Cyber Insurance Market Update Q3/H1 2022

October 28, 2022

An overview of the key developments in the GB cyber insurance market.
Financial, Executive and Professional Risks (FINEX)

Executive summary

This update is a general overview of the key developments in the GB cyber insurance market, analysing the current conditions for both international and domestic companies using the London insurance market to transfer risk.

During Q3 the GB cyber insurance market saw a continuation of the positive trends that emerged in Q2, with an ongoing transition to more stable market conditions, in contrast to the harder market conditions we saw earlier in the year.

In particular:

  • Q3 2022 has seen improved buying conditions, particularly for enterprise-scale (£1 billion plus revenue) companies
  • Insurance capacity is stabilising for most market segments with increased insurer competition

There is ongoing insurer focus on:

  • premium adequacy and sustainable pricing, but with fewer instances of significant increases;
  • sustainable policy retentions/excesses; and
  • policy coverage, with War & Terrorism and systemic risk in particular focus.

Provision of detailed underwriting information, especially context around cyber risk controls, remains essential.

The analysis is based on our own observations of the market and uses WTW proprietary data unless otherwise stated. Referenced claims reports are available on request.

Cyber insurance market capacity

We have seen increased insurer competition on primary and excess layers in Q3 due to a combination of:

  • existing insurers being more willing to increase their capacity and offer bigger line sizes; and
  • new entrants to the market in H1 starting to deploy their capacity.

This has enabled existing cyber insurance buyers to purchase increased policy limits, in some cases restoring limits that were reduced in 2022 due to lack of available capacity or cost constraints.

New capacity has entered the market in Q3, most notably Coalition Inc and Resilience Cyber Insurance Solutions, which launched in the UK on 1 September and 1 October respectively. Their initial focus will largely be on sub-£1 billion revenue companies, and their entrance should help drive further insurer competition for the remainder of 2022.

We estimate that total new capacity entering the market this year is $20-35 million, predominantly on an excess layer basis, and that existing insurers' line sizes have increased by 25-50% towards a more common maximum of $10 million.

Whilst companies must still show a high level of risk controls in key areas, insurers are increasingly demonstrating flexibility where clients can provide the necessary context to explain where they are perceived to have a lack of necessary controls.

Key tip: Placement strategy (particularly placement structure) and utilising increased market competition are key to achieving premium efficiencies.

Premiums and self-insured retentions

Whilst insurers continue to focus on rate adequacy (i.e. the premium commensurate with the level of risk) and sustainable pricing, companies renewing their programmes in Q3 are obtaining more positive outcomes. We are still seeing rate/premium increases but these are beginning to stabilise and in some cases we have seen single digit increases or flat renewals being achieved.

The positive changes in market conditions are largely due to insurers having improved the profile of their portfolios, an improved claims position and increased competition.

It is important to note that where a company’s risk controls are still not perceived as adequate, or where there has been claims activity, insurers' interest remains limited, with an expectation of further premium increases.

In terms of self-insured retentions, these have also stabilised. Those adopted by an increasing percentage of clients renewing in Q3 have been seen by insurers as adequate and, in some cases, insurers have been willing to provide alternative retention options/structures.

Policy coverage

Insurers remain focused on systemic risk issues and we have started to see different approaches emerging as they seek to address this.

One leading insurer is introducing a Catastrophic Cyber Event sub-limit to address issues arising from cloud service providers, operators of essential services and computer operating systems. This will take effect from 1 January 2023, and will be focused on sub $1 billion revenue companies where they feel they have the greatest aggregate exposure.

Another global insurer is using a materially lower ‘widespread’ impact sub-limit as their threshold. As such, WTW’s coverage specialists team believes this is less client-friendly than the ‘Catastrophic’ impact threshold. Sub-limits and/or coinsurance are not yet mandatory (but are offered for premium relief) for widespread events.

