6

Cyber Insurance

Greater focus on cyber risks

Over the course of last year, the market for cyber insurance hardened further. However, depending on a company’s size and business model, the trend looks very different. In view of recent developments such as the war in Ukraine and significant inflation, the situation is very unlikely to ease this year. Risk quality is becoming an ever more important factor, with insurers formulating minimum requirements and increasingly professionalising their underwriting processes. It makes sense, therefore, for companies to start preparing for this challenging renewal period early on – in consultation with brokers specialised in cyber insurance.

Market situation

First of all, it should be noted that the risk situation has become considerably more acute over the past three years, especially for large companies. For example, the number of ransomware attacks against companies more than tripled to 323 per cent between the first quarter of 2019 and the fourth quarter of 2021, as reported in Aon’s 2021 Global Risk Management Survey.

The first consequence of this trend is the increase in premiums in 2021, as the 2021 E&O / Cyber premiums chart illustrates.

Besides an average doubling of premiums in the second half of 2021, two thirds of cyber policies have also seen a significant increase in their deductibles.

In addition to premium and deductible increases, insurers have further reduced their limits for each individual risk, with the result that customers generally have an amount of between just EUR 5m and EUR 15m per insurer at their disposal. More extensive insurance programmes therefore now have to be put in place with a larger number of different insurers, in some cases under very different terms and conditions.

As a result, one in five companies reduced the insurance amount of their cyber cover in the second half of 2021, more often than not for budgetary reasons. However, the potential financial impact of loss or damage is often not sufficiently qualified or quantified beforehand. Key here is the fact that individual insurers are specifically trying to exclude main causes of damage from their insurance policies. In particular, the leading / most frequent (major) cause defined as “loss or damage from ransomware attacks” has either been excluded, sublimited and/or undermined by these insurers through “co-insurance arrangements” where, in addition to a deductible, a customer usually participates in a loss on a percentage basis.

It is, therefore, becoming increasingly important for companies not only to be able to rationally qualify and quantify their own corporate risks, but also to show insurers what security and recovery measures they have taken and to correctly demonstrate the company’s level of cyber maturity, albeit in the best possible light. Only by making insurers aware of such aspects, will industrial concerns be able to purchase adequate risk coverage at an affordable premium. In so doing, support from specialised brokers with broad insight into the current market is essential.

Ransomware attacks on companies

from 2019 to 2021

Source: Risk Based Security, analysis by Aon; data correct as at 31.01.2021; data exfiltration by ransomware and downtimes according to the Coveware Quarterly Ransomware Report as of 21.10.2021.

Outlook

Like a lake that freezes, the current cyber insurance market is hardening from the top down.

While new insurers are still trying to build up sufficiently large cyber insurance portfolios “at the bottom of the lake” by applying a low-price strategy, well-established cyber insurers are responding to sometimes significant frequency losses caused by APT attacks (on the rise since 2019) incurred in particular by larger companies.

In the industrial insurance line, the professionalisation of underwriting is now noticeably more pronounced.

This is reflected, on the one hand, by insurers’ ever-increasing need for information and, on the other, by a slowly emerging trend of different conditions and premiums according to risk quality.

Here, too, the impact of the war in Ukraine is now becoming visible in two respects:

First, insurers’ concerns about (collateral) damage from “hybrid warfare” are not only leading to territorial exclusions or modified war exclusions, but also to a situation where some insurers are no longer underwriting companies with the corresponding regional exposure.

Second, inflation, already much in evidence and set to deteriorate, is likely to lead to an additional increase in premiums.

While there is already light at the end of the tunnel in cyber excess insurance, the situation remains tense in the basic insurance line. We do not expect this to change fundamentally during 2022.

2021 E&O- / Cyber premiums for a basic insurance policy and 1st excess

Average change vis-à-vis previous year (same customer)

Market trends

The short supply of basic cyber coverage means that alternative risk-financing solutions such as (virtual) captives are increasingly being looked at. The effectiveness of such solutions will depend primarily on the reasons for their adoption and the individual company’s own risk.

The extent to which forthcoming decisions on data privacy breaches by the EU Court of Justice and the guidelines published by the European Data Protection Committee on the calculation of fines for privacy breaches will influence the future risk environment of cyber insurance cannot yet be measured with any certainty. It can be assumed, however, that the effect will be to raise risk.

The progress made in the professionalisation of cyber underwriting processes will, in the medium term, enable insurers to manage their portfolios more in line with the risk, as required by the European Union Agency for Cybersecurity (ENISA), and to purchase adequate insurance protection for well-positioned companies at acceptable premiums. Take, for example, the case of unavoidable cyber incidents such as “Kaseya,” where hackers attacked a major IT service provider in the USA, with disruptive effects for German companies, too.

Holistic approaches are becoming more important than ever

With information and communications technology (ICT) constantly evolving, its applications in business processes and the growing number of associated incentives for cybercriminals require an increasingly holistic approach that brings together the worlds of ICT, value-added processes, risk management and, ultimately, risk transfer. Isolated optimisation of individual parameters is destined to fail.

That’s why Aon is consolidating its holistic approach based on the reformed Cyber Loop by expanding its Cyber SecurityX Services in the D-A-CH (Germany, Austria, Switzerland) region.