"Stability, but not simplicity" perfectly summarizes the state of cyber insurance for 2023. While prices have settled, relatively speaking, insurers are rolling out major changes that may limit coverage due to cloud outages, major software vulnerabilities and other widespread cyber events. Major changes are also on the horizon with respect to "acts of war" exclusions, which are especially concerning given the ongoing Russia/Ukraine conflict.
Read on for details and tips for getting the most out of your cyber insurance in 2023.
The state of cyber insurance
The past couple years saw a great reckoning. Cyber insurers took huge losses during 2020, fueled by an epidemic of ransomware attacks and business email compromise claims. In response, cyber insurers increased premiums in 2021 and 2022, often hiking rates as much as 50 to 100%, according to The Betterley Report. At the same time, many insurers began evaluating risks more carefully, releasing more detailed questionnaires, using technology to assess risk, employing stricter underwriting practices and reducing coverage.
The result was a whirlwind for buyers through mid-2022. Many experienced sticker shock or were flat-out denied coverage during the renewal process. Others scrambled to meet requirements such as multifactor authentication deployment under renewal deadlines. In the turmoil, retention rates hit an "all-time low" according to insurance broker, risk management services and consulting firm Gallagher, with organizations switching insurers rapidly to procure what they perceived as reasonable deals.
Still, the cyber insurance market did grow. Although some cyber insurers deliberately dropped policyholders they viewed as poor risks, by the middle of 2022, new upstarts -- smelling opportunity -- emerged to provide additional capacity. For prospective insureds, this translated into more options, although some of the newer entrants had less mature pre-breach services and response support capabilities.
Fortunately, buyers are likely to sail calmer seas in the coming year. Insurers have been buoyed by improved loss ratios. According to the National Association of Insurance Commissioners' latest report, the 2021 average loss ratios for cyber are down slightly for the first time in five years. As a result, restrictions are loosening. Financial services firm AON's midyear report said, "As we work through the second half of 2022, the Errors & Omissions (E&O) and Cyber Insurance marketplace is becoming more buyer-friendly than a year ago."
But it may not be completely smooth sailing. Two curveballs are ahead: new policy language to curb systemic risks and recent changes to "acts of war" exclusions. These issues can seriously limit the value of a cyber insurance policy, so prospective buyers need to watch carefully.
Evolving systemic risk changes
When AWS had an outage in December 2021, it made national news. Businesses including Instacart, Venmo, Roku, McDonald's and Netflix suffered. "Colleges … had to postpone exams during finals week," CNBC reported. It was just one example of the tremendous potential for damage that could be caused by operational impacts to a key technology provider.
Software vulnerabilities have also wreaked havoc, especially those that affected products as widespread as Microsoft Exchange. After a series of flaws in the popular email server was uncovered in 2021, hackers broke into over 30,000 U.S. servers in just a few days and caused untold damages.
Cyber insurers are grappling with how to manage these and other systemic risks -- often in different ways. Beazley, for example, announced in 2022 that it had defined the following two types of catastrophic cyber events to which sublimits would apply:
- an extended outage of a major cloud provider, specifically AWS, Microsoft, Google, IBM or their affiliates; and
- a widespread malware attack affecting an OS such as Windows or iOS.
In contrast, Chubb defined the following two categories of events:
- Limited-impact events are local cyber incidents that affect an organization and entities that organization has relationships, such as owners, partners and customers.
- Widespread events are cyber attacks that can affect many organizations at once, such as a major software vulnerability, supply chain exploits or other catastrophic cyber event.
Coverage from Chubb for widespread events may be subject to co-insurance, sublimits or other restrictions, unless additional coverage has been purchased. For policyholders, this can pose a challenge for planning purposes, since a claim may or may not be covered depending, in part, on how many others are affected.
Cyber insurance customers must be diligent in keeping track of systemic risk changes and carefully evaluate how their organization may be affected.
New acts of war exclusions
In early 2022, pharmaceutical giant Merck won a $1.4 billion dispute with its insurer, Ace American Insurance Company, after it refused to cover damages resulting from a malware infection of 40,000 computers. According to the insurer, the NotPetya malware used in the attack was the work of the Russian government and therefore fell under a war exclusion clause. A New Jersey judge disagreed, however, and "unhesitatingly" ruled for the policyholder, stating that the insurer "did nothing … to reasonably put this insured on notice that it intended to exclude cyber attacks."
The ruling sent shockwaves through the insurance industry. Many feared the insurance industry simply did not have capacity to absorb the losses that could result from similar attacks -- particularly as the Russia/Ukraine conflict loomed.
"The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread and the critical dependency that societies have on their IT infrastructure … means that losses have the potential to greatly exceed what the insurance market is able to absorb," wrote Tony Chaudhry, underwriting director at Lloyd's of London, in a company bulletin in August 2022.
The bulletin said the company requires standalone cyber insurance policies to clearly exclude coverage for certain losses resulting from war or state-sponsored cyber attacks when the losses "significantly impair" a state. Lloyd's provided four model clauses, although underwriters and brokers are free to develop their own language. As of March 31, 2023, all new Lloyd's standalone cyber insurance policies as well as renewals must include updated language.
For policyholders, clarity is generally better. But new language and coverage limitations will undoubtedly create new uncertainties. For one thing, it can be difficult to clearly identify attribution for a cyber attack, especially in the complex hacker ecosystem where nation-states hire independent hackers or hacking groups and loose-knit affiliations are the norm. While the burden of proof is typically on the insurer, no policyholder wants to have to go to court to receive their payout after suffering the injury of a cyber attack.
Organizations must watch for war exclusions and similar clauses in the coming year and consult their broker and attorney as appropriate.
4 tips for getting the most out of your cyber insurance in 2023
Cyber insurance is complex, but good options are available for most organizations. Follow these tips to choose a solid cyber insurance policy and get the most value in the year ahead:
- Start early. With all the new changes in coverage and policy language, it's a good idea to give yourself extra time to review the fine print.
- Use an experienced cyber broker. No standard form for cyber exists, and every insurer has a different track record when it comes to handling claims and coverage. An experienced cyber broker who understands the nuances can help ensure you get the best value and reduce headaches if you need to make a claim.
- Take proactive security steps. Been putting off that multifactor authentication deployment? Wrap up these and other key security improvements before submitting your application. Many insurers have rolled out new, more detailed questionnaires and even technology that scans your systems. Be prepared for more scrutiny and tackle what you can ahead of time.
- Take advantage of pre-breach services. Many insurers offer valuable discounts or even free pre-breach services for policyholders that include training, policy templates, vulnerability scanning, readiness assessments, tabletop exercises and more. These can help you reduce your risk -- a win-win for you and the insurer.
As the cyber insurance industry continues to mature, expect to see more coverage clarifications emerge as well as more exclusions. Ensure you understand the policy your company has purchased, as well as what it does and doesn't cover. Take advantage of valuable pre-breach services that may be available to reduce your organization's risk.