Cyber liability insurance overview
- Cyber liability net earned premiums grew at a 4-year compound annual growth rate (CAGR) (2018-21) of 6%.
- High frequency and severity of claims activity continue to challenge the profitability of cyber liability, with claims ratios averaging 207% from 2019-21.
- To combat high claims ratios, 2022 saw insurers significantly increasing the amount of cyber liability reinsurance premium ceded.
- Claims appear to be trending down; however, carriers have been getting off risk, reducing limits, or declining coverage, which ultimately decreases the ratio of claims to premium charged.
- Lloyd’s continues to dominate the cyber liability market, growing its market share from 45% in 2015 to 77% in 2022. During this time frame, 18 net new insurers have entered the Canadian cyber liability market.
- Key trends observed in the Canadian landscape are (1) evolving data protection regulation (e.g., Bill 64), (2) continued rise of ransomware attacks, and (3) increasing restrictions imposed by insurers.
- Due to increasing regulation, ransomware attacks are now often triggers for data breach events; businesses and their directors and officers have increased responsibility for preparedness.
- Policyholders should validate that their policy will respond to the privacy regulations in each of the jurisdictions in which they serve customers globally, as well as ensure that the definitions are broad enough to avoid denial of coverage.
- We anticipate that insurers will continue to refine and tighten their underwriting appetites. In parallel, insurers will raise rates and some insurers will increase deductibles for cyber liability coverage. The best carriers are offering clients claims prevention services and employee training.
Line of business (LOB) performance – Cyber liability
The performance of cyber liability was improving from 2015 to 2018, with growth of Net Earned Premiums slightly outpacing growth of claims. However, from 2019 to 2021, net incurred claims were greater than Net Earned Premium, with a significant spike in 2020. In recent years, the cyber liability market faced a net loss, with net premium earned growing at a compound annual growth rate (CAGR) of 47.6% from 2015 Q4 to 2021 Q4 (see Figure 1 below). During this same period, net incurred claims increased at a CAGR of 75.5%.
Figure 1: Net Earned Premiums and Net Incurred Claims for cyber liability coverage across all Canadian P&C Insurers from 2015 Q4 – 2022 Q4
The cyber liability market is expected to continue to grow significantly. Per IMARC Group, “the global cyber insurance market size reached US$ 9.8B in 2022… [and] expects the market to reach US$ 31.7B by 2028, exhibiting a CAGR of 22.39% during 2023-2028.”
Performance in cyber liability continues to vary widely across commercial insurers. Across the ten leading cyber liability insurers (as of 2022 Q4), the CAGR of these insurers ranged from -7.7% to 276.5% (see Table 1 below for a complete breakdown).
Table 1: As of 2022 Q4, the top ten insurers (by Net Earned Premium) in the cyber liability market in Canada were as follows:
Based on Net Earned Premium, Lloyd’s continues to dominate the cyber liability market, growing its market share from 45% in 2015 to 77% in 2022.
Figures 2 and 3: Net Earned Premiums for cyber liability coverage across ‘top 10’ insurers (based on Net Earned Premium, as of 2022 Q4) from 2015 Q4 – 2022 Q4
An additional gain in Net Earned Premium for cyber liability came from new market entrants, with 18 net new insurers entering the market from 2015 to 2022.
On the claims side, net incurred claims have been increasing at a CAGR of 75.5% from 2015 to 2021 (see Figure 3 above).
Figure 4: Claims Ratio for cyber liability coverage across all Canadian P&C insurers from 2015 Q4 – 2021 Q4
Claims ratios averaged 103.2% from 2015 to 2021, with a peak of 402% in 2020 (see Figure 4 above). However, this was followed by a steep drop-off, with the claims ratio decreasing from 402% to 112% in 2021. This decline may not be sustained as claims continue to develop and are reported to insurers. Based on poor prior-year results, insurers significantly increased the level of cyber liability reinsurance ceded in 2022. With improvements in loss experience, this resulted in a negative claims ratio for cyber liability, as ceded premiums exceeded direct claims. It will be interesting to observe how insurers handle their reinsurance and go-to-market strategy for cyber liability moving forward, given the stronger financial performance in 2022. While cyber liability claims activity appeared to improve in 2022, these savings may not be directly passed on to insureds as insurers reassess the appropriate levels of reinsurance on their cyber books and seek to recapture lost profitability from prior terms.
