While global commercial insurance rate hikes are starting to moderate, cyber seems likely to be an outlier for some time to come.
“Right now, we are not at a stage where we can see the end of the light through the trees,” Meredith Schnur, Marsh’s U.S. & Canada Cyber Brokerage leader, told Carrier Management.
An early May 2021 Marsh report found commercial cyber insurance prices jumped 35 percent in the U.S. and 29 percent in the U.K. during the 2021 first quarter—higher rates of increase than the year before. That bucks global commercial insurance rate hike moderation in most other lines.
Schnur explained that cyber rate hike escalation is a relatively new phenomenon for the market.
“Even in the wake of 2017, [the NotPetya cyber attacks] did not equate to a large pivot in the cyber world,” Schnur said. Similarly, in 2018 with the rise of ransomware and related extortion demands, the financial losses initially did not escalate. That started to change in 2019, when ransomware events began to become more frequent and severe.
“When I speak to severity, I not only mean it’s a given that the [ransomware] extortion demands have absolutely grown in size from what was historically maybe a couple thousand dollars,” she said. “A pretty severe ransomware demand back a year-and-a-half ago might have been $1 million, to upward of demands in excess of $50, $60, $70 million, and then you have to negotiate it down from there.”
Ransomware and Beyond
Today, ransomware payments are easily seven or eight figures, Schnur pointed out, but she said the “sharp pivot” in cyber rate increases goes beyond that.
“You can have a ransomware event trigger multiple insurance agreements on a policy,” she said. “So, it’s no longer about just the ransomware extortion itself; it’s the breach costs and the incident management costs [and] it’s the ransomware payment itself.”
In other words, insurers have been challenged even more because of the resulting business interruption and extra expenses beyond the initial cyber incident. The cyber costs expand to how the ransomware event affected the targeted company’s business income, triggering things like income loss coverage and contingent business interruption, Schnur said. Effects then also spread to clients of the company that suffered the ransomware event.
“If it was a vendor or supplier that had the event and you had a contingent business interruption because of your reliance on that vendor, your policy is now triggered,” Schnur said.
She added that there are issues about data theft from devices, privacy and regulatory violations that can also stem from a ransomware attack, so the attacked company’s liability grows in multiple ways. Simply put: One attack heavily multiplies the damage. But that reality goes well beyond ransomware.
“In the past four to six months, another overlaying concern and pressure is the systemic, or the pandemic nature of a cyber risk,” Schnur said. “Now you can have one event, but you can have one affecting multiple insureds.”
It’s worth noting that until now, cyber has been profitable, and the market has seen a huge growth in players.
“We went from five markets in 2005 to…120-plus markets writing cyber. Now, whether or not they are really formidable primary players, that’s disputable,” Schnur said. “There’s a reason why all of these insurer partners have jumped into the cyber world—because up until recently it has been an extremely profitable line of business.”
With recent trends in mind, cyber rate hikes should continue at a rapid clip for some time, Schnur said. She emphasized, however, that cyber insurance remains stable overall despite rapid rate increases, going through growing pains like any other type of coverage.
“We’re going through the same growth maturity as any other line of coverage and really, truly understanding how to price for it,” Schnur said. “We don’t want to peel back the coverage. We need the coverage, so we’re in the growing pain stage.”
Rapid rate hikes aren’t without risks, however.
Schnur notes that clients might decide their budgets can’t afford the higher cost for “effective cyber risk transfer,” so programs could emerge that renew at a lower limit than in previous years. There could also be more alternative structures, such as captive and reinsurance options that transfer risk better “and help pillow the balance sheet when and if an event happens.”
Of course, higher rates also help keep cyber insurance sustainable.
“The cyber insurance market wants to be here and wants to remain intact, and the reinsurers want to be able to support their insurer partners,” Schnur said. “In order to do so, we have to get rates to a sustainable level so that we actually have a market.”
One thing that will help, she explained, is greater “cyber maturity” from clients, so their savviness about risk reduction won’t set back insurers as much financially when ransomware or other cyber losses hit.
In the immediate future, however, rate hikes are coming in tandem with coverage limits, after years of expanded coverage.
“Defining today is a restricting of coverage in certain areas pertaining to a specific risk and control environment, coupled with really trying to rein in accumulation risk at its best,” she said. “We are not seeing any real expansion of coverage at this point in time—after 20 years of extending and expanding coverage on these policies.”