Fastest growing or fastest slowing – a new dynamic for cyber in 2022
You've never seen a high-growth market darling segment shrivel as quickly as cyber could if the industry doesn't get a leg up on where cyber attackers are headed next, with what frequency or severity and on just how global of a scale.
The headline themes in cyber insurance to date have covered the full gamut. Fast-growing premiums, explosive rate growth, sudden risk-awareness amongst clients amid ransomware and data breaches, then unpredictable claims lacking data history and alarms on loose catch-all wordings.
At a new theme per season, how could the industry not end up on notes of capacity cutbacks, a mass tightening of terms and cyber exclusions from existing coverage? When skyrocketing rates result from both high demand and falling supply, the industry heads the wrong way on protection gap.
"2022 could see some businesses being unable to secure cyber insurance at a time when cyber incidents and data privacy regulations and their enforcement are ramping up." Marc Voses (pictured) of Clyde & Co. said. "Hopefully, this will cause businesses to invest in hardening their cybersecurity and evaluate their need to collect and maintain data.
"In 2022, US insureds will continue to face hurdles arising from stricter underwriting for cyber insurance and cyber exclusions added to non-standalone cyber policies aimed at preventing cyber incidents from causing a covered loss," he said.
Analysts at JP Morgan seconded that argument from the price side. "Higher prices will slow exposure growth …. with clients less willing to pay more for skimpier coverage and insurers only interested in providing coverage to the highest quality accounts,” analysts wrote in a recent sector analysis.
For the market to grow past the current shock, insurers will have to see industry-wide signs that risks are manageable at the client-level, JP Morgan suggested. Once industry goes hard-core IT security and "cyber hygiene," insurers can go full-on cyber exposure.
It's perhaps the most data-strapped business line in the industry. Regulators are pressing for open-source incident data. And that data will only be fully valid until the next cyber-attacker innovation. And the next criminal cyber innovator is more likely to bring about a global aggregation of risks than a neat collection of identifiable and studiable individual incidents.
Ahead of the curve or out of control? Just look at the rise of triple extortion threats in ransomware: cyber-attackers encrypt the data for ransom, blackmail release of sensitive data to outsiders, mine the data to ID and best target their next victim - itself a whole new trend for 2022, Clyde & Co. says.
As everywhere, even if the insurers get off the hook for the outright P&C claim, the D&O policy could get them coming the other way. Clyde & Co.'s Stuart Maleno sees "rising costs and frequency of claims [putting] directors and officers increasingly in the spotlight over whether they complied with their duties in ensuring the company had adequate systems and controls."
Did you get value from this story? Sign up to our free daily newsletters and get stories like this sent straight to your inbox.
