Navigating New Cyber Insurance Challenges and Evolving Coverage

The cyber insurance market has undergone significant changes from 2022 to 2023, transitioning from a hard market to a softer one, driven by a decline in ransomware and enhanced cybersecurity controls. This led to a decrease in insurance costs for many clients. However, the industry faces new challenges in 2024, including the evolving nature of war exclusions, a resurgence of ransomware attacks, and increased regulation around privacy and data protection.

War exclusions have become a central issue, with many carriers revising their language to clarify coverage of nation-state-backed cyber attacks. Ransomware has returned to the forefront, with a shift from network-encrypting malware to data exfiltration attacks, compelling companies to reassess their risk calculus.

Coverage restrictions have expanded to include systemic risks and privacy violations, with a particular focus on pixel tracking claims. This trend is expected to spread beyond healthcare into other industries. Companies with mature cybersecurity controls are attracting more insurers, leading to competitive premium savings.

Artificial Intelligence (AI) is transforming businesses and concurrently increasing cyber risk. AI’s dual use by both organizations and hackers calls for careful risk assessment and insurance decision-making. Technology supply chain attacks pose a significant threat, as evidenced by breaches at SolarWinds, Kaseya, and Ipswitch Inc.’s MOVEit.

State privacy laws, like California’s CPRA, are gaining traction, increasing enforcement actions and penalties for violations. Underwriters believe cyber risks will increase significantly in 2024, with ransomware being the top concern. Companies are advised to focus on processes and procedures to mitigate risks.

Insurance premiums are expected to rise slightly, while self-insured retentions are likely to remain stable or increase modestly. Cyber policy coverage is anticipated to stay mostly unchanged, with some areas of expansion and contraction. Underwriting scrutiny is set to increase slightly, reflecting the growing complexity of cyber risks.

Public companies face new challenges with the SEC’s cyber disclosure rules, increasing the pressure on CISOs who must now ensure broad coverage under D&O insurance policies and seek personal indemnification agreements. Coverage for cyber physical damage continues to evolve, with insurers excluding certain cyber-related losses from traditional policies.

In summary, the cyber insurance market in 2024 is marked by evolving risks, regulatory changes, and a need for strategic risk management and insurance decisions.