The cyber insurance market is beginning to stabilize following several years of steep rate increases, according to Risk Strategies’ State of the Market 2022 Update.
The insurance brokerage predicts that rate increases could decelerate to the 10-25% range in 2023 “under the right conditions.” This follows average rate increases of 50% during the first two quarters of 2022, before a deceleration to 30-40% in Q3.
The biggest factor in this stabilization is a slowing in the pace of cyber-attacks throughout the year, according to the report. Speaking to Infosecurity, Rob Rosenzweig, national cyber liability practice leader, Risk Strategies, said this reduction has been driven by improved cyber awareness and maturity across industries, which in turn has been facilitated by more stringent demands for cybersecurity controls from insurers.
“Over the last 18 months we have seen significant improvement in cyber maturity across all industries and segments of the market,” he outlined. “Much of this has been driven by the corrective action in the cyber insurance market and more stringent underwriting controls but also due to greater awareness on cybersecurity issues at the board level. We have seen less frequency in cyber incidents, and insurer profitability has improved partially due to the better behavior across the market.”
The Risk Strategies report added that excess rates are starting to come down due to new capacity entering the market, “which is usually a precursor to further softening of primary layers.”
Nevertheless, the study noted that insurers are still being “conservative and restrictive on coverage” due to fears of a single “systemic event” with widespread consequences. Such events include incidents affecting managed service providers and cloud services firms, which can impact many different organizations.
“The insurance marketplace is most concerned by the threat of a systemic event where a single attack takes out a widely utilized cloud service provider,” said Rosenzweig.
Encouragingly though, “we believe that we will start to see some more consistency in how insurers are willing to address this cyber doomsday scenario,” he stated.
Rosenzweig also highlighted some improving trends regarding ransomware coverage, although this is more limited than for other types of cyber incidents. “Over the last two years, we have seen insurers focus on risk selection by being more discerning in their underwriting process while also pushing rate to ensure profitability and long-term stability in the market. In certain cases where a client does not have the proper controls, they may be able to secure insurance but with certain limitations on the availability of coverage for ransomware claims,” he explained.
“We are not seeing insurers step back from providing coverage for ransomware entirely. In fact, we have seen some improvement on the outcomes of ransomware claims as our clients have implemented a more resilient backup strategy.”
There has been significant debate about the impact of cyber insurance coverage for ransomware attacks, including extortion payments, with research in 2021 finding that 70% of cybersecurity professionals believe that the issue of ransomware is being exacerbated by cyber-insurance payouts to victim organizations.
In August, experts warned that a “perfect storm” of surging threats, economic headwinds and evolving regulations will see many organizations miss out on cyber-insurance in 2023.