The Cyber-Insurance Market Has Grown Rapidly but Remains Challenging

April 13, 2022

The cyber-insurance market has grown dramatically in recent years, yet, at the same time, many insurance buyers are finding it difficult to purchase cyber insurance.

If they can find the coverage, cyber-insurance buyers will likely find premiums increasing significantly while limits might be shrinking. Meanwhile, cyber insurers are becoming increasingly demanding of the cyber-risk controls they require buyers to have in place before providing coverage.

"Cyber insurance is one of the hottest products in the insurance market today," said John Weber, senior associate editor at A.M. Best. "So, what's the problem? The problem is that cyber insurance is broken. Businesses need cyber insurance, but it's hard to qualify. Rates are going up significantly and claims are being denied. Insurers have limited data to underwrite cyber insurance and are finding it difficult to provide a quality product at price points customers can afford. And brokers are caught in the middle."

Mr. Weber made his comments while moderating a recent A.M. Best webinar titled "Cyber Insurance Is Broken—How Insurers, Brokers, and Risk Managers Can Work Together To Fix It."

One webinar panelist, Trent Cooksley, cofounder and chief operating officer at cyber-insurance provider Cowbell Cyber, disagreed with the use of the word "broken" to describe the current cyber-insurance market.

"I'm not sure 'broken' is the term that I would use. I would use 'transition' and 'evolving,'" Mr. Cooksley said. "It's a technology risk that we're looking at and technology evolves at an ever-increasing pace. So, it would make sense that you would have to transition into a new environment as new exposures, new vulnerabilities are emerging.

"New threat actors, new evolutions in technology are really driving this transition," he said. "And this may be the new normal for a long time that this particular risk is evolving at this pace kind of for the foreseeable future."

Twane Duckworth, managing director, risk management, for the City of Garland, Texas, said he approached 36 cyber-insurance markets prior to his city's renewal last October and received only 2 quotes. Ultimately, the city took a reduced limit and eliminated some favorable coverage terms in order to obtain coverage at a reasonable rate.

"The pace of change in cyber is unlike any other product that's out there. We're seeing [insurers] change rates from day to day," said Brian Thornton, president of wholesale specialist and surplus lines broker ProWriters Insurance. "It's hard to move organizations as quickly as the pace that the exposure's changing as well as the market and the controls that the market's requiring."

That said, Mr. Thornton said he believes conditions in the cyber-insurance market are less chaotic than they were a year ago.

Mr. Thornton noted that the rapid change in the cyber-insurance market is a reflection of changes in cyber exposures. Much of that can be attributed to the rise of ransomware attacks and the increase in remote working resulting from organizations' responses to the COVID-19 pandemic.

While data breaches are still a component of what businesses should consider in cyber exposures, cyber risk has moved beyond data breaches to include such perils as business interruption from a ransomware event, liability issues, or crime exposures, he said.

"In the past, businesses thought that people that had cyber exposure were people with lots of credit cards or lots of healthcare information," Mr. Thornton said. "It's really any business that's utilizing technology that has a whole set of these exposures."

"I think there's a recognition that every company is a technology company," said Mr. Cooksley. "And that really drives the overall enterprise risk management of the organization."

In addition, the cyber-insurance industry's risk bearers are coming to grips with the need to move more quickly than they have in the past on adapting to exposures. "With cyber, we might have a new type of disaster happen yesterday that we weren't contemplating," he said.

Hugh Barrett, vice president, technical solutions, at Telos and co-inventor of the company's Xacta cyber-risk management and compliance platform, noted the trend of many companies embracing cloud technology services. Moving to the cloud doesn't free organizations from cyber-security responsibilities or potential cyber exposures, however, he noted.

"Depending which cloud you move to, there's always a shared responsibility model in the cloud," Mr. Barrett said. But the business moving to the cloud still has risk control requirements they must meet, even though the cloud provider will provide some controls, he said.

"Moving to the cloud, the problem of cyber threats doesn't change," Mr. Barrett said. "The same due diligence needs to be taken into consideration regardless of where you're hosting your IT systems."

Mr. Thornton offered a similar opinion. "When you're using a third party like a cloud provider or otherwise, that doesn't offload you of the responsibility or the exposure," he said.

Rajeev Gupta, cofounder and chief product officer at Cowbell Cyber, acknowledged that there has been a significant shift in the cyber-insurance market over the past few years. That shift includes insurers' eliminating so-called silent cyber coverage that might have been provided in other lines such as property policies. Now, "the only way to really get cyber is stand-alone cyber," Mr. Gupta said.

Ultimately, the cyber-insurance market will move beyond its current challenges and become more stable, Mr. Gupta suggested. "The current disconnect between supply and demand is going to fix itself," he said.
