Cyber insurers warned of buyer push-back as market hardens

The combination of hard market conditions and reduced capacity in the European cyber market could lead to a change in buyer behaviour, industry experts warned.

Cyber insurers in the region have been grappling with losses arising from increasingly dangerous and sophisticated cyber attacks, putting pressure on the sector’s profitability. While some have exited their positions in cyber as a result of these losses, those that have remained have increased rates and made greater cyber security demands of their clients.

Alistair Clarke, Aon’s UK cyber broking leader, said buyer behaviour could be considered a threat to the sector. “The market needs to be very careful not to create a situation where many buyers question the purchase of cyber coverage altogether,” Clarke said.

This could see the larger, more sophisticated and well-funded buyers reducing limits or stop purchasing cyber insurance altogether.

“In so doing, the market would be left with less quality risk in their portfolios, which is the exact opposite of what the market needs at this time,” Clarke said.

It comes as sector faces rising loss ratios from increasingly sophisticated cyber-attacks, such as from ransomware, which had led some carriers to exit their positions or reduced their cyber exposures.  Insurers are also placing increasingly stringent cyber risk management requirements on buyers when taking new business on board as a measure to prevent attacks and further losses. 

“We have seen European companies on a real charge to get their security controls to a level that meets insurers’ requirements,” Debbie Hobbs, Miller’s head of cyber, technology and media, said. “Due to the increased number of losses, most insurers are only looking to write companies with best-in-class controls. We’ve seen an uptake in requests for cyber insurance from European markets.”

Coupled with a period of rate correction in the sector over the past 18 months, clients will have to show they are able to collaborate with their insurers on their security measures.

The European cyber market has traditionally been behind the US, but European privacy regulations that were implemented much later than in the US are now accelerating demand for cyber cover. 

Last year the European cyber market underwent rate corrections as insurers saw excess coverage layers were severely underpriced and this has filtered down to lower layers. James Burns, CFC Underwriting’s head of cyber, said: “The days of cheap excess primary layers seem to be well and truly over.”

“What we’re seeing now is organisations finding it hard to build the towers they want and we’re seeing a real lack of appetite for primary layer business among some insurers,” Burns said. “All insurers are responding to the ransomware epidemic and increasing rates as part of their arsenal to try to combat that.”

The cyber market, Burns added, has “taken a pause” as insurers review the performance of their books. 

Cyber insurance can no longer simply comprise the provision of a policy, with insurers adding risk prevention elements to the products they offer, which will also protect their loss ratios, Burns added.

Dave Harvey, FTI Consulting’s head of cyber security, UK, said insurers have been forced to respond to the loss increases by “placing more scrutiny and importance on the cyber readiness” of their clients.

These new measures could include tighter security controls, such as offline back-ups, multi-factor authentication logins and cyber security training for employees.

“Risk management in cyber security insurance carefully balances the evolving threat environment against the risk exposure of its portfolio,” Harvey said. “To do that, the first steps are to identify the threat and understand your own exposure.”