...across the board, including on some of the largest market placements.
Most carriers have cut the line sizes they are willing to deploy to between $5mn and $10mn in a bid to reduce the volatility of claims hitting their portfolios.
The action follows additional risk reduction measures taken by lead carriers including AIG, Beazley and Chubb in January, previously reported by this publication.
US markets continue to take firm action on pricing, with clean renewing accounts receiving risk-adjusted rate hikes of at least 15%-20%. Sources speaking to Inside P&C said premiums on loss-hit programs – even on those with sophisticated risk mitigation measures – were doubling or tripling.
Some sub-classes of cyber business are recording an even greater rise in the cost of premiums, with rates for industrial manufacturing and retail wholesalers in the US increasing by as much as 40%.
Overall, underwriters are pushing for an average 20-25% rate rise across their portfolios.
Until recently, industrial manufacturing and wholesalers were considered less hazardous risks compared with other classes such as healthcare and retail. Sources say this has changed in recent months in response to claims experience.
The continued action by carriers follows sudden sweeping changes by key lead markets, and accompany a market-wide tightening of focus on risk prevention measures in response to ransomware claims that escalated during the first and third quarters of 2020, after two prior years of worsening claims.
The retrenchment of capacity and continued upward pricing pressure also continues a reordering of the market in which some of the largest names in US cyber insurance cede market share to upstart InsurTechs.
Sources speaking to Inside P&C said that in particular the change in market conditions had benefited some of the newer entrants to the market, including West Coast MGAs such as Coalition, Cowbell and Corvus.
Capacity for the cyber underwriting platforms comes in part from insurers including syndicates at Lloyd’s, while several of the entities are supported through fronting arrangements by large reinsurers and third-party capital.
“There’s a balance that has to be struck, as obviously clients really care about the quality of the paper. But with the increase in rates the MGAs provide a good alternative,” said one broking source.
Some MGAs are understood to be quoting rates as much as 10 points below their company market competitors in a bid to grab market share and please growth-focus investors.
Sharp changes in terms and pricing during the last two months have increased the influence of West Coast MGAs and increased their momentum in growing new business. In an interview with this publication, Corvus last week revealed it had closed out 2020 by reaching a run-rate of $100mn in annual premiums.
The MGAs are licking their chops,” said one source, noting that companies such as Coalition and Cowbell have in recent weeks increased the line size they are willing to write per risk.
Divergence in ransomware approach
Recent weeks have seen large US carriers and primary writers AIG and Chubb outline their stance in as they look to tackle the challenge of ransomware.
As revealed by Inside P&C, Chubb’s measures include rate rises of as much as 50% on large corporate accounts with revenue of up to $1bn, and 40% pricing increases on mid-market business.
AIG, meanwhile, is understood to have introduced co-insurance and ransomware exclusions at 1 January renewals, and is pushing for rate increases of 30% to 50% across its book of business.
US market sources canvassed by this publication were divided over the measures, with some saying they were crucial to shore up the market’s profitability, and other saying they were unlikely to stick.
“The action from these large primary markets was well overdue, and we’ve been waiting for this ages,” said one cyber market participant.
“It took this to show that we’re serious about requiring better information from clients and charging more premium,” another underwriter said.
However, some sources speaking to Inside P&C were skeptical about whether or not clients will accept ransomware exclusions over the long term.
“We'll have to wait and see how clients deal with these exclusions – there is still a huge amount of competition out there and from what I’ve seen so far they are pushing back hard,” said one broker.
Multiple excess markets canvassed said they were seeing an extraordinary number of enquiries from brokers, often just hours before renewal deadlines, and felt the frenzied atmosphere was likely to continue for at least the next couple of months.
Other key themes to come out of Inside P&C’s cyber market canvass include:
Meanwhile, conversations in London suggest a differing approach to that of the US market, with no heard instances of sub-limits or co-insurances for ransomware.
A number of sources stressed the challenges of essentially offering “half a product”, given that ransomware is a core coverage area alongside data breach and privacy, and there appears to be little appetite among underwriters to follow an AIG lead with such restrictions on cover. Many also said sub-limits were simply a short-term fix for a problem that isn’t going to go away.
London brokers speaking anonymously to this publication said they would look for alternative lead options for any accounts with an AIG primary layer, in the interest of securing clients the best coverage available.
Sources at London markets said they were asking more questions of insureds of their cyber security and controls, and educating buyers around risk mitigation and prevention – an approach Beazley also outlined in its results last week.
“There are really healthy conversations happening in the market – in London and in the US – around minimum standards [for internal controls at insureds],” said one underwriter. “It’s setting those standards which is really going to help with the attritional losses.”
Meanwhile, underwriters are taking advantage of harder conditions to strip out non-core coverages which were “thrown in” in an attempt to be competitive and encourage product uptake during the soft market.
There is particular scrutiny around “non-IT” BI wordings which provide contingent BI cover as a result of service provider failure and can create substantial aggregation of claims with just one outage. The potential for aggregation has come into sharp focus with the recent SolarWinds hack.
Other coverages looking to be stripped out or sub-limited include “add-ons” such as crime, cryptojacking and social engineering – the act of using digital means to trick someone into divulging information or taking action.
Crucial to the duration of rate hardening will also be the attitude of cyber reinsurers in upcoming renewals. There is widespread anticipation that the 1 March renewal will see double-digit rate rises on non-proportional excess of loss deals, following on from the 20%-25% rate increases in that segment of the market at 1 January – although this type of coverage is less common than the use of quota share.
