After two years of volatility, cyber liability prices finally appear to be normalizing due to factors that include a downturn in price increases and a lower frequency of ransomware attacks in 2022—all of which have resulted in healthier insurance carrier loss ratios.
Woodruff Sawyer’s cyber insurance experts Dan Burke, Priya Cherian Huskins, Keeley Sidow, and Lauri Floresca recently reviewed trends that affected cyber insurance over the past year and provided their insights to help you plan for 2023. As described in our Cyber Looking Ahead Guide webinar, here are five takeaways they offered from the hottest topics in cyber insurance.
1. Premium Prices are Indeed Coming Down, but Not Decreasing, from 2019’s Soft Market
Insurance carrier loss ratios are healthier now than in the past few years, as evidenced by price increases tailing off in Q4 of 2022.
And while we are not yet seeing decreases, there are instances when decreases can be achieved on a program—but that is an exception, not a rule.
“Decreases are not the norm yet, but every sign we’ve seen so far points toward a more normalized market in 2023,” said Dan Burke, Senior Vice President, National Cyber Practice Leader. “The increases of the last two years are coming back down to earth.”
However, even with positive cyber market trends, such as ransomware ransoms falling by hundreds of millions of dollars in 2022, cyber liability pricing will not be dropping as quickly as other markets. According to Burke, one primary reason is that cyber doesn’t have the same new or unused capacity found in other insurance markets.
2. The CPRA Will Significantly Influence Privacy Issues Moving Forward
The California Privacy Rights Act (CPRA) went into effect on January 1st, replacing the California Consumer Privacy Act of 2018. While the CPRA maintains the private right of action against companies that suffer a data breach, it also increases the likelihood of penalties for violations of the law.
Keeley Sidow, Client Relationship Director, Management Liability, observed, “In the past, companies had a 30-day period to fix their violations, but that is no longer the case. Plus, there is now an established agency created just to enforce this law, so they will have more time to come after companies that are violating the law, which we expect will lead to more violations.”
Burke added that although several other states are following suit with California and enacting their own consumer data privacy laws—most notably Illinois’ Personal Information Protection Act (PIPA)—federal legislation on data privacy is not expected in 2023.
3. There Is Still a Lack of Clarity Surrounding War Exclusion and Nation-State Sponsored Hacking
The Russian invasion of Ukraine in 2022 raised the prospect of the war exclusion being invoked in response to cyberattacks that might spill over to countries other than Ukraine. Many cyber insurance carriers are raising the issue with the intent of providing clarity around what types of attacks constitute an act of war.
Ultimately, there are multiple approaches to how cyber insurers deal with this exposure, noted Lauri Floresca, Senior Vice President, Cyber Liability. “A state-on-state type of action, where a country warring with another uses cyber warfare to attack them, that’s pretty clear in what the exclusions were intended to protect against,” she said. However, what if the attack spills over and affects private industry, or an attack that either originated or is backed by a state agency goes against private enterprises and triggers these exclusions?
“It’s a tricky wording issue trying to manage between these two types of exclusions,” said Floresca. “I think we will be taking a look at it in 2023, as there are a lot of insurers with capacity provided by Lloyd’s of London that are going to be looking at these exclusions and the variations Lloyd’s is suggesting. We will need to ensure that the coverage will respond.”
Floresca observed that major events like the 2014 Sony hack—widely believed to have been an act committed by the North Korean state—were treated well by cyber insurers, which did not deny coverage to affected clients.
4. C-Suite Liability for Cyber Incidents Is Growing
The C-suite is being held accountable for cybersecurity failures at their companies. And while this isn’t a new trend necessarily, they also face the prospect of personal liability for those same cybersecurity failures, as cyber risk and D&O claims are starting to cross over.
“It’s a disturbing trend,” said Priya Huskins, Senior Vice President, Management Liability. “I do think chief information security officers (CISOs) as a group feel a little anxious, and it’s somewhat justified. Consider the SolarWinds debacle of 2020. It ultimately led to securities class action lawsuits and derivative lawsuits… We’ve also seen the DOJ go after CISOs; we’ve seen the FTC try to hold C-Level executives accountable in an enforcement action.”
Huskins offered some keen advice for CISOs to mitigate their risk. First, she emphasized that a D&O policy does cover corporate officers, as it’s an automatic coverage grant. Secondly, if you’re a CISO and worried that your title doesn’t qualify for D&O coverage, be aware that a D&O policy for public companies covers all employees for securities claims. However, CISOs can go further and take agency by asking for a personal indemnification agreement.
Huskins added that California’s labor code is highly pro-employee. The state’s code mandates indemnification for all employees when they act within their scope of work activities.
5. Vendor Failure and Systemic Risks Continue to Evolve
Systemic risks from a vendor failure (such as a cloud provider) can impact a company’s customers or other companies that use their product—2020’s SolarWinds hack being a prime example. For companies impacted by the widespread vulnerability of another’s security or product failure, there is not much they can do, but it still impacts their policy.
Insurance carriers typically add a catastrophic load charge to the premium to account for the risk of a widespread event. More recently, they have been looking to limit coverage available for these scenarios by reducing the limits available under the policy for specific widespread events. This is a topic that will continue to draw plenty of attention in 2023.
However, Burke noted that some new innovative insurance products are starting to surface that include parametric triggers. These agreements trigger automatic loss payouts to a company if a pre-determined event happens, such as a cloud failure. There is no need to offer proof or go through a claims process, as each agreement designates a specific amount for a particular event.
Huskins noted that even though these new products are starting to surface, this is a place where companies can take a measure of control—especially larger entities—and recommends at least considering new products like parametric triggers, if available.
Stay Informed on Cyber Concerns
For more information on how you can be ready for your next cyber policy renewal, read the Looking Ahead: Cyber Liability Insurance Concerns in 2023 Guide, watch the webinar video, and subscribe to the Cyber Notebook.