Over the years one of the virtues I have extolled about the Insurance industry is how quickly it evolves to meet new risks and by far the fastest moving risk I have seen develop during my career is cyber.
…Cyber Insurance has evolved quickly to keep up, although it may be that it ends up being a bit of a seesaw ride.
Insurers introduced specialist policies for computer software and data in the 1970s, initially for physical risks such as fire and theft, but it was the growth of the internet in the 1990s that literally opened up computer systems to the outside world and the risk of hacking and viruses.
It wasn’t too long before insurers appreciated the enormous potential worldwide exposure if the whole internet was brought down (possibly by a lone ‘bedsit hacker’) and in 2002 hacking and viruses were excluded from most policies covering computers and other property. Specialist policies were subsequently introduced for what were then known as electronic risks, initially only affordable for large corporates, but in more recent years cost-effective policies for most SMEs.
Back in 2002 the risks were viruses and worms, although they now seem ‘old hat’ and ‘Cyber’ has become the collective term to embrace the likes of social engineering, phishing and ransomware. However, the rapid development of new cyber criminality is such a massive problem to insurers that the next stage of the evolution of cyber insurance is a restriction in cover.
The first cyber policies generally provided a very wide blanket approach to cover, usually ‘All Risks’ subject to a few specific exclusions but the downside for insurers was it meant that they would be covering new developing cyber risks, often without the opportunity of advance assessment. However, that ‘blanket’ approach is changing with many insurers now specifying the risks they are prepared to cover such as viruses, phishing, ransomware and the like with the intention of not being exposed to currently unknown cyber risks.
There has been extensive marketing of cyber policies aimed at SMEs in recent years with the main message being that all companies of whatever size were at risk of cyber-attacks, not just the big corporates who were the subject of the large incidents worthy of media attention. That message has proved to be right with cybercrime becoming one of the biggest threats to many businesses, of all sizes, although ironically being right with the marketing message has also now meant a sea change from a number of insurers.
A few years ago, every insurer seemed to want to jump on the bandwagon of the growing cyber insurance market, but the number and cost of cyber claims have soared, particularly for ransomware during the pandemic, with the threat of worse to come in the form of Russian retaliatory cyber-attacks for the economic sanctions imposed following their invasion of Ukraine. Many insurers are now backtracking, with some running for the hills and we are seeing significant increases in premiums and much stricter underwriting of risks.
One of the major international brokers has recently warned that cyber insurance may only be available to the ‘best risks’ and that could be the case for big corporates requiring very large levels of cover. For SMEs, where levels of cyber cover are much lower, it is still likely to just be a numbers game with insurers trying to balance premiums to claims as they do with all insurances. We will probably see insurers impose conditions for minimum levels of cyber security and starting premiums as low as £250 will be a thing of the past, although assuming the market does return to profit, greater competition on premiums will no doubt return as well.