Cyber insurance broker sees changing coverage terms -- Part 1

Young Asian male frustrated by ransomware cyber attack
zephyr_p - stock.adobe.com

Insurance claims for cybersecurity losses or breaches are on the rise. Ransomware attacks increased after the 2020 pandemic. This has brought increased interest in offering coverage against cyber incidents and cyber system failures like Crowdstrike. Jennifer Wilson, head of cyber at Newfront, an insurance brokerage, spoke with Digital Insurance in early November about the rise of MGAs offering cyber coverage, the ways the terms of coverage are changing and how Newfront brokers terms for coverage with insurers. 

This is the first of two parts. This article is excerpts from the interview, edited for clarity.

What does the cybersecurity risk landscape look like?

Jennifer Wilson of Newfront
Jennifer Wilson, head of cyber at Newfront.
We're in this chase, and the threat actors are ahead. Every time they evolve and come up with a new type of attack mode, the insurance company is braced with, okay, how do we manage that? What are we doing? How are our policies rated for this type of risk, or are they rated for this type of risk? 

A perfect example was the onslaught of ransomware claims that happened following the pandemic. The insurance market was not prepared for that. They weren't priced for it. They weren't looking at the proper controls to manage the risk. The claims came fast and furious, and have turned the market upside down. 

Ever since then, the threat actors are evolving. They're finding new avenues, new pathways, to exploit businesses and garner financial reward. Every time they do that, the cybersecurity companies come in, and the insurance companies get together and they figure out how to thwart that, minimize it or reduce it. Insurance companies are saying, Okay, we're paying too much in claims here. Let's draw back coverage a little bit. So they're revising their language to limit the coverage. 

How does this play out in coverage terms and competition among insurers?

Every business out there is saying, we need coverage. The coverage is selling itself. New companies are out there saying, I want a piece of that. We're seeing MGAs popping up left and right, and they don't have claims history in the background. They say, I could write that policy for you for $50,000 less, $100,000 less, $200,000 less. Standard markets that have been around for years have a history of claims to manage. They can't get down that far, and so all these new entrants are driving rates down to the bottom. The problem with that is, while they don't have the claims history that's forcing them to increase rates, they also don't have the premium history to withstand any type of significant cyber event. 

A lot of these new MGAs get started by focusing on a specific industry and building their book of business that way. If that particular sector of business gets hit, now that MGA is getting whacked with a massive aggregation of claims. 

The standard markets or the long-standing markets are trying to keep up with them because they don't want to lose business. We are in a place where all the insurance companies have driven premiums and rates down so low for two consecutive years, but the claims have increased month to month. That's not sustainable.

How are established insurers reacting to this climate?

We're going to start to see the markets drive rates up. In the meantime, carriers are revising their policy language every three to four months. Prior to the pandemic, they were revising policy language every three to four years. 

Organizations need to work with a seasoned, skilled cyber broker because we follow the language as it's coming out, and we're working with markets to establish a mandatory language. We tell key markets that we work with what language we want. We work with markets that give us the coverage we want at a competitive rate. We're not price shoppers. We're coverage shoppers. We want to make sure when there's an event, our clients have the right coverage in place. 

For example, we've seen an insurer offer a $10 million limit option at a lower quote than every other quote we had. I looked at the quote. It was a $10 million limit aggregate, and all of the critical coverages that would be triggered in any type of significant cyber attack were sublimated to $1 million or $5 million. It was presented as a $10 million limit quote. It wasn't. I'm sure that's happening all over the place. Organizations don't have the wherewithal to read these quotes and read all the fine print, so they're relying on the broker. They have to make sure the broker they're working with has this expertise.