Cognyte, a market leader in investigative analytics software, reported that in the first half of 2021, they were notified of almost as many ransomware attacks as they were in all of 2020 (1,097 and 1,112 respectively). Rate increases played a key role in the overall climb in cyber liability Net Earned Premium from 2020-2021 as compared to previous years.
Cameron Baker, the Commercial Manager for Westland’s Alberta Small Business Solutions teams, highlights that businesses should remain cautious when reviewing models that predict downward trends in cyber claims. He says, “carrier limits on cyber policies decreased substantially in the years shown above. If carriers offer lower limits, they pay out far less in the event of a claim.”
Evolving risks and industry response – Cyber liability
Regulatory compliance, the impact of remote work, ransomware attacks, and cloud computing are four major trends facing the cyber liability market.
Governing bodies now recognize how impactful privacy and data problems can be to individuals and large corporations and are reacting by enhancing cyber regulation. Two examples of evolving cyber regulation include the following:
- Data protection: The United States has proposed new rules surrounding cyber: the Securities and Exchange Commission proposed new cyber disclosure rules in early 2022. These newly proposed rules are focused on improving cyber governance, enhancing cyber risk oversight, and driving more timely and specific cyber incident disclosures.
- Privacy protection: Per a KPMG report on privacy and data governance, “the adoption of Bill 64, now known as ‘the Act to modernize legislative provisions respecting the protection of personal information (Act)’, brings significant changes to the framework of privacy and processing of personal information as all organizations and businesses that either collect, process or hold personal information in Quebec will have to be compliant.”
These increasingly difficult-to-navigate regulatory environments have been described as a key factor driving increasing policy costs. The cyber regulation discussed above puts additional onus on companies, and on their directors and officers personally, to ensure they’re acting appropriately, and it increases the potential fines that companies could face for non-compliance. With an increase in potential fines for non-compliance (whether intentional or not), all companies need higher coverage than in previous years to be appropriately prepared, which plays into the increasing rates.
Moreover, Canadian regulations now impose reporting requirements following a cyber attack. Businesses need to report on the event, its scale, and whether personal data was compromised, including every individual who may have had personal information breached. Given that companies now manage so much more personal data and more often, the costs to verify the extent of a cyber event can be astronomical. Derek Henneberry, Westland’s director of commercial sales, notes that “where a threat may have strictly been a ransomware attack in the past, the same event today would now also be a trigger for a data breach event.” He highlights that “businesses need to work with their insurance broker to understand the implications of managing any amount of data, the impact a breach might have, and the responsibilities of the directors and officers.”
When discussing regulatory environments, Cameron Baker flagged an often-overlooked component of an effective cyber risk program: the jurisdictions in which a business operates. “If you have customers in different parts of the world, you need to ensure your policy will respond effectively to the regulations and privacy laws of those jurisdictions. For instance, Canadian businesses that sell into the United States or the European Union need to ensure their policy will respond favourably in those environments. A client’s broker needs to be able to manage those requirements.”
Impact of remote work
The COVID-19 pandemic brought many changes in how people act and work, some of which are here to stay. One such change is the increasing percentage of employees who work remotely. This increase in remote work brings with it changes to how employees act. According to Munich Re’s HSB Group, employees are suffering from a greater susceptibility to deception-oriented attacks due to the usage of different devices for reading work emails. These deception-oriented attacks – often called phishing attacks – can include fake Office 365 password changes and fake Webex account access emails. These two scams have seen an uptick in popularity. These types of internal failures are the most frequent cause of cyber claims, at 54% of the total number of claims, according to Allianz Global Corporate & Specialty.
While internal failures like falling for deception-oriented attacks might be the most common cause of a cyber claim, losses from external incidents like ransomware campaigns account for nearly 85% of the total dollar value (i.e. severity) of cyber-related claims. Ransomware attacks continue to increase in prevalence, with $6.3 billion in ransom demands in 2019 alone, according to AGCS. These increases are likely due both to ransomware’s ability to let cybercriminals extort and receive payment in a nearly anonymous way and to a lack of diligence from some companies in backing up their critical data. Even for companies that are better at backing up their critical data, a full retrieval might not always be possible, which can cost the victim companies significantly as they lose revenue and must pay to recreate lost data or historical records.
Ransomware claims response has also changed, and we anticipate further change in the future. Some carriers have denied policyholders coverage by using different policy exclusions, particularly since the start of the Russia-Ukraine war. “Ransomware attacks are now considered a normal course of international warfare and carriers have begun to take coverage positions depending on the nature of the attack,” says Cameron Baker. He adds, “If a ransomware extortion event occurs with a Russian Threat Actor, carriers may reject the claim by citing the war exclusion. They may also not be allowed to pay the ransom due to sanctions against the country.”
