Cyber insurance has come a long way since the first policy was written in 1997.¹ It has evolved from little-known niche coverage to a widely recognized form of necessary protection. As recently as 2010, cyber premiums totaled just $600,000. In 2021, premiums exceeded $10 billion, and they’re expected to grow 20% annually to reach $23 billion by 2025.²

The cyber insurance market is changing at lightning speed. Premiums for cyber coverage rose 79% from 2021 to 2022.³ Policy terms have changed frequently, as have underwriting requirements. Evolution is to be expected for a relatively new type of coverage. With more traditional forms of insurance, such as property coverage, carriers have amassed decades of experience assessing, underwriting, and pricing risk. However, that’s not the case with cyber insurance. The market is still new, and the threats are evolving so rapidly that the market is seeing sharp changes in premiums, coverage offerings, and underwriting practices.

Given the volatility in the market over the past several years, many retail agents and insureds may be experiencing what can be referred to as “cyber fatigue,” – weariness, disinterest, or reluctance to delve deeper into the complicated cyber insurance marketplace. It is very trying to continually stay aware of, and in step with, rigorous underwriting processes as well as changing policy terms and premiums. Similarly, clients can be fatigued by increasing premiums and their efforts to hit what can feel like a moving target when it comes to cybersecurity. They know the risks are serious and that protection is needed, but it can be tempting to choose the least expensive policy, easiest carrier to bind with, or the insurer they’re most familiar with to avoid extra stressors. Cyber fatigue can make it easy to simply check the box of offering or obtaining minimal coverage rather than undertaking the due diligence to obtain the right policy to meet each client’s needs.

CYBER FATIGUE LEADS TO COSTLY RISKS

The risk of simply “checking the box” for cyber coverage can be costly for the insured and the retail agent. A small accounting firm with less than 50 employees recently suffered a cyberattack that included malware and ransomware – very common attack elements. The accounting firm had cyber insurance in place to protect against the impact of such an attack…or so they thought.

Before the malware was discovered, the firm’s leaders had reviewed their insurance coverages with their insurance agent. In an effort to reduce costs, the firm eliminated a standalone cyber policy in favor of a more affordable rider on the general liability policy. Unfortunately, the new policy did not cover this type of cyberattack because the malware was found to be present on the company’s network before they purchased the new coverage. The policy did not cover preexisting attacks. The new policy also only covered third-party damage suffered by those outside the company, like clients or vendors. In this instance, the attackers demanded ransom, which meant first-party damages for the accounting firm, which were excluded. In the end, the firm was forced to cover the costs of the attack out-of-pocket. Such an expense can be crippling for a small-to-medium-sized business. In fact, 60% of small companies go out of business within six months of suffering a cyberattack.⁵

CYBER COVERAGE IS NOT ONE SIZE FITS ALL

As the accounting firm discovered, low-cost direct cyber policies or riders often don’t cover the full range of cyber risk. They often only cover third-party damages for claims brought by clients. If they do include some measure of breach response cost coverage, it is at such insignificant limits to be of little practical value. However, the possible risks aside from third party or regulatory claims arising out of a data breach are many. Malware can destroy a business’s network or data. Ransomware can hold a business hostage and disrupt operations. An attack that originates with a third party, such as an IT vendor, can result in a costly shutdown of the insured’s computer network.

Standalone, full-coverage cyber policies offer protection against a wide variety of third- and first-party cyber risks. While third party losses may be significant, the first party losses could be catastrophic, ranging from data restoration expenses or lost business income and system failure to reputational harm resulting in the loss of future income as clients shy away from an insured after a breach becomes public. Each policy has its own nuances, some offering indemnity for business interruption/system failure or even reputational harm for up to 180 days, while others may extend up to a year. Each policy and any attending endorsements need to be evaluated thoroughly to determine which policy form best fits a particular client’s needs.

UNDERSTAND THE SCOPE OF RISK

Navigating cyber underwriting can be complex and time-consuming, but it can also be enlightening. At its heart, underwriting is a risk assessment. The cyber insurance underwriting process evaluates an insured’s vulnerability to a cyberattack. Because cyber is a rapidly evolving risk, many insureds don’t fully understand their own exposure.

While it’s understandable that an insured may be frustrated by high premiums, very often, those premiums are a direct reflection of the insured’s lack of cyber protection. For instance, the business may not employ multi-factor authentication (MFA). They may have failed to adopt a cybersecurity framework that provides a process to identify, protect, and recover from cyberattacks. The client may lack a zero-trust network architecture or not yet have a vendor risk management program in place.

Sometimes performing due diligence in obtaining the right cyber policy can illuminate serious deficiencies in an insured’s cyber risk mitigation systems. But knowledge is power, and that information presents an opportunity to bolster networks and reduce the chances of a cyberattack.

