The Federation of European Risk Management Associations (Ferma) has voiced concerns that the cyber insurance market is evolving in isolation from the industries it serves. The body has warned that cyber insurance could become an “unviable product” for companies, as buying such policies has become harder due to exemption clauses introduced recently by Lloyd’s of London.
But some insurers argue the cyber insurance market is stabilising and companies have an improving chance of buying a reasonable policy. Buyers must have good defences in place to purchase cyber insurance, however, if they want to receive a payout.
Cyber insurance may be an ‘unviable product’
Ferma, which represents 22 risk management associations in 21 countries, says the cyber insurance market may be inexorably affected by controversial war exemption clauses introduced in March by Lloyd’s of London.
The clauses recommend that standalone cybersecurity policies exclude coverage of attacks carried out by state-sponsored criminals. Some confusion has arisen over how a state-sponsored attack is defined. As many attacks are anonymous, some have feared that any cyberattack could be outside of insurance coverage under the war exemption clause.
The approach needs to be more balanced in order to meet the needs of the industry’s customers, Ferma argues. “Without a more collaborative approach to cyber, balancing the risk appetite of the insurance market with the coverage requirements of the corporate buyers, there is a risk that cyber insurance becomes an unviable product for many organisations,” the organisation told the FT.
The clauses “highlight growing concerns about the overall value and sustainability of the cyber insurance product from the corporate perspective”, especially for larger companies where the risk is much larger.
Ferma is calling for a “constructive” dialogue between all players in the insurance landscape, from insurers, brokers and corporate buyers to regulators.
Worries also stem from the spike in cyber insurance premiums triggered by the rise in ransomware in 2021, driving the cost of cyber insurance up by 102% in the first quarter of 2022, according to a report by insurance broker Marsh.
The spike cost increase came with “continued market deterioration and reduction in capacity, many clients turned to self-insured retention as well as co-insurance,” Marsh said.
Spiking cyber insurance prices – is the end in sight?
These figures have caused many to worry about the market. However, despite the discomfort this trend has caused it appears to be slowing down.
A report released by insurer Aon states that despite industry-wide worries, there appears to be substantial new capacity and improved insurer loss performance, leading to decreasing rates in cyber in early 2023.
Premium rates are expected to continue falling, but buyers must ensure their own security is up to scratch, says Craig Dunn, head of cyber M&A insurance at Aon. “The situation has improved somewhat. if you have good security, you won’t have trouble getting cyber insurance. If you have bad security, you will have trouble,” Dunn says.
The standard of cyber defences that insurers demand is linked to both the buyer’s industry and its revenue, Dunn explains. “If they’re under £50m of revenue then they’re not going to have to have the same level of security as a managed service provider with £500m of revenue.”
He explains: “If you’re under £50m, you’ve got good back-ups, you’ve got multi-factor authentication for all remote access, some sort of good endpoint solution in place, that’s probably good enough.”
Larger companies are under more pressure, as they are more likely to be attacked, he says. “If you’re a couple hundred million in revenue, brokers will probably ask for continuous monitoring,” Dunn says. “If you’re a managed service provider who’s doing security services, it is likely they will ask you to have endpoint detection and response on all endpoints and have some kind of security operations centre capability, whether in-house or outside.”
Some degree of volatility when it comes to policy price and availability is to be expected, however, as the industry is still in its infancy, explains Nicolas Jeanmart, head of personal and general insurance at Insurance Europe, the European insurance federation. “The cyber insurance market is still at its infancy, even though it has grown fast in recent years,” Jeanmart says.
“Insurers providing cyber insurance cover are constantly developing innovative, sustainable solutions, which usually include advice to firms on how to limit their exposure and support after an attack. Cyber insurance can only be offered if key conditions are met, in particular, adequate risk management by the companies buying the cover.”
Because of this, insurers are better placed than regulators to raise the bar of cybersecurity, Dunn believes. “I don’t think government is necessarily as reactive as somebody who’s got their bottom line and their bonus tied to these standards,” he says.