As demand for cyber insurance coverage continues to accelerate in 2021, the insurance market has put on the brakes, primarily due to the challenges of the COVID-19 pandemic and the increasing severity and frequency of ransomware attacks.
Even with the right cyber security mitigations in place, organizations are still finding it impossible to secure 2021 coverage at 2020 rates, according to the new U.S. Cyber Insurance Market Outlook report by Risk Placement Services, the E&S wholesale broker and managing general agency.
Carriers are strategically increasing premiums, some as high as 300% at renewal, and lowering coverage limits on industry classes that have been hit hardest by cybercrime and cyber extortion over the past year. Those classes include education, public entity/government, healthcare, construction and manufacturing.
Capacity restrictions that started to grip the market in 2020 have intensified. Insurers that were more than eager to issue $5 million cyber liability policies last year have scaled back to limits of $1-3 million in 2021, even on renewals. As a result, building a cyber liability coverage tower has become more challenging, requiring additional carriers to reach the desired limits.
"This year's changes in capacity, underwriting standards and even increases in premium were a necessary evolution," said RPS National Cyber Practice Leader Steve Robinson. "Cyber insurance underwriting has become more reflective of today's risks."
Those risks include the proliferation of ransomware in 2020, which many attribute to the work-from-home environment during the COVID-19 pandemic. That opened up technological vulnerabilities for hackers to penetrate. During this time, claims frequency and severity also began to climb at an unprecedented rate, and losses often far exceeded actuarial estimates. Insurance companies, therefore, began to further develop models contemplating the unanticipated impact of ransomware claims on their bottom lines.
"Ransomware has become a two-headed monster," said Robinson, referring to cyber attackers demanding payment for a decryption key, as well as payment to prevent the release of customer data and nonpublic information.
"Double extortion has become a contributing factor in cyber claim severity over the past year," he said
As a result, underwriting questions have become more strategic and better reflect the current cyber exposures. Even on renewals, insurance companies are continually tweaking their inquiries about a company's information security safeguards and practices through supplemental application forms for ransomware and business interruption (BI).
Multi-factor authentication (MFA) has become a must-have to qualify for cyber coverage, as it's one of the most effective ways to prevent a cyber extortion event, according to Robinson.
Insurers are increasingly incorporating the same scanning technology used by hackers into their own underwriting processes, and/or applying sublimits or exclusions on cyber extortion and BI resulting from ransomware events to better control their loss ratios.
"As a result of industry underwriting and mitigation efforts, a better balance between cyber insurance coverage supply and demand is expected as we draw closer to 2022," said Robinson.