
Quarterly Cyber Insurance Update: August 2023

By David Breg, Deputy Research Director, WSJ Pro. Aug. 25, 2023 5:33 pm ET


In this quarter’s update we look at new Securities and Exchange Commission cyber rules that may increase insurance risks for corporate directors; how new technologies such as artificial intelligence are helping assess a company’s cyber risk profile; and does having a cyber insurance policy increase the likelihood of being a victim of a ransomware attack?

Premium Prices Decline Slightly Following Several Quarters of Increases

Cyber insurance prices in the U.S. declined 4% year over year on average in the second quarter of 2023 according to insurance broker Marsh. This is a significant change from the second half of 2021 and first half of 2022, when each quarter’s year-on-year increase ranged from 79% to 130%. In a statement, Marsh said “coverage generally continued to broaden, including in some instances the removal of coinsurance requirements and increased sub-limited coverage enhancements, while insured [companies] with improved cybersecurity controls were generally able to negotiate lower retentions.” 


U.K.-based Howden Insurance Brokers reported that cyber insurance prices globally dropped around 10% in June compared to the year before, due to claims being smaller than expected.

Corporate Directors May Face Insurance Risks Following New SEC Cyber Rules

Recently enacted cybersecurity rules issued by the U.S. Securities and Exchange Commission could introduce new risks for board directors at public companies and their insurers. The new disclosure rule, which was announced in late July, could serve as a roadmap for shareholder lawsuits against a business’s leadership if a security incident occurs. Whether a company’s directors and officers (D&O) insurance, which provides coverage for key corporate officials if they are sued by investors and other stakeholders, will provide protection if SEC cybersecurity disclosures are used as grounds for a claim will vary by policy, with the new rule likely to cause insurance carriers to revisit what they will cover. It’s likely both that D&O policies will have exclusions for cyber-related incidents and that cyber policies will have D&O-related exclusions.

“Public companies may soon find themselves in the ‘worst of both worlds,’ where neither cyber nor D&O policies pay for legal bills over SEC investigations and investor lawsuits,” according to Steven Weisman of law firm McCarter & English in a Bloomberg Law report.

Insurers Adopting AI to Develop Risk Profiles

Innovation within the insurance market includes businesses finding new ways to assess risk and devising alternative routes to coverage. Among the new approaches is artificial intelligence, which can enable insurers to analyze policyholders’ systems and assess where cyberattacks could succeed. The resulting risk profiles are incorporated into their underwriting.

An example of a startup that’s adopted this approach is Resilience Cyber Insurance Solutions, which raised $100 million in a recently completed Series D funding round. A key component of Resilience’s approach is to effectively lease underwriting capacity from partner carriers and use methodologies Resilience has developed to write policies, with AI at the forefront. “We’re starting to see the signs of this [approach] working. Our clients are resilient, they’re not paying the ransomware losses,” Vishaal Hariprasad, the company’s chief executive, said.

An indication that AI is becoming a tool for the broader cyber insurance industry came at the National Association of Insurance Commissioners meeting in mid-August, where the draft paper “Use of Algorithms, Predictive Models, and Artificial Intelligence Systems by Insurers” was the primary topic of conversation for the organization’s Innovation Cybersecurity and Technology Committee.

AI Will Reduce Underwriting Bias and Support Growing Sector

Hartmut Mai, president of Cyberwrite, which helps insurance brokers and carriers gain insight into risk for companies seeking cyber insurance, told WSJ Pro Research that “most carriers are trying to move from a more qualitative approach to underwriting to a quantitative one to avoid underwriting bias.” This is where AI is becoming a significant trend.

Underwriters need support because there is simply not enough data to underwrite cybersecurity, and to model the likelihood a company will have a breach during the next year is simply impossible for the human brain to do. This is where AI comes into play.

— Hartmut Mai, president of cyber risk modeling firm Cyberwrite

Mai explained that underwriters have relied partly on paper questionnaires to compile data and mainly on “gut feel” to assess the cyber risk of companies, which can lead to an underwriting bias. To reduce this bias, he said, it’s necessary to look into thousands of data points to better understand the cybersecurity posture of a company and provide a benchmark to help understand how a company compares to its peers. The human brain can’t deliver this and “AI provides analytical support for the underwriters rather than a mechanism to make them redundant,” according to Mai.

An important but overlooked point Mai described is that “cyber [insurance] experts have an average of just three years experience in this specific field while the vast majority of underwriters come from other lines of business and are injected into the cyber world.” This lack of experience and specific expertise combined with the rapid growth of the cyber insurance industry, which is expected to reach between $50 billion and $80 billion by 2030, will necessitate “data analytics, machine learning and an AI-based approach to support the underwriting function and [enable the sector] to grow,” he said. 

Statute of Limitations Can Affect Ability to Recoup Losses from Insurance

The University of California’s board of regents is suing several syndicates operating through the Lloyd’s of London insurance marketplace for refusing to pay out on cyber policies following a 2014 attack that stole millions of patients’ data at its health system. The dispute centers on whether the statute of limitations for the university’s claim has expired, with the syndicates saying it has and refusing to engage in dispute resolution. UCLA Health had settled a consolidated lawsuit filed by victims for $7.5 million and filed insurance claims to recover the settlement cost along with incident response and victims’ identity protection costs. The insurers countered by saying the university failed to satisfy cybersecurity requirements under the contract terms, which the university denied.  

This case demonstrates the importance of closely reading contracts and knowing whether deadlines for filing claims are shorter than those under state law or the law of the relevant jurisdiction. In its report, WSJ quoted Sherilyn Pastor, head of the insurance coverage group at law firm McCarter & English, who said, “You may not actually know if you’ve sustained a loss by virtue of the breach until a later point, and so you need to know the law, because it may be that there is something that has happened that extends your period, or that the period isn’t even running yet.”

Cyber Insurance Leads to Ransomware Attacks?

Ransomware attacks, which had lessened in frequency during 2022, have picked up again in 2023. Meanwhile, some observers have speculated about whether companies holding cyber insurance policies are more likely to be targeted by ransomware criminals than non-insured businesses. A recent report by cyber firm Barracuda Networks found that companies with cyber insurance have been hit by ransomware more than those without it, based on the premise that insured businesses are more likely to be able to come up with ransom money.

However, a report by U.K. think tank Royal United Services Institute says there is no evidence that victims with cyber insurance are more likely to pay than non-insured organizations, with other factors such as the low costs and risks for cybercriminals in terms of the barriers to entry and the prospect of punishment cited as more likely factors to drive the increase in ransomware attacks.
