Evolving Risk Driving Cyber Insurance Market

Underwriters shifting their focus to controls and resiliency

The cyber insurance marketplace had been due for a correction, and in the past few years, it got one. Organizations of all sizes seeking coverage are now required to provide more details about their exposures and answer questions that underwriters might not even have asked previously.

To understand why the marketplace for cyber insurance has changed, we need to recognize that the nature of cyber risk itself has evolved — quite dramatically.

Cyber risk was not front of mind for most organizations as recently as 2015, but in the years since, that has completely changed. Cyber is on the minds of boards and senior management in virtually every industry. A decade ago, most cyber claims involved a data breach, whereas now ransomware is responsible for increasing frequency and severity in cyber losses. It’s important to note that the cyber risk environment changes every six to 12 months, and the insurance industry also must change to keep pace. The cyber insurance market hardened because of ransomware, and it has led to a reset of what insurers require of policyholders from a control perspective.

Based on the number of claims, the top five causes of loss for small and medium-size enterprises over the past five years, according to the 2021 NetDiligence Cyber Claims Study, were:

• Ransomware
• Hackers
• Business email compromise
• Staff mistakes
• Phishing

The increase in ransomware attacks since 2016 has prompted underwriters to focus on cybersecurity and controls in place to mitigate the impact of cyber events. Even though no solution is perfect or can eliminate 100% of cyber risk, insurers have begun applying minimum requirements on risk controls.

For example, multifactor authentication, endpoint protection and firewalls are the bare minimum to obtain cyber coverage. If a policyholder organization can demonstrate stronger mitigation efforts, that’s even better.

As cyber incidents continue to occur and insurers tighten their underwriting requirements, risk professionals should focus more on risk prevention and resilience. Controlling cyber incidents and minimizing their impact is essential to prevent disruption and ensure a swift recovery.

An important exercise for risk professionals to conduct periodically with their broker and cyber insurer is to examine hypotheticals and risk scenarios, such as what might happen if a ransomware message flashes on a user’s screen at 10 p.m.

Whom does the policyholder contact first? What should policyholders expect from their insurer? What is the sequence of steps in the response after notification of a cyber event? Knowing these things in advance, ideally in a meeting with the insurer before any incident occurs, can go a long way toward making organizations more resilient and confident in their risk partners.