With cyber intrusions on the rise and costly ransomware incidents making headlines, more companies are seeking to manage risks by purchasing cyber insurance coverage.
According to the National Association of Insurance Commissioners, the U.S. cybersecurity insurance market grew 47.6% in 2022 to about $9.7 billion in direct written premiums. But many businesses are still thinking about whether to add cyber insurance coverage, or don’t know enough about this relatively new type of policy to decide.
To learn more, we spoke with Michelle Chia, chief underwriting officer for cyber in the Americas at AXA XL, the specialty risk division of global insurer AXA. This interview has been edited.
Q: Tell us about the growth of cyber insurance. When did awareness take hold?
A: Cyber insurance has grown with the adoption of digital technology by individuals and organizations. Awareness has grown in a disparate sense. During its nascent stage, I’ll call it the early 2000s, a lot of the focus was on data and sensitive information belonging to individuals and corporations, with the liability associated with that. The first milestone that grabbed headlines was the Target breach in 2013, and then Home Depot in 2014. A lot of other organizations were exposed to the same sort of situation, and that’s really when cyber insurance as a market first picked up. There was a lack of cyber insurance capacity, which drove rates up significantly, and organizations started to improve their cybersecurity controls.
Q: What happened next?
A: Fast forward to about 2017. That’s when we started seeing ransomware in a meaningful way. Year after year, from 2017 to 2022, we saw maybe 50%, 100%, more than 300% increases in events related to ransomware. That also coincided with the pandemic because there were so many more individuals working from home, and there were more entry points into networks. So many claims were being paid, not just the number of claims but also the scale of payouts increased substantially, and therefore that created another capital crunch. There was a limited supply of insurance capital, and the demand was high at the time.
Q: What’s the state of the market now in terms of supply and demand?
A: It’s definitely more of a buyer’s market right now. Rates are more favorable in comparison to the past two or three years, primarily because of an increase in carriers who have entered the space, creating a greater access to capital. Also, carriers that were in the space haven’t been paying as many losses as in prior years and so they are able to expand as well.
Q: How much awareness is there about cyber insurance?
A: Somewhere between 30% and 50% of organizations actually buy cyber insurance, and they are only insured to about 30% to 50% of their exposure. So they are underinsured, and the vast majority of businesses haven’t purchased it yet.
Q: What’s holding back market acceptance?
A: In comparison to other insurance products, cyber insurance is not required. If I’m a $10 million or even $100 million revenue organization, what are my other spending priorities? These are business decisions organizations have to make. I also think there is a lack of awareness and understanding of what to do. This is an emerging risk. If we look at auto insurance, every kid knows you’re supposed to wear your seatbelt. Kids in elementary school practice fire drills. We’ve been made aware of those risks as a society for decades. Cyber risk has only taken prominence since the dotcom boom.
Q: Tell us a bit about the process of buying cyber insurance.
A: There’s an application process. Some carriers scan the external network of an organization to get a sense from the outside of cybersecurity controls. Many times there is a questionnaire, much like applying for health insurance. Basic questions are asked to understand what type of risk you are and how well you are managing exposures within your control. If there are basic controls, then the discussion becomes, “How do we structure a program that makes sense for how large you are and for your exposure?”
Q: What about a company’s initial steps in the process? What if someone meets you at a conference and says, “Michelle, this is embarrassing but my company has not thought about cyber risk or insurance”?
A: It depends on what their cybersecurity posture looks like: Do they have absolutely nothing in place? An organization should always do what it can that’s under its control. Build your resilience first. If they don’t know where to start, they should definitely go to a cybersecurity consultant. It’s important to figure out what your exposure is relative to your organization’s size. Then, from an insurance procurement perspective, go to a broker that helps with other commercial insurance lines to figure out what else you need to do in order for an insurance carrier to be interested in you as a client.
Q: What role does the insurer play if there is an incident?
A: It depends on the insurance company. Many times when an organization experiences an event, it’s either Friday night or over the weekend or over some federal holiday. The majority of events occur during those time periods. So at AXA XL, we have a 24-hour, seven-day-a-week hotline so that people can call and say, “I’ve experienced an event, I need help.” There are many organizations that need to be called immediately to stop the bleeding. You need to know who to call. If you have an incident response plan, great. Follow that plan. Some organizations don’t have one. We have the 24/7 hotline where we always have someone on call to help our insured through the event.
For more on the latest in cybersecurity news and tools, visit the MxD Cyber Resource Hub.