CYBERSECURITY
 INSURANCE




































 T  imes have certainly  changed   Ransomware  attacks  continued  to  ravage   RATE INCREASES:   CAPACITY CONSTRICTION:
 the bottom lines of both their victims and
 with  respect  to  cybersecurity
 controls.  Regardless  of  industry   insurance  carriers.  During  the  first  six   Cyber  premiums  increased  across  the   There  were  clear  indicators  that  carriers
 or  organizational  size,  companies  should   months  of  2021,  more  money  was  paid   board,  regardless  of  the  industry  sector   wanted  to  limit  their  exposure  through
 expect  to  see  a  continued  disciplined   in  ransom  payments  than  in  all  of  2020.   or  size  of  the  organization.  Cyber   limiting capacity. The policy limits offered
 underwriting  approach  that  remains   Increased  payment  amounts  may  be  due,   underwriters  are  being  cautious  or  even   during prior renewals were routinely cut to
 laser-focused  on  data  security  controls,   at  least  in  part,  to  the  fact  that  hackers   moving  away  from  specific  industries,   half of that amount during the 2021 renewal
 with  rates  continuing  their  upward  trend.   now  routinely  threaten  to  publicize  their   including municipalities, higher education,   cycle, both at the primary and excess layer
 Organizations  will  need  to  grapple  with   victim’s  most  sensitive  data  if  their  six   technology, and manufacturing.  level.
 more restrictive coverage terms, mandatory   and  seven  figure  ransom  demands  are
 sublimits,  and  exclusionary  language   not  met.  However,  extortion  payments   COVERAGE LIMITATIONS:   GREATER UNDERWRITING SCRUTINY:
 specific  to  certain  global  and  widespread   are just one piece of the cyber claim. The
 cyber  incidents.  Capacity  questions  have   average  downtime  from  a  ransomware   Many  carriers  imposed  sublimits  and   Almost all carriers asked for more details
 not  been  settled,  and  exactly  how  much   attack is 23 days, more than doubling the   coinsurance   provisions   specific   to   around  data  security  control  efforts.  Not
 will  be  available  in  the  U.S.  and  global   costs due to business interruptions.   And   ransomware  claims.  This  often  resulted   surprisingly,  many  questions  focused  on
 cyber markets in 2022 remains an open   when companies had to switch to remote   in limiting coverage to 50% of the policy   ransomware  prevention  and  mitigation,
 question.  operations,  the  costs  of  a  data  breach   limit  or  less.  Certain  carriers  had  to  add   with several carriers requiring ransomware
 increased.
        exclusionary  language  to  specific  known   supplemental  applications  consisting
        vulnerabilities;  failure  to  remediate  these   of  dozens  of  questions  to  see  how  well
 The  cyber  insurance  market  took  four
 deliberate steps to combat increasing loss   could lead to a denial of coverage for losses   insureds managed the threat.
        attributed to them. Others revised coverage
 ratios in an effort to protect its bottom line.
        terms  specific  to  regulatory  claims  with   Based  on  the  past  statistics  and  future
        language that constricted risk transfer for   predictions,  the cybersecurity  insurance
        regulatory risk.                  market is changing.
 27                                       CONTINUED ON NEXT PAGE           28