In today’s fast changing technological landscape, cyber risk is only going one way in terms of the rising frequency and severity of incidents, as is the cyber insurance market with higher pricing and constraints on capacity as it responds to the cyber uncertainty.
While these external factors can’t be controlled by large corporates looking to protect their balance sheet and brand from cyber-attacks, organisations can help take control of how they manage their own exposure, and how they present themselves as a risk when approaching the cyber insurance market for cover.
Cyber step change
In the last 18-20 months, there has been a step change in the cyber security environment. In terms of cyber insurance claims, Aon’s Cyber Insurance Snapshot reports a “typical cadence of three new matters per business day globally in 2020, up almost 100% from 2019”. The severity of those claims also climbed in each quarter of 2020, says the study, with many organisations experiencing eight-figure ransomware event-related losses.
Choosy risk selection and higher prices
The insurance market has reacted to these losses by re-engineering their books towards the best-in-class risks. That means improving their risk selection, reducing capacity, as well as putting up pricing. Aon’s Snapshot reports an average premium increase of 5-10% from 2019 to 2020, while in Q1 2021, more than half of the cyber underwriters surveyed were pushing rate increases of between 30-40%.
These are averages of course, and can vary significantly by insured – depending on what their starting premium was – but the insurance market is looking to find the right sustainable, technical price which, given the threat landscape is changing almost monthly, is some challenge.
Hot competition for capital
There is now hot competition for a finite pool of insurance capital covering cyber risks, and it’s only those, of the large businesses, that can differentiate themselves from their peers who will get access to that capital at favourable rates, or be positioned to procure any cover. Gone are the days when some businesses bought a cyber insurance policy without having to show any material evidence of their cyber security strategy. Now, it’s only those cyber insurance buyers who are able to clearly demonstrate that cyber insurance is just one element of their cyber security posture – the other critical pillars include, among others, technology, process and governance – who will be positioned to secure cyber coverage.
The underwriting submission is crucial
As a broker, we know that when it comes to renewal, the underwriting submission is crucial in helping to tell that story to underwriters and, in turn, providing us with leverage to help negotiate the best terms possible. But, it’s no longer just about an annual renewal either. What we’ve historically not done enough of as an industry, is to interrogate further what underwriters didn’t like about a risk post-renewal. It’s critical to change that mindset because underwriters are continually raising the bar in terms of the risks they’ll accept. What might pass scrutiny this year, won’t necessarily pass next year. To keep ahead of the threat, all clients must continuously improve, and it is important that we give them the opportunity to discuss their plans and roadmap as part of their submission.
Going back to underwriters to understand where a business can improve on their risk also creates the chance for firms to talk directly to their insurer and ask them what they’re seeing in the threat landscape. It’s an incredibly important opportunity for continuous dialogue and particularly relevant for a risk which can see as much change in a year as other risks, such as property, might see in ten years.
Mid-year touch points between broker, insured and insurer are also important to make sure there is a programme of continuous improvement in place. We can’t simply wait until each renewal given the speed of change in the threat landscape.
It’s vital that buyers work closely with their brokers to support a more strategic risk-based broking approach. We believe that clients who are supported not just by our broking unit but also our cyber solutions team*, which provides risk management and submission support, can help put themselves in a stronger position when facing the difficulties of today’s cyber Insurance market. But it’s also important to acknowledge that risk transfer is just part of the risk management strategy that larger, sophisticated businesses need to develop; a strategy that demands a more consultative, year-round approach from their broker to bring in services and advice on the other cyber security pillars of technology, process and governance.
For more information on managing the cyber security risk and insurance challenges download Aon’s Cyber Insurance Snapshot.
Aon UK Limited is authorised and regulated by the Financial Conduct Authority. FPNAT553. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.
*The following products or services are not regulated by the Financial Conduct Authority:
- Cyber risk services provided by Aon UK Limited and its affiliates
- Cyber security services provided by Stroz Friedberg Limited and its affiliates
Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.
This article has been compiled using information available to us up to 12/05/21.