7 Ways to Be an Adult in the Softening Cyber Insurance Market

Insurance industry veterans the world over often quip that the market is cyclical in nature and has a short memory span. Premiums, deductibles, limit size, and coverage breadth ebb and flow with the availability of competing capital, loss trends, interest rates, and broader macroeconomic conditions.

They're right.

Over the past several years, cyber insurance premiums and deductibles saw a parabolic increase while limits were drastically cut for nearly all cyber insurance buyers. The contraction of capacity was so severe that it was labeled by many as a “double/double/half” cyber hard market: double your premium, double your retention, and half your limit.

But over the last few months, we're hearing the familiar underwriter moans and groans that premiums are again falling to unsustainable levels, driven by the advent of new entrants competing in the cyber insurance space and lower claims trends compared to 2020 and 2021. At the same time, brokers are increasingly able to achieve broader coverage with fewer instances of ransomware-related exclusions and sublimits because their insureds’ security posture has greatly improved over the last few years.

As shown in the chart below, since Q4 2022, the median renewal premium for cyber insurance programs has been decreasing. The “softening” trend—at least for the moment—seems to be continuing, and in some cases, gaining momentum.

How do insurance buyers and their corporate stakeholders manage this unprecedented volatility in the cyber insurance market? We'll outline that policyholders can take in collaboration with their brokers and carrier partners to ensure they are driving positive results on their cyber renewals while also maintaining a grounded set of expectations.

1. Don't Become Complacent About Cybersecurity Controls

Continue to push and empower your chief information security officers (CISOs) to further strengthen your company’s cyber security posture. Multi-Factor Authentication, EDR, Backups, privileged account management, and training/awareness continue to be the best prevention to most ransomware and data breach events.

2. Review Your Policy's Exclusions and Restrictions

Challenge your broker to outline to you where you may have lost coverage over the last few years and where there may be opportunities to reintroduce broader coverage to your program. Make time to truly understand how your cyber (and professional liability) policies dovetail with your risk. Ask yourself:

• Did you have to take on a ransomware sublimit or co-insurance on your policy recently?
• Are you exposed to GDPR (General Data Protection Regulation) or BIPA (Biometric Information Privacy Act) claims due to a novel exclusion inserted in the policy last year?
• Were there war-related or systemic event-related exclusions, and do you have a plan to address the unprecedented nature of these coverage restrictions?

3. Determine How Your Business Practices Affect Cyber Risk

Understand how your business has changed and evolved over the past few years—maybe even as a result of the pandemic. These changes may have increased your cyber risks. Ask yourself these questions:

• Is there an increased work-from-home presence?
• Have you migrated employee or customer data to the cloud?
• Are you engaging in more complex marketing and data collection practices?
• Have you introduced biometric collection to your systems?
• Are you operating unsupported or end-of-life systems in your network?
• Has your regulatory landscape changed by virtue of new geographies you serve or new statutes/regulations?

4. Know the Benefits of a Long-Term Relationship with Your Carrier

Never underestimate the gravitas of a long-term relationship with your carriers. The most overlooked benefit of the insurer and insured relationship is the concept of “premium in the bank.” While every carrier—rightfully so—will stress that the insurability of any claim is strictly contingent on the four walls of the policy, there is something to be said for having a multi-year relationship with an insurer for accommodations, exceptions, and improved claims outcomes. Furthermore, if you have a multi-line relationship with your cyber insurer, there is even more weight behind the concept of premium in the bank.

5. Ensure New Carriers Offering Lower Quotes Will Provide the Same Coverage

Understand that a competing quote at a lower price or deductible will almost certainly come with changes to your coverage—most of which are to your detriment. A competing primary quote that undercuts your program (especially in a drastic way) requires some healthy skepticism and research. Is the alternate quote from a newer carrier that is trying to buy your business year one? Has the underwriter demonstrated a comprehensive knowledge of your risk profile to be “fully on board” with insuring your organization over the long term?

6. Learn from Your Own Claims Data

Review and contemplate your company’s claims activity. Have you reported any claims that have resulted in losses paid by your carrier? Are those claims reflective of poor controls around data security or resiliency? What lessons did your company learn and what controls did you implement as a result of the loss?

7. Test the Market If You're in Doubt

If in doubt, undertaking a marketing exercise will help you gauge how the broader insurance ecosystem views your risk, which can help inform you on how to best adjust your company’s cyber risk management strategy accordingly.

If you cannot clearly glean where you stand with your carrier relationship or you have issues with coverage, pricing, or claims handling that are not being resolved, test the market. A broad marketing exercise is going to be a heavier lift for your team from a data collection standpoint, but it is imperative that you and your broker engage in this exercise if it is appropriate to “roadshow” your risk to understand your worth as a client to the marketplace.

If you’re unhappy with your job, doctor, or contractor, don’t you usually shop around? Use that same pragmatism for your cyber insurance buying strategy. The market is in flux, and not asking the question means the answer is always no.

Work with a Dedicated Cyber Team That Knows Your Business

Woodruff Sawyer's dedicated team of cyber risk specialists constantly evaluates the latest developments and negotiates with carriers to drive improvements in cyber coverage. To learn more about trends in cyber liability and how to achieve positive results on cyber renewals, read our Looking Ahead Guide to Cyber Liability Trends for 2023 and talk to your Woodruff Sawyer account team.