Steve Krusko is the Chief Underwriting Officer for Berkley Cyber Risk Solutions, a wholly owned operating company of W. R. Berkley Corporation. He is responsible for setting strategies, underwriting guidelines, broker appointments and ensuring the profitability of all cyber insurance products underwritten within Berkley Cyber Risk Solutions.
The expectation for the first half of 2022 appears to be a continuation of 2021 as insurance carriers continue to adjust their portfolios to improve underwriting results and brokers look for solutions to meet their clients’ needs. This will present both challenges and opportunities as the Cyber Insurance ecosystem adjusts to a long-term view that Cyber Insurance may be a less profitable and a riskier class of business to underwrite. Changes to how this risk is measured, evaluated, and underwritten are at the beginning stages for many. Expectations include:
Continued market volatility and uncertainty as carriers re-underwrite their portfolios, amend appetites and exit undesirable classes of business. Expect this to be fluid as the carriers seek to find their “sweet spot” where frequency and severity meet expectations. As many insurance carriers’ profit margins have eroded, they are more sensitive to breaking news of a zero-day exploit such as Apache’s Log4j, above average frequency of claims in a specific industry group or decisions by policyholders to pay large extortion demands. These events will result in quick adjustments by insurance carriers as opposed to a wait and see approach. Litigation trends and the large settlement from Capital One made public last month could embolden the plaintiff bar to pursue more class action litigation or argue for larger settlement demands on cases which evidence individual PII was used in actual identity theft activities. Lastly, several carriers have announced changes or new hires for Cyber Practice leaders. This could lead to new appetites and approaches to cyber risk creating additional volatility and potentially opportunities to meet various market needs.
Available Capacity continues to be a challenge and potential threat to the overall viability of the market. Large settlements from major breach events and several eight figure extortion payments from Ransomware events forced the majority of markets to reevaluate the capacity and cut back on limits deployed per risk. Insurance carriers are likely to maintain this approach in the near term until they work through a full cycle of their portfolios and see a material decrease in full tower limit loss scenarios. The tightening of terms from the reinsurance market is also driving the momentum for reduced limits per insured. While new markets have filled some of the missing capacity, individual lines greater than 10M will be difficult to secure. This will continue to be a challenge for companies with revenues in excess of 5B with large limit programs. Filling first and second excess layers that are now considered high risk for many carriers will lead to imbalance in supply and demand creating excess factors at or over 100%. Once carriers see measurable reduction in claims frequency the capacity may begin to increase but it may be some time before larger limits per insured are deployed. Several developments in law enforcement’s efforts to apprehend and break up the Ransomware groups are seen as positive, but a consistent reduction in Ransomware attacks would be needed before carriers feel comfortable putting up large limits for these events. It is too early to expect market relief from these efforts. While the headline grabbing Ransomware events such as Colonial Pipeline appear to be less likely, the threat actors are going after smaller targets with greater frequency. Challenges include many insureds deciding that pricing is too high or increasing too much and reducing overall program limits.
Others view cyber insurance as critical risk transfer and have restructured their programs to take a larger SIR, use their captive to assume certain risk or drop coverages not integral to their risk transfer. Insurance buyers should expect to take on a larger portion of the financial loss, which could lead to improved risk management and investment in security solutions that have a positive impact on frequency.
Risk Selection will continue to be a top priority. Carriers will continue to scrutinize applications, require specialty applications or their own applications that have implemented risk scoring metrics to enable carriers to properly select only those risks they deem appropriate to insure based on their model. Expect this also to be a moving target. Requirements for implementation of EDR (endpoint detection and response) have moved toward MDR (managed detection and response) as a minimum control standard. Insureds who have made material investments over the last 12-18 months will begin to see a greater delta in the terms available vs an insured who has made little to no investment. However, in the near term, all policyholders are going to bear the rate increases to support the increases in loss ratios and perceived changes in the threat environment. More carriers are seeking other sources of underwriting information to assist in risk selection. External Security Ratings companies, predominantly used by large companies to evaluate and monitor their vendors, are being more widely used by cyber carriers to assess and monitor policyholders’ network hygiene. Carriers will seek clarification from policyholders regarding findings on these reports, ask insureds to participate in the assessment process and send automated alerts to the policyholders when an at-risk finding is identified. As a company’s risk posture changes throughout the policy terms, these tools can be a valuable information source for both the carrier and policyholder in mitigating the risk of an event becoming material. Insider threats will be an emerging risk to watch out for. Expect carriers to be seeking information on how sensitive employees, such as those in IT Security, are screened and reviewed. Evidence has been identified that Ransomware groups are actively targeting these individuals for assistance in orchestrating a Ransomware attack on the companies they work for.
