Insurance carriers have become stingy with cyber insurance. From non-renewals to premium hikes to policy restrictions, cyber coverage is simply more difficult to procure. Here, we explore the “why” and offer tips to become more insurable to underwriters.

Why is Cyber Insurance More Difficult to Obtain Now?

Cyber & data breach insurance used to be a one or two-page application for which nearly every business qualified. Today’s carriers, however, have added stricter underwriting requirements and shifted the entire marketplace. Here’s why:

Overwriting Risks Pre-COVID

Pre-COVID was an exciting time for insurance producers (salespeople) in the cyber insurance market. Every underwriter wanted a piece of the pie and was handing out coverage with just a basic questionnaire. Unfortunately, this party didn’t last forever. Carriers overwrote coverage and didn’t anticipate the consequences.

For context, underwriters generally target a 50% or lower loss ratio ([claims paid / premium dollars collected] x 100). And they were posting really good cyber loss ratios just before the pandemic:

  • 2017: 32.4%
  • 2018: 35.3%
  • 2019: 44.6%

But during and after COVID-19? A different story. 2020 and 2021 had 66.9% and 66.4% loss ratios, respectively. It finally leveled off in 2022 to 48% and then to 41.6% last year.

But even then, the recent decrease isn’t necessarily fewer claims filed. It is a combination of charging higher premiums and adding more policy exclusions where they don’t need to pay claims. For example, underwriters started adding provisions that wouldn’t pay for specific causes of cyber incidents, such as acts of war, insider threats, or unpatched systems and vulnerabilities. (some of the most common)

Unpredictable Cybersecurity Threats

If there’s one thing underwriters hate, it’s unpredictability. And no place says “unpredictability” more than cyber threat actors. Tactics, techniques, and procedures constantly evolve. When we think we have the perfect defenses deployed, hackers get creative and find new ways to exploit a vulnerability.

Unpredictability means a higher likelihood of attacks, and a higher likelihood of attacks leads to more insurance portfolio risk.

Increased Cyber Attacks

Insurance covers you for causes of loss. And with cyber insurance, those “causes” are cyber-attacks, which are trending upward. For example, there were 78% more data breaches in 2023 than in 2022, and a $1.1 billion spike in ransomware payments. Phishing attacks alone even grew 17% last year.
When the causes of loss and business cyber risk are up, it only makes sense to be cautious about providing coverage.

Business Infrastructure and Supply Chain Risks

Finally, business infrastructure is nuanced. Companies constantly add Internet of Things (IoT) devices to their tech stacks and have made remote work more customary (i.e., new attack vectors). There’s also more connectivity within the supply chain. So much activity happens through third-party vendors and outsourcing — demanding shared data systems.

Why does that matter? Supply chain risks get weird. Remember that part of cyber insurance is liability coverage. So, let’s say your business falls victim to an attack, and customers’ personal information is compromised. In that case, the policy pays for legal fees, compliance fines, settlement costs, third-party damages, and other similar expenses.

Now, what if a third-party business falls victim to an attack, but your data still gets compromised? How do you place blame and adequately divvy up liability costs? Supply chain risk adds a new layer of complexity for insurers, especially when one company’s data breach can compromise many.

Consequences of These Challenges

Looking to procure or renew a policy? Underwriters may put some roadblocks in front of you. Here’s how carriers have tightened standards for cyber insurance:

Businesses Can’t Obtain New (or Adequate) Coverage

Remember earlier when we mentioned that cyber insurance used to be a one or two-page application? It’s not quite as simple anymore. Today’s applications can be dozens of pages. And if you don’t check all the boxes for security controls, you’ll be denied altogether.

Last year, 28% of organizations with less than 250 employees couldn’t get a new policy. Plus, 67% of those who obtained a policy took at least four months to get their ducks in a row before the underwriter bound a coverage.

And if you’re lucky enough to get cyber insurance, it’s often loaded with exclusions (underwriters learned their lesson during COVID). For example, 44% of all cyber claims were denied last year, and carriers didn’t pay 27% of claims specifically due to exclusions in the policy.

Non-renewal of Existing Policies

If it’s renewal time, you may be unable to keep your policy. With cybersecurity threats up, 64% of insurers agree that the cyber insurance market will harden now and into 2025. A majority also believe that underwriting standards will go up. Ultimately, this has caused major, standard carriers to exit the cyber market slowly.

The result: Companies can’t get renewed and expose themselves to significant business cyber risk.

Many must look to surplus line carriers (non-admitted companies that take on high-risk policies) for coverage. In 2023 alone, for example, 59.2% of all cyber premiums were written by surplus carriers.

Skyrocketing Cyber Insurance Premiums

If you renew your policy, there’s a good chance you’re looking at higher premium rates. Surplus lines insurance is always more expensive since it takes on high risk and offers massive coverage limits. But even standard line coverage isn’t immune to price hikes.

Nearly 70% of organizations that renewed coverage saw cyber insurance premiums jump from 50% to above 100%. And while many companies were fortunate only to see an 11% hike in Q1 2023, the policy exclusions expanded — giving you less value for your insurance dollars.

Tips to Become More Insurable for Cyber Coverage

While it might appear like a bleak future for the cyber insurance market, many players are still looking to offer coverage as long as you check the boxes. And we’re here to set you up for success! With some of these basics, you can build a strong cybersecurity program appealing to insurance underwriters.

Implement MDR Services

Managed detection and response (MDR) services can strengthen your cybersecurity defenses. Through non-stop visibility of your IT environment and network activity, plus automated response, potential threats can be quickly identified and remediated before impact.

For example, our MaxxMDR offers 24x7x365 threat monitoring and detection services with zero-latency response. It boosts your security posture and allows your business to become a highly appealing risk for cyber insurance underwriters.

Regular Security Audits and Assessments

Regular security audits, gap analysis, risk assessments, and attack simulations via purple teaming showcase your proactiveness in cybersecurity. Rather than waiting until an actual attack to make adjustments, underwriters love to see that you’re constantly taking action to lower business cyber risk.

Robust Incident Response Planning

Many insurance carriers want to see a documented and practiced incident response plan. While cybersecurity threats will constantly target your business, being able to respond quickly can reduce an incident’s impact. This ensures underwriters that even if an attack is successfully delivered, it won’t necessarily add a lot to the loss ratio.

Cyber Insurance: A Must-Have for Cyber Resiliency

Cyber insurance is your last defense to protecting your bottom line during a data breach. While the insurance market isn’t as flexible as pre-COVID, you can still take steps to make yourself more appealing to underwriters. A combination of MaxxMDR and its Cyber Resiliency services, for instance, can help you prepare for and withstand cyber threats while increasing insurability.