Summary:
- According to Marsh's third-quarter research, the cyber insurance market's soaring premiums are beginning to level off as more organizations focus on cyber risk management and new insurers enter the market.
- While cyber insurance rates continue to rise, the rate of increase has slowed this year, which Marsh interprets as a sign of future rate moderation. The average increase in cyber insurance rates was 54% in July, compared to 133% in December.
- Cyber insurance is still in high demand. In five years, the percentage of first-time cyber insurance buyers has nearly doubled, rising from 26% in 2016 to 50% in 2021.
"The market has sent very strong signals, probably less than one would want, in terms of what we think matters in terms of improving security/resilience to cyber slip-and-falls," Eskins said.
Things that are largely preventable can never be completely avoided, according to Eskins. Even with excellent risk management, "inevitably, given a set of circumstances and conditions, there will be some slips and falls."
According to Marsh, the future of the cyber insurance market requires a fine balance: insurers must balance profit aspirations while meeting the needs of businesses.
According to AM Best, clear risk controls, such as the use of multifactor authentication, patching insecure software, and training, should be included in underwriting practices to help improve market performance.
"MFA has become a minimum requirement for obtaining cyber coverage," AM Best stated in a cyber insurance segment report published in June.
According to AM Best research, cyber insurance rates have steadily increased since the beginning of 2019, peaking last year. However, rate changes in Q1 2022 increased by only 27.5%, compared to a high of 34.3% in Q4 2021.
The maturity of the market will determine what is and is not covered in future cyber claims. Starting in spring 2023, the insurance marketplace Lloyd's of London will no longer cover state-sponsored cyberattacks.
Such exclusions from war raise concerns about how organizations can prove the origin of an attack, especially in an era when independent threat actors act on behalf of a nation-state.
However, AM Best discovered that there is growing support for insurance that covers ransomware for clients. Two-thirds of insurers see ransomware coverage as a value-add, while one-third see ransomware payment as encouraging bad actors.