"Stability, but not simplicity" perfectly summarizes the state of cyber insurance for 2024. While prices have settled, relatively speaking, insurers are rolling out major changes that might limit coverage due to cloud outages, major software vulnerabilities and other widespread cyber events. Major changes are also on the horizon with respect to "acts of war" exclusions, which are especially concerning given the ongoing Russia/Ukraine conflict and events taking place in the Middle East that have led to cyber-risks for various organizations.
Read on for details and tips for getting the most out of your cyber insurance in 2024.
The state of cyber insurance
The past couple years saw a great reckoning. Cyber insurers took huge losses during 2020, fueled by an epidemic of ransomware attacks and business email compromise claims. In response, cyber insurers increased premiums in 2021, 2022 and 2023, often hiking rates as much as 50% to 100%, according to The Betterley Report. At the same time, many insurers began evaluating risks more carefully, releasing more detailed questionnaires, using technology to assess risk, employing stricter underwriting practices and reducing coverage.
The result was a whirlwind for buyers through mid-2022. Many experienced sticker shock or were flat-out denied coverage during the renewal process. Others scrambled to meet requirements, such as multifactor authentication deployment, under renewal deadlines. In the turmoil, retention rates hit an "all-time low" according to insurance broker, risk management services and consulting firm Gallagher, with organizations switching insurers rapidly to procure what they perceived as reasonable deals.
Still, the cyber insurance market did grow. Although some cyber insurers deliberately dropped policyholders they viewed as poor risks, by the middle of 2022, new upstarts -- smelling opportunity -- emerged to provide additional capacity. For prospective insureds, this translated into more options, although some of the newer entrants had less mature pre-breach services and response support capabilities.
Fortunately, buyers are likely to sail calmer seas in the coming year. Insurers have been buoyed by improved loss ratios. According to the "2023 U.S. Cyber Market Conditions Outlook Report" from Gallagher, losses have risen by more than 300% since 2018. However, premium growth that took place in 2021 countered this statistic, and the standalone cyber loss ratio declined by 7% compared to the prior year.
But it might not be completely smooth sailing. Two curveballs are ahead: new policy language to curb systemic risks and recent changes to "acts of war" exclusions. These issues can seriously limit the value of a cyber insurance policy, so prospective buyers need to watch carefully.
Evolving systemic risk changes
When AWS had an outage in December 2021, it made national news. Businesses including Instacart, Venmo, Roku, McDonald's and Netflix suffered. "Colleges … had to postpone exams during finals week," CNBC reported. It was just one example of the tremendous potential for damage that could be caused by operational impacts to a key technology provider.
Software vulnerabilities have also wreaked havoc, especially those that affected products as widespread as Microsoft Exchange. After a series of flaws in the popular email server was uncovered in 2021, hackers broke into over 30,000 U.S. servers in just a few days and caused untold damages.
Cyber insurers are grappling with how to manage these and other systemic risks -- often in different ways. Beazley Group, for example, announced in 2022 that it had defined the following two types of catastrophic cyber events to which sublimits would apply:
- Prolonged cloud outage, which applies to a lack of activation lasting more than 72 hours that leads to first-party loss.
- Contagion malware involving the computer operating system leading to first-party loss while causing a negative impact on the functioning of a sovereign state.
In contrast, Chubb defined the following two categories of events:
- Limited-impact events are local cyber incidents that affect an organization and entities that organization has relationships with, such as owners, partners and customers.
- Widespread events are cyber attacks that can affect many organizations at once, such as a major software vulnerability, supply chain exploits or other catastrophic cyber event.
Coverage from Chubb for widespread events could be subject to coinsurance, sublimits or other restrictions, unless additional coverage has been purchased. For policyholders, this can pose a challenge for planning purposes, since a claim might or might not be covered depending, in part, on how many others are affected.
Cyber insurance customers must be diligent in keeping track of systemic risk changes and should carefully evaluate how their organization might be affected.
New acts of war exclusions
In early 2022, pharmaceutical giant Merck won a $1.4 billion dispute with its insurer, Ace American Insurance Company, after the insurer refused to cover damages resulting from a malware infection of 40,000 computers. According to the insurer, the NotPetya malware used in the attack was the work of the Russian government and therefore fell under a war exclusion clause. A New Jersey judge disagreed, however, and "unhesitatingly" ruled in favor of the policyholder, stating that the insurer "did nothing … to reasonably put this insured on notice that it intended to exclude cyber attacks."
The ruling sent shockwaves through the insurance industry. Many feared the insurance industry simply did not have capacity to absorb the losses that could result from similar attacks -- particularly as the Russia/Ukraine conflict loomed.
A Lloyd's of London bulletin from August 2021 said the company requires standalone cyber insurance policies to clearly exclude coverage for certain losses resulting from war or state-sponsored cyber attacks when the losses "significantly impair" a state. Lloyd's provided four model clauses, although underwriters and brokers are free to develop their own language. As of March 31, 2023, all new Lloyd's standalone cyber insurance policies as well as renewals must include updated language.
For policyholders, clarity is generally better. But new language and coverage limitations will undoubtedly create new uncertainties. For one thing, it can be difficult to clearly identify attribution for a cyber attack, especially in the complex hacker ecosystem where nation-states hire independent hackers or hacking groups and loose-knit affiliations are the norm. While the burden of proof is typically on the insurer, no policyholder wants to have to go to court to receive their payout after suffering the injury of a cyber attack.
Organizations must watch for war exclusions and similar clauses in the coming year and consult their broker and attorney as appropriate.
4 tips for getting the most out of your cyber insurance in 2024
Cyber insurance is complex, but good options are available for most organizations. Follow these tips to choose a solid cyber insurance policy and get the most value in the year ahead.
1. Start early
With all the new changes in coverage and policy language, it's a good idea to give yourself extra time to review the fine print.
2. Use an experienced cyber broker
No standard form for cyber insurance exists, and every insurer has a different track record when it comes to handling claims and coverage. An experienced cyber broker who understands the nuances can help ensure you get the best value and reduce headaches if you need to make a claim.
3. Take proactive security steps
Been putting off that multifactor authentication deployment? Wrap up this and other key security improvements before submitting your application. Many insurers have rolled out new, more detailed questionnaires and even technology that scans your systems. Be prepared for more scrutiny and tackle what you can ahead of time.
4. Take advantage of pre-breach services
Many insurers offer valuable discounts or even free pre-breach services for policyholders that include training, policy templates, vulnerability scanning, readiness assessments, tabletop exercises and more. These can help you reduce your risk -- a win-win for you and the insurer.
As the cyber insurance industry continues to mature, expect to see more coverage clarifications emerge as well as more exclusions. Ensure you understand the policy your company has purchased, as well as what it does and doesn't cover. Take advantage of valuable pre-breach services that might be available to reduce your organization's risk.
Sherri Davidoff is CEO at LMG Security and the author of three books, including Ransomware and Cyber Extortion and Data Breaches: Crisis and Opportunity.