MARGAUX L. WEINRAUB
CPCU, ARM, CPLP, CCIC, Cyber Practice Leader
Emerging Risks in Cybersecurity
After a few challenging years in the cyber insurance market — where demand and claims soared, and organizations faced extremely strict underwriting scrutiny — we finally have some good news. Instead of the double- or triple-digit rate increases we saw in each quarter of 2022, the cyber insurance market is beginning to stabilize due to an increase of both capital and capacity.
Pricing Outlook
After witnessing substantial rate increases throughout 2022, the cyber insurance market showed signs of stabilization in 2023. The average rate increases have slowed to under 10%, and organizations with robust cybersecurity measures are seeing flat or even reduced renewal rates. This shift is largely due to an influx of insurance carriers into the cyber market, intensifying competition and enhancing coverage options for our clients without additional premium costs.
Continued Importance of Robust Cybersecurity Measures
Despite the favorable market conditions, it's crucial for organizations to maintain vigilant cybersecurity practices. The rise in ransomware attacks, business email compromise claims, and sophisticated phishing and wire transfer frauds in 2023 underscores the ongoing threat landscape.
Underwriting Scrutiny and Emerging Risks in 2024
We anticipate that underwriting scrutiny will remain stringent in 2024. Insurers are likely to conduct external vulnerability scans and require supplemental questionnaires to evaluate risks associated with geopolitical tensions, supply chain reliances and biometric collection and tracking technologies. We also have an eye on a few emerging risks in 2024:
Catastrophic Risk Exposures
We’ve seen an increase in single point of failure exposures, where one compromised product or provider can affect a full network of connected businesses or organizations. For example, in May 2023, a security flaw in the MOVEit enterprise file transfer tool was exploited, allowing bad actors to steal data from more than 2,000 organizations, including the U.S. Department of Energy, Shell, British Airways and Harvard University. More than 62 million individuals were affected, according to Wired. While traditional cyber policies include business interruption insurance, it’s hard for carriers to underwrite the dependent business interruption an organization may face if critical software or another third party experiences a security incident and passes the attack on to hundreds or thousands of other organizations.
Carriers are also introducing exclusions in cyber coverage for acts of war. The industry is grappling heavily with questions of how to account for state-backed attacks that take place in cyberspace, and there are no easy answers or even ways to confidently identify which attacks qualify outside of traditional kinetic war.
As these catastrophic risk exposures indicate, cybersecurity is moving beyond how to keep your information off of the dark web. Now, we’re actively working with clients to prepare for systemic risk exposures with tools and processes in place to facilitate an agile recovery and achieve cyber resiliency.
Privacy Liability Exposures
With new laws and regulations enacted across the United States and the globe to protect consumer privacy, some organizations are facing legal challenges related to their collection and use of digital information, including biometrics and web tracking. There isn’t enough case law to determine what this means for cyber policies or if the risk is insurable. For now, we’re considering privacy liability to be a potentially big exposure for 2024, and helping clients navigate carriers’ supplemental questionnaires about the collection and disclosure of personal information.
While the current cyber insurance market is more favorable for buyers, the ever-evolving threat landscape demands a holistic strategy for data privacy and network security that balances insurability with operability.
Proprietary Tools
You can’t buy unlimited insurance, but you can be well-positioned to protect what matters most. As we prepare for cybersecurity in 2024, we’re walking clients through the Graham Cyber Blueprint® to build an updated, comprehensive overview of their connected environment and potential vulnerabilities. From there, we can shore up defenses, develop contingency plans and practice tabletop exercises to thoroughly prepare for a potential security incident and build resiliency.
Insurance is most powerful when it’s coupled with proactive, preventative restoration efforts. Organizations must consider their environment and risk appetite to land on the right mix of risk mitigation and policy to safeguard their critical assets.
The Graham Cyber Practice is proud to support our clients through every step of this process. In 2023, we both expanded our practice team and joined the MMA family — allowing us to serve even more clients with our dedicated professionals and increased access to intelligence, technical tools, markets and carriers.