CyberGuide - Information Security and Cyber Risk Management

Cyber market ‘rollercoaster ride’ shows no signs of slowing: Advisen panel

By Erin Ayers, Advisen

The high prices of the cyber market aren’t likely to let up in 2022, as the insurance industry works to create a sustainable market and continues to face major losses, according to experts speaking during Advisen’s virtual Cyber Risk Insights Conference.

“This is a changing of the market,” said Richard DePiero, senior vice president at Sompo International. “Cyber has gone through a few iterations and this is the next iteration of protecting our insureds and trying to underwrite profitably.”

He added, “The risk exposure has changed so dramatically that we have to bring up those rates and we have to wait until those insureds have better controls in their network for us to bring those rates back down a bit.”

Pricing is part of the solution, but pricing alone won’t end the hard market, according to Paul Needle, senior vice president of cyber treaty reinsurance at Munich Re. Increased cyber maturity for insureds is what will have “an exponential effect” on losses, he added.

“No longer can we accept that they’re going to implement certain controls post-binding, it absolutely needs to be in place,” said Needle. “To me, the difference between this and any other hard market is the underlying change in the underlying process.”

Want to listen to virtual Advisen’s Cyber Risk Insights Conference @ Home? Click HERE.

For buyers, the cyber insurance market has been a “rollercoaster ride,” minus any amusement-park fun, according to Audrey Rampinelli, senior vice president of risk management and insurance services for Mastercard, who moderated the panel. The term “market correction” suggests insureds are paying for past errors, she added.

“It’s not so much that we were missing the mark,” said Robert Rosenzweig, national cyber practice leader for Risk Strategies. “We’re in a completely fluid environment where the threat landscape changed and the regulatory environment changes as well.”

Buyers should expect “more of the same” in 2022, he added, noting, “I don’t think the market has settled to where it needs to be … That being said, certainly, with a fresh start in 1/1, there might be a little more competition in the market, which can make underwriting discipline waver at times.”

New information and new risks prompt all markets in all lines of coverage to reevaluate, according to Jamie Bouloux, CEO of EmergIn Risk.

“The insurance industry is constantly correcting itself,” he said. A key difference for the current cyber market is the continued availability of capacity.

“None of the major markets have pulled out, but we are asking for more information and we are asking ourselves and our peers to consider how we create a model that’s sustainable for everybody moving forward,” said Bouloux.

Ransomware wasn’t even on the radar five years ago for insurers – underpricing and data breach notifications caused most of the losses in the past, panelists agreed. Underwriters, unable to ignore increased claim frequency and severity, now need more information from buyers and have been more “discerning” about where to deploy capital. More data and better correlation from threats to losses is making the difference, said Rosenzweig.

He commented, “Risk selection is paramount. It’s tougher for insureds to get the capacity they need in the market. If controls aren’t there, where you find yourself on the spectrum of average rate increases is going to fluctuate to the high end.”

What the cyber market has going for it right now is a “drastic increase in expertise” for underwriting, according to Needle. “We’ve come a long way in thinking critically about the controls an insured might have.”

Working against the market, however, are years of coverage broadening, expanding to risks that “chip away at profitability,” said DePiero. Non-IT business interruption is “a large looming threat on a cyber portfolio” that insurers may not be modeling well.

Needle agreed cyber coverage need to be curtailed from “everything under the sun” to provide insurers with more certainty.

Bouloux advocated learning from other lines of coverage for non-IT dependent business interruption – by requiring tiered named vendors with contractual obligations, sublimits, and narrowly defined covered perils.

“One of our biggest shortfalls we have is that we’re not learning from that. That’s where it will blow up and it’s an obvious thing for us to corral and fix,” he said.

Any pullback in the market is “just narrowing the scope of what is truly at the core of cyber risk,” added Rosenzweig. The industry also needs to move beyond the risk transfer conversation, he said.

“The onus is falling back on our insureds to bear the brunt on not just on BI losses, but also first-party incident response and investigation costs as well. How can we better structure contracts to have vendor risk better addressed?” said Rosenzweig.

Cyber cover isn’t one-size-fits-all, he added. Small and middle-market organizations are looking for more than risk transfer.

“They’re looking for partnership,” Rosenzweig said. “We’ve got to do a better job as an industry of saying ‘The price point might be higher … but here’s how we’re going to help you on the path to becoming a better risk.’ Ultimately going to be a win-win for both parties.”

Rampinelli questioned whether there is a “tipping point” for insurance buyers on whether the cost of coverage is worth it. It’s a good question, the panel agreed, but for many U.S. organizations, regulatory and shareholder market forces have come to expect cyber insurance and risk management as a priority. Coverage is still providing value, Bouloux said.

“We’re not saying, ‘Ransomware is your biggest issue and we’re excluding it.’ We’re not, we’re providing the coverage. We’re just asking clients to have skin in the game, whether that’s coinsurance, or limiting elements of the coverage, or expanding the underwriting process,” he said.

The January 1 reinsurance renewal season is going to be “critical,” Bouloux added. The “pressure points” filtering down from the reinsurance market will be “very telling,” he said.

“Let’s do something corrective as a market and try and create as much stability as quickly as possible so we can continue to go forward and give everybody what they need.”

Editor Erin Ayers can be reached at [email protected]