With the arrival of the New Year, the question across every sector is what the next 12 months may bring. This question is particularly pertinent to the cyber insurance market where a key characteristic of the risks it faces is that they are constantly shifting and evolving. On hand to lend its perspective, research and forecasts, however, is cyber security services firm Cyberscout and its commercial director of global markets, Tom Spier (pictured).
Find out more: Learn everything you need to know about Cyberscout here
In addition to the likelihood of standard insurers receiving a wake-up call about cyber insurance and personal cyber insurance being set to become a “must-have” in personal lines insurance packages, there is also the growing threat that a cyber capital capacity crisis will emerge, Spier believes.
He noted that the poor performance of mid-market commercial policies, combined with a failure to diversify downwards into small business and personal lines risks, may force secondary capacity to exit the market. There’s a number of London market cyber-focused MGAs that have struggled to get the underwriting capacity they need this winter, he said, and they may continue to have real trouble securing that this year.
“They must examine what needs to change and how they can tighten their belts and make sure that they’re underwriting across a broader range of risks than the US mid-market, medium-sized business space which they’ve been writing almost exclusively for a number of years now,” he said.
“So, I think we’ll see a number of those companies start to branch out into smaller businesses, micro-businesses, private individuals, and perhaps even include some corporate risk that they maybe weren’t before. And that might make them more attractive in terms of big reinsurers or syndicates putting down lines of capacity.”
On the other side of the coin, Cyberscout is not seeing the same kind of capacity crunch when it comes to new product development across existing composite insurers who wish to expand the number of risks that they’re covering as part of their package policies. The capacity limitations coming into the market over the next 12 months are being driven by the overexposure to the US mid-market business by the London market, Spier said, so anybody not in that area is going to pick up this slack.
“Demand isn’t really going to drop off at all over the next 12 months,” he stated, “but the ability to write cyber generally and very broadly is going to be limited. And so, the big composite guys are going have to take up that slack that was previously taken up by the specialty insurers.”
With remote working continuing to blur the lines between personal and commercial security risks in 2021, the value of cyber security services will likely only be accentuated, and Spier highlighted that the complexity of cyberattacks will require crisis management as well as coverage going forward. Between social engineering scams, such as business email compromise, and the rise of double-extortion ransomware in the last year, the cyber threat environment of 2021 is both complex and perilous.
Looking at the double extortion ransomware risk facing businesses, he emphasised that it doesn’t matter how good your backup is or whether you restore from a backup, the threat actor still has access to your data and the ability to publish it.
“And so, the ransom demands are going up,” he said, “and we’re also seeing a reduced willingness to negotiate. We’ve seen some ridiculous requests, for instance, we saw a case involving a small business a few weeks ago and the request was for about $11 million in Bitcoin. And given the size of the company and the type of insurance that they had, that was just a ridiculous request, but they wouldn’t move on it. So, obviously, they didn’t get paid but we’ve seen these guys get bolder and bolder.”
With remote working still the norm for businesses throughout the UK, the role that insurance brokers play in instructing clients on the threat landscape that faces them is more pertinent than ever. Cyber insurance brokers will be in high demand, Cyberscout believes, and Spier noted the team has seen a drive towards large broking houses buying up independent cyber specialist brokers.
The UK is really leading the charge in terms of upskilling the broking community to ensure they are able to educate and advise on products, he said. Sometimes brokers face an unfair label of being resistant to change and slow to adapt to product innovation but he has seen the UK market take the problem by the scruff of the neck and a lot of individual brokers stepping up to the challenge and educating themselves. 2021 is the year for brokers to take that knowledge into the mainstream.
“Brokers know best that experiences sell policies,” Spier said, “and in 2021 there won’t be a single broker that hasn’t experienced working from home and being completely at the whim of their technology and internet connection. That is invaluable, and if brokers can do what they naturally do very well, which is translate that experience into describing the risk to their customers, then cyber insurance is in quite a good spot going forward.”