The past two years have seen an increase in demand for cybersecurity insurance. Specifically, more small to mid-sized businesses are actively requesting cybersecurity insurance policies with low rates and broader coverage terms. At the same time, this boom has been characterized by more judicious limits deployment and market exits by significant industry players. According to industry leaders, this is in line with a cybersecurity insurance market landscape that can best be described as tumultuous.
The question for 2023 is whether the cybersecurity insurance market will stabilize or remain as tumultuous, and what interesting changes we should anticipate moving forward.
Cybersecurity Insurance Market Update
As of Q4 of 2022, cybersecurity insurers enjoyed a healthy loss ratio due to increased prices and less frequent ransomware attacks. This eased the capacity crunch for stand-alone cyber insurance policies. Even with this easing, technology Errors and Omissions (E&O) policy capacities remain constrained. This is likely due to the legal concerns and regulatory measures in place, which leave a lot of carriers sidelined. The impact has been tougher policy renewals and overall limited capacity.
Other than capacity constraints, a topic of concern for most within the cybersecurity insurance landscape is systemic risk. Specifically, there are concerns about what would happen if a single event impacted thousands of companies in one go. While reinsurance partners seem to be urging carriers to address this risk, it is anticipated that coverage restrictions will continue into 2023.
Cybersecurity Insurance Trends in 2023
Now that you are acquainted with the current state of the cybersecurity insurance market, here are some trends you should expect in 2023.
Coming into 2023, cybersecurity insurance prices remain high. It is expected that prices will not decrease but will, in fact, increase moderately moving forward. Industry experts point to excess insurance pricing continuing to soften throughout 2023. Questions abound, however, as to whether this increase in premiums is advantageous or whether it in fact hurts the market.
Self-Insured Retention Trends
In 2023, you should anticipate an increase in self-insured retention (SIR). This is likely since most carriers expect increased cybersecurity risk throughout the year.
In 2023, you should anticipate a lowering of cybersecurity limits. Specifically, most carriers are dropping their policy limits from $10 million to $5 million. However, there should be greater stability within the limit profile moving forward for the different revenue bands.
Systemic Risk Trends
Most insurers are likely to adopt stronger contractual protections including limitations of liabilities to deal with aggregation risk. As for widespread event risk, most carriers are likely to continue adding a catastrophic load charge to the premium. Equally, these insurers are likely to reduce the limit available under the widespread event policy.
Recent cyber attacks have put the C-suite in the middle of cybersecurity liability claims. This opens said personnel to personal liability which could further take a toll on their finances.
That’s where the C-suite liability policy comes in.
This is a Directors and Officers (D&O) insurance policy that covers any officer of the company in the event of a cyber event. More carriers are likely to include coverage for Chief Information Security Officers (CISO) within their coverage offering.
The Russia-Ukraine conflict in 2022 brought up new concerns within the cybersecurity insurance market. Specifically, there are concerns over what types of cyber attacks would be covered under an act of war caveat.
In 2023, it is likely that most carriers will move to exclude coverage for any attack backed by a nation-state. Invoking this war exclusion on a cyber insurance claim depends on the carrier being able to attribute an attack to the specific player. In 2023, you should anticipate better fine-tuning of the war exclusion caveat, with most markets still working on their proposed wording.
AI’s Role in Underwriting
As it stands, it’s impossible to talk about predictions without mentioning artificial intelligence. Moving into 2023, we should see greater use of AI in the cyber insurance underwriting process. Specifically, most insurers will likely employ the power of GRC tools for better automated, data-driven underwriting. This should yield data-based insights into whether a policy should be written and how much in premiums said policy will attract.
Increased Government Regulations
2022 saw the government tighten the laws and regulations pertaining to cybersecurity. In 2023, it is expected that there will be expanded CMMC certification requirements. Granted, lawmakers at both the state and federal levels are yet to create a standard cybersecurity insurance guideline. Still, there’s a concerted effort towards cyber insurance requirements and regulations meant to create a common level of protection for enterprises within the US.
