Product overview: Cyber

The dotcom boom of the late 1990s shifted everything from banking to shopping online. But, with criminals recognising that there’s money to be made from our online activities, it also saw the birth of the first cyber insurance policies.

These early policies were designed to pick up third party liability exposures only. “They were basic ‘hacker policies’,” explains Andy Hall, cyber risk specialist at Clear. “Cover has developed significantly over time with other exposures gradually added such as first party, incident response and business interruption.”

Driving this increased breadth of cover was a shift in the nature of cyber risk. As reliance on technology and connectivity grew, the cyber threat landscape became more sophisticated. “In the latter part of the 2010s we saw high profile data breaches, the implementation of GDPR, supply chain attacks and more recently Covid-19,” explains Fiona Barker, account director on the cyber team at Marsh Commercial. “These affected both the demand for cyber insurance but also the losses being sustained by the market.”

Cyber demand
The increase in demand can be seen in figures from the government’s Cyber Security Breaches Survey 2021. It found that 43% of businesses have some form of cyber insurance – up from 32% in 2020.

Greater awareness of the risk has helped drive take-up, with a significant proportion of businesses experiencing a cyber attack. According to the report, 39% of businesses say they have had a cyber security breach or attack in 2020, with the average cost incurred by companies who had to deal with these incidents, £8,460.

Just how much a headache cyber risk is to organisations can also be seen in Allianz’s Risk Barometer 2021. Although it is regarded as the third most significant risk, it only lost its top billing from 2020 as a result of a couple of Covid-19 related risks – business interruption and pandemic outbreak.

Cyber losses
The changing nature of cyber losses has also helped to put insurance on the corporate agenda. James Burns, head of cyber at CFC Underwriting, says that while social engineering is the most common form of cyber attack, ransomware represents the biggest cost to insurers. “Over the last couple of years, the cyber criminals have got more brazen and, because businesses are more dependent on their systems than ever before, ransoms have got bigger and bigger,” he explains.

Attacks are also more sophisticated. Rather than target thousands of PCs in the hope that enough of them will pay a small ransom, cyber criminals will research a target company, often getting into their networks to find out exactly how much cover they have and setting the ransom in line with this.  

For instance, back in 2017, the WannaCry malware infected more than 200,000 computers, demanding a ransom of between US$300 and US$600. Four years later, CNA Financial paid a $40m ransom to regain control of its network.

Add to this the effects of the pandemic, especially the shift to home working, and losses have increased significantly. “Organisations are much more reliant on technology now,” says Hall. “This has resulted in a significant risk factor when technology goes wrong or is compromised but it’s also increased the opportunities for hackers and ultimately the number of claims.”

Cyber rates
The upward trend in claims costs means rates are rising sharply too. Marsh’s Global Insurance Market Index shows that while global commercial insurance pricing was up 15% in the second quarter of 2021, the frequency and severity of ransomware claims means that cyber insurance premiums see much steeper increases. In the US, prices increased by 56% while in the UK, 35% rate increases were recorded, increasing to 50% during the latter part of the quarter. Some UK clients saw triple digit increases.

As well as increasing premiums, insurers are focusing more on capacity management and the extent of cover being offered. “The main issue facing the market is the availability of capacity,” says Barker. “This is particularly the case on excess layer placements, where historically such capacity was readily available and pricing was relatively flat.”  

Concerns about the size of losses, which are exacerbated by fears around risk aggregation, are driving a more robust approach to underwriting. Hall says that while insurers used to be happy to know the client had basics such as a firewall, antivirus software, encryption and backup procedures in place, they now want more detailed information. “They want to see a good attitude towards risk management with steps such as employee awareness training, multifactor authentication across key business software and regular patching,” he explains. “It’s a good opportunity for a broker to showcase their role as a risk adviser.”

Risk prevention
The size of the losses being experienced by insurers has also accelerated a trend towards risk prevention. Vulnerability scanning is becoming more commonplace, with insurers able to see where there are any potential issues. “This is really helping to transform the cyber insurance market,” says Burns. “Where we identify certain types of critical vulnerability, we can insist it’s resolved before we offer insurance. This is a positive development, which benefits all parties.”

This approach continues after clients are on risk. As well as support from brokers to help manage risk, some insurers have invested in their own inhouse security teams. These can offer a range of services such as proactive alerts and dark web scanning to identify and prevent potential incidents.

Future outlook
Although the cyber market may be going through a challenging period as premiums catch up with losses, it’s expected to go from strength to strength. Cover will continue to evolve as risks change and emerge but the insurance industry is committed to building on the risk mitigation approach rather than act as a financial safety net for businesses with inadequate cyber security.

It’s also expected to make more of a leap into the personal lines market. Current propositions tend to focus on high net worth individuals but research from GlobalData shows that interest goes beyond this group, with one in five consumers interested in taking out cover.

Burns see a bright future ahead for the cyber insurance market. “It’s a fantastic product for clients and brokers,” he says. “It can provide invaluable support to businesses that wouldn’t otherwise know where to turn, whether or not they need to make a claim.”