16 September 2024 Cyber Insurance Market Update
The prevalence of cyber risks is steadily escalating due to the ever-changing global regulatory landscape and rapid technological advancements, such as cloud technology and artificial intelligence. With businesses increasingly dependent on technology, their vulnerability to potential cyber risks also intensifies. The escalating sophistication of cyber criminals, coupled with ongoing geopolitical tensions, further exacerbates the cyber threat landscape, posing a significant threat to organisations worldwide. Cyber risk management has never been more important.
Market conditions
Key updates
- Ongoing shift in favour of insureds: The cyber insurance market has unequivocally transitioned into a soft market, as carriers have begun to ease the stringent measures implemented during the hard market phase to maintain profitability. The market currently offers clients a chance to procure coverage at highly advantageous terms.
- Substantial premium reductions: Rates have experienced a significant decline due to aggressive competition and surplus capacity amongst carriers, amplified by the prioritisation of top-line growth over ensuring rating adequacy.
- Relaxed barriers to entry: There has been a notable relaxation in the minimum security requirements previously mandated to obtain cyber insurance, allowing for greater flexibility in accessing coverage.
- Broadened appetite: Carriers are now venturing into industry sectors that were previously considered high-risk, such as aviation, healthcare, and the public sector, indicating a more inclusive approach to providing coverage.
- Risks of changing insurers: Insureds should exercise caution when considering a switch to a different insurer solely based on lower premiums, as there is a potential for coverage discrepancies to arise.
Threat landscape
Cyber insurance continues to be a rapidly evolving field due to the constantly changing nature of cyber threats. As new risks emerge, insurance products must adapt to provide coverage against these evolving perils, and both risk management and insurance need to be flexible and adaptable.
Insurance companies play a crucial role in understanding and mitigating the latest threats, as they have privileged access to information regarding successful claims and the impact of various threats. By analysing these incidents, insurers gain valuable insights into the controls that failed or were absent, enabling attackers to exploit vulnerabilities. This knowledge empowers insurers to better assess risks and develop effective strategies to protect against emerging threats. Given ransomware has had such a profound impact on businesses’ cyber security, it is commonly understood that it will continue to challenge IT and cyber security teams. However, there are other threats that continue to impact businesses, including cyber fraud, which is primarily driven by social engineering tactics.
Supply Chain Vulnerabilities
Dependencies on software and hardware supply chains and digital services continue to rise. Just over one in ten businesses say they review the risks posed by their immediate suppliers (11%) and under one in ten are looking at their wider supply chain (6%). Recent incidents highlighted how business-critical it is for organisations to identify, understand and manage third-party supply chain cyber risks.
Heightened regulatory environment
The global privacy regulatory environment is becoming increasingly stringent as governments and regulatory bodies worldwide implement and enforce more rigorous data protection laws. This heightened scrutiny is driven by several factors:
- Growing Concerns Over Data Privacy: With the rise in data breaches and misuse of personal information, there is a growing public and governmental concern over data privacy and security. This has led to more comprehensive regulations aimed at protecting individual privacy.
- New Legislation and Amendments: Many countries are introducing new data protection laws or amending existing ones to strengthen privacy protections. For instance, the European Union's General Data Protection Regulation (GDPR) has set a high standard for data privacy, prompting other regions to follow suit with similar legislation.
- Increased Enforcement and Penalties: Regulatory bodies are becoming more vigilant in enforcing data privacy laws, imposing significant fines and penalties on organisations that fail to comply. This has heightened the urgency for companies to adhere to privacy regulations.
- Cross-Border Data Transfer Restrictions: As data flows across borders, there is a growing emphasis on ensuring that international data transfers comply with local privacy laws. This has led to stricter regulations and more complex compliance requirements for multinational organisations.
- Consumer Empowerment: Individuals are becoming more aware of their data privacy rights and are demanding greater transparency and control over their personal information. This shift in consumer expectations is driving organisations to adopt more robust privacy practices, and is creating a more litigious environment for organisations that fall foul of such rights.
