Expect Cyber Insurers to start transferring risk, back to you

The halcyon days of transferring significant amounts of risk to insurance carriers for bargain premiums are practically over.

The latest indication comes to us via Fitch Ratings

Cyber insurance direct written premiums for the property/casualty industry rose sharply 22% last year to over $2.7 billion, reflecting expanding demand for coverage. The industry statutory direct loss plus defense & cost containment (DCC) ratio for standalone cyber insurance rose sharply in 2020 to 73% compared with an average of 42% for the previous five years (2015-2019). The average paid loss for a closed standalone cyber claim moved to $358,000 in 2020 from $145,000 in 2019.

Cyber Insurance Losses Spark Rate Increases – FitchRatings.com

In layman terms, demand is increasing and providers are paying out more money.

Near-term Expectations

In the near term you should expect:

  • Higher Premiums – Renewals that increase premiums 15-20% in 2021 should not be a surprise.
  • Lower Caps on Coverage – Some organizations are seeing the amount of insurance coverage they can purchase drastically reduced.
  • Increased Audits – Some providers are doing automatic audits if a claim exceeds $250-300k. That’s peanuts for any regulated data breach.

Long-term Prediction

I think the Cyber Insurance business is poised to dramatically shift Cybersecurity. I suspect that coverage will be increasingly tied to the security posture of an organization specially through the solutions, services, and utilization of independent auditing. While that statement seems self-evident here is a how I see that playing out

  1. Preferred/Required Product Stack – To gain coverage, or at least affordable coverage, organizations will need to use a certain security solutions. I expect certain vendors to be named for Endpoint Protection, Network Security, Multi-factor, and Monitoring. These products may even be bundled into the coverage. This will be done to reduce risk for the provider and could well disrupt the marketplace in both positive and negative ways.
  2. Preferred Services / Independent Auditing – I think we’ll see an emphasis on using service providers and partners that meet a certain compliance or best practice standard (SOC2, HITRUST, ISO 27001). I also suspect that independent auditing from both a security standpoint as well as a compliance/controls audit will be major factors in gaining coverage. I would not be surprised by industry groups that require members meet such a standard to join forces and try to leverage collective buying power when it comes to cyber insurance.

I appreciate the White House’s attention to cybersecurity, and ransomware, in particular but without a whole of government response I don’t think they will move the proverbial needle dramatically. I think Cyber Insurers might be that catalyst. I’m not naive enough to believe that all the changes will be a net positive but the current situation seems more untenable on a daily basis.

Things you should be doing NOW

  • Re-shop your Cyber Policy with multiple providers every year. Have your IT/cybersecurity specialists reading the policy.
    • Make sure you understand the provider’s terms. There are key phrases like “on you network” that don’t mean what you think it means.
  • Attach an Addendum of Explanation that gives a justification of why you answered X on the Cyber Application. Address any questions you have with your broker. Practice extreme integrity and transparency. You want to discuss skeletons during the application process NOT during a claims audit.
  • Align your program to a framework and audit standard. Utilize best practices blue prints like the NIST CSF and perform a readiness assessment for audit frameworks like SOC2, HITRUST, ISO. This helps you identify strategic gaps in your program as well as giving you insight into how to demonstrate your good work to an auditor.

Links:

DISCLAIMER: I’m not an Insurance Broker, I don’t advise on coverage.

Leave a Reply