third-party relationships, not just IT vendors. Requiring cyber insurance is common in IT service contracts, but as firms share more PII, protected health information, and IP with more vendors, suppliers, and partners, a cyber policy will become a need-to-have rather than a nice-to-have. Traditionally, professional liability policies have been invoked to cover losses from cyberattacks, but increasingly, cyberattack claims are being denied under standard policies. As business liability policy providers fine-tune their language to decouple cyber claims from traditional business interruption claims, and as cyber policies invoke “failure to follow” exclusion language (basically saying the insured didn’t uphold their part by failing to maintain minimum/adequate security standards), be prepared to provide a cyber liability insurance certificate, with some customers even requesting to be named as an additional insured under the policy.
- Digital business DNA will test underwriting processes — and underwriter skills. Not all businesses have the same digital profile. Healthcare providers capture sensitive financial and medical information about their customers. Even artisans at the local craft fair or on Etsy have their own digital profile. That means that cyber insurance underwriting inputs need to capture more about the digital nature of potential customers. It also means that underwriters will have to stomach a new launch track: quickly developing competencies in all things digital, even at the microindustry level. Regulators will need these digital chops as well.
Outside and industry forces will change the future of cyber insurance, and we’ll get to experience that change with all its bumps and dips. For companies still thinking cyber insurance is their umbrella for protection, it’s not. It’s a tool in the toolbox for managing risk. Better, more mature risk management should be the goal.
And for more from Forrester on cyber insurance, check out this blog post from Jess Burn: When It Comes To Incident Response, Is Your Cyber Insurance Carrier On Your Side?