How cyber insurance placement is becoming more competitive

Cyber hand throws a life ring to businesses, to represent insurance coverage

Much like D&O insurance, cyber insurance pricing is becoming increasingly competitive, and sources say several niche MGAs are now providing capacity to underwrite cyber policies.

Loss ratios, while still on the unprofitable side, are vastly lower than the 400-plus percent loss ratios recorded early in the pandemic. Those ratios had cyber insurers paying out more than $4 for every dollar of premium they collected. Nowadays, sources say, cyber loss ratios are more in the 125% to 150% range.

But after a hard market in cyber, it appears capacity is once again plentiful. In part, because of several cyber security controls established during the pandemic.

“Insurers are generally opportunistic,” says Katie Andruchow, senior vice president and national cyber broking practice leader at Aon Canada.

“They’re not necessarily so focused on the underwriting rigour that they developed in hard market conditions. Although I would say critical controls will not waver in their importance. MFA [multifactor authentication], EDR [Endpoint Detection and Response] and backup resilience are…the three that don’t have wiggle room like some other critical [security] controls we have gained over time.”

 

Still the new kid

Cyber is still a nascent line of business, sources note.

In Canada, federally regulated P&C insurers wrote more than $475.2 million in direct premium for cyber in 2022. That’s up 217% from the $20.9 million they wrote in 2015, when Canada’s solvency regulator, the Office of the Superintendent of Financial Institutions (OSFI), started collecting statistics for cyber.

The approach to cyber prevention is more advanced than in the early days of cyber insurance, says Meredith Schnur, regional cyber practice leader for the U.S. and Canada at Marsh Specialty, based in New York.

See also  Roll Like an Actual King in This 1987 BMW M5, Our Bring a Trailer Auction Pick

“We’re seeing sophistication, we are seeing resiliency, we are seeing maturity,” Schnur says of companies’ cyber security controls. “We are seeing a mindset and a culture around the idea that, ‘It’s going to happen, so now what do we do?’

“If I can give you an analogy…sprinklers do not prevent a fire. The fire is going to happen. But the sprinkler is going to mitigate [the damage]. And when you underwrite cyber, you underwrite it for the controls that are in place…There’s more of an open understanding of what you have as your cyber resiliency, and the maturity of your cyber plan, so you can prevent these things from happening.”

 

Reduced ransom payments

These controls may factor into why companies are not paying ransoms as quickly following ransomware attacks, sources tell CU.

“Although there was an uptick in ransomware claims, there was a downward shift in actual ransomware payments by our by organizations,” Schnur says.

Insurers say ethical codes, as well as the type of industry, are always in play when deciding whether or not to pay a ransom. For instance, if a hospital ransomware attack threatened to stop life-and-death medical procedures, that would factor into whether or not to pay the ransom.

It is common knowledge within the P&C insurance industry that cyber criminals are starting to employ AI to manufacture attacks against companies’ infrastructure. AI is making social engineering scams — essentially duping people at companies to direct money or information to cyber thieves — much more sophisticated.

And so, expect to see a rise in phishing attacks, says Suzanne Tavaszy, assistant vice president of specialty lines (central technical unit) at Aviva Canada.

See also  Want to Prove a Personal Property Claim in Court? Pick the Right Lawyer

“AI is playing a key role in in the frequency and severity of cyber incidents we’re seeing,” Tavaszy tells CU. “The obvious [reason is that] it provides cyber criminals with tools to conduct more complex and sophisticated schemes, but at a faster rate and with fewer resources.

“An obvious example would be voice and video deep fakes. We’ve all heard some high-profile, media worthy examples of that recently. And for phishing emails, in the past we’ve all been told to look for spelling mistakes, look for logo issues. Now, that’s all taken care of with AI. So, it’s quite scary.”

 

This article is excerpted from one appearing in the August-September 2024 print edition of Canadian Underwriter. Feature image courtesy of iStock.com/erhui1979