Losses from 3rd parties continue to add to frequency and severity for carriers. A policyholder’s vendor management controls will be more closely evaluated, including evaluating vendor contracts for indemnification clauses to ensure rights of recovery from the responsible party are available. Expect carriers to pursue subrogation more frequently and request support from their policyholders in this effort. Recovering these claim costs from responsible parties will help improve loss ratios, recover the policyholder’s retention and could assist in stabilizing the rate environment.
Rate increases will continue to be applied by carriers in all industry classes and organizational sizes, particularly in the primary where these increases have lagged on a percentage basis from the excess. Lack of viable primary market capacity will be a continued challenge for agents and brokers and a tailwind on maintaining the rate environment. Supply and demand aside, there is clear evidence that frequency of events continues to increase, due to better reporting of actual events, as well as increase in loss costs and severity. First party expenses, which can account for as much as 70% of the overall loss, are often incurred within a few months of the event resulting in faster development of loss ratios requiring immediate underwriting actions. Other loss costs, such as data mining, forensics and legal defense are all contributing to these increases although there is clear evidence that Ransomware extortion payments could continue to be the largest single claim cost category. Single extortion demands had morphed into double, triple and even quadruple demand attempts which should give credence to the concept of never paying for any extortion demand. While an unpopular concept, removing coverage for reimbursement of extortion payments would make a material change in loss costs and potentially disrupt threat actors’ favorable revenue, which has incentivized the rise in criminal gangs, threat techniques and attacks attempted. Lastly, funds transfer fraud, which some argue is a crime peril, remains a coverage within most Cyber policies with no material decrease in claims activity, particularly in the small business segment. The human versus technology problem has been a challenge to solve through underwriting and risk selection. As carriers continue to pay these losses, pricing for this coverage may become more restrictive and potentially more expensive.
Efforts by insurance carriers to address Systemic Risk will take another step forward in 2022. Understandably a complex problem to identify and measure, Cyber Insurance carriers can no longer afford a wait and see approach. Reinsurers’ terms are shifting some of that risk back to the direct carriers who in turn need to manage risk aggregation prudently. Additionally, events such as SolarWinds, Accellion, Microsoft, Kaseya, Kronos and Apache Log4j provide recent and relevant examples of the effect a large-scale event could have on frequency and severity of losses. Although these events have not materialized into the “Cyber Hurricane” everyone feared, there has been an incremental effect to a carrier’s loss and expense ratios in the aggregate, potentially adding 1-5 percentage points to a loss ratio, and a material large scale event could generate 50 percentage points or more depending on how this is modeled. Most carriers have already taken steps to address systemic risk in different ways such as adding exclusions for a universal event, state sponsored events or managing capacity by certain industries, and more adoption by other carriers should be expected. These restrictions are unpopular as many will cite this as the “unknown” that policyholders seek to insure, but without alternative mechanisms for carriers to transfer a portion of this risk, it’s not sustainable for them to bear the risk on their balance sheets. Ultimately, a governmental backstop such as TRIA provided for terrorism exposure may be needed or other forms of public/private partnership.
Many of these expectations are not new concepts and are generally shared by the marketplace. In the world of cyber we can expect to always see new approaches, or what was old become new, in an ever-changing environment. Staying focused and abreast of all developments will allow carriers, brokers and policyholders to make the best decisions to maintain a viable marketplace for Cyber insurance.
This article is informational only and should not be construed as or relied upon as professional advice.