We are continuing to monitor War and Terrorism exclusions very closely. A market bulletin was issued by Lloyd’s of London (“Lloyd’s”) on 16 August, which outlined its minimum requirements with respect to nation state cyber-attack exclusions. Our recent client bulletin [1] explores the impact of that bulletin on standalone cyber policies.

Insurers continue to utilise ransomware coinsurance and/or sub-limits where they are not satisfied that a client’s security controls meet the insurer(s)' own minimum standards. However, we are seeing increasing flexibility from insurers, and in some cases we have been able to remove ransomware restrictions where relevant key controls have improved.

Key tip: Coverage broking (supported by specialist product teams) in respect of the nuances of a cyber placement is as important as core placement broking and can take a significant period of time to complete.

Claims and notifications

From our WTW Cyber Claims analysis report – Turning Data into Insight, we have seen cyber claim notifications reduce in volume (not impact), having increased year-on-year since 2014.

With the ever-increasing trend of ransomware incidents involving data exfiltration, increasing numbers of claims will have a ‘tail’, addressing the liability and/or regulatory exposures that manifest months or years after the initial response/business impact. An example of the data exfiltration trend can be found in the Coveware 2022 Quarterly Report [2], which notes that 86% of ransomware cases involve a threat of leaking exfiltrated data. In addition, CrowdStrike reports an 82% year-on-year increase in ransomware-related data leaks in its 2022 Global Threat Report [3].

The cost of data breach claims has reached an all-time high, as detailed in the IBM Cost of a Data Breach Report 2022 [4].

From our data we have seen that insureds are retaining significant insurable losses both within their excess and above their cyber limit of indemnity – with 90% of the average data breach loss falling within the coverage provided by cyber policies, but up to 41% of this average loss being funded by the insured above their limit of indemnity.

Key tip: Carefully consider both the self-insured retention (excess) and total limit of indemnity you desire, leveraging analytics to quantify your exposure.

A view from the boardroom

The 2022 Directors Liability Survey Report from WTW in partnership with Clyde & Co LLP [5] identified that cyber attacks and data loss continue to be the top two risks to directors. Cyber extortion was introduced as a new risk category this year and it has immediately been ranked in the top four risks across all regions, company revenue sizes and industries.

The concerns around cyber extortion are undoubtedly driven by the surge in ransomware attacks over the last 24 months, the majority of which have included the demand for an extortion payment. We have seen a 200% increase in ransomware claims notifications under cyber insurance policies since 2019, and the top two cost components following a ransomware attack are business interruption (33%) and ransomware payments (22%), with an average ransom demand of $5.5 million.

When faced with an extortion demand, one of the key considerations for D&Os is whether or not to pay the demand and in our experience this decision is not always straightforward. The board will usually need to consider several factors including:

  • If we don’t pay, will we be able to recover our systems and data? If we do pay, does this guarantee that we will recover everything?
  • Given legal and regulatory confines, are we allowed to pay extortion demands?
  • If we choose to pay an extortion demand, how can we go about that?

The risk of cyber extortion is real, and the considerations for D&Os can be complicated. This highlights the need for organisations to take a proactive approach to cyber risk identification and quantification and the options for risk transfer through insurance.

Disclaimer

WTW offers insurance-related services through its appropriately licensed and authorised companies in each country in which WTW operates. For further authorisation and regulatory details about our WTW legal entities, operating in your country, please refer to our WTW website. It is a regulatory requirement for us to consider our local licensing requirements. The information given in this publication is believed to be accurate at the date of publication shown at the top of this document. This information may have subsequently changed or have been superseded and should not be relied upon to be accurate or suitable after this date.

References

[1] Client alert: Lloyd’s requirements for state backed cyber attack exclusions

[2] Coveware July 28, 2022 Quarterly Report

[3] CrowdStrike 2022 Global Threat Report

[4] IBM Cost of a Data Breach Report 2022

[5] Directors’ Liability Survey 2022

Contacts


GB Head - National Cyber and TMT FINEX GB

Jason Warmbir
Head of FINEX Cyber & Tech
