Dive Brief:
- Soaring premiums in the cyber insurance market are beginning to stabilize, as more organizations focus on cyber risk management and new insurers enter the marketplace, according to third-quarter research from insurance broker and risk advisory firm Marsh.
- Though cyber insurance rates continue to soar, the pace of rate increases has slowed this year, which for Marsh is a signal of future rate moderation. Average cyber insurance rate increases were up 54% in July, compared with 133% in December.
- Demand for cyber insurance remains high. The percentage of first-time cyber insurance buyers has almost doubled in five years, from 26% in 2016 to 50% in 2021.
Dive Insight:
Fears of claim payouts drowning the market appear to be subsiding thanks, in part, to the growing culture of cybersecurity.
Rate hikes are decreasing on average and "with fairly consistent behavior across the marketplace," there are signs of stabilization, Gregory Eskins, cyber product leader at Marsh, U.S. and Canada, said.
Corporate risk management postures are improving. Insurers are setting clearer underwriting standards, which can, in turn, strengthen customer controls; and public-private sector coordination is improving.
"The market has sent very strong signals, probably less than [precisely] what one would want, in terms of, what do we think matters in terms of improving security/resiliency to cyber slip-and-falls," Eskins said.
Things that are largely preventable can never be 100% prevented, said Eskins. Even with really good risk management, "inevitably there's going to be some slips-and-falls, given a set of circumstances and conditions."
The future of the cyber insurance market requires a fine balance: insurers need to weigh profit aspirations against the needs of companies, Marsh said.
Insurance services company AM Best says that, to help improve market performance, underwriting practices should include clear risk controls, including the use of multifactor authentication, patching insecure software and training.
"MFA has become a minimum necessity for obtaining cyber coverage," AM Best said in a June cyber insurance segment report.
Cyber insurance rates have steadily increased since the start of 2019, spiking last year, according to AM Best research. However, rate changes in Q1 2022 were up just 27.5%, compared with Q4 2021's high of 34.3%.
The market's maturity will dictate what is, and is not, covered in future cyber claims. Insurance marketplace Lloyd's of London plans to no longer cover state-sponsored cyberattacks starting in spring 2023.
Such war exclusions raise questions about how organizations can prove where an attack originated, especially in an era where independent threat actors act on behalf of a nation-state.
However, there is momentum behind insurance covering ransomware for clients, AM Best found. Two-thirds of insurers see ransomware coverage as a value-add, compared to one-third of respondents who see ransomware payment as encouraging to bad actors.