The state of cyber insurance in 2023 can be summarized as stable, but not simple. While prices have settled, insurers are implementing major changes that could limit coverage in the event of cloud outages, software vulnerabilities, and other cyber incidents. Additionally, there are concerns about “acts of war” exclusions, especially given the ongoing conflict between Russia and Ukraine.
Over the past couple of years, cyber insurers experienced significant losses due to a surge in ransomware attacks and business email compromise claims. In response, premiums were increased in 2021 and 2022, often by 50% to 100%. Insurers also started evaluating risks more carefully, implementing stricter underwriting practices, and reducing coverage. As a result, many buyers faced challenges during the renewal process, with some being denied coverage or experiencing sticker shock. Retention rates hit an all-time low, and organizations switched insurers rapidly in search of better deals.
Despite these challenges, the cyber insurance market continued to grow. Some insurers dropped policyholders they deemed as poor risks, but new entrants emerged, providing additional capacity. This gave prospective insureds more options, although some of the newer insurers had less mature pre-breach services and response support capabilities.
Thankfully, buyers are likely to have a smoother experience in the coming year. Improved loss ratios have boosted insurers’ confidence, and restrictions are beginning to loosen. According to the National Association of Insurance Commissioners, the average loss ratios for cyber insurance in 2021 decreased slightly for the first time in five years. AON’s midyear report also stated that the market is becoming more buyer-friendly than it was a year ago.
However, there are two curveballs on the horizon that could impact the value of cyber insurance policies. One is the introduction of new policy language to address systemic risks, such as cloud outages and major software vulnerabilities. Insurers are grappling with how to manage these risks, and coverage for widespread events may be subject to additional restrictions or requirements, depending on the number of affected organizations. Buyers need to stay informed about these changes and assess how they may impact their organization.
The second curveball is the recent changes to “acts of war” exclusions. In a notable case, pharmaceutical giant Merck won a $1.4 billion dispute with its insurer after it refused to cover damages resulting from a malware infection, citing a war exclusion clause. A judge ruled in favor of the policyholder, pointing out that the insurer did not adequately communicate its intent to exclude cyber attacks. This ruling has prompted the insurance industry to address the capacity to absorb losses from cyber attacks, particularly in the context of the Russia/Ukraine conflict. Some insurers have introduced language in their policies to exclude coverage for losses resulting from war or state-sponsored cyber attacks that significantly impair a state. Policyholders need to be aware of these exclusions and consult with their broker and attorney to fully understand their coverage.
To get the most out of cyber insurance in 2023, there are several tips that buyers should keep in mind. First, start the process early to allow enough time to review the fine print and understand any changes in coverage and policy language. Working with an experienced cyber broker is also crucial since there is no standard form for cyber insurance, and different insurers have varying track records in handling claims and coverage. Taking proactive security steps, such as deploying multifactor authentication, is essential before applying for coverage, as insurers are implementing more detailed questionnaires and technological assessments. Lastly, policyholders should take advantage of pre-breach services offered by insurers, such as training, vulnerability scanning, and readiness assessments, to reduce their organization’s risk.
As the cyber insurance industry continues to evolve, more coverage clarifications and exclusions are expected to emerge. It is essential for organizations to thoroughly understand their policies and take advantage of available pre-breach services to mitigate risk. By staying informed and proactive, buyers can navigate the complexities of cyber insurance and ensure they have the coverage they need in the dynamic cyber landscape of 2023.