Cameron advises businesses to verify that their policy has a broad definition for what is covered and, where possible, to validate that the exclusion threshold is high. He noted that clients should ensure their broker partner has the size and scale to partner with carriers for the most predictable coverage. “A client’s policy should respond as expected when dealing with a cyber loss.”
Looking forward, Lucas Romaniuk, a Senior Commercial Account Executive at Westland, works with clients to ensure their incident response protocols comply with industry standards and best practices. He points to the 1:10:60 rule of cyber preparedness, saying “clients should be able to detect a cyber breach within 1 minute, understand it within 10 minutes, and respond within 60 minutes or less. If a business cannot articulate what they will do in each of these categories, we have some readiness work to manage.”
Lucas also points out that the best cyber liability coverage responds to shifts in the marketplace and is needs-driven. He strongly advises businesses to ensure that their policy offers services that focus on preparedness and prevention, not just response. “Better carriers have begun to understand the areas from where businesses are reporting claims. Instead of declining risks because you don’t have the right systems or protocols in place, they offer partner services to help businesses with employee training and pre-planning for when a claim will arise, not just if.”
One area where we see companies improving their technological processes is the increased use of infrastructure-as-a-service (IaaS) cloud services. With growth of 41.4% to $90.9 billion in 2021, the IaaS market is clearly a continued focus for organizations. According to Sid Nag, VP Analysis at Gartner, this growth is expected to continue unabated as cloud-native becomes the primary architecture for modern workloads. Nag suggests that this will continue to be necessary as “cloud supports the scalability and composability that advanced technologies and applications require.” However, according to Clutch, a B2B research firm, cloud infrastructure is prominently both a benefit and a challenge. Specifically, Clutch noticed that 22% of respondents to their survey ranked security as the number one cloud computing benefit and 31% of respondents ranked security as the number one challenge. This is likely due to growth of between 27% and 45% in the top cyberattack methods aimed at cloud deployments, compared with a lack of growth in attacks aimed at on-site deployments.
Outlook and recommendations
Combined with an average loss ratio that is greater than 100%, each of these noted trends clearly showcases an environment where insurance rates on cyber liability will continue to increase. In addition to rate increases, some insurers will also increase deductibles or decrease policy limits offered on related cyber coverages. In parallel, insurers will continue to refine and tighten their underwriting appetites while reducing their capacity. For example, many insurers are responding to reduced capacity by imposing restrictions that limit access to coverage when proper controls like multi-factor authentication (MFA) are not widely implemented across the company’s IT infrastructure. We anticipate these trends continuing throughout 2023.
Due to rising rates and more restricted risk appetites, some companies are finding it challenging, or perceive it as too costly, to get cyber liability coverage. PropertyCasualty360 notes that “among startups without cyber insurance, cost remains a top reason… [despite] around half (44%) of startup founders… being pressured to invest in cyber insurance by their investors, board members or both.” Despite the evolving cyber risk landscape, many businesses still go unprotected from an insurance perspective. In the report referenced above, of the surveyed startup founders, “27% said they have merely added basic cyber coverage to a pre-existing policy.” Businesses must continue to monitor their cyber liability risks to determine the appropriate insurance and risk management approaches. To do so, they must have a clear understanding of the types of risks that are prevalent in the markets in which they operate.
“Two-thirds of small businesses close within six months of a cyber event. About 75% of all attacks do not involve malware, rather, the events are triggered by employees that fall victim to phishing scams when they unwittingly click a bad link from an email,” says Derek Henneberry. “These days, you’re more likely to experience a cyber attack than you are to suffer a fire claim. Still, you probably wouldn’t – or couldn’t – run your business without fire insurance. We work with clients to understand these emerging types of risks.”
As cyber threats become more prevalent and sophisticated, the cyber liability insurance market faces both opportunities and challenges. Insurers are working to strike a balance between meeting the increasing demand for coverage and maintaining profitability. Businesses must remain vigilant in assessing their cyber risks, understanding regulatory changes, and adopting robust risk management strategies to navigate this evolving landscape effectively. The future of cyber liability insurance hinges on the collective efforts of insurers, businesses, and regulators to address emerging risks and ensure the cyber resilience of organizations across industries.