By Emily Selck and Michelle Lopilato
Just a few years ago, cyber insurance was offered by less than 20 carriers. Today, the marketplace has swelled to well over 100. Increased regulatory oversight and wide-spread ransomware attacks, social engineering and phishing schemes, have all led to a greater demand for risk transfer. This has created new opportunities for carriers to enter the cyber insurance marketplace, across the globe in the U.S., Europe and Asia. Competition has brought more favorable pricing, broadened coverage and brought pre- and post-loss mitigation services to the consumer. The cyber insurance market will continue to grow in 2019 as more businesses will seek coverage, and in response, even more carriers will offer it.
Here are HUB’s predictions for the cyber insurance world in 2019:
- Favorable pricing will continue. In 2018, insured companies enjoyed a soft market across most industry and company sizes. The same is expected in 2019 for most industry classes, and especially for small and mid-size businesses, where the uptake rate of cyber insurance remains relatively low, and carriers continue to seek market penetration because of the profitability. Many companies that are insured are surprised at the cost-effectiveness of the policies and the beneficial pre-loss mitigation services available. Insured companies can anticipate continuing to enjoy this pricing through 2019.
- Further expanded coverage enhancements. The insurance industry is still undecided on the subject of cyber risk as a product or a peril. As a result, the insured companies are experiencing affirmative coverage granted on stand-alone cyber policies where they may not have been contemplated for other lines of insurance. For example, Contingent Bodily Injury and Property Damage would traditionally be considered part of General Liability coverage, but are now offered as part of some Cyber policies. Similarly social engineering and other crime-type risks may now fall under a Property policy. Conversely, the waters continue to be muddied by traditional (non-cyber) policies and carriers offering extensions of coverage that can conflict with coverage under a stand-alone cyber policy, causing issues with sub-limited coverage, potentially two breach response teams and “other insurance” policy provisions. Insured companies shouldn’t be too quick to cancel their stand-alone policy as many traditional insurance carriers are woefully ill-equipped to handle a data or network breach.
- Insuretech’s impact on the cyber marketplace. In 2018, one insurer took the cyber marketplace by storm, with their reactive, quantitative underwriting process and use of technology to provide proactive, qualitative risk mitigation for insured companies. They also include recommendations for risk mitigation at the time of underwriting, and many risk-mitigation services are offered in-house. In 2019, other carriers will follow suit, finding ways to provide similar mitigation services for their insureds.
- Increased M&A scrutiny. Data breaches for Marriott and Maersk dominated industry news in the last two years. Both breaches are expected to cost in the hundreds of millions of dollars. The cause was the same: lack of oversight of the IT infrastructure of acquired companies. Traditionally, the underwriting process has been fairly low-touch at the time of an acquisition. In 2019, insurance companies will likely develop new underwriting processes and procedures for IT integration oversight during an M&A event.
- New regulatory environment. The EU’s new General Data Privacy Regulation (GDPR) took effect in 2018, and is one of the most stringent. Many companies outside of Europe have exhausted resources to become compliant. One of the impacts of this regulation that may carry into the underwriting process is the oversight of third-party IT providers. GDPR now holds companies responsible for breaches caused by third parties and will investigate the process of contracting with them. Expect more GDPR settlements in 2019 – including some large payouts. Further, the success of GDPR will likely inspire other regulators to take action, like the California Consumer Privacy Act of 2018. The latter takes effect in 2020, but will cause some U.S. companies to oppose its GDPR-like stringency.
2019 Growth and Beyond
Cyber coverage terms will continue to broaden as risk evolves, the pool of buyers expands coverage demands and new carriers flood the market. Together, this perfect storm will give cyber brokers more agency to negotiate increasingly favorable terms in 2019, both in the form of lower premiums or broader coverage.