Implications & considerations for insureds
The competitive landscape
- Incumbent insurers face significant challenges in the current competitive environment, where new entrants can set pricing with greater flexibility and fewer historical underwriting restrictions. This puts pressure on incumbent insurers to maintain rate adequacy while competing for market share.
- New insurers leverage their pricing freedom to aggressively pursue business, potentially undercutting established players and reshaping market dynamics.
Pricing inconsistencies in cyber insurance
- Standalone cyber insurance offerings exhibit notable price discrepancies, often ranging from 20% to 40% for identical risks among different carriers. This variability complicates pricing strategies for insureds and underscores the volatility within the cyber insurance market.
- Insureds must work with their broker to navigate these wide pricing differentials carefully to secure optimal coverage that aligns with their risk management and budgetary objectives.
Emerging market trends
- Traditionally loss-making industry sectors such as the public sector, aviation, and manufacturing are increasingly attracting interest from multiple insurers. This diversification of market appetite reflects evolving risk perceptions and strategic expansion by insurers.
- Insureds are increasingly inclined to opt for competitive pricing offered by new market entrants over the comprehensive coverage traditionally provided by incumbent insurers, driven by cost considerations and the allure of competitive premiums.
Considerations for insureds
- While premium savings are appealing, insureds must exercise caution when considering offers from insurers with limited experience or history in the cyber insurance market. Sustainable coverage and robust risk management practices should remain paramount considerations for insureds navigating a complex and evolving insurance landscape.
Sustainability concerns
- The industry faces sustainability challenges as claims frequency rises amid declining insurance rates. This trend poses a significant risk to long-term profitability and operational stability for insurers.
- While market conditions have yet to prompt widespread changes in insurers' strategies, anticipation of a market shift underscores the need for proactive risk management and adaptive business strategies.
- The CrowdStrike event illustrated the potential impact of a single point of failure on a global information technology supply chain. We expect cyber insurers globally to use this event to evaluate supply chain dependencies across their portfolio and manage their potential aggregation across commonly used vendors and technology.
Coverage dynamics
- Increased scrutiny and potential exclusions related to AI claims activities highlight insurers' efforts to refine underwriting practices and mitigate emerging technological risks.
- An increase in class action lawsuits over website tracking software tools has led to greater underwriter due diligence around how these tools are implemented, alongside potential exclusions where this is not being managed effectively.
- In response to systemic events such as the CrowdStrike outage and heightened cyber threats, insurers are likely to implement deeper underwriting practices for dependent business interruption and full supply chain coverage, including the introduction of exclusions or sub-limits to manage this exposure effectively.
Cyber risk landscape
- Cybercriminals are increasingly targeting single-point-of-failure vulnerabilities associated with widely adopted software solutions, demonstrated recently by the MOVEit and Change Healthcare breaches. This trend emphasises the need for insurers to adjust underwriting practices and policy terms to address evolving cyber threats.
- Ongoing adjustments in underwriting strategies and policy terms reflect insurers' proactive efforts to align with evolving cybersecurity risks and protect insureds against emerging threats.
Summary
The cyber insurance market is currently favourable, with strong competition among insurers. However, there may be a shift in the market towards hardening in the future, possibly as early as Q1 2025. Industries like healthcare, which have experienced significant claims, are already seeing a more cautious approach from insurers.
In 2024, the cyber insurance market is characterised by intense competition, with new entrants offering more flexible pricing. However, insureds should carefully consider the track record of these new entrants before choosing lower premiums over comprehensive coverage.
As claims frequency and systemic events increase while rates decline, insurers are anticipating market shifts and addressing emerging risks in cyber insurance policies. They are also adjusting underwriting practices to mitigate single-point-of-failure cyber threats.
In this dynamic insurance landscape, insureds should prioritise sustainable coverage and robust risk management practices. It is important to consider the long-term viability of insurance coverage and not solely focus on short-term cost savings.
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.