Cyber liability insurers have been taking on previously unwritten risks as companies expand coverage in the sector while keeping prices steady.
Capacity has grown sharply even as losses rose in recent years, said Joe DePaul, Willis Towers Watson PLC's head of cyber and E&O for FINEX North America. That has led to a competitive pricing environment.
"The trend for a number of years has continued to be a broadening of market of terms and conditions available to insureds with relatively flat pricing for those same broadening of terms and conditions," DePaul said in an interview.
Losses climbed as database breaches surged across the globe, and as managing and responding to attacks have become more expensive, Willis said in an annual report on cyber risk. However, no loss events have been catastrophic enough to frighten away new entrants or tamp down ever more generous terms and conditions, DePaul said.
Besides coverage for network security, system failures and privacy compromises, policies have broadened recently to include business interruption resulting from hacks. Policies could even soon include coverage for infrastructure, DePaul said. The Willis report cited reputation damage as another area where cyber policies could expand.
Direct written premiums for stand-alone cyber coverage continued to grow in 2018, up 11.8% industrywide compared to the prior year.
Throughout Europe, the Middle East and Africa, business email has become the largest driver of cyber insurance claims, partly due to privacy rules mandated since 2018 throughout the European Union by the General Data Protection Regulation, or GDPR, according to an AIG report.
The spread of similar privacy rules in jurisdictions around the world will further drive expanded cyber coverage, said Catherine Mulligan, head of cyber for Aon Ltd.'s reinsurance solutions business.
"Other places are looking to follow GDPR-style regulations, including Brazil and California," Mulligan said in an interview.
Companies have sought more cover because, while the data breach and ransomware threats have not changed significantly, management's awareness of the risk has, Mulligan said.
Adding to the impetus to expand cyber coverage has been Lloyd's of London's initiative to address so-called silent cyber risk by having companies affirm coverage for hacking losses rather than have them lurk "silently" beneath other policies as unstated risk, Mulligan said.
"Regulatory scrutiny has increased, and there are real claims scenarios that have captured the attention of the C-suites and boards on this topic," Mulligan said. Companies are assessing their exposure to the silent cyber risk with a view toward modeling adjustments and possible reinsurance cover, Mulligan said. One adjustment has been to reallocate premium dollars from other coverage areas like property to cyber insurance.
Small and mid-sized companies are also starting to look for cyber liability coverage to cover third-party hacking disruptions along service supply chains, Mulligan said.
Although coverage has broadened and losses have crept up, some underwriters have offered discounts to customers who beef up cybersecurity, according to the Willis report. Companies have managed the risk with careful, brush-stroke underwriting that employs payout limits and technology partnerships for more precise risk assessment. Insurers also use nonstandard policy applications tailored more specifically to clients' needs.
"This has led to more competitive pricing due to the increased amount of information provided," according to the report.