25 Years: The Journey of Cyber Insurance

June 17, 2022 by Kurtis Suhs

This year marks the 25th anniversary of the cyber insurance market.

Executive Summary

While young underwriters may think that cyber insurance is a recent coverage innovation, the line is actually more than two decades old. Here, Kurtis Suhs, a veteran of the cyber insurance industry who served as an investigator and criminal coordinator for the FDIC early in his career and later as a broker for INSUREtrust in the late 1990s, gives a personal account of the development of the cyber insurance industry from his vantage point and an assessment of the market today.

While many industry observers view cyber coverage as a surging phenomenon in response to the escalating incidence of indiscriminate attacks, the first cyber policy was envisioned and crafted in 1997 to address a risk that financial regulators had already identified. What launched as protection against a then little-known exposure, Internet fraud against an online bank, is today the hottest, fastest-growing sector of the world’s insurance markets.

In 1995, Federal bank regulators and financial regulatory authorities met in Atlanta for an annual fraud conference. As part of the agenda, officials were given a presentation by Security First Network Bank, a licensed bank in the state of Georgia, introducing its proposed business model as the world’s first Internet bank, defined as a bank with no physical branches or brick-and-mortar presence. The presentation, delivered through a Netscape browser, was a straightforward value proposition with drawn images depicting the interconnectivity of the various parties engaged in a typical banking transaction.

Conference attendees, while intrigued, voiced concern about risk management controls, security and financial soundness. The primary concern centered on the bank’s ability to deliver online banking services safely given the foreseeable threats of financial institution fraud and theft of bank assets by hackers. Recommendations included the underlying need for insurance coverage to protect the institution in the event of an unforeseen data attack or fraudulent incident.

The Atlanta-based insurance broker for Security First Network Bank was charged with securing insurance to protect the online-only bank from Internet risk. At that time, however, coverage for web-driven perils did not exist. Financial institution underwriters regarded such exposures as technology risk, while technology insurance carriers believed these intangible banking risks belonged in specialty Financial Institutions lines. The broker, Steven Haase, saw the need for hacker insurance. He subsequently created Network Risk Management Services LLC (later known as INSUREtrust.com) as a managing general agency (MGA) to launch the first cyber insurance policy at the height of the dot-com era.

The MGA’s model borrowed a proven approach for underwriting certain at-risk commercial operations: the concept of Highly Protected Risk (HPR). Commercial property carriers designed coverage around engineering-based risk management assessments, for example of commercially installed state-of-the-art sprinkler systems. Under HPR policies, the carrier’s engineers would identify property risks and establish guidelines for the insured to follow. Once the insured implemented the required systems and procedures and met the coverage qualifications, it could be certified as an HPR, with the inherent benefits of favorable premium rates and pricing options. The engineers would conduct periodic compliance reviews as a condition of continued coverage.

Network Risk Management Services, following the HPR playbook, engaged information security professionals and military experts to conduct an external vulnerability assessment of each insurance applicant’s computer network systems. The military security professionals, drawn from the Air Force, were experienced in evaluating third-party threats to national security assets, which they termed Critical Vulnerability Exploits (CVEs); the initials coincide with, but should not be confused with, the Common Vulnerabilities and Exposures list that MITRE launched in 1999 and that vulnerability scanners report against today. The applicant would also be required to complete a detailed, multi-page insurance application outlining its risk management controls around people, processes and technology. As a condition of binding coverage, the applicant had to remediate any discovered high-severity vulnerabilities immediately and fix any identified medium-severity vulnerabilities within 30 days of the policy’s effective date.

In essence, external vulnerability scanning is where the industry started 25 years ago, and it is an approach that cyber InsurTech platforms continue to institute today.

Cyber Insurance’s Path to Market Relevance

Cyber insurance has grown rapidly and captured substantial market share over the past two decades. Initial standalone cyber policies consisted of two levels of protection: first-party coverage for digital asset restoration, business interruption and network extortion; and third-party liability arising from network security and privacy wrongful acts, as well as media liability arising from copyright and trademark infringement.

By 2015, the marketplace boasted over 50 cyber insurance carriers, continually offering more lenient terms and conditions with accelerating premium reductions. External vulnerability assessments were no longer an underwriting prerequisite, and cyber insurance applications were reduced to a mere two to three pages. Coverage options broadened to include such cyber risks as: 1) bricking, where malware renders hardware useless without physically damaging tangible property; 2) business email compromise incidents; and 3) system failure, where the insured mistakenly takes its own network offline and suffers a business interruption loss.

While soft market conditions flirted with the prospect of an all-risks cyber policy, most cyber risk programs are still underwritten on a standalone basis, with limited exceptions for supplemental sublimits and packaged policies in admitted markets.

By 2017, private equity firms began investing heavily in cyber insurance MGAs to compete with traditional carriers that followed established underwriting processes. This new wave of cyber MGAs touted innovative underwriting prowess, offering external vulnerability scanning at the time of application and process verification during the policy period.

In 2020, the market showed signs of hardening as the frequency and severity of claims were amplified by rampant ransomware attacks, data breaches and money theft arising from business email compromise. Further complicating matters, organizations had more complex connectivity among devices, business partners and third-party providers, spanning both information technology and operational technology. According to a recent report by Sophos, the cyber security firm, 66 percent of midsize organizations worldwide were targets of a ransomware attack in 2021, compared with 37 percent in 2020.

By 2021, the cyber insurance market had entered an unprecedented hard market cycle. Today, cyber insurers have restricted their appetite for certain higher-risk industry classes, increased retentions, reduced overall policy limits, incorporated new coinsurance provisions and introduced other exclusions. Even as one of the fastest growing lines of business worldwide, cyber insurance premiums have increased anywhere from 25 to 400 percent over the past year, whether or not the insured has had a cyber claim.

Cyber insurance spending for standalone coverage in the U.S. reached nearly $3.1 billion last year, an annual increase of 92 percent from the prior year, as reported by Fitch Ratings. Exorbitant price points are compounded by greater underwriting scrutiny and often onerous insurance constraints. The majority of cyber insurers now require enterprisewide multifactor authentication, a documented data-backup strategy and a privileged access management tool to protect user credentials, among other criteria. Conditions for binding may also stipulate that the applicant deploy protection monitoring and response tools and establish a 24/7 security operations center (SOC).

The cyber insurance landscape will continue to evolve and mature. The unfortunate reality is that many organizations and insurance applicants may not meet insurers’ minimum information security requirements, or may simply forgo the purchase of cyber insurance because of prohibitive cost. Cyber insurance carriers will be challenged to serve brokers and agents with the timely information and relevant resources needed to help their insureds navigate protection options for their respective organizations.