Cyber Market Commentary 2022
The cyber insurance market for Professional Services firms hardened significantly in 2021, in particular for renewals occurring from June onwards. The proliferation of ransomware attacks over the past two years (and in particular in early 2021) has led to underwriters reporting deterioration across their books, and it’s clear that what was once frequent is now severe, and more frequent than ever before. It’s not unusual to see ransom demands for more than £20m, and what has become clear is that payment of the ransom is only the beginning of the problem: receipt of the key does not necessarily solve it.

The costs incurred around handling such claims have become significant, and insurers are looking to address this through rising premiums and excesses, tighter coverage, reduced capacity, and more careful risk underwriting. A number of insurers have moved away from writing at a primary level, with a preference amongst some to sit excess of £5m or £10m, and most insurers looking to attach even higher than that.

Professional Services firms, in particular, are being scrutinised by cyber insurers who are concerned that the large amount of confidential information held by such firms makes them a more significant target for cyber-related attacks.

As a result of the above, the market is looking for more information from insureds than in the past, in particular around protecting against ransomware attacks. Insureds that can demonstrate strong cyber risk management procedures and show developments in those procedures year on year will be looked at favourably – the ‘flight to quality’ is real given the amount of new business still coming into the market, and insurers are looking to avoid having bad or marginal risks on their book. In the current market, insurers are looking to minimise exposure to ransomware attacks, and some insurers are including express exclusions to cover. Many insurers will no longer consider insuring a risk unless Multi-Factor Authentication is in place across the whole network, and there is a varying “Minimum Standards” list that most cyber insurers will expect insureds to meet just for them to offer terms.

As we progress through 2022, there are signs that the cyber insurance market is softening, and insureds can expect the following:

Continued management of capacity offered by lead insurers
Most cyber insurers have been looking to reduce the capacity that they offer on a single risk. Where some insurers were previously offering 100% participation on primary layers with up to £10m limits, most insurers are either looking to offer reduced percentage lines (e.g. 50% of a primary layer), or, if they are still willing to offer 100%, will only do so for a smaller limit, e.g. £3m. It is likely that to maintain an insured’s existing overall limit, new insurers will need to be brought onto their programme, potentially at higher cost.

Very limited appetite from insurers for writing new business at a primary level
There continues to be a limited number of insurers who will currently consider offering primary layer terms to our Professional Services firm clients – we currently see QBE, Brit, Axis, CFC, Beazley and Travelers as the most viable markets, and their appetite for writing new business will be shaped by tight requirements around the firm’s cyber risk controls. An insured will need to demonstrate strong risk controls just for the insurer to consider offering terms, and even with those controls some of the above listed markets (e.g. CFC) are starting to show a preference for a higher attachment point for certain types of Professional Services firms.

New entrants into the market have typically been excess carriers rather than primary, which sustains rates at a primary level given the appetite for Professional Services firm cyber is extremely limited.

Further increases in premiums / self-insured excesses
Insureds that renewed their cyber insurance from June 2021 will likely have seen dramatic increases in their premiums, with some firms seeing premium increases exceeding 200%, depending on how their expiring programme was structured. Self-insured excesses will have risen dramatically too.

Whilst the market is still in a positive rate environment, we have seen insurers softening increases on renewals that have already undergone dramatic corrective measures. Contributing factors include:

• The current impact of Ransomware claims reducing

• Rate adequacy across portfolios at a point where Insurers believe they can sustain losses

• Expected impact from the Russia/Ukraine conflict not materialising as first feared (yet)

Restrictions to cover
The 1 January 2021 Lloyd’s “silent cyber” initiative led PI insurers to exclude a number of cyber-related risks from PI policies. Most cyber insurers responded by adding a “professional services” exclusion to limit the exposure of the policy, and these continue in 2022.

• QBE (and we expect other insurers going forward) have restricted the “automatic acquisition” clause on their wording such that any acquired company must have:

○   multi-factor authentication on all remote connections and administrative accounts;

○   all software still supported by the producer of the software and/or still receiving security updates.

•  Other insurers will likely include express exclusions if certain risk management standards are not being initially met by the insured (e.g. excluding any extortion loss until full MFA is implemented).

•  The Russia/Ukraine conflict has put greater scrutiny on War Exclusions, if there wasn’t enough already. From March 2023, Lloyd’s will require standalone cyber policies to apply language expressly addressing cover provided for cyber-attacks carried out by states.

Insureds are strongly encouraged to ensure that their cyber risk controls meet the minimum standards set out in the Aon Cyber Minimum Standards document.