What will cyber insurance buyers face in the coming year? Here’s a snapshot of the top five trends to watch, based in part on our 2019 Insurance Marketplace Realities Report: Cyber risk.
1. Pricing will remain stable, and capacity will keep up with demand: We expect cyber insurance rates to remain stable, with most renewals averaging single-digit increases of up to 5% for primary and excess policies. For organizations with claim activity or recent incidents, premium increases may be higher.
Insurers are looking closely at organizations’ risk profiles and have tightened pricing and retention guidelines for companies that have not addressed their cybersecurity vulnerabilities. However, where organizations have demonstrated increased levels of security and internal policy controls, insurers are more inclined offer premium decreases.
Midsize companies in low-hazard industry classes will continue to see a very competitive marketplace.
Overall, we expect a steady increase in capacity, with new U.S., London, Bermuda and Asian markets providing limits of up to $600 million (per risk) in some cases.
2. Midsize companies will drive market growth: As gross written premiums continue to climb, one of the biggest segments driving growth is the middle market (organizations with annual revenue below $1 billion). While historically, cyber insurance take-up rates in this segment have been low compared with large and Fortune 500 companies, midsize companies across a range of industries are realizing the threat and potential financial consequences of an attack, which Cybersecurity Ventures estimates could reach $11.5 billion by 2019 for losses associated with global ransomware and cyber extortion alone.
And as we saw with the NotPetya and WannaCry attacks, midsize companies can be prime targets for cyberattacks because they often lack the resources and protocols of larger firms to defend against them. For others, the menacing headlines alone are enough to drive them off the sideline and into the buying market. The additional cyber resources and notification services that accompany a standalone cyber purchase are critical factors and a big draw for these new buyers.
3. Carriers will begin to address whether cyber is a product or a peril. A key question in the industry has been whether cyber should be a stand-alone product or continue to be included with other coverages, such as property and general liability. While the issue has yet to be resolved, we’re seeing some carriers take clear positions with regard to physical loss and how a cyber event could affect an insured’s other policies, including property and general liability. By understanding these risks more broadly, carriers can now assert affirmative coverage under a particular policy, or insert exclusionary language based on where affirmative coverage may fall.
4. Coverage will evolve to address new regulatory risks: Insurers are starting to address coverage for claims stemming from the General Data Protection Regulation (GDPR) and those anticipated under the California Consumer Privacy Act, which will take effect in 2020. Ensuring contract certainty and specific language is a positive step for insureds. While we have yet to see any substantial fines or penalties related to the GDPR, we expect to see an increase in claims activity, given the complexity of the regulation and potential triggers for regulatory proceedings.
5. Workforce awareness will remain key: It’s important to remember that investing in technology will only go so far, and that effective cyber risk management starts with your workforce. Our own cyber claims data shows two-thirds of cyber incidents are the direct result of employee behavior – for example, negligence leading to lost devices and malicious insiders seeking to profit from corporate espionage.
When analyzing other cyber incidents, a large portion can ultimately be traced back to additional “human elements,” such as talent shortage, skill deficits and employee engagement. As organizations continue to make substantial investments to strengthen their security and privacy protections through technology and become more vigilant about tackling the human element of cyber risk, they will have further leverage to press on pricing and coverage improvements.