As cyberattacks continue to make headlines and cause angst among businesses across the globe, the state of the cyber insurance market remains in flux.
Cyber policy terms and conditions are often inconsistent and can differ from insurer to insurer, and determining what’s covered can be challenging because many policies lack standard definitions.
Meanwhile, as cyber insurers look to provide coverage while adjusting to an evolving risk environment, they face their own exposures because there’s little historic loss experience compared with more mature lines such as property, which has decades’ worth of claims to analyze.
Here’s what you need to know to understand what’s covered and how to get risk-transfer solutions to mitigate cyber exposure:
Cyber Risk is Rapidly Changing
While cyber insurance has been around for more than a decade, it didn’t see much action until recently. The take-up rate was 47% in 2020, compared with 26% in 2016.
As cyber threats grew and insurers produced policies to meet growing demand, insurers tended to develop those policies along the lines of their own appetite and capacity. Along the way, diverse solutions emerged.
The shift to remote work and increased digitization at many businesses in the past 18 months only amplified the increase in digital risks. Cyber insurers reported a 336% increase in claims from the start of 2019 through 2020. Ransomware attacks have been prominent recently, with business costs related to ransomware expected to reach $20 billion this year.
Insurers have taken note of the mounting losses, leading many of them to increase rates, reduce coverage capacity or modify policy terms.
The Nature of Your Business Drives Coverage
For companies looking to purchase cyber insurance, the nature of the business and its risks will certainly impact coverage considerations. Businesses looking to address operational risk exposures, for example, should look for policies offering coverage for business interruptions related to networks and that are dependent on system failures; for cyber extortion; and for digital-asset restoration, among other factors.
Organizations seeking to cover privacy and network-security risks should make sure their cyber policies cover the appropriate liability, including any regulatory fines and penalties, as well as breach-event expenses such as call centers or credit monitoring for customers whose information may have been exposed. A comprehensive cyber-policy structure should include a dedicated section addressing both the operational risk and coverage for privacy and network-security risk. Work with your broker to ensure your coverages align with your risk profile.
The current cyber-insurance market is seeing erosion in some of those coverage areas, however, due to insurers’ claims experience or their discovery that many buyers’ risk controls aren’t as sound as they expected. Some cyber insurers are reducing limits or restricting what they’ll cover, while others are declining some risks altogether.
Know Your Exposures
Ultimately, businesses need to understand what the financial impact of a cyberattack could be and then seek coverage that aligns as much as possible with their exposure and risk appetite. A broker can help quantify the risk and mitigate exposures; a broker also can help buyers understand what’s covered and help trigger the claim process and incident-response plan in the event of a cyberattack.
While cyber insurance is a relatively new market, a broker well acquainted with the market can help identify insurers with ample experience and knowledge. Some exposure areas that underwriters will want to know about include:
- Dependent business interruption: Insurers are scrutinizing the breadth of coverage they provide for business-interruption losses across the cyber supply chain.
- Ransomware exposure: As the threat grows, some insurers are looking to cap coverage for ransomware events, impose sublimits, or exclude the peril altogether.
- Incident response vendor exposure: Some insurers are showing less flexibility in covering expenses associated with breach-response vendors that haven’t been agreed to in advance or that are not included in preapproved vendor panels. It is usually a wise decision to use insurer-approved incident-response vendors.
Understand What Insurers Want to See
Insurers look for a variety of cyber security risk-mitigation areas when assessing coverage for companies, including:
- Multifactor authentication
- Endpoint protection and response
- Cyber awareness training
- Good patching hygiene
- A secure virtual private network (VPN)
- An incident-response plan
- Active Directory service accounts
- Backups and disaster-recovery preparations
- Email filtering
Those who can’t address the issues above may find it difficult to purchase the cyber insurance they seek. If that’s the case, it’s time to work with information-technology providers to mitigate risks and put the business in a position in which transferring risk to the insurance market becomes an option. A broker can help facilitate this positioning by helping a company develop an incident-response plan or conduct prebreach planning, in conjunction with their insurer.
Create a Culture of Cyber Security
One critical element in helping businesses compete for cyber insurance is to demonstrate a culture of cyber security.
This includes having, among other things, a proactive cyber risk-mitigation strategy, an incident-response plan, regular employee training, and threat-response exercises. As insurers grow more concerned about ransomware attacks, businesses should also be prepared to show steps they’ve taken to address the threat.
Businesses should be able to provide established and regularly updated privacy policies and show awareness of cyber risks with third-party contracts, service providers and supply chains.
Finally, as cyber exposures evolve, it’s important to communicate regularly with insurers regarding policy terms and conditions and to understand any exclusions that might arise from other insurance lines such as crime, property, casualty and general liability.
 “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market,” Government Accountability Office
This article has been compiled using information available to us up to June 1, 2021.
©2021 Aon plc. All rights reserved.