Cybersecurity Insurance Requirements Predictions
A decade ago, for a business to get cyber security insurance, all that was required was a need for the policy. This translated to a significantly simpler application with most insurers only requiring that the prospective policyholder fill out a questionnaire.
With the rise in frequency and cost of ransomware attacks, carriers have been forced to be stricter with requirements to help balance the books. Some of the changes to cyber insurance requirements moving forward include:
Positive Correlations between Cloud Misconfiguration and Cyber Insurance Claims
In line with current trends, most enterprise organizations have jumped onto the cloud-native adoption trend. Unfortunately, most of the organizations adopting the cloud have poor security policies in place owing to cloud misconfigurations. The latter has emerged as a leading attack vector for data breaches which makes it a concern given that ransomware is a leading cause of cyber insurance claims.
As such, most insurers are likely to require that prospective policyholders have more stringent security controls and policies in place. Specifically, businesses seeking cyber insurance will be mandated to strengthen their cloud security postures and particularly show how they will minimize misconfigurations.
Organizations with Extended Detection and Response (XDR) Will Be Considered Less Risky
As highlighted, organizations are required to show their carrier of choice that they have effective cybersecurity policies and countermeasures in place. In the past, endpoint detection and response (EDR) was the go-to baseline cyber insurance requirement that most underwriters were looking for.
However, EDR has proven to be lacking as not all threats have their genesis at the endpoint. Specifically, web applications and emails have emerged as vectors for cybersecurity breaches.
That’s where extended detection and response (XDR) comes in. This is a multi-vector approach that helps collect and correlate data across multiple security layers. This translates to a better understanding of the chain of attack which trickles down to better response and remediation.
Given the superiority of XDR, experts anticipate that cyber insurance carriers will make it mandatory. The logic is that XDR translates to lower cyber risk, which means fewer claims.
Greater Inclination towards Vulnerability Prioritization
An effective patch strategy that’s creating ripples is vulnerability prioritization. The latter gives organizations comprehensive visibility into the attack surface. For underwriters, this demonstrates that the organization has made the appropriate investment into tightening its security. Moving into 2023, it’s likely that carriers will be more inclined toward organizations that can show they have centralized and proactive vulnerability prioritization strategies.
Refined Underwriting Guidelines by Working with Incident Response Services Providers
Most small and midsized businesses will often have to grapple with low resources and response. This will likely translate to security gaps which are a turn-off for most insurers. Specifically, underwriters are often unnerved by the lack of high-value data about security threats which then affects the underwriting guidelines.
To navigate this challenge, insurers are likely to require that such businesses bring in a second set of eyes in the form of incident response services providers. The latter is expected to ensure a faster and more effective response, thus lowering associated financial damages. In 2023, we’re likely to see these managed solutions be part of the cybersecurity insurance evolution.
This move is likely in response to most carriers shunning self-attestation. Specifically, most insurers are more comfortable working with businesses that leverage automation when it comes to evidence collection. While there are carriers, especially larger ones, that couldn’t care less about the automation prospective policyholders have around evidence collection, most still ask for higher premiums from customers who perform self-assessment questionnaires. Moving into 2023, businesses that are yet to move into automation should anticipate less coverage, more exclusions, and a host of other mandatory requirements slowly being rolled out.
2023 is likely to be a watershed moment when it comes to cybersecurity insurance. It should continue to be a massive market within the US even as concerns rise over increased premiums and more stringent exclusions. It is likely that in response, carriers will develop a unified standard for the qualification of cybersecurity insurance as well as offerings. A lot of the guesswork should be eliminated with more carriers onboarding more qualified security testers.
While the best practice is to avoid cybersecurity incidents, Agile IT can help your organization meet the most stringent requirements of any cybersecurity insurance policy through well-planned implementation of Microsoft 365 and Azure security tools.