National Cyber Practice Leader
- Cambridge, MD
With the critical July 1 renewal cycle in the rearview mirror, we can certainly say the differences in the Cyber insurance market compared to last year are striking. Last year's continuation of double-digit (sometimes triple-digit) premium increases, limited capacity, carrier appetite restrictions and loss trends that were edging slightly downward while remaining significantly active gave way to a different environment altogether in 2023. Building higher-limit programs was generally less challenging, and even some of the more traditionally difficult sectors attracted renewed interest from markets that, a mere year before, would have taken a hard pass.
In our last quarterly market update, we discussed the state of amnesia that tends to permeate our industry, leading to the often-predictable underwriting and rate cycles that play out. The seemingly short-lived slowdown in ransomware activity, combined with the rate increases of 2020 through 2022, set the stage for a swift about-face in pricing and even underwriting strategy for many markets thus far in 2023.
However, continued rate reductions in the face of higher claims frequency and severity isn't a formula for prolonged sustainability. Things will change — the peaks and troughs that represent hard versus soft markets in Cyber insurance are more concentrated and steep than those in more traditional lines of business, according to the Insurance Information Institute.[1] This observation makes sense, because the very nature of cyber risk is constantly evolving and showing us things not previously seen. While emerging factors such as global warming will have their effects on the patterns and severity of weather events, cyber is different. We won't see an entirely new, never-before-seen type of fire, wind or flood that affects Property policies. That's what makes cyber all the more interesting and challenging at the same time.
We've discussed in detail the concerns insurers have about widespread, catastrophic cyber risk. This risk can come in many forms, from nation-state-sponsored attacks to attacks on operating systems or software program vulnerabilities, where the chances of affecting millions of customers simultaneously is real.
May 2023 brought news of a ransomware attack that was delivered through a previously unknown vulnerability in a prominent software company's managed file transfer solution, MOVEit Transfer. The attack has been attributed to a gang known as CL0P — also known as Cl0p and TA505 — with identified ties to Russia. Internet-facing MOVEit Transfer web applications were infected with malware specific to CL0P, which was then used to steal data from the underlying MOVEit Transfer databases. The impact has been significant, affecting hundreds of organizations, and our carrier partners have received an inordinately high volume of claims associated with this event.
Such exploits are commonly known as zero days: attacks on a security flaw for which the flawed system's vendor has yet to make a patch available to affected users. The software manufacturer has long since released a patch addressing the vulnerability, but not before significant effects had already been realized, which is why organizations that patched promptly still had to determine whether their data had already been taken.
Unlike many ransomware attacks, the pattern in this attack hasn't been to restrict access to systems by way of encryption. Rather, the attackers are attempting to extort their victims by threatening to release sensitive data obtained by exploiting the file transfer software. The ransom amounts have typically been in the hundreds of thousands of dollars, or even in the millions for some of the larger organizations impacted. It's unclear if any have paid the ransom demand to date.
The US Department of Energy and several other government agencies, including most recently the Department of Health and Human Services[2] — along with major pension funds, banks and private businesses — have been affected by this exploit, and it's having far-reaching effects. Cybersecurity experts estimate that the MOVEit situation has affected hundreds of organizations globally, including more than nine million motorists in Oregon and Louisiana, Johns Hopkins University, the University of California at Los Angeles, Sony, PwC, Ernst & Young, the BBC, Shell, Putnam Investments and British Airways, among scores of others.
Insurers want to minimize their exposure to widespread events that can potentially affect thousands of policyholders simultaneously. Of particular interest are the variances among different carriers' approaches to minimizing this exposure. On the extreme end are exclusions in some Cyber insurance policies specific to zero-day attacks or attacks on flaws identified as Common Vulnerabilities and Exposures (CVEs), the catalog of publicly disclosed computer security flaws. More common, however, are exclusions that more specifically identify the triggers for what is considered "widespread." An event such as the MOVEit exploit would still be considered for coverage under these, because it hasn't had a significantly detrimental effect on the delivery of essential services to a wide population that caused major societal and economic dislocation. Nevertheless, it's important that agents and brokers familiarize themselves with exclusions of this nature, work with their RPS Cyber product specialist, and advise their clients accordingly.
With new events continuing to occur in the background, we're seeing mixed messages coming from the markets in response to profitability results over the past year and what's being seen as a changing risk horizon in Q4 2023 and into 2024.
Despite concerns regarding the adequacy of capacity to meet the growing demand for Cyber insurance, the July 1 renewal cycle saw fewer hurdles to getting desired capacity than in 2022. The public entity sector — typically among the most challenging for placing coverage — showed signs of a changing market; for example, large municipality placements that saw a ceiling of $20M in capacity last year could in some cases make decisions on towers of $50M or higher in July of 2023.
