Solving the cyber insurance capacity crunch

According to the UK National Cyber Security Centre's annual report, there were three times as many ransomware attacks in the first four months of 2021 as there were in all of 2019. This costly ransomware spike, combined with increased demand for the product amongst corporates, pushed the cyber market into the red, and insurers responded by raising prices.

Higher risks, higher prices in 2021

Rates in continental Europe peaked in the fourth quarter of 2021, with average year-on-year increases of 90% and some companies paying up to 300% more for coverage.3 Similar trends occurred in other jurisdictions globally, such as the United States. As a result, cyber insurance buyers faced a difficult market in 2021.

Higher risk resulted in fewer insurers offering cyber capacity, and the high rates prompted certain price-sensitive buyers to reconsider purchasing the cover even when offered it.4 There has also been an increase in high-profile disputes as to coverage. Insurers’ attempts to cement cyber cover as part of "Business As Usual" insurance programs hit a stumbling block in 2021.

Decreasing UK/European risks in 2022: market circumstances

In the short term, market conditions are lowering the risk profile of cyber insurance as a product, at least in relation to exposure to third party liability. Data leaks are common as a result of cyberattacks; however, the legal fees for individuals bringing private damages claims typically outweigh any monetary damages awarded.

The UK Supreme Court went a step further in 2021, prohibiting class action lawsuits for data breach claims.5 If other markets follow suit, cyber insurance providers will most likely face lower pay-outs for third party claims arising from cyber-attacks and incidents.

"Silent cyber" coverage in non-cyber policies has been a thorn in underwriters’ sides for a (relatively) long time. In a move which is contrary to attempts to limit cyber coverage in non-cyber policies, in the UK, the Solicitors Regulation Authority (SRA) announced the addition of a new clause to the minimum terms and conditions of law firms' professional indemnity insurance (PII) policies. The clause explicitly includes cybercrime coverage, causing losses to third parties and law firms’ clients.6 Law firms will need to continue to look to the specialist cyber market to obtain coverage for their own “first party” losses.

Market movements may decrease insurers’ exposure somewhat, but it is clear that price increases, higher deductibles, lower limits, and coverage restrictions will be needed to usher in a return to profitability in the cyber insurance market. Insurers will need to pursue this while staying aware of the reality that buyers in this developing market will not accept further price increases.7

Long term solutions

Many businesses continue to prioritize cyber insurance despite market turbulence. However, as the volatility of 2021 may well return, the market needs long term pricing solutions.

These may be found in Insurance Linked Securities (ILS) and increased use of co-insurance models. For the cyber market to remain viable and price-competitive, insurers and their customers need a new pool of capital to help address the risk of large, generally unlikely (but possible) cyber catastrophes. ILS could offer that alternative capacity in the same way that it has for many years in the natural catastrophe market.

ILS carriers may be drawn to the cyber market by the prospect of using catastrophe-type reinsurance structures (covering large scale, infrequent events) in order to generate adequate returns for their investors while assisting insurers and reinsurers in managing their overall risk more effectively. 

Similarly, co-insurance models manage risk by making the insured responsible for a greater proportion of the exposure alongside the insurer, an approach which insureds may be willing to adopt in the interest of keeping prices down.

 

Authored by Jamie Rogers and Charlie Shute.

 

1. NCSC Annual Review 2021.pdf

2. UK_Cyber_Insurance_Trends_H1_2021_Report.pdf

3. https://www.commercialriskonline.com/european-cyber-pricing-to-stabilise-in-h2-says-marsh/

4. The Cyber Insurance Market Needs More Money (hbr.org)

5. https://www.supremecourt.uk/cases/docs/uksc-2019-0213-judgment.pdf

6.https://www.sra.org.uk/sra/news/press/2021-press-releases/pii-cybercrime-clause/#:~:text=The%20clause%20means%20insurance%20policies,scope%20for%20a%20potential%20claim

7. https://www.commercialriskonline.com/european-cyber-pricing-to-stabilise-in-h2-says-marsh/

8. The Cyber Insurance Market Needs More Money (hbr.org)

Contacts
Joke Bodewits
Partner
Amsterdam
Peter Marta
Partner
New York
Jamie Rogers
Partner
London
Paul Otto
Partner
Washington, D.C.
Eduardo Ustaran
Partner
London
Charles Shute
Senior Associate
London

 

This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2022 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.