Rates in the cyber insurance market are continuing to rise as ransomware becomes increasingly prevalent.

At the same time, the risk is coming under far greater scrutiny, with underwriters tightening their terms, conditions and capacity, both in the primary insurance and reinsurance markets.

But for those policyholders who work with their insurers to gain a better understanding of their exposure, there are opportunities to find the right coverage at an appropriate price.

"Everything right now is pointing towards an increased level of scrutiny," said Paul Needle, Senior Vice President, Cyber Treaty Reinsurance Underwriter at Munich Reinsurance America, Inc. (“Munich Re US”). "There is a decrease in the quote to submit ratios and declining retention ratios. On the primary side, there's a greater utilization of risk control for larger accounts, with underwriters requesting meetings with the insured’s chief security officer, chief information officer, or chief technology officer."

During the latest round of renewals, there was an increase, not only in underwriting analysis, but also the number of stakeholders involved in the underwriting process. Primary markets now require insureds to have the requisite policies, procedures and controls in place to even consider underwriting the submission.

At the same time, authority in the field is being restricted and referrals require prescribed documentation. This leads to additional internal and external correspondence as matching internal documentation requirements with a wide variety of applications and dynamic technology products isn't always easy or clear. Additional steps in the underwriting or referral process increases the time to provide a new or renewal quote, both on the primary and reinsurance side. With a greater workload from increased submissions as well as a prolonged quoting process, underwriters naturally pursue best in class accounts that fit their said strategy, resulting in a more selective approach by the marketplace.

There is also a push from underwriters for insureds to provide better data. New sophisticated applications and ransomware supplements are providing additional detail on cyber maturity levels. By using smart applications, underwriters can obtain and aggregate data on a far larger scale. Aggregated application material, when compared with claims data, will serve as leading indicators for carriers when underwriting action might be necessary. Outside in scans contribute to and supplement the underwriting process.

Similarly, there is also an increased emphasis on documentation of controls. Underwriters won't release terms unless they have the information they need from the insured. Underwriters are requesting details about all previous cyber events, including cause of loss and remedial action taken by the insured.

Reinsurance underwriters are also demanding more granularity in data and claims, separating out ransomware from other risks, to track development of these losses over time. They also want to know how cyber insurance carriers are using third party vendors. Specifically, how the reports are interpreted and incorporated into underwriting guidelines.

"Cyber insurance carriers can also help by tracking their data in terms of sub-limits, specifically where contingent business interruption is concerned," said Needle. "Many carriers are endorsing that business, so it's not easy to aggregate the data. More work needs to be done there too."

Increases in rates are still relatively large quarter-over-quarter and year-over-year. Minimum rate per million and increased limit factors are translating into larger rate increases for the bigger accounts, which are likely also buying excess coverage.

Capacity is also being restricted on the primary side, as are budgets on the reinsurance side, with average limit deployment and line participation decreasing across the board. Concurrently, new buyers are entering the market, pushing up demand, and therefore prices.

"It's a basic economics and elasticity of demand equation," said Needle. "Also, cedants continue to realize significant rate increases, mainly driven by ransomware claims and uncertainty over future systemic events."

With current market conditions in mind, policyholders and their brokers are starting the renewals process much earlier than in previous years. This, in turn, is contributing to granularity of data as underwriters have more time to obtain the information required. Having time to develop an underwriting file with the information required contributes greatly to the stability of the marketplace.

Underwriters will benefit from a risk-based approach in conducting their analysis. A risk assessment based off controls will help uncover the most effective means in defending an attack. Certainly no one control will do everything but taking a risk-based approach will guide the underwriter's analysis and contribute to underwriting consistency. Implementing risk-based underwriting will develop critical thinking as underwriters prioritize control criticality and interdependency.

What would really benefit the cyber insurance industry is releasing the digital forensic and incident response reports if a breach occurs. Right now, the report is protected by client attorney privilege. The report would enable underwriters to look at tactics, techniques, and procedures deployed by an adversary and better understand losses. With this information underwriters can guide insureds and help implement controls with the greatest impact and probability of reducing risk, contributing to a more stable line of business.

