A new note from WTW says that increased competition from cyber underwriters has led to more nominal rate increases when organisations can demonstrate good cyber security controls year over year.
The firm said in its note that these cyber underwriters were eager to write new business following the recalibration of cyber rates in 2021. WTW went on to say that primary and excess cyber renewals are now averaging more nominal premium increases in the flat to +25% range and there are signs of capacity beginning to broaden.
WTW also wrote that while Q1-Q4 2021 renewals were in the +50% to +200% range, Q1-Q2 premium increases were less pronounced.
It also said that increases will still be steepest for those organisations that cannot demonstrate strong cyber risk controls, culture and overall cyber hygiene. Financial industries, which are more highly regulated, have seen rate increases at the lower end of WTW’s predicted range.
Underwriting decisions, WTW said, are heavily influenced by the security controls a company has in place in conjunction with pricing and attachment points.
WTW wrote: “Although many carriers are starting to communicate that they are open to putting up more capacity for certain risks, we are still waiting for this to become a reality. There are real signs of strong competition among markets, as we are often receiving two to three quotes for certain risks. Incumbents are eager to retain business.”
Although there are finally signs of losses slowing some, WTW said ransomware and the potential for other widespread events continues to be a concern. It pointed to research by Coveware, saying that the median ransomware payment decreased by 51% in Q2 2022 over the prior quarter.
WTW added: “Cybercriminals are targeting companies in every business segment with ransomware attacks. As these attacks become more sophisticated, threatening a firm’s entire electronic infrastructure, ransom demands have increased — often reaching eight figures. Data breach costs remain highest in the U.S., where the average cost of a data breach in 2021 was $9.05m, up just under 5% since 2020. For the eleventh consecutive year, healthcare data breach costs were the highest, increasing from an average total cost of $7.13m in 2020 to $9.23m in 2021, a 29.5% increase. Ransomware attacks cost an average of $4.62m, more expensive than the average data breach ($4.24m).”
In order to highlight potential vulnerabilities, certain carriers are relying more heavily on cyber security consultants for technical expertise as well as on third-party scanning technologies. WTW said carriers are continuing to require supplemental applications for ransomware and other common events as there is increased concern around systemic losses and the potential impact they could have on the broader marketplace.
Meanwhile, WTW said markets continue to constrict coverages to limit their exposure to regulatory risk, ransomware losses and other widespread cyber incidents, and they look for new ways to underwrite cyber risk.
It added: “Largely in response to the E.U. General Data Protection Regulation (GDPR) that went into effect in May of 2018 and the subsequent trove of data privacy legislation introduced across the U.S., most notably the California Consumer Privacy Act, we are seeing cyber markets pull back on offering wrongful collection and compliance coverage. Certain markets have added broad SolarWinds and Log4j exclusions to their policies, making it essential for organizations to report notices of circumstances if either they or one of their vendors use or used the software.”
It went on: “Certain carriers have taken the drastic approach of splitting coverage into either widespread/catastrophic cyber events or limited impact events, which leaves open the possibility of applying co-insurance, sublimits, retentions, and timing factors to calibrate the exposures on either side of the split.”
