Looking at the numbers alone, it’s clear that the massive cyber insurance market is quickly changing. Last year, the marketplace hit US$7.8 billion in overall premiums written, according to Research and Markets, and in 2020, 577 carriers wrote some form of cyber insurance.
However, loss ratios have started to tick upwards over the last few years, moving from the low-50s in 2017, to the high-50s in 2018, and inching past the 60s in 2019, explained David Derigiotis, senior vice president and national professional liability practice leader for Burns & Wilcox, during a recent webinar, entitled “Evolving with the Dynamic Cyber Market.”
Considering this environment, “It’s no secret there has been a lot of movement within the cyber privacy space,” he said. “Many companies are currently re-evaluating their portfolios. We’ve seen notable exits – MS Amlin, as well as Argo, and AXIS is re-evaluating their primary book of business as well … Underwriters are taking a step back, they’re reassessing the risk, they’re looking at the portfolio, and they’re making changes, so we’re seeing a lot of rate increases.”
In turn, brokers have found it harder than in prior years to secure renewals for their clients: carriers are scrutinizing insureds and taking a closer look at their risk management practices, and are generally less willing to provide the limits and capacity that they offered in years prior.
The skittish reaction of carriers is logical given the rise in cyber threats. The SolarWinds attack alone – where Russian state-sponsored hackers are believed to have exploited a vulnerability in IT management software, leading to around 18,000 SolarWinds customers downloading trojan malware – could result in $115 million in claims.
“They’re one of many cybersecurity companies that were compromised,” said Matthew Lefchik, director of cyber risk management for Node International, North America, adding that this ties back to why cyber insurance applications have evolved to focus on risk mitigation, like dual-factor authentication, appropriate data back-ups, and the security practices of third-party vendors.
Smaller organizations are especially at risk in this cyber risk environment because of their traditionally lower degree of investment in cybersecurity, as well as less support internally and externally when it comes to implementing effective risk mitigation before disaster strikes and the post-breach follow-up needed to put a company back on its feet.
Nonetheless, for all organizations, the laissez-faire attitude about cyber risk is no longer possible. Before some of the bigger attacks from the past year, “The cliché comment was that ‘it won’t happen to me, I don’t have any significant data,’ or ‘we work with programs and policies and partners to prevent and mitigate this risk,’” said Lefchik.
However, this way of thinking has been upended by all-encompassing and highly directed attacks, like the SolarWinds one as well as the recent Microsoft hack, during which tens of thousands of Microsoft Exchange servers in businesses and organizations around the globe may have been infected, according to a new report from CyberCube.
To navigate this evolving and often overwhelming risk space, Lefchik recommends that brokers stop being generalists and learn to specialize and adapt to the direction in which the market is going.
After all, “[Hackers today are going to] target your book of business,” he explained, though he added that brokers don’t have to go it alone. “We can give you different ways to develop and improve your [insureds’] cyber hygiene. One of them is as simple as implementing a password manager, [as well as a] zero-trust policy, because a lot of people have access to senior team members, and you really need an administrator, and different guidelines and rules … This is what you need to learn when you’re speaking to your clients and educating them on how to actually improve their posture.”