The cyber insurance market is showing signs of stabilization after two years of extreme volatility, characterized by high frequency and severity of claims, soaring rates, reduced insurer appetite, and strict underwriting and risk management requirements.
Contending with an ever-changing cyber-threat landscape, insurers have taken corrective actions to reflect the increased frequency and severity of the risk. Adjustments to pricing and risk appetite – although challenging for insureds and agents – are starting to have an impact. Rate increases are stabilizing as insurers gain more control over attritional losses and insureds focus on the implementation of cyber security controls.
There are reasons for both optimism and caution in the cyber insurance market, according to the panel of cyber insurance experts gathered for the latest edition of IBA’s Executive Insights Series.
Gwenn Cujdik, manager, cyber incident response at AXA XL North America, says the market is “stabilizing [and] maturing” to the point where carriers, agents, and insureds are being more proactive and innovative in their cyber insurance and risk-management strategies.
CFC executive vice president Shannon Groeber agrees that the market has “entered a new segment of stability” after almost two years of “swift changes” and market corrections.
She says, “While it’s been quite difficult for everyone to navigate, I think the positive is that clients should have a better view of what to expect over the next 18 to 24 months as compared to the uncertainty and instability they’ve had to navigate [in recent years].”
“We remain cautious, but optimistic,” says Annamaria Landaverde, cyber team lead, Munich Re US. “We’re cautious in that reinsurers are still carefully monitoring our exposure to systemic risk, and we’re also monitoring volatility. We’re now starting to see the full picture from the 2018 to 2020 losses, and the impact of frequency and severity in those years. I think it’ll take more time before we have enough evidence of continued improvement to really get more optimistic.
“We are optimistic in that there has been forward progression in policy wordings, rate adequacy, and scenario modeling, but we think that there’s still much to be done to bring the cyber product to a greater level of maturity.”
Significant challenges remain in the cyber insurance market, with the panelists expressing concerns about ransomware costs, risk aggregation or systemic events, third-party exposures, and ongoing issues around fraudulent funds transfer through social engineering and business email compromise, among other things.
After years of ransomware being the primary culprit behind rapid hardening in the cyber insurance market, there have been some reports that attacks have decreased in both frequency and severity in the last six months, a trend that Shawn Ram experienced.
“Interestingly, the ransomware demands that we saw in 2022 reduced at a much larger percentage, from an average of $1.3 million to just under $900,000 in [the first half of 2022, versus the second half of 2021],” he says. “I do believe ransomware is subsiding slightly, but it continues to be the largest driver when it comes to severity-related risks.
“Having said that, we saw a slight increase of about three percent in that same time period for fraudulent funds transfer, social engineering, and business email compromise. The notion of phishing continues to be, from our standpoint, the most prominent threat vector that adversaries are using to infiltrate and exploit a network.”
Proactive risk management
All panelists agree that cyber-risk management requires going beyond just insurance and should include proactive measures such as active threat monitoring and network scanning, consistent cybersecurity education, and a highly engaged claims process. Proactive risk management is key to reaching more stability and maturity in the marketplace.
Regarding proactive risk-management, there are certain nice-to-have and need-to-have cyber-risk controls that are determining insurability and competitiveness in the marketplace. Underwriters are concentrating on several crucial controls at this time, including multi-factor authentication (MFA), secure remote desktop protocol (RDP), endpoint detection and response (EDR), and the segmentation of back-ups and different network capabilities.
“We are firm believers in the three pillars of predict, prevent, and insure,” says Hilario Itriago, president, USA, BOXX Insurance. “[Regarding cybersecurity controls and capabilities], it’s about making sure small- and medium-sized businesses up their level of sophistication in how they manage their businesses. We think that’s really important because if we just provide an insurance policy, but we don’t help clients prepare [to face cyber threats], we’re not really adding any value to them, to their business model, or to their defense architecture in the long-term.”
Ram thinks cybersecurity controls have improved and have “contributed to the decline in ransomware” over the last six months. He explains: “We believe that roughly 40 percent of ransomware derives from RDP – particularly with the pandemic and many companies aggressively pursuing methodologies to work from home. I refer to RDP as ransomware deployment protocol. It’s something that is commonly used by adversaries in order to deploy malware and exploit a policyholder.
“Some of these best practices, like managing how you deal with remote work, addressing back-ups in an appropriate manner, and using MFA, have a tremendous advantage in thwarting adversaries and making your company not a target to the hacking community.”
What lies ahead?
Itriago says cyber insurance is still in the early stages of its “maturity curve,” but he believes that society is not far from a state in which technology use and digital connectivity will be so systemic that cyber insurance will soon be “essential.” He adds, “We’re going to mature faster as an industry, and we’re going to learn faster by having all those domains and all those data points … and inevitably, that’s going to turn people within the cyber insurance industry into rock stars.”
Cujdik also expects to see more growth and maturity as recognition of cyber risk grows. She says, “Over the years, there’s been huge payouts, [generating] more understanding of how events happen … so I see us actively moving toward writing better policies and helping our insureds better prepare for risks. Nobody wants to have an event. It’s a scourge on the reputation of the company. It’s tremendously stressful. It can be an event that bankrupts a company or shuts down a company. And so, really being proactive and helping to avoid those events – I think that’s what we’re going to see more of in the future.”
CFC’s Groeber expects cyber insurers to make better use of data points – collected through active network monitoring and scanning, and contextualized with the use of intel feeds – to analyze cyber risks in a way that will benefit both carriers and clients. She says, “We need to connect the dots … to create solutions with a more mature view toward protections and enhanced cyber hygiene. I think we’re seeing that now, and we’ll continue to see that as we – the cyber insurance community – start to access more data points and rely on tools and technology to support the solutions we’re providing to clients.”
Landaverde sums up the situation nicely: “The one constant in cyber insurance over the last 20 years has been change. Therefore, I predict that we’ll see new loss trends, a shifting cyber-risk landscape, and further maturity in the areas of innovative risk assessments, more clarity in policy wordings, and more predictive CAT modeling. If we could achieve more certainty in all of this and less volatility, then I think we will continue to see more capacity coming into this market, whether it’s traditional capacity like we see today or more alternative capital capacity. Ultimately, the end game for us is long-term sustainability of the cyber market.”
Originally published on Insurance Business America in October 2022