Aon warns of ‘great shift’ on cyber insurability
Insureds have to jump through ever-higher hoops to secure cyber insurance, with coverage not available at all for less-than-excellent risks
The cyber insurance market has experienced a “great shift” where only the best risks are able even to find cyber insurance, as carriers grapple with the soaring cost of ransomware claims, Aon has warned.
Brent Rieth, US practice leader in the broking giant’s errors and omissions/cyber team, said insurers are “paying far closer attention to the controls insureds need to have to be eligible to purchasing this insurance”.
Insureds face having to answer a “wide-ranging list of questions” before coverage is granted. Those that fail to provide convincing answers typically are refused coverage outright, rather than being asked to pay a higher rate, Rieth said during a webinar on the topic.
Criteria for refusal include a lack of multifactor authentication (MFA), endpoint threat detection and response (a cyber security technology that continually monitors an “endpoint” to mitigate malicious cyber threats), or a lack of back-ups.
The new criteria are the market’s response to soaring ransomware costs. By Aon’s calculations, there has been a 323% increase in ransomware claims frequency from the first quarter of 2019 to the fourth quarter of 2021.
“In contrast, there has been a 75% decrease in data breach privacy claims that we are seeing,” the broker said.
The ongoing Russia-Ukraine conflict has also raised fears of a new wave of cyber attacks. In 2017, the NotPetya ransomware was used by Russia to target Ukraine, which had a massive impact on companies around the world including WPP, pharmaceutical company Merck, Danish shipping firm Maersk and many others.
On March 28, US president, Joe Biden, said US businesses have a “patriotic obligation” to protect themselves from cyber attacks. Businesses must “harden [their] cyber defences immediately”, he said.
A recent study showed cyber attacks and data loss are the top risks facing company directors with cyber extortion and the growth of ransomware attacks a leading concern.
Some two-thirds of respondents to the survey of company directors around the world said cyber attack is very significant or extremely significant risk. A similar proportion said the same of data loss.
Around six out of 10 feared cyber extortion and around half were concerned about regulatory risk, the survey by WTW and Clyde & Co found.
In response to this more recent conflict, Aon has seen carriers bring in updated war and terrorism exclusions, sanctions exclusions and geographically specific exclusions.
“I believe the bar has been massively raised for insurability,” Alistair Clarke, Aon’s UK cyber broking leader, said. “No client should automatically assume themselves to be insurable in this market, as perhaps was the case in the past.
“We need to show continued iterative improvements on every renewal to ensure we can have continuity of coverage,” Clarke added.
Aon’s larger clients have benefited from having a greater range of responses available to them compared with smaller insureds.
“While our big clients have seen big price increases in most situations, I think they generally have more levers to pull than our smaller and mid-market clients,” David Molony, head of cyber solutions for Aon’s Europe, the Middle East and Africa business, said. “Whether that is higher retention, captive involvement or in certain circumstances just buying less limit.
“The mid-market doesn’t necessarily have that level of option and doesn’t have the ability to drastically reduce the limits in this market. So I think it is enormously challenging,” he added.