Cyber is becoming a sophisticated insurance purchase and businesses must respond to help mitigate premium increases and cover restrictions.
In the last hard insurance market which occurred in the early 2000s, cyber insurance was rarely featured as a big issue for mid-market sized businesses; primarily because cyber wasn’t a class that had developed sufficiently in the UK. This time though, the rapidly increasing cost of cyber insurance is having a more significant impact on the mid-market sector due to the greater penetration of the product.
It means that, given these testing insurance market conditions, medium sized businesses will have to work harder with their broker to ensure they’re able to secure cover at an affordable price, without losing too much in terms of reductions in limits and restrictions in cover.
Insurers reach a tipping point
In the last 18 months, businesses have gone from seeing cyber incidents mostly related to business email compromise and data breach, to a significant uptick in ransomware attacks (by as much as 486% over the last 12 quarters); these attacks are often perpetrated by big, organised criminal organisations with the potential to inflict huge losses on the victims. In turn, insurers who were focusing on cyber as a development area have started to take big losses. According to Aon’s Cyber Insurance Snapshot report: “Throughout 2020, insurers reached, and in many instances surpassed, a tipping point as loss frequency and severity outpaced improved risk selection and limited rate increases.” With the key driver being “ransomware across all revenue segments, but primarily in the middle market segment”.
Consequently, we saw the market impose sizeable rating increases on claims free risks in 2020. This upward trend has continued into 2021 with 30-40% rises, with Aon’s Snapshot suggesting that more than one in ten are seeing rate hikes of between 40-50%. There is also a real problem in securing capacity for higher limits of around £10 million, with the market now dropping to more like £5 million in most cases.
In the light of their mounting losses, insurers have realised they need to ask for far more information from buyers, while also taking proactive steps to fully rate a risk which can include doing their own scans of businesses to look for cyber vulnerabilities such as open portals. What this means for mid-sized businesses looking to renew their cyber cover is a need to start the process around five months before renewal. Question sets from insurers are evolving almost weekly as new threats emerge and the data gathering required is now a hugely intensive process for businesses. Use of a cyber risk enterprise platform like Aon’s CyQu*, can provide real dividends in helping to alleviate resource hungry demands for information.
Cyber ‘sprinklers’ and ‘fire alarms’
Basic cyber hygiene is also a fundamental requirement for every organisation, whatever its size. Insurers want to see that a business has the right controls in place. In the same way that property insurance demands that adequate fire safety measures like a sprinkler and fire alarm are being used, cyber is no different. Underwriters are looking for how claims could occur and how the business is controlling that exposure. They might be looking at technical controls – such as network separation – for example, which are there to prevent the likelihood of an incident happening and to reduce the severity of the impact if an attack is successful.
Differentiate your risk
It’s clear that cyber is becoming a sophisticated insurance purchase, not just for large multi-nationals but also mid-sized firms. But, as it does so, its importance for businesses that don’t have the balance sheet strength to absorb losses continues to grow, particularly given the impact ransomware can have on business interruption losses. That means differentiating the quality of a risk from its peers can pay real dividends for businesses looking to secure cyber cover in this challenging market.
For more information on managing the cyber security risk and insurance challenges download Aon’s Cyber Insurance Snapshot.
Aon UK Limited is authorised and regulated by the Financial Conduct Authority. FPNAT555. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.
*The following products or services are not regulated by the Financial Conduct Authority:
- Cyber risk services provided by Aon UK Limited and its affiliates
- Cyber security services provided by Stroz Friedberg Limited and its affiliates
Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.
This article has been compiled using information available to us up to 07/05/21.
 Aon’s Cyber Insurance Market Insights Q1 2021