18 September 2023
Cyber Market Update
H1 2023
2023 followed several turbulent years for the global cyber market. It is no secret that 2020 and 2021 were severely unprofitable for cyber insurers globally. Carriers were forced to put the brakes on; many stopped writing new business or dropped limits and coverage for renewals while everyone grappled to understand what a good risk genuinely looked like.
2020 to 2022 saw a huge transition in underwriting methodology, not only regarding requirements of rate and retention but also the minimum controls and risk management needed in order to deem a risk insurable. Two of the main factors driving this were COVID-19 (and the global shift to a remote workforce) alongside the beginning of the ransomware epidemic – combined they highlighted cybersecurity weaknesses across the globe.
Consequently, underwriters had first to ascertain what key controls were acceptable in protecting organisations from ransomware, and then request that insureds implement these accordingly.
Midway through 2022 there were slight indications of a positive shift to come at the end of the year, with rumblings of broadening appetite and capacity. Existing insurers who had previously been restricting cover were keen to grow and the market saw a number of new entrants.
H1 Review
Many were intrigued to see how 2023 would develop amidst the backdrop of increased competition from new insurers alongside top line growth strategies deployed amongst existing players. Beazley became one of the largest direct cyber insurers in 2022, writing just under USD1.15 billion in GWP worldwide, compared to USD814 million the year before. Despite growing its cyber premium by 42%, the insurer was tasked with growing a further 20% in 2023. On the basis that market rate would hold, this would roughly translate to USD230 million in new premium. However, Beazley was far from alone in its ambitious growth target, and a renewed appetite for income amongst insurers has injected long-awaited competition back into the market. Therefore, insurers have had to work even harder to retain existing clients and win new business, leading to a softening of the market.
The welcome news for insureds is that rate reductions are now commonplace following several years of steep increases. Organisations that demonstrated positive information security controls and risk management saw reductions between 10-30% as the rating environment eased. The average reduction sits toward the lower end of this spectrum with the final number determined by the expiring pricing, underlying risk profile and placement strategy. Insureds have looked to capitalise on the easier trading environment, often utilising these savings to reinstate higher program limits back to a level held prior to 2020.
Another theme has been the broadening in core underwriting appetite with respect to industry sector, geography and security posture. Markets also started to drop minimum attachment points and deploy increased capacity on individual risks to combat the premium reductions across their portfolios. Insurers that had previously wanted to attach at USD30 million or USD40 million were now happy to consider USD10 million or as low as USD5 million. Some excess markets have also started to develop their own primary offerings in order to take advantage of the improved underwriting performance since 2020.
Perhaps the biggest change has been a softening in approach toward the minimum security controls insurers now require. While mainstay controls such as multifactor authentication (MFA) and endpoint detection and response (EDR) solutions need to be in place throughout the organisation, there has been increased flexibility across areas like privileged access management (PAM) solutions. In the hard market, insurers would have simply declined a risk without these key controls outright. Fast forward to today, however, and insurers are willing to write such risks and take on the heightened exposure, provided clients can demonstrate a suitable work-around or evidence that improvements are in the pipeline.
The cyber market was arguably in the hardest market cycle globally across all lines as little as 12 months ago. Few would have predicted the shortness of the period in which the market would recover. Nonetheless we shouldn’t be counting our chickens quite yet as we contemplate the H1 claims landscape.
Claims
In the first half of the year the cyber claims environment saw a substantial uptick, with ransomware notifications at the forefront. However, the severity of these claims is unlikely to follow the same trajectory we saw in prior years due to the controls insureds now have in place to combat the evolving threat landscape. This has reduced the need for clients to ultimately pay ransoms. According to global cyber risk company Arete, the percentage of incidents where a ransom is paid fell to 19% in the first half of 2023. Businesses can instead rely on improved backup hygiene to recover critical data and rebuild systems, with less business interruption impact as a result. Threat actors aren’t blind to these developments though, and we have already started to see them adapt their tactics to focus on data extortion instead of encryption, as reported by Arete.
Global supply chain vulnerabilities continued to be highlighted with arguably the most severe zero-day exploitation to date following the breach of MOVEit. The widely used file-transfer program’s vulnerability has affected at least 120 organisations, exposing the data of 15 million people. Russian ransomware group CL0P are the party responsible and have extorted several of the organisations impacted by the MOVEit breach, resulting in significant paid losses to cyber insurers globally.
Putting ransomware to one side, what is further concerning UK insurers is the evolving privacy landscape. The US is a well-known litigious environment and data breaches often result in considerable damages from resulting class actions, whilst this is not yet the case in the UK. The British Airways class action lawsuit, along with a handful of others, is likely to set a precedent for the future privacy landscape in the UK. One of the other main causes of the increase in third-party liability claims concerns unauthorised collection of web data, such as website trackers, pixels and cookies. A string of class actions began in late 2022 and allege that healthcare providers used the Meta Pixel website code to share confidential medical information of potentially hundreds of thousands of patients. This has placed pixel and cookie tracking tools in the spotlight for insurers. Meta might be the name that is currently in the media, but underwriters are focused on various tools that could lead to problematic consequences in the future.
Coverage
The main talking point from a coverage perspective within the cyber market has been around the war exclusions. This has been the case since Lloyd’s introduced its clauses for cyber war and cyber operation exclusions. Lloyd’s have since gone one step further and syndicates must now provide clear evidence and rationale behind the war exclusions they are electing to write business on.
Cyber war risk is considered systemic in nature by many, and excluding war perils has been a feature of insurance policies for centuries. Cyber insurance policies were never intended to cover, nor were they priced for, cyber events in conjunction with a physical war that has a wide lateral effect, felt by a significant population. Whilst the intent of these new exclusions was to remove ambiguity and add as much clarity as possible around the scope and intent of the exclusion, the reality is that there are differing approaches deployed from insurer to insurer and indeed across the cyber market more broadly. It’s therefore more important than ever that clients read the fine print and brokers explain the potential impact to their insureds who have concerns about how these unlikely yet devastating events could affect their coverage.
Looking Ahead
Rate depreciation typically goes in cycles. In the next six months, we believe that competition will continue to drive prices down, which will reverse out some of the corrections endured over the previous two years. What happens after that, however, is difficult to predict. Despite competition and a negative rating environment, claims are still increasing and the threat of systemic risk looms large. Where the number of ransomware demands being paid has fallen, many hackers have turned their attention to lower-level financial crimes like social engineering.
We have seen a huge number of insurer notifications off the back of the MOVEit cyber attack. It is too early to say how these incidents will impact underwriting performance in 2023. The softening of the market will continue for now, but there will come an inflection point. As the claim performance reveals itself, it might also become a significant driver of a potential market hardening.
The cyber market is in a precarious position currently; industry experts are anticipating another market hardening, and 2024 may witness another significant market change. While minimum security standards have undeniably improved, the downward pressure on rates is not a direct consequence of sufficiently long and sustainable improvements in insurers’ claims ratios.
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.