Ransomware claims rise highlights systemic exposure risks

Paul Handy, global head of cyber at Crawford & Company, assesses the factors driving current activity in the cyber market, the likely impact on claims and the challenge of addressing systemic exposures.

After a significant drop-off in ransomware attacks last year, the insurance market is starting to see an increase in criminal activity in 2023, with more sophisticated and targeted attacks and a greater frequency and severity of insured risk claims – albeit not yet at pre-Covid levels.

While good underwriting should counter any change in the current geopolitical environment that could increase cyber exposures, it is likely that in the second half of 2023, and going into 2024, we will see an increase in incidents and claims aligned to both cyber product growth and threat actor activity, reiterating the need for adequate cyber insurance protection.

The contraction of capacity in the cyber market and the firming up of underwriters’ cyber books last year resulted in higher rates, reduced availability of coverage and higher retentions/deductibles on policies which, coupled with a volatile geopolitical environment that saw state-sponsored threat actors turn their attentions elsewhere, has created a lag in claim volumes.

But as we see deductibles begin to come down again, more competitive rates and a corresponding increase in the number of cyber policies being purchased, this is likely to drive an uptick in the number of insured risk claims in H2 2023 and early 2024.

As cyber insurers move back into growth mode, the issue of systemic risk and potential surge events has come to the fore again, with reinsurance capacity for cyber business likely to involve much greater scrutiny of how systemic risk is being managed within insurance portfolios.

Whereas there may have been more of a one-size-fits-all approach to managing large corporate and SME cyber risks a few years ago, it has since evolved into two distinct products.

Generally speaking, large corporates understand their cyber risk better – and manage, mitigate and transfer that risk accordingly – so are therefore more interested in scope of cover and price.

In the SME space, cyber risk is less well understood and there is a greater reliance on outsourced solutions, with potentially hundreds of organisations simultaneously exposed to risks from a single software package if it is compromised. Managed risk solutions for SMEs, where insurers engage with customers from pre-bind and throughout the policy term to mitigate risks and manage potential exposures, are therefore becoming more prevalent.

Exposure to systemic cyber risk attaches most readily to SME insureds, and with the sheer volume of insureds who could potentially be impacted by a surge event, the (re)insurance sector could be facing some highly significant exposures.

With innovative solutions such as defined benefit policies for cyber business interruption, parametric coverages, coinsurance clauses for ransomware and widespread event clauses entering the market, new ways of managing overall risk and exposure are making cyber insurance more sustainable from a claims management perspective and are helping to limit overall exposure.

However, the breadth of cover that is currently provided under typical cyber insurance wordings still has the potential to make a systemic event very difficult to manage.

Continuing challenges around sanctions and war risks, increasing ransomware attacks and a continual drumbeat of social engineering, business email compromise and other crime-related exposures have driven insurers to make necessary changes to policy wordings. However, if the cyber insurance product becomes too complex, with a proliferation of exclusions, the value begins to fall away. An alternate approach is to provide more upfront clarity around what is and is not covered by a policy.

To that end, there needs to be assertive and easily understood coverage available to all insureds attaching to the more extensive or surge event. It is then the joint responsibility of all stakeholders in the cyber risk underwriting and claims management community to better map and manage claims processes with a view to delivering resolution and customer satisfaction, combined with effective mitigation of risk and exposure.