These larger placements (with favorable loss experience) generally saw a rate decline on their primary layer. Couple this with an excess market bringing Increased Limits Factors (ILFs) in the 70% to 85% range, and buying higher limits became an easier decision this year. As a frame of reference, many of the ILFs we saw a year ago exceeded 100% of their primary layer pricing.
We've found retentions and deductibles to be relatively stable in the past quarter. After jarring market adjustments in 2021 and 2022 brought significantly higher retentions, our carrier partners generally feel that retentions are where they need to be. We didn't see the skyrocketing adjustments to retentions that we witnessed this time last year, when it was common to see retentions quadruple. If anything, we've seen rate adjustments for buying retentions back down in some cases — again, depending on industry sector, size of risk and loss experience.
Pricing has stabilized across the board, and as with retentions, we've not witnessed the significant increases we saw during the last renewal cycle. Renewal rates are generally flat to slightly higher in the small-to-midsized enterprise (SME) sector — sub-$100M revenue organizations — with some even seeing rate reductions. New business has seen significant competition for acquisition of market share, particularly among some newer market entrants whose investors are unaccustomed to growth rates below the 50% they witnessed in the previous two years.
This trend toward stabilization has led to what we view as irresponsible underwriting activity that wouldn't have been contemplated when the ransomware epidemic was red-hot, daily, front-page news from 2019 through 2022. A dichotomy is in play, however. Some markets, in their efforts to regain market share (or achieve it in the first place), are offering unsolicited quotes on Cyber policies alongside a Crime insurance renewal, for example. Many times the coverage has been significantly restricted, or sublimits on critical insuring agreements like cyber extortion or incident response have been reduced.
Tim Foody, RPS Executive Lines area senior vice president, notes, "Many markets are getting more aggressive and quoting accounts they would have declined six months ago, but they're adding exclusions and sublimits that significantly impact the coverage. There's nothing wrong with a healthy dose of skepticism toward what appears to be appetite expansion."
Confirming the erratic nature of carrier approaches is Zach Kramer, area vice president of RPS Executive Lines: "Right now, I am seeing inconsistencies in underwriting not only between carriers, but also within the same underwriting teams at the same carriers. This ranges from pricing to what controls are required."
As with anything in our industry, the fine print is very important. Because each market often refers to these coverage nuances with different terminology, it's important to partner with an expert that works in Cyber insurance every day.
From a coverage perspective, rapid innovation hasn't been a trademark of the Cyber insurance landscape since 2019. As we've opined in previous reports, there was a breakneck race for nuanced coverage expansion and buzzword add-ons in the early jostle for market share that we're not seeing now. In fact, the opposite has been in play, as carriers look to limit their exposures to third-party vendor loss, systemic risk, war and terrorism, biometric, pixel and website data collection liability exposures and increased regulatory intervention.
Future expansion of coverage grants will likely be implemented with precision and limited to particular industry sectors, where coverage innovation is less likely to run afoul of profitability. As a result, as is frequently the case with amendatory endorsements, there's often more sizzle than steak. Still, we see room for growth, and the RPS Cyber practice remains on the front line of coverage innovation discussions with our carrier partners, as we've been since the beginning of Cyber insurance coverage.
The regulatory front remains interesting, to say the least. Nevada has recently introduced a new law, effective October 1, 2023, that prohibits defense inside the limits in Liability insurance policies.[3] Many believe that while the political nature of such a move benefits consumers, the unintended consequence will likely be insurers exiting the market. We've talked with many Cyber insurers about this topic, and none indicated a willingness to leave their exposure open to unlimited defense of liability claims, particularly in an increasingly litigious environment around privacy matters. It'll be interesting to see if lawmakers reverse course here, and if not, what the resulting fallout will be for buyers of Cyber insurance policies (in addition to Errors and Omissions, Directors and Officers, etc.) in Nevada. We suspect some markets may pivot to an indemnity and first-party Cyber option only — excluding coverage for defense — but the result remains to be seen.
In May, the Biden Administration announced that it's considering a ban on ransom payments as part of the International Counter Ransomware Initiative.[4] This ban would represent a shift in policy from previous White House statements. The nuances of this possibility are complex, fraught with complications and potentially unintended consequences, and far from being settled.
Under discussion are topics such as the conditions under which a waiver could be obtained allowing, for instance, organizations to pay a ransom if the threat actor is preventing access to essential services. The State of North Carolina implemented a ban on ransom payments for public sector entities in April 2022. Initial indications are that this strategy hasn't worked, as the number of publicly reported ransomware attacks among public sector organizations hasn't decreased since the ban went into effect.
