Cyber insurance broker seeks better coverage terms from insurers -- Part 2


Insurance claims for cybersecurity losses or breaches are on the rise. Ransomware attacks increased after the 2020 pandemic. This has brought increased interest in offering coverage against cyber incidents and cyber system failures such as the CrowdStrike event. Jennifer Wilson, head of cyber at Newfront, an insurance brokerage, spoke with Digital Insurance in early November about the rise of MGAs offering cyber coverage, the ways the terms of coverage are changing and how Newfront brokers terms for coverage with insurers.

This is the second of two parts. The article consists of excerpts from the interview, edited for clarity.

What’s the risk of carriers pulling back on provisions of policies?

If a new type of cyberattack hits, or a new exposure is exposed, insurance companies will say, we're not prepared for that. Or they'll get hit with a ton of claims in a specific area, and they'll limit exposure for that type of event by pulling coverage back or adding exclusions. Brokers then shift to carriers that will give us what we're looking for. When these carriers realize they're losing a ton of premiums, they have to add that coverage back on.

Because of the Change Healthcare and the CrowdStrike events, dependent business interruption is a big exposure for the markets, and they're paying a lot of money related to that. So a lot of carriers are limiting their coverage for dependent business interruption.

If terms can be changed every few months, are policies still written for one-year terms?

Policies are typically written for a year. We've been successful in negotiating renewal guarantees where we reserve that policy form for two years, but it's generally 12 months. Even if that carrier changes their policy form within that 12-month period, that policy does not change. We just know at renewal we'll be getting the new, revised version, so the policy does not change during that 12-month period for that particular client. But if you have a renewal, once there's a change, you're stuck with being revised.

Do carriers have the appropriate coverage for different risks coming along?

The markets are still trying to figure out their comfort level with coverage. Again, that's driven by claims. AI is adding a wrench in this, in that AI is creating some new exposures that were not contemplated before, and are not affirmatively covered in policies. There are some that are coming out with new policy terms specific to AI. It's just happening right now.

AI risk is going to change how policies are written. This is going to be an exposure we're going to see with all these tech-centered companies, and we need a solution for them. 

How much of a factor is AI in cyberattacks?

It's a consideration. The biggest concerns with AI are copyright infringement and bias. AI is certainly giving unskilled hackers the ability to pull off sophisticated attacks like the $25 million fraud that succeeded because of the deepfake video. We're going to see threat actors leveraging AI to increase the scope and scale of attacks to a point that we never thought [possible].

Where is the cyber insurance specialty market headed?

We're going to learn from these claims. The claims will continue to evolve, but cybersecurity is also going to continue to evolve. We will get to a place where we're not always behind the threat actors, and maybe we're in lockstep with them, and hopefully, at some point, get ahead of them so we can prevent more, rather than react.

The problem the good guys face is that we have to deal with regulators, and we have to deal with lawyers who are making sure the policy language is appropriate and all of that. And the threat actors are just wheeling and dealing and moving fast as lightning.

How long may it be for these various gaps to be sorted out? Will there be a year or two for insurers to decide what they’ll cover?

Most of the seasoned brokers are negotiating a mandatory language, and they're saying, 'hey, carrier, look, you want to write this business and you understand their operations, their business model. We need to cover this exposure, and your policy doesn't currently do that. Here's language we recommend.' They give that to their lawyers, and they eventually will amend the policy language to cover that particular risk. That's already happening. Eventually, this language will be incorporated by the carriers. That is going to happen a lot slower than the one-offs. 

Cyber policies vary by insurer, and coverage can vary based on the endorsements added to the policy. There are some key coverages that are currently excluded by many insurers. A few examples are wrongful collection, pixel tracking, and biometrics. An insurer will look for a significant premium to remove the exclusions or offer the coverage. Larger companies are willing to pay for that coverage. Some smaller companies might be in a minimum premium range and not worth the risk for the insurer, meaning the insurer is paying out more than they are taking in. The potential loss ratio equation might not make sense.