Insureds share onus for sustainable cyber market: Marsh

Supporting a sustainable cyber insurance market is a shared responsibility between insurers and policyholders, and organisations seeking coverage must demonstrate a dedication to mitigating the impact of third-party risk to maintain broad coverage, Marsh says.

Marsh Specialty Pacific Head of Cyber Kelly Butler says underwriters have upped cyber assessments, ditching short questionnaires for comprehensive applications and separate ransomware queries.

Insured organisations lacking key cyber “hygiene controls” will have poorer outcomes while those that demonstrate cyber maturity are best placed to “withstand erosion” of coverage, she says.

“To maintain broad coverage terms and optimise economic utility, it is essential that insureds commit to cyber resilience,” Ms Butler said in a quarterly report on the latest cyber trends.

“Achieving a balance between insureds’ and insurers’ needs and expectations regarding cyber risk transfer involves a shared responsibility and, ideally, a partnership, notwithstanding the potential for friction between those that cede risk and those that accept it.”

Demonstrating cyber risk is strategically addressed within the organisation through good governance, comprehensive controls, and an aware cyber culture, is a competitive advantage as carriers reduce the capital dedicated to underwriting cyber insurance, she says.

Australia experienced a 15% increase in the number of ransomware attacks in the 12 months to October, and Marsh says insurers last year swiftly applied corrections to their cyber portfolios to stay ahead of deteriorating loss ratios in a “unique class of business that includes both short-term and long-term claims tails”.

Marsh observed indications that insurer combined loss ratios are around 100% for a number of markets and there remains excess demand versus supply.

Insurer cyber capacity contracted considerably last year, with many markets now capping their participation on an individual risk to $5-$10 million.

“This was particularly evident locally with a decrease in the number of Australian insurers able to write cyber on a primary basis, especially for mid-to-large sized corporations,” Marsh said.

Ms Butler says as the breadth of cyber coverage and its purchasers has grown, so have insurer concerns about accumulated exposure and systemic risk, and so they are adjusting risk appetite, underwriting methodologies, the composition of the product and support services offered to the insured.

“They do so in an effort to improve their portfolio’s profitability and set the stage for the long-term sustainability of the cyber insurance market,” she says.

Cyber risk quantification and pricing is a “daunting task,” she says, and pricing cyber risk in a way that is commercially viable with an uncertain future is challenging.

Insurer concerns over losses centre on aggregation, accumulation and systemic risk “amplified by a growing reliance on certain technologies and services,” set against a relatively small number of reinsurers and primary underwriters, resulting in a concentration of risk.

“Excess insurers are re-evaluating attachment points in layered programs and scrutinising the scope of underlying coverage,” she says.

Insurers are introducing limitations related to ransomware and contingent business interruption, liability from decisions around personally identifiable information, and via exclusionary language in relation to infrastructure, natural perils, government actions, and war. They continue to use ransomware sublimits and coinsurance as a risk-sharing mechanism to incentivise cyber controls and resilience.

“Buyers need to beware. Some insurers impose ransomware limitations on the entire policy, including liability exposure, while others focus solely on the ransomware payment and/or resultant business interruption losses,” Ms Butler says.

Supply chain risk is another key focus, with pressure from underwriters to possess a comprehensive view of third-party exposure and have controls and processes in place to proactively manage this, or face increased waiting periods and sublimits or coinsurance, Marsh says.