Protecting businesses against a rising cyber threat

A rapidly changing cyber risk landscape requires companies to reassess defence levels regularly to minimise potential damage to their balance sheets and reputations. While cyber insurance underwriters have become very selective in their approaches, this process is having a positive effect in helping companies to identify and address their weaknesses.

Cyber Insurance Trends in 2024

Pricing reductions: Clients commonly secured pricing decreases, with up to double-digit (in %) reductions in premiums due to strong competition between insurers.

Increased market capacity: Persistent capacity fuelled the competitive market conditions.

Flexible underwriting: Insurers demonstrated a greater readiness to provide quotes with less comprehensive underwriting information compared to previous years.


Survival of the Fittest

With the help of artificial intelligence (AI), cyber threats (such as phishing emails and ransomware) continue to evolve as threat actors use more advanced techniques to carry out cyber-attacks. The frequency and severity of cyber-attacks continue to rise, and as companies continue to expand their digital footprints, the greater focus on cyber hygiene protocols may be viewed as a welcome opportunity to increase resilience.

Lockton have observed several instances where internal IT departments have leveraged insurer minimum requirements as a key incentive for getting internal cyber security projects or improvements approved – a win for both insureds and insurers. Besides, transferring cyber risk to the insurance market, as opposed to retaining it, is likely to make commercial sense.


Managing Vulnerabilities

Add into the mix a 24/7 ‘cyber hotline’. A cyber policy typically includes a breach response team, providing immediate access to legal advisers, IT forensic consultants, specialist ransomware negotiators, and public relations and crisis management personnel. Having an experienced response team on call, ready to deal with the consequences of a cyber event, is a welcome benefit, particularly when staff may be feeling vulnerable and when time is of the essence. This will maximise an insured’s ability to get back ‘up and running’ as quickly as possible.

The continuous rise in claims has led to breach response teams being engaged now more than ever. Lockton have observed insureds benefiting from intelligence obtained by breach response teams. By way of example, a breach response team may be dealing with the same threat actor across a number of claims over a one-month period. Expertise in how particular threat actors operate and negotiate can be priceless and has led to better outcomes on claims.


Comprehensive Cover

There can be some misunderstandings around what cyber insurance is and what ‘cyber cover’ a company has, in fact, purchased. Anecdotally, we are aware of businesses which thought they had purchased ‘cyber cover’ only to discover that their cover was a component part of another policy. Historically, some more traditional policies such as professional indemnity (PI) insurance have little or no cover for cyber risks. Therefore, relying on cyber cover in these more ‘general’ (i.e., not standalone cyber) policies can be risky without a dedicated cyber policy.

A standalone cyber policy is designed specifically to respond to events involving privacy breaches (as often happen in the ‘cyber space’) and network security breaches (e.g., the classic ransomware attack or phishing event).

Cover generally extends to both third-party liabilities and first-party costs.


Added Extras

Many companies, when purchasing a cyber insurance policy, choose to complete a full cyber risk analysis as part of the process (often using third-party consultants who specialise in this area). This should ensure that the cyber threat is appropriately (and accurately) identified, mitigated, managed, and then transferred.

Insurers now also provide significant ‘add-values’ through information sharing, vulnerability alerts and applications that assist organisations in their broader risk posture.

Openly and transparently addressing a company’s cyber strengths and weaknesses can limit potential exposure to directors and officers (D&O) claims based on the proposition that management failed in its duties to protect the organisation appropriately.

Addressing deficiencies, having assessments performed by independent third parties and transferring the risk to insurance all assist in showing serious consideration, understanding and management of a business’s critical risk, mitigating directors’ and officers’ obligations.

Furthermore, the process may mitigate claims of ‘greenwashing’ of environmental, social, and governance (ESG) principles, showing commitment to the S (e.g., data protection) and the G (management leadership).

For more information, visit our Cyber and Technology page.

Author: Lockton Greater China Marketing and Communications

Lockton (China) Insurance Brokers Co., Ltd.

+86 21 5081 2338

enquiry@lockton-cn.com
