Advisen

The pandemic brought buyers in, and the cyber insurance market is ready to prove its value

By Erin Ayers, Advisen

With interest in cyber insurance rising during the pandemic, insurance professionals say there’s plenty of room for market growth and competitive pricing even as underwriting standards become tougher and more targeted.

With many businesses shifting to work-from-home structures, increased cyber insurance adoption, particularly among smaller businesses, seems a real possibility for the industry.

“Cyber risk is now being viewed as an operational risk,” Robert Parisi, managing director, Marsh FINPRO, told Advisen. “Once you get on that operational risk radar, it’s not discretionary anymore.”

The pandemic may have brought the need for cyber coverage into focus for many organizations, but many new buyers of cyber insurance also recognize the risks have always been there.

“We probably had more submissions and new-business binds in March than any other month. In April, we exceeded that,” said Brian Thornton, CEO of ProWriters, an MGU that also offers cyber rate comparisons via its Cyber IQ tool. New buyers coming in outweighed businesses that had shut down and had no current need for cyber coverage, he said.

There’s been no shortage of dire warnings on cyber threats and actual cyberattacks that have taken advantage of the disruption of the pandemic. Businesses are paying attention, and looking for solutions, said experts.

New to the market buyers include business-to-business firms, the industrial sector, and manufacturers, according to Robert Rosenzweig, national cyber risk practice leader for Risk Strategies. Media reports of ransomware and other threats have opened eyes to the risk.

“There’s some level of awareness now that everybody’s exposed,” he said. “They read the stories. They understand there’s more phishing attacks.”

Rosenzweig said he also sees enhanced worries about claims arising out of data relating in any way to COVID-19.

"Cybercriminals are taking advantage of the disruption and the current crisis has triggered a jump in email attacks, phishing, and other scams. Getting explicit insurance protection for such incidents is becoming more important than ever especially for small and mid-size businesses that are less prepared. Businesses are obviously reviewing their insurance policy for business interruption. This is the perfect time to also reevaluate existing or new cyber coverage for the inclusion of the new work-from-home normal,” said Isabelle Dumont, vice president of market engagement for Cowbell Cyber, which just launched a standalone admitted cyber program specifically for small businesses in California. “In parallel, many insurance agencies have told us that they are now providing standalone cyber quotes to every new account or renewal. Cyber is clearly becoming a new imperative."

Silent no more

Conditions have aligned to make cyber insurance more of a prerogative for buyers as Lloyd’s of London silent cyber initiative swept through the industry. As insurers either affirm or exclude coverage for cyber-related losses under traditional lines, organizations must find alternatives.

Cyber insurance “got a push from an entirely different area,” said Parisi. “If you’re suddenly being told you’ve got no coverage for the risks that you’ve just realized are your biggest risks … These are challenging times, there’s no two ways about it.”

However, the strength of the cyber insurance market is its flexibility, Parisi added. The silent cyber initiative has driven the cyber market to meet needs it might not have considered five years ago and it has responded, he said.

“We are seeing the cyber insurance market explore how far it can go to bridge that gap,” Parisi said. Marsh is seeing expansion in the market outside North America and among non-privacy-focused buyers. Uptake is still higher in data-driven industries, but there has been “tremendous” movement among other sectors manufacturers, shipping companies, the marine sector, and small to mid-size businesses in all sectors seek covers they might previously have had under other policies.

“They’re looking at the coverage in a slightly different way and buying more robust coverage,” he said.

Ready market

As most of the property-casualty market hardens significantly, cyber has been more moderate. Marsh’ Parisi said prices rose by an average 5% in the first quarter of 2020 across Marsh’s book of business.

“I don’t know that I’d call that hardening. I think it’s a recognition that the market has changed,” he said. Marsh also hasn’t seen any “reluctance” to offer coverage or broaden coverage.

“Underwriters may ask a few more questions,” he said, but the appetite is still there.

Some carriers are seeking more information on security practices, according to ProWriters’ Thornton. Whether an applicant enables multi-factor authentication or uses secure email gateways can make a difference in price or sublimits, as well as allow insurers to proactively offer assistance in implementing controls.

“We still see a fairly aggressive competitive market. There’s not much I would say that’s tough to place,” said Thornton. Payment processors and law firms might get “a tougher look,” but the market has a fairly broad appetite, especially in the SME space, he added.

