Cyber insurance rate hikes slow – but exclusions expand

By Frederic Lee

This article is brought to you by Agenda, an FT Specialist publication that focuses on corporate boards

Cyber security insurance prices have begun to flatten out after years of quarterly rate increases.

The price of cyber security insurance rose 11 per cent in the first quarter of 2023 compared with 28 per cent in the prior quarter, according to insurance brokerage Marsh McLennan’s Q1 2023 Global Insurance Market Index.

After two and a half years of sharp increases in cyber insurance premiums, insurers are in a better place in terms of profitability, said Meredith Schnur, US and Canada cyber brokerage leader for Marsh. It would have been “very difficult” for insurers to pursue “another hefty increase”.

But while prices are leveling off, cyber insurance coverage remains a key risk for boards to watch.

Cyber insurance coverage restrictions – particularly war exclusions – are increasing, according to Meghan O’Malley, first vice president at Alliant Insurance Services. O’Malley presented her findings alongside industry peers at the 2023 Risk Management Society (RIMS) conference.

Concern about the potential for more catastrophes post-pandemic, the war in Ukraine, the ransomware epidemic, and scrutiny from regulators, shareholders and other relevant stakeholders have caused many insurers to take another look at their management of scenarios they believe to be potentially catastrophic, Schnur said.

For many insurers, this has resulted in new or updated policy language. “In some cases, these revisions have improved contract certainty and clarity, while in other instances, it has resulted in broad catastrophic cyber risk exclusions,” Schnur said.

One example is Lloyd’s of London, a British insurance market. Last year Lloyd’s issued a bulletin requiring underwriters to exclude certain types of state-backed attacks from their cyber policies. In particular, insurers should exclude losses caused by state-sponsored attacks that “significantly impair the ability of a state to function” or “that significantly impair the security capabilities of a state.”

Exclusions for physical war are standard across property and casualty insurance policies – including cyber policies – noted Schnur. “What Lloyd’s and other insurers are attempting to address is their exposure to a non-physical, cyber enabled state-on-state attack, which may be as harmful as a physical act of war,” she added.

One problem is the requirement to exclude coverage where a cyber attack causes a major detrimental impact to the functioning, security, or defense of another state. This is a subjective threshold, said Schnur, that is subject to underwriter interpretation and judgment. “Further clarity, modeling and explanation is needed.”

While interpretations and wordings will vary, the exclusion for “state-backed cyber operations is mandatory for all underwriters”, Schnur said. All Lloyd’s underwriters must use some form of exclusion in all cyber insurance contracts from March 31 2023.

“These new exclusions may help insurers to lower costs in the short term, but they will be bad for the cyber-insurance market in the long term,” argued Wolff.

State-sponsored cyberattacks are now so common that if insurers refuse to cover them – while governments ramp up their capabilities – then companies simply won’t buy the policies.

“There is concern that companies deciding not to buy cyber-insurance may also take fewer security precautions to protect their own data and networks because they no longer have to meet the requirements of their insurers,” Wolff wrote.

This change is particularly significant for boards because of the ongoing conflict between Russia and Ukraine – and its risk of cyber threats. Boards should watch out for amendments and enhancements of war exclusionary language in cyber insurance policies to stay abreast of what’s covered for their company and what isn’t, sources say.