THINKING BEYOND COVERAGE: TOTAL VALUE OF POLICY

Cyber insurance isn’t just about covering attacks when they occur. Full standalone cyber policies also aim to reduce the chances of a cyberattack and minimize any damages that may result by offering valuable services and support. For instance, a cyber policy may offer:

• Network vulnerability scans to identify areas of weakness
• Ongoing network notifications and updates
• Data retrieval support
• Ransomware negotiation services
• Business interruption support
• Software restoration and replacement

A full standalone cyber insurance policy isn’t just financial protection; it’s business protection. Insurers have a vested interest in minimizing risk and they often work in partnership with insureds to reduce the threat level.

FIGHTING CYBER FATIGUE

Overcoming cyber fatigue is made easier by partnering with a wholesale broker well-versed in cyber insurance. Brokers can add significant value to a cyber insurance placement by:

Understanding the insured’s risk profile. Experienced cyber brokers know what underwriters are looking for when they evaluate an insured’s cyber risk. They can help an agent understand the client’s risk profile and set appropriate expectations about how coverage may be priced. Brokers can also provide benchmark data for the insured’s industry and risk profile helping them better understand where they fit.

Identifying the best possible carriers. Brokers collaborate with a wide range of cyber carriers regularly. They know which markets are the right fit for particular clients. Some carriers prefer large organizations or companies within specific industries. Others are better suited for small-to-medium sized businesses.

Explaining coverage and benefits. Finally, a wholesale broker can help an agent and an insured better understand the differences between policies. What’s the difference between first-party and third-party damages? What support services are offered? How does the carrier monitor the insured’s network and identify vulnerabilities? There are many questions and points of coverage that an agent may not be equipped to answer, but an experienced broker can help fill the gaps.

Agents can take their cyber placement process to the next level by considering just a few insightful questions:

• Do you review unique cyber exposures such as media, biometrics, or pixels with each client?
• Do you present alternative limits and claim benchmarking data to each client to inform their choice of limits?
• There may be multiple viable market options, but do you default to only one or two cyber carriers when offering quotes?
• Do you discuss who an insured’s major supply chain partners are and the impact it may have on revenue if those partners experience a shutdown due to a cyber event?
• Do you discuss your clients’ business income or reputational harm exposure to determine an appropriate period of indemnity and or coverage limit?

BOTTOM LINE

Cyber insurance isn’t as straightforward as other more traditional forms of coverage. However, the risk of cyberattack is very real and it can be devastating for a business. A low-cost policy or rider may “check the box” of coverage, but it can still leave an insured vulnerable to devastating risk. It’s critical that cyber coverage fit each client’s specific needs and goals. 

Don’t give in to cyber fatigue. Contact your CRC Group producer today to learn more about the cyber insurance market. Our experienced brokers leverage extensive market knowledge to obtain the right coverage for each unique insured. Let’s work together to protect your clients from the risk of cyberattack.

CONTRIBUTORS

• Darren Valencia is a Professional Lines Broker with CRC Group’s Nashville, Tennessee office. He is an active member of the ExecPro Practice Group and a member of the Cyber Specialty Team.
• Mark Smith is Senior Vice President and a Professional Liability Broker with CRC Group’s Seattle office. He is an active member of the ExecPro Practice Group and a member of the Cyber Specialty Team.

END NOTES

1. The Growth and Challenges of Cyber Insurance, Federal Reserve Bank of Chicago, 2019. https://www.chicagofed.org/publications/chicagofed- letter/2019/426#
2. Making Cyber Risk Insurable: Disrupting the Cyber Industry in 2023, Forbes, April 27, 2023. https://www.forbes.com/sites/ forbesfinancecouncil/2023/04/27/making-cyber-risk-insurable-disrupting-the-cyber-insurance-industry-in-2023/?sh=1a8ca5f658eb
3. Cyber Insurance Premiums Are Up - And That’s Not The Only Industry Shakeup, Forbes, October 21, 2022. https://www.forbes.com/sites/ forbestechcouncil/2022/10/21/cyber-insurance-premiums-are-up-and-thats-not-the-only-industry-shakeup/?sh=769f79da2290
4. Accounting Cybersecurity: Keeping Your Financial Data Secure, Multiview Corp., August 2, 2022. https://multiviewcorp.com/blog/accountingcybersecurity- keeping-your-financial-data-secure#  
5. 60 Percent of Small Companies Close Within 6 Months of Being Hacked, Cybercrime Magazine, January 2, 2019. https:// cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/
6. Cost of a Data Breach Report, IBM, 2023. https://www.ibm.com/reports/data-breach