Rosenzweig noted that some insurers have asked specific questions of applicants about remote work and bring-your-own-device arrangements and cybersecurity investments.

“Underwriters want to know -- and rightfully so, with so many companies under financial stress – want to ensure that the same level of IT security investment is going to continue,” he said.

Buyers have also worried about cyber insurance applications being a “long, drawn out invasive process.” Underwriting has become more streamlined in recent years, with insurers understanding the right questions to ask about security.

“We need to strive to find the right balance,” said Rosenzweig.

Underwriters’ increased diligence comes in response not only to the pandemic, but also higher claims activity – particularly ransomware.

“Carriers are definitively asking more questions around remote workers for company business, and Insureds will need to demonstrate how remote access is properly secured and that operating systems are updated with the most current security patches,” said Joe DePaul, head of FINEX Cyber/E&O for Willis Towers Watson, in an email to Advisen. “The increase in ransomware has been impactful from a carrier loss perspective, which has forced carriers to ask additional questions with regard to with email security, internal security, back-up and recovery policies, and ransomware prevention measures.”

Price is important to buyers, he explained, but coverage is the primary concern, especially in a challenging environment.

“A client experiencing an incident wants assurance that the coverage they have in place will respond immediately and appropriately to the event,” said DePaul.

On the underwriting side, Coalition’s Joshua Motta told Advisen, “I think it’s value, not price, that is becoming more an issue in cyber insurance discussions. Businesses don’t want to wait until something bad happens to see value from their insurance spend. They want broader solutions that help prevent incidents from happening in the first place, along with support when cyber incidents do arise.”

Room for work

Even as organizations as organizations recognize the need for cyber coverage, there remain some barriers to entry, including misconceptions about the application process and what type of events are covered. The flood of interest has prompted the need for some extra “hand-holding” when guiding buyers through the process of both analyzing their own risk and the coverage available to meet it.

“There isn’t that level of cyber insurance maturity as you’d see in finance services or healthcare,” said Rosenzweig. “Oftentimes, there’s some level of acknowledgement that it’s not a new risk, but one they’re now forced to address.”

Oddly, the pandemic may be the perfect time for agents and brokers who don’t specialize in cyber to update their knowledge of the market offerings.

“We’ve definitely seen demand for educational content from brokers,” said Thornton. “They say, ‘I know I needed to get up to speed on this.’”

Providing as much knowledge as possible for brokers, many of whom don’t feel confident to sell a rapidly changing product for an ever-evolving risk, will enhance the take-up rate, he said. Brokers know they need to offer it, but the process of educating clients can be a time-consuming process.

On the client side, increasing awareness requires the industry to “get more creative,” said Rosenzweig. Webinars, outreach, and product development education can help get the message out at a time when many businesses may be in the right space to hear it.

“As everybody has a little more time to breathe, businesses have time to think strategically and address some things they may not have had time or bandwidth for before,” said Rosenzweig. Tackling some misconceptions about how insurance will respond and whether a business is insurable is a priority.

“The fear that legitimate cyber incidents are going to be excluded has surprisingly acted as a barrier to a lot of potential insurance buyers,” he said. New stories about denied claims on non-cyber policies have encouraged the belief among some executives that “there’s going to be some ‘gotcha’ exclusion.”

Some of the change may involve the industry telling their story better. Coalition’s Motta said, “The challenge is that as an industry we’re terrible at communicating what insurance does, how it does it, and how it can add value for people and businesses. Insurance has no real value to a policyholder until they suffer a loss, and that is a paradigm that needs to change.”

According to WTW’s DePaul, offering real-life examples of where coverage has responded can demonstrate the value of cyber insurance.

“Our clients want to know the program they purchased will respond to an event.  The severity and frequency of ransomware is increasingly concerning with our clients,” he said, citing Willis’ proprietary data showing that the average cyber insurance event costs about $5 million, with healthcare, financial institutions, technology, and education experiencing 62% of all claims. Offering clients this kind of information provides “a foundation when communicating the overall benefits of investing in a cyber insurance policy vs. the significant financial impact of not investing in cyber insurance.”

According to Rosenzweig, whether an insurer is there for them at the time of a claim can be a powerful differentiator in making the investment in cyber coverage. It reflects a new level of scrutiny from buyers.

“Clients want that peace of mind that the investment in premium dollars is going to result in a positive outcome with a carrier that really is going to be a partner to them,” he said.

Editor Erin Ayers can be reached at eayers@advisen.com.