Higher Cyber Insurance Loss Rates Mean Big Changes for Businesses

On July 12th, The Arizona Tech Council convened a panel of experts for a forthright discussion about cyber insurance. The panel, moderated by PacketWatch’s CEO, Chuck Matthews, included industry experts Anthony Dagostino, CEO & Founder of Converge Insurance; Chris Branch, Chairman of ATS Underwriting; Wes Gates, CIO of the Arizona School Risk Retention Trust (the Trust), and Tracy Foss, Senior Program Director, Risk Program Administrators, a division of Arthur J. Gallagher. The specialist panel explored current market dynamics, discussed changes in underwriting practices, and shared experiences with the claims process. The goal of the discussion was to help member businesses understand how to effectively use cyber insurance in their arsenal of risk management tools and avoid common pitfalls.

Recent estimates show that the $4.8 billion cyber insurance market is growing at a rapid 25% compound annual growth rate (CAGR) and is expected to triple in the coming years. However, as a result of poor underwriting, direct loss ratios have ballooned to unsustainable numbers. Over the past two years, nearly 70¢ of every dollar in premium went to cover losses from claims involving ransomware, funds transfer loss, and business email compromise-related claims.

The resultant impact on businesses as insurers seek to stem losses is huge and wide-reaching. Smaller businesses are reportedly being priced out of the market entirely. For others, cyber insurance premiums are skyrocketing with an average 97% increase in 2021. Some companies experienced up to 300% increases. Businesses lacking key cyber controls were not even renewed. Panel members said they expect that trend to continue. In the first quarter of 2022 premiums for the top 25% of businesses increased an average 83.3%. Companies experienced other impacts from loss mitigation methods employed by the insurers including:

Key Takeaways

Read the Policy! Make sure you understand what you are getting and the requirements you are obligated to follow.

Make sure you know the Insurer’s Panel Providers which you are required to use in the event of a claim!

Expect more changes to coverages, policy language, premium increases, and underwriting practices.

Consider preventing losses with additional controls or self-insuring some 1st party risks to reduce premiums.

• Reduced Policy Limits – Policy amounts were reduced by a third or half as industry capacity dropped
• Increased Deductibles or Retentions – for one small business going from $25k to $150k
• Coverage limitations – including new coinsurance provisions for ransomware; new exclusions of certain types of losses, and new sublimits for others
• Greater underwriting scrutiny – multiple applications and technical addenda focused on the existence of key vulnerabilities
• Tougher claims management practices – strict use of panel providers, denial of claims based on application deficiencies.

Shared Experiences

The panel explored and shared experiences on several other topics impacting the use of cyber insurance including:

1. The applicability of “Act of War” and “Terrorism” policy exclusions in light of nation-state and state-sponsored malware campaigns given recent “special military actions’ with Russia and Ukraine
2. Conflicts in legal representation and the insured’s loss of control when panel legal counsel and responders are involved
3. The vicious cycle of ransom payments by insurers creating the need for more cyber insurance to cover ever larger ransoms to criminal organizations
4. The impact of non-standardized policy language and definitions hindering coverage comparisons for those actively shopping policies
5. The risk of paying ransoms to potentially (OFAC) sanctioned entities/affiliates given warnings from the US Treasury and others
6. Small businesses are being priced out of the market or excluded because they lack some protective controls of larger organizations
7. Recent litigation surrounding voiding policies due to inaccurate application materials submitted by the insured
8. The practical impact of insurers underwriting at the time of claim rather than at the time of application and the resultant uncertainty created
9. The difficulty in managing overlap between conflicting or duplicate provisions in other insurance policies (e.g., crime coverage in a package policy vs. stand-alone cyber policies)
10. Obligations to use Insurance Panel Counsel and Responders with Reservation of Rights and very large deductibles
11. Whether policies offering bundled pre-breach, response, and post-breach services were beneficial to the insured vs. managing the effort internally
12. The necessity to quantify potential 1st- and 3rd-party liability before selecting a policy and limits
13. The need for a government backstop for systemic risk and terrorist activity to promote additional capital necessary for market growth

Final Thoughts

The panel concluded that ultimately businesses must carefully read every word of the policy being offered, shop around to the myriad of insurers, obtain expert help where needed and judiciously consider what they are purchasing. Five years ago, cyber insurance was relatively inexpensive, and its promises seemed relatively clear and simple. The panel concluded that is no longer the case and businesses can expect more change in the cyber insurance marketplace in the coming years.

If you are considering cyber insurance and would like to discuss the alternatives for your organization, give us a call.