One of the biggest challenges for cyber, however, is that cyber risk is continually changing. With a dynamic risk and no true prior systemic events, probabilistic modeling of a systemic event is less informative. By integrating a real-time threat feed into the current models and developing a mature risk assessment probabilistic modeling could give a much clearer picture of the systemic risk it poses.

"Systemic risk is a huge issue and something that needs to be addressed, both in terms of pricing and policy wording," said Needle.

"It has not been consistently factored into pricing and some exposures have not been excluded from policies, yet as a risk it has only increased in the past five years, given the rise of the internet of things, the cloud and interconnectivity – and it can only be fully understood and solved by a concerted effort across multiple industries, disciplines and participants." 

The regulation of data and privacy has evolved since the initial attempts at regulation in the 1970s and the drafting of the first cyber liability policies in the 1990s. Currently, more than 130 countries have data and privacy protection legislation, including, most significantly, the European Union's General Data Protection Regulation, which became effective in 2018.

In the U.S., regulations are enacted on a state-by-state basis (such as the Illinois Biometric Information Privacy Act and the California Consumer Privacy Act); through different industry regulators (such as the New York State Department of Financial Services Cybersecurity Regulations and the newly-proposed Securities and Exchange Commission cybersecurity rules) and with respect to specific types of data (such as the Fair Credit Reporting Act and the Children's Online Privacy Protection Act.

"There are so many different considerations in light of all the new regulations and revisions," said Amy Pines, Senior Cyber Underwriter, Munich Re US. "Both in the U.S. and globally, there's undoubtedly a heightened risk of cyber claim activity for any commercial insured due to non-compliance with applicable regulations."

"Since 2019, we’ve been focused on the frequency and severity of ransomware attacks and the result in claims, but with all the attention that's devoted to that threat vector, it's important not to lose sight of the causes of other claims that can have a similar effect on the industry," counseled Pines.

"Insureds should have a clear understanding of what data they collect, where it comes from, to whom it belongs, and what permissions were sought/obtained in the collection process," Pines continued. "They also need to understand where and how it is stored, processed, sold and destroyed. Data mapping is essential, but knowing and understanding the data is just the start of the process. After, insureds must evaluate which specific regulations and laws apply to them – and with multi-state or national corporations, it is likely not just a single regulation or law."

Once an insured makes a determination of which apply, it must ensure compliance with each – and not all requirements are the same. Insureds must also maintain awareness of the enforcement of various regulations and laws to maintain an understanding of how such regulations and laws evolve in light of enforcement.

"Ongoing vigilance is a Herculean task, but it’s also an absolute necessity," said Pines.

At Munich Re US, we provide insurers with a host of cyber risk services including: cybersecurity expertise, reinsurance capacity, cyber underwriting and claims training, actuarial support, accumulation consultation, and risk management portal and post-breach third party vendors.

We partner with our clients to educate them about market conditions, cyber perils and appropriate insurance and reinsurance solutions.

By adding cyber resilience across the entire value chain through our pre and post-incident products and services, Munich Re US facilitates the mitigation of risk and preparedness, timely and effective responses in the event of a cyber event, and an added layer of security with insurance and reinsurance coverage.

The material presented here reflects projections based on assumptions and forecasts, and is intended for information purposes only. It is not intended to be legal, underwriting, financial or any other type of professional advice and the recipient should consult with its own counsel or other advisors to verify the accuracy and completeness of any information used and to determine its applicability to the recipient’s particular circumstances. No representation or warranty of any kind, whether express or implied, is provided with respect to the accuracy, completeness, or applicability of this material to any recipient’s circumstances. Any descriptions of coverage contained here are meant to be general in nature and do not include nor are intended to include all of the actual terms, benefits and limitations found in an insurance policy. The (re)insurance policy and not any descriptions or representations made here will form the contract between the insured and (re)insurance company, and governs in all cases. Munich Reinsurance America, Inc. and its affiliates disclaim any and all liability whatsoever resulting from reliance upon this material.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Munich Re. The editorial staff of Risk & Insurance had no role in its preparation.