In our 2023 Q2 Cyber Market Update, we discussed potential increases in ransomware activity on the horizon, as many carrier partners were seeing a return in frequency and severity on the heels of a respite in activity of this nature in 2022 and Q1 2023. Increased activity is indeed proving to be the case, particularly in the middle market and larger insured demographics.
Our colleagues at renowned data privacy law firm Mullen Coughlin shared that "in 2023, through the same timeframe of January to May, there has been an increase of approximately 29% in ransomware incidents." Aligning with our predictions, Mullen Coughlin expects this upward trajectory to continue throughout the remainder of this year.
In data specific to RPS policyholders in the SME sector, June brought a 25% increase in overall reported cyber claims. Fraudulent payments and system compromise incidents led the way at 30% each. For these smaller organizations, ransomware events didn't show an uptick in June, bucking the overall trend we're seeing and hearing among their larger counterparts. The MOVEit attacks were generally experienced by larger organizations and had far less impact in the SME space, which explains why the needle didn't move up in reported ransomware incidents for this demographic.
On a year-to-date basis, fraudulent payments continue to outpace other matter types by a significant margin. While the severity is far lower than ransomware, the frequency is far greater. This frequency is creating a death-by-a-thousand-cuts effect on many Cyber insurers, leading more to adjust conditions-precedent wording, and require higher retentions and higher sublimits to mitigate the effect on profitability.
In much the same way that insurers have increasingly invested in risk management resources to help prevent data breaches and ransomware attacks, we expect to see advancements in strategies to help organizations validate changes in payment instructions in the future.
From an industry sector perspective, RPS small business insureds in the Non-Profit, Construction and Manufacturing sectors lead the way in reported matters through the end of June 2023.
Information shared by Mullen Coughlin shows that their top reported industry sectors year to date are Professional Services, Manufacturing and Distribution, Healthcare and Life Sciences, and Financial Services. Business email compromise incidents are on an all-time record pace, tracking similarly with RPS claims data (fraudulent payment).
With all of the dialogue surrounding carrier response to misrepresentation in applications and the resulting impact on claims decisions, we have a story to file in the "I thought I'd never see that happen" category. Says Foody, "We had a claim that was covered, but subject to a sublimit due to controls the insured noted on the application. During the claim, it was discovered that the insured did indeed have the required control and accidentally answered the application question inaccurately. Through the RPS relationship with the insurer, we were able to have them remove the sublimit and apply the full limit to that claim. This made a massive difference in the insured's out-of-pocket costs."
We're observing with great interest the varying approaches to a maturing Cyber insurance market that different carriers are taking. And make no mistake, the differences are significant.
As mentioned, rate reductions, coupled with an increase in claims frequency, followed by a relaxing of certain cybersecurity control requirements, isn't a recipe for a sustainable future in this market. Thus, changes are coming.
While we don't expect the pricing shift to be as swift or severe as those experienced from 2019 through 2022, we expect to see more pronounced increases starting in Q1 2024. We're already seeing early signs of these increases in small pockets. New threats that creatively incorporate artificial intelligence (AI) will continue to put pressure on carrier margins, as the distribution of malware and the art of social engineering become more automated and widely available to those with ill intent. These new risks will also lead to innovations in prevention tactics, a race that never ends in the world of cyber risk.
Such market turbulence underscores the need to partner with experts who are adept at navigating this market and equipped with all the markets and clout to help ensure the best outcomes for your clients.
"Don't go it alone," says Foody. "This market is evolving on a week-to-week basis, and it can be hard to keep sight of everything your clients need without a partner who's in the space all day, every day. While price is important, it's not nearly the most important consideration when comparing options."
Kramer agrees. "Bring in an expert, as most carriers are trying to limit coverage with new endorsements, and underwriters may attempt to minimize the impact these endorsements have on quotes, indicating they're not as bad as they seem," he says.
Your Cyber insurance product experts at RPS are ready to help you come through for your clients in new and creative ways, giving you the confidence to focus on what you do best.
[1] "Percent Change from Prior Year, Net Premiums Written, P/C Insurance, 1998-2022," Insurance Information Institute, accessed 21 Jul 2023.
[2] The Associated Press. "The Latest Victim of the MOVEit Data Breach Is the Department of Health and Human Services," AP News, 29 Jun 2023.
[3] "An Uncharted Frontier: Nevada First State to Prohibit Defense-Within-Limits Provisions," The National Law Review, 6 Jul 2023.
[4] Kapko, Mark. "White House Considers Ban on Ransom Payments, With Caveats," Cybersecurity Dive, 8 May 2023.