Cyber Insurance: Top Five Trends for 2022

The following is the first blog post in a multi-part series on cybersecurity insurance produced by ACA Aponix^®’s Thought Leadership Team. The objective of this series is to provide clients with the highest quality insights and expertise on the changing and evolving cyber insurance marketplace. To help guide this research and to receive actionable data on premium rates, coverage limits, and more, take the 2022 Aponix Cyber Insurance survey here. 

The increase in the number and severity of cyber attacks in 2020 and 2021 has triggered significant changes to the cyber insurance marketplace. Historically, the cyber insurance marketplace had been considered “soft”, making it relatively easy for firms to obtain coverage at lower premiums. However, the heightened cyber risks and exponential growth of ransomware attacks in particular over the last year has led to a hardening of the marketplace. As we look ahead, these are the top five trends we anticipate seeing in 2022.  

Trend #1: Increase in Demand  

With the increase in the number and cost of cyber incidents globally, more firms are recognizing they are not immune to attack and subsequently seeing enhanced utility in cyber insurance. According to The National Association of Insurance Commissioners (NAIC), the number of written cyber insurance policies in force increased by 21.3% from 2019 to 2020.

In particular, the looming costs of a potential breach are applying additional pressure on firms to protect themselves from the possibility of staggering losses. Not only are there direct costs involved in responding to a cyber attack, but likewise there are indirect costs including disruptions to business operations and reputational losses. IBM’s 2021 Cost of a Data Breach Report estimates that the average total cost of a cyber breach is $4.24 million, with the average cost for the financial industry substantially higher at $5.72 million. These high costs are ultimately driving firms to trade in the possibility of large losses for a less costly alternative by seeking cyber insurance coverage. 

Trend #2: Tighter Terms and Exclusions

At the same time demand for cyber insurance has been increasing, supply has been tightening, as insurers and reinsurers take a step back and reevaluate their risk appetites. With the increase in the number of cyber incidents and claims filed, the industry has become less profitable. Based on estimates from Fitch, a credit-rating agency, insurance company payouts on claims, known as the direct loss ratio, jumped from 47 cents for every dollar in earned premiums in 2019 to 73 cents in 2020. 

As a result, insurers are focusing more intensely on risk selection by asking more questions and requiring more documentation to evaluate firms’ cyber programs. One way in which insurers are responding is by establishing tighter security control requirements of applicants. Multi-factor authentication (MFA) is becoming a key requisite of many insurers alongside other controls such as the presence of an end point detection and response solution, secured and encrypted backups, privileged access management, business continuity and incident response planning, and cybersecurity awareness training to name a few. 

Insurers are also leaning on supplemental applications related to firms’ history with ransomware and high-profile cyber breaches as an attempt to piece together firms’ inherent risk. Throughout these investigative processes, insurers are working more closely with cybersecurity professionals to better understand where cyber risks lie at an organization. Ultimately, firms who do not provide the proper documentation and/or do not have the required controls in place may not be considered for coverage altogether or may incur higher premiums and/or lower coverage limits to account for their perceived added risk. 

Trend #3: Rising Premiums   

The imbalance of supply and demand in the cyber insurance market has resulted in soaring premium rates. Rates experienced a significant uptick following the Colonial Pipeline and Kaseya attacks in the summer of 2021. As a result, it has not been uncommon for firms to experience a 100-300% increase in premiums. According to Marsh, in September 2021, clients’ cyber premium rates per million in coverage increased 174% compared to the 12 months prior. Looking to 2022 and beyond, it is forecasted firms will continue to experience higher premiums as insurers respond to evolving cyber threats. 

Trend #4: Lower Coverage Limits 

Enhanced scrutiny by insurers and rising premiums are impacting the amount of coverage available to firms. Whereas in the past it was not uncommon for a midsize firm to have $10 million in coverage, that same firm today is likely only being offered $5 million or less by most carriers. Specifically, if firms are determined to be of high risk, insurers are less likely to offer them a higher coverage limit or coverage altogether. Likewise, with the rising cost of premiums, some firms themselves are making the decision to reduce their coverage in exchange for a less costly policy. These factors have resulted in an overall downward trend in coverage limits. In September 2021, Marsh reported 23% of its clients experienced either a voluntary or involuntary decline in coverage.  

Alongside lower coverage limits, some insurers are reconsidering coverage altogether for certain cyber incidents such as ransomware. AXA, a French insurance firm, announced it will stop covering ransomware payments in France starting in May 2022. AXA’s decision is a response to the growing losses incurred from ransomware attacks by insurers as well as pressure from government officials who claim cyber insurance payouts are contributing to the rise in ransomware attacks. While AXA’s decision only applies to France currently, it has the potential to open the door for other insurers to follow suit in the future.  

Trend #5: Increase in Self-Insured Retention Levels  

While coverage limits fall and premiums soar, insurers are also expecting their clients to carry more risk through application of retention clauses. Similar to a deductible, a retention clause specifies the portion of damages policyholders will be responsible for paying before the insurance policy kicks in. While often retention policies are being demanded by the insurers, some policy applicants are willingly taking on higher retention rates in the hopes of minimizing their premium hikes. In Q4 of 2021, Marsh reported 60% of its clients had taken on increased retentions in an attempt to keep their premium rates at bay. As providers continue to look to shore up their risk and avoid major losses, retention policies may become a clause they increasingly lean on to distribute the risk.  

Considerations 

So where does increased demand, tighter terms, rising premiums, and lower coverage limits leave firms? For starters, industry professionals advise firms who already have cyber insurance or those considering obtaining coverage for the first time to begin the process sooner rather than later. By engaging early in the planning and application process, firms will be able to better identify existing gaps in their security and work to remedy them to increase their chances of securing a policy with more attractive rates and coverage.  

When it comes to considering how much coverage to obtain, firms should work closely with their brokers to assess their risk appetite while paying close attention to the amount of sensitive information they house. While firms ultimately must be prepared to pay more in premiums than they have in the past, by taking the necessary steps to mitigate risk though enhancing security controls and strengthening their cyber programs, firms will be better positioned for entering the cyber insurance marketplace in 2022 and beyond.  

How Aponix Can Help  

ACA Aponix offers the following solutions that can help your financial institution develop, implement, and maintain the required information security program:  

• Business Continuity Planning, Cyber Incident Response Planning, and Business Impact Analysis
• Domain Monitoring
• Payment and Fraud Risk Assessment Services
• Penetration Testing and Vulnerability Assessments
• Phishing Testing
• Portfolio Oversight