After two years of massive rate increases, cyber insurance market pricing has been softening and transitioning into a buyers’ market, according to a new report by Aon Plc.
In 2021 and 2022, 100% rate increases for cyber liability insurers were common, but a number of factors are finally starting to drive rates lower.
Experts recommend that risk managers take advantage of the price softening to refocus on their cyber security protocols so that if rates turn again, they’ll be better able to make their case to insurance company underwriters.
For businesses that have been on the fence about purchasing coverage, now is a good time to consider it as the corporate cyber threat is not going away and new types of cyber attacks could be coming in the future.
According to Aon, there are a number of factors that have contributed to more favorable rates:
More capacity — New companies have entered the cyber liability market and those that left the market have returned, bringing more capital and competition. As more players enter the market, prices are softening as they compete for business.
Reduction in attacks, costs — There’s been a marked decline in both the frequency and average cost of cyber claims. One of the main reasons for this is that businesses continue strengthening their cyber security risk controls and are doing a better job at training staff in how to identify malicious e-mails.
“Loss frequency continues to decline from its peak in 2021 but remains higher than 2019. However, ransomware frequency increased sharply, up 49% in the first quarter of 2023,” Aon wrote in its report.
More cyber gangs dismantled — Additionally, a number of large cyber gangs have been taken down in the last year, including:
- In January, the FBI and international partners dismantled a network of a prolific ransomware gang they infiltrated in 2022. The FBI estimates that the action saved the gang’s targets a potential $130 million in ransom payments,
- In February, Spain’s National Police and the U.S. Secret Service dismantled a Madrid-based international cyber-crime ring comprised of nine members who stole over $5.4 million from individuals and North American companies.
- European and U.S. police in May dismantled an international crime gang that used malware to steal $100 million from tens of thousands of victims, in the United States and five European countries — Bulgaria, Germany, Georgia, Moldova and Ukraine.
According to the report, companies that have in place strong security measures are likely to reap the benefits in terms of lower premiums. Many insurers scrutinize measures and may pass on the account if they feel they are inadequate.
The takeaway
Aon predicts that companies in the U.S. will see sustained cyber insurance rate decreases throughout 2023, due to more insurers entering the market and lower claims payouts than in prior years.
Ransomware and phishing e-mails continue to be the biggest threats businesses face and despite a slowdown in attacks, the criminals are still staying busy.
Advice from an expert: Bryan Hurd, the vice president of Aon cyber solutions, said during a session at the Public Risk Management Association’s annual conference in March that the main security measures underwriters look for when pricing policies include:
Multifactor authentication — Without this simple protocol, an insurer is likely to pass on the account.
Access control — Access control is a data security process that enables organizations to manage who is authorized to access corporate data and resources. Secure access control uses policies that verify users are who they claim to be and ensures appropriate control access levels are granted to users.
Endpoint security — Endpoint security monitors end-user devices to detect and respond to cyber threats. This is especially important for companies who have employees that use smart devices that access their database.
Business continuity testing — Companies should be running trials of what would happen if they were hit by ransomware. You should know how long it would take to get up and running after an incident, and how to do so.
Tabletop testing — The tabletop exercise is a verbally simulated scenario that mimics a real cyber security incident which could have a damaging impact on your business continuity. A Cyber Attack Tabletop Exercise is conducted by a highly experienced cyber expert who creates relevant attack scenarios for your business.