--Irresponsible competition, often driven by a desire to boost market share, is forcing prices down and softening terms and conditions for cyber policies. A softening market seems like good news for insurance buyers but inevitably leads to volatility in insurance rates and constrictions in coverage. This kind of rubber-band effect, with pricing that stretches and snaps back, destabilizes the market and removes risk transfer options for buyers and their risk advisers.
--What buyers, as well as carriers and brokers, should work toward is stability in rates and certainty on coverage, through a focus on improving cyber hygiene and increasing resilience.
The impact of supply and demand on product pricing is a well-established economic principle – when supplies are high and demand is reduced, prices tend to fall. When it comes to cyber insurance coverage, this principle also applies, but there are good reasons that it shouldn’t.
Irresponsible competition, often driven by a desire to boost market share, is forcing prices down and softening terms and conditions for cyber policies. This is classic behavior that causes global market cycles in property and casualty insurance, and it has played out repeatedly in the past three decades. But this behavior ignores a bigger problem: Cyber is not a cyclical risk.
Businesses and the insurance industry find themselves at a turning point in the evolution of cyber risk management. What happens next will depend on how clearly underwriters, brokers and insurance buyers around the world see the risk that cyber events pose, and how committed they are to building resilience against this threat, thus ensuring a stable supply of coverage for the long term.
Why this turning point matters now
A softening market, in which prices fall and coverage terms relax, seems like good news for insurance buyers. This kind of market is especially welcomed by organizations that have experienced a market correction, which occurred in cyber insurance in 2020 and 2021 as ransomware attacks surged and loss ratios soared. Rate relief and easy capacity after a few years of steep increases can seem like a gift to buyers.
Unfortunately, the joy of short-term gain is almost always followed by longer-term pain. A soft market ultimately hurts policyholders because it inevitably leads to volatility in insurance rates and constrictions in coverage. This kind of rubber-band effect, with pricing that stretches and snaps back, destabilizes the market and removes risk transfer options for buyers and their risk advisers. It also isn’t limited to only one geography; this cyclical activity occurs in the U.S., Canada, the United Kingdom and across Europe.
Insurance pricing is intended to reflect the risks insurers assume in offering coverage. When risk is accurately priced, buyers gain valuable protection and insurers can achieve profit, which helps to keep the marketplace stable. It’s difficult for risk managers and cybersecurity professionals to explain to their executive teams why insurance costs and availability go up and down, and even more challenging to budget for that volatility.
In a world of cyber risk, stability and certainty are better for everyone. But irresponsible pricing and a lack of underwriting discipline undermine stability. Cyber risk remains intense, as the NetDiligence Cyber Claims Study 2022 and Resilience’s own 2022 Claims Report demonstrate. Since 2018, NetDiligence has found that the average recovery expense following a ransomware or malware attack has steadily increased for both small and medium-size enterprises (SMEs) as well as large companies.
An analysis of claims received by Resilience shows three major trends carrying forward from 2022 into 2023: the resurgence of ransomware; inadequate attention to common critical points of failure that lead to loss, such as phishing; and an increased focus on financial transfer fraud and third-party vendors instead of extortion-based cybercrime. In fact, Resilience saw a 300% increase in ransomware claims from the last two quarters of 2022 to the first quarter of 2023.
If cyber risk is not declining, why should underwriters weaken their pricing, terms and conditions? The risk landscape in cyber suggests they should be doing the opposite.
What the industry should do next
When the insurance underwriters, brokers and the customers they serve arrive at an inflection point, they face a choice. They can decide to think and act strategically or opt for short-term results that probably won’t last. What the industry should do next, therefore, is take the following steps:
- Reassess cyber risks and exposures. Some organizations have greatly improved their cybersecurity and thus enhanced their risk profile, so they might well merit a reduction in rates or access to greater coverage limits.
- Maintain responsible pricing, terms and conditions that align with the customer’s risk. This approach puts the client’s interest ahead of short-term gains, which can lead to strong, long-term business relationships.
- Focus on building cyber resilience. Effective cyber resilience requires quantifying an organization’s cyber risk and then implementing a combination of good cyber hygiene, protection and insurance that aligns to the risk. Connecting organizational silos in finance and security is foundational to building effective long-term resilience to cyber threats.
- Change the mindset about cyber exposure. The cyber insurance marketplace has the tools, talent and data to shift its mindset from “price and pay” incident claims to “predict and prevent” cyber events. Resilience’s 2022 Claims Report found that despite reports of new threat actors and vulnerabilities, practicing cybersecurity fundamentals with cyber resilience as an investment strategy leads to significantly better outcomes for organizations and their insurers.
The current inflection point in cyber doesn’t have to destabilize the risk transfer market. Instead, it can be a turning point for greater partnerships – especially cooperation and collaboration between government and private-sector entities. It can be an opportunity to improve customer engagement and value and ease capacity restraints that deprive organizations of adequate coverage.
Most of all, this turning point can lead to a deeper commitment to cyber resilience.