Perspectives: Will cyber insurers be partners or adversaries in 2023?

It is no secret that cyber risk is one of the top risks, if not the top risk, that concerns executives this year. 

A decade ago, cybersecurity and data privacy were viewed as concerns primarily for technology firms, companies selling directly to consumers, and health care-related organizations. Times have changed and the views of potential buyers of robust cyber liability insurance programs have changed, too. More and more companies — whether business-to-business with little personally identifiable information or companies that had been traditional buyers of cyber insurance due to their risk profiles — are buying cyber insurance or are interested in doing so. 

Risk managers also know that one of the biggest questions they face from their stakeholders is: Is cyber insurance worth the paper it’s written on? Let’s hope that in 2023, insurance underwriters can answer that question affirmatively.

Changing risk

Although the risk of disclosing PII or protected health information remains, criminals have changed how they operate, and the cyber-related risks of corporate policyholders have changed, too. Ransomware attacks and business email compromises have skyrocketed. 

Many underwriters and claims personnel, who developed experience in determining potential defense and settlement costs in connection with putative class actions alleging exposure of PII or PHI, seem to struggle with the losses that result from ransomware attacks and business email compromises.

They might be used to predicting how much time it will take for a potential settlement to be approved by a court and when payments ultimately must be made, and likely are used to negotiating over a total settlement amount to resolve litigation. Ransomware and business email compromises, though, are different. If a victim company chooses to pay a ransom to resolve an event, the decision to pay and the actual payment often must take place within a day or two, if not just a few hours, of the attack. And the demands, even if there is a chance to negotiate them down, often are for significant funds. With business email compromises, the payment to fraudsters is not something that can be negotiated and the payment window cannot lag, as might happen with a class-action settlement requiring court approval.

These changing risks mean that policyholders need insurance policies with robust coverage for these risks. The nature of the risks also means that buyers need insurers that will partner with them. Why is it that many insurers have offered policies with reduced limits for the biggest risks? Or that underwriters and claims adjusters have started blaming their customers for having fallen victim to these criminal attacks?

Lack of advice

Years ago, an advertisement from a major insurer explained that it had figured out the source of a common cause of loss for its policyholders in the construction industry. Using that knowledge, the insurer helped its policyholders implement a form of loss control to address the cause of the loss, and, after the fix was implemented, claims plummeted. A win-win situation for insurers and policyholders. 

In the cybersecurity sector, though, the provision of loss control advice from insurers seems to be nonexistent. Instead, many insurers appear content to require policyholders to fill out longer and longer applications, without any discussion about what the questions mean in the view of the insurers, what steps applicants could take to improve cybersecurity and how to prevent losses based on what insurers know.

Undoubtedly, cyber insurance claim departments have the largest troves of information about cyberattacks, how they are caused, how organizations have fallen victim to the attacks and what worked to prevent or limit the impact. Why aren’t insurers engaging in widespread training and loss control efforts with their policyholders to reach a win-win outcome for everyone?

More money, less coverage

Organizations that bought or renewed cyber insurance from 2020 forward undoubtedly saw huge increases in premiums. In addition some insurers inserted several ransomware-related exclusions and limitations into their policies. 

Insurers have protested that with more frequent and more expensive claims they had no choice but to raise rates. Industry reports and third-party reporting indicates that loss ratios for cyber insurers in 2020 were approximately 70%, up from around 45% in 2019. The bright spot is that loss ratios for 2021 reportedly decreased.

Unfortunately, increases in premium often were coupled with lower overall limits. It is not uncommon for corporate policyholders to be told that their primary insurer would only offer 50% of the limits offered previously. 

In addition, war, widespread attack, and “outdated” software exclusions and limitations abound.

The London insurance market made big news in 2022 when the Lloyd’s Market Association determined it would require members to use new so-called war exclusions. It is unclear whether the exclusions are the result of the war in Ukraine or the result of recent court rulings that said old war exclusions fail to eliminate coverage for cyberattacks. Either way, this is another avenue where certain insurers are asking policyholders to pay more and get less. Some insurers have gone further, using sublimits, co-insurance, or full exclusions to limit losses resulting from wide-ranging attacks or certain older software programs.

Another unwelcome development in 2022 was litigation over rescission of a cyber insurance policy. In that litigation, Travelers Casualty Co. of America v. International Control Services, filed in federal court in Illinois, the insurer alleged that the policyholder provided incorrect information about the use of multifactor authentication. It is unclear whether the insurer discussed the answers to the application at the time of underwriting, or if it simply thought that it could try to rescind the policy later if the information was not accurate, regardless of whether the policyholder had provided the information innocently or mistakenly. Will that case be a sign of things to come? Will more insurers turn to coverage counsel as soon as an expensive claim comes in, asking counsel to treat the policyholder like an adversary and concentrate on gathering information that will support a rescission claim, rather than helping the insured resolve the matter? 

Hopes for 2023

Cyber insurance policies were created as outgrowths of technology errors and omissions policies, with the goal of covering the costs of investigating PII breaches and defending and resolving litigation arising out of such breaches. The cyber risk landscape of today, however, is far different. 

As cyber insurance buyers know, the scope of coverage under the policies slowly but surely expanded to address emerging risks such as ransomware and business email compromises. Nonetheless, the broadest coverages under cyber policies continue to be in coverage parts that harken back to 2012 and 2013. Today’s risks often are carved back and chock-full of limitations and exclusions for many buyers.

In a more perfect world, insurers would work with policyholders during the underwriting and placement process. That would include an evaluation of the answers to policy applications, making certain that insurers and applicants view the questions in the same way. It also would include loss control advice and best practices. After all, fewer and less-expensive claims are to everyone’s benefit. 

Let’s hope that 2023 presents a market where underwriters offer policies providing the most coverage for the most difficult risks to today’s buyers.

Scott N. Godes is a Washington-based partner at Barnes & Thornburg LLP, where he co-chairs the firm’s insurance recovery and counseling, and data security and privacy groups. He can be reached at scott.godes@btlaw.com