31 January 2024 | Risk Management

Cyber insurance: how to achieve sustainability in volatile market

Cyber insurance is at a key moment, faced with deeper and smarter attacks in the form of ransomware threats and phishing attacks, and with the withdrawal of some capital from the market. Premiums are responding with rising rates, driving the question of whether the space is insurable at all.

Charles Clarke, Director, International Sales (EMEA) of SecurityScorecard, will speak at the plenary panel titled “Navigate market cycles, volatility and ensure sustainability in the evolving cyber insurance landscape” at the Cyber Risk & Insurance Innovation Europe event being held in London on February 8, 2024.

Specialising in helping insurers and brokers utilise rating technology and threat intelligence in their underwriting and client advisory work, SecurityScorecard allows clients to easily identify cybersecurity risks across their digital footprints. Clarke is an experienced leader in digitising insurance, global client management, analytics, strategy and business development, with insurance and risk management experience from previous roles at Moody’s RMS and Willis Towers Watson.

The plenary panel session will discuss how insurers can remain viable, relevant and sustainable for large and small organisations, as well as outline how tighter and expanding regulations around data, privacy and technology are impacting organisations and how the cyber insurance market is responding to these developments. 

With such unprecedented change in the type, speed and number of cyber attacks, what role is innovation playing and how is the insurance market responding at a time when there is a lack of data on cyber attacks and questions over the quantification of risk?

Ahead of the plenary panel, Clarke discussed his thoughts on these important issues, outlining the next-level response that is needed. 

How has the cyber market developed and what do you predict is likely to happen in the future?

In comparison to the property and casualty market, cyber insurance is in its infancy, but in comparison to a product such as terrorism insurance I see it as more of a teenager. Cyber insurance market rates are seemingly not forecastable enough to lead to a steady rate projection for 2024 and this will lead to a dynamic yet unpredictable market flow for 2024. 

In Europe, the Middle East and Africa (EMEA), there has not been enormous growth in cyber insurance uptake, but key insurers in the UK, the Nordics, France, and Italy have recognised the importance of cybersecurity at the board level and are aligning cyber insurance products accordingly. Brokers are doing a very good job of pivoting from pure transactional, price-driven entities, into a more consultative part of the market, bringing real value all the way from SMEs through to mega enterprises. 

In addition, the cyber market is embracing technology and real-time data feeds from companies such as SecurityScorecard, enriching their understanding of clients that isn’t simply based on rating, but on complex patching cadence, common vulnerabilities and exposures identification, and supply chain management.

Is cyber on the brink of becoming uninsurable, or did rate increases and strict underwriting requirements lead to a more competitive rate environment in 2023?

I believe sustainability will come from diversification of capital, reduction in line size (there is enough direct capacity in certain parts of the market to cope with this), and a movement from excess to primary (and possibly vice versa) for those insurers with changing or expanding risk appetites. 

We still haven’t seen the impact that European legislation such as the Digital Operational Resilience Act and the Network and Information Security Directive (NIS2) will have on the insurance offerings and whether self-insurance or captive insurance could become more central in the coming year or two. 

What issues are hindering growth?

I don’t see these things as hindering growth, but collaboration between companies, unification of questionnaires, wordings and quota-share underwriting would lead to better growth. Underwriters who are trying to be the leaders, for leadership’s sake, are hindering growth. Having their own question sets, wordings, and dictating their individual business model to clients could have detrimental effects on growth as the market potentially hardens, or at least fluctuates. The market should be concentrating on unification of purpose.

What is the impact of state-sponsored attacks, and how do you view the intersection of geopolitics and cyber risk?

There is no doubt that geopolitics and cyber risk are interlocked. Cyber attacks in Ukraine, Russia and Israel and other areas in the Middle East are clear examples of this. Having said that, due to their anonymous and dark nature, cross-border political attacks will increase—and not necessarily from a wartime position. 

An example would be pro-Palestinian sympathisers in the US or Europe focusing attacks on Israeli infrastructure, or entities seeking to disrupt the 2024 US presidential election from outside the country. There are already concerns about hostile actors running phishing and smishing attacks through fake surveys, among other strategies. 

How do tighter and expanding regulations around data, privacy, and technology impact organisations, and how is the cyber insurance market responding?

Regulations in cybersecurity are lighting a fire under board members who could be held personally accountable for company failure, data loss, and distributed denial-of-service attacks. Their D&O and E&O insurances become linked to their cybersecurity and, therefore, cyber insurance. With the help of security ratings and continuous threat intelligence monitoring of companies’ supply chains and entities, companies can upskill quickly to meet the increased demands of regulatory and government scrutiny.

What do challenges such as rising rates, ransomware and conflicts mean for innovation in cyber? How is the insurance market responding and what are some of the barriers to innovation and change?

Innovation in the insurance market is a much-argued topic, focusing on the true definition of innovation. Setting up lineslips and binders is not technically innovative, neither is using platforms such as PPL or Whitespace—which should be the norm by now for processing and compliant transactions. 

However, innovation can, and should, come from brokers and underwriters partnering with (or acquiring) the technology, or threat intelligence companies that spend their days searching for, monitoring, and eradicating threats from the cyber landscape. 

Such innovations include premium incentive programmes to maintain high cyber hygiene, continuous underwriting, and managed services for customers of insurers to contract out a customer’s cyber resilience. These are things that I see coming in 2024, led by companies such as SecurityScorecard.

Register for your place at the Cyber Risk & Insurance Innovation Europe 2024 conference at America Square Conference Centre in London on February 8, 2024, and discover how to achieve sustainable insurability and sufficient capacity in a volatile market, with 200+ attendees and 50+ expert speakers covering 20+ sessions.