Editorial: Cyber liabilities test corporate defenses

It took awhile to happen, but it looks like cyber liability insurance is well on the way to becoming the mainstream line of coverage that the earliest market participants said it would become.

Figures vary, but according to the National Association of Insurance Commissioners, insurers wrote about $4.1 billion in cyber liability premium in the United States in 2020, with $2.75 billion in direct written premiums by U.S. domiciled insurers, the latest year for which figures are available. That’s still just a fraction of the $727 billion in U.S. property/casualty direct written premiums, but the numbers are growing fast.

Globally, data company Statista estimates that cyber liability accounted for $8 billion in premium in 2020 and will grow to more than $20 billion by 2025.

The premium growth is just part of the story. The market conditions for cyber liability have transformed over the past few years. Not so long ago, insurers were jumping into the cyber market and trying their best to persuade sometimes circumspect buyers that this was a must-have coverage that they could purchase at very reasonable rates.

Now, premiums are increasing sharply, in some instances by multiples; capacity continues to shrink, with some insurers exiting the market; and underwriters are insisting on strict risk controls before they sign on to a policy. According to Amwins Inc.’s state of the market report released last month, primary aggregate limits have fallen from $10 million to $5 million or less and rates are not expected to start flattening in this “impossibly hard market” until the fourth quarter of this year.

<div align=”center”><a rel=”gallery” class=”fancybox” href=”https://www.businessinsurance.com/assets/pdf/BI_0522-10.png”><span class=”rsrch_img” style=”background:white !important; width: 480″>

<img src=”https://www.businessinsurance.com/assets/pdf/BI_0522-10.png” width=”480″></span></a></div>

Insurers are reacting to the surge in cyber losses that began shortly before the onset of the COVID-19 pandemic in 2020 and has continued since. Ransomware attacks, which some attribute in part to the rise in remote work over the past two years, have surged.

As cyber insurance claims move from the realm of theory to practice for more and more companies, risk managers must grapple with a different kind of claims scenario. As we report here, when a cyber incident occurs, it needs to be addressed urgently and with the full participation of insurers and their approved cybersecurity vendors as quickly as possible after the breach — regardless of the time or day of the week.

But like other insurance claims, there is plenty of room for long-running coverage disputes to arise from cyber-related incidents. As we report here, claims over the infamous 2013 Target Corp. cyberattack are still being litigated.  

With such a complex exposure, risk managers are just part of the army of experts that organizations need to have on standby to address the threats, but they have a vital role to play in ensuring that internal and external resources are ready to respond. Given the pervasiveness of the threat, cyber risk adds yet another dimension to the concept of enterprise risk management.