The January renewal additionally saw increased pressure on ceding commissions, which is also expected to feature in later reinsurance renewals.
At this stage, it is far too early to predict the behavior of reinsurers at the 1 January 2022 renewal, however sources said reinsurers would be paying particular attention as to whether the actions taken by cedants on rate and terms would be enough to tackle the challenge of rising loss ratios in the class.
Loss ratio pressure
The widespread correction in cyber brings to an end years of widening terms and softening rates, which was driven by an influx of capacity keen to capitalize on a growing product, which has made cyber insurance a circa $5bn market with compound annual growth rates in the double digits.
The surge in frequency and severity of ransomware claims in recent years brought the challenges of the class into sharp focus, with a sharp deterioration in the loss ratios for the 2019 underwriting year said to be the major wake-up call for the market. Meanwhile, the cyber market has already been talking about the 2020 year as loss-making.
Loss triangles from Beazley’s full-year 2020 report reflect this deterioration, as seen below. Although only half of the firm’s cyber and executive risks division is cyber and technology premium – and therefore cannot be taken as a straight read-across – management attributed the 8.2-point deterioration in the 2019 year of account to ransomware.
Meanwhile, the cyber market has already been talking about the 2020 year as loss-making – which again, is underlined by Beazley’s 2020 picks, assuming an expense ratio of 30%.
Sources told this publication that although the cyber market has seen major losses in the form of Marriott and Capital One breaches, it was the widespread nature of the uptick in ransomware that had forced a market-wide correction.
“With those full-stack losses, only the markets on that placement were affected,” one underwriter said. “Those who weren't on those losses didn’t need to take any action. But this time, ransomware has affected quite literally everyone.”
The deterioration in loss ratios has attracted the attention of the C-suite, which is also acting as a driver for rate acceleration and tightening terms.
Coveware data shows that costs associated with ransomware payments more than doubled during the first three quarters of 2020, before dipping slightly in Q4.
Average ransomware payments surged to $233,817 in Q3, up from $111,605 in Q1. This declined by 34% to $154,108 during the fourth quarter, which the cyber analytics firm attributed to an increase in the number of firms refusing to make payments to cybercriminals.
However, even if ransom payments drop, the challenge of BI losses arising from downtimes still stands – data from AGCS suggests that 60% of the cost of cyber claims stems from BI.
Privacy back in the spotlight
Aside from the threat of first-party ransomware claims, sources speaking to this publication in recent weeks have described a gradual increase in the volume of privacy-related cyber claims, citing the California Consumer Protection Act (CCPA), and biometric information privacy legislation that has so far passed into law in Illinois, Texas, Washington, California, New York, and Arkansas.
The CCPA came into force on 1 January last year, and codifies in law the right of consumers affected by a data breach to seek up to $750 per user in a class action lawsuit, raising the specter of costly punitive damages enforced by regulators.
US states, including Virginia and New York, are in the process of ratifying new consumer privacy legislation that, if passed, will mirror the California act.
"Privacy has not gone away and will come back to bite [the market],” said one broker, adding that they had recorded a jump in the number of Biometric Information Private Act (BIPA) claims accompanying the vertiginous rise of the consumer tech sector.
Another broking source said he had seen a large number of third-party losses during 2020, and emphasized that the conversation around privacy breach claims has once again come to the fore, despite the focus on first-party ransomware losses during last year.
Cyber insurers face the dual challenge of stringent new laws coming into effect and rising exfiltration attacks in which digital criminals threaten to publicly leak data that they have obtained. According to breach analysis firm Coveware, these type of losses accounted for 70% of claims during the fourth quarter of 2020 – a 43% rise compared with the third quarter of the year.
The top three industry sectors that came under attack during the quarter, according to Coveware, were healthcare companies, professional services firms, and consumer services – all types of company that depend heavily on keeping their customers’ data secure.
The SolarWinds question
Cyber insurers on both sides of the Atlantic continue to monitor the impact of the SolarWinds attack from last December, which affected at least 18,000 of the company’s customers.
Broking and underwriting sources canvassed by this publication were divided over the likely severity of the claim, but said the fallout had provoked greater scrutiny on cyber books from senior management.
Last month this publication reported on the wide-ranging impact of the loss event for the market, highlighting the tightening of underwriting criteria across the market, and the introduction of specific exclusions by carriers including Chubb and Crum & Forster.
While digital forensic work continues to assess the full extent of the attack, market sources have pointed to the potential for third-party losses to hit the market, and underscored the effect it has had in helping to continue upward momentum on pricing.
“I would expect some fallout to come over the next six months, but this is really new,” one source said, adding that the systemic nature of the attack mirrored cyber realistic disaster scenarios previously issued by Lloyd’s to help prepare the market for such an eventuality.
The attack has laid bare the residing uncertainty around extreme tail risk in cyber, and the inability for the market to be able to weather cat events at a time when attritional losses are effectively large enough to take out a whole year’s premiums.
“This has the potential to be huge, and if it does turn out to be a cyber catastrophe, I don’t know how the market will handle it on top of ransomware,” said another source.
Market participants canvassed by this publication were divided over the use of exclusions, with some describing them as “prudent,” while others questioned whether such policy clauses would in reality be enforceable – and the extent to which they would alienate clients. Market sources said they had not seen any London carrier implement such exclusions.
However, some sources speaking to this publication were clear that they do not expect the event to result in a major loss for the market.
“I think this is going to be a big nothingburger,” said one broking executive, adding that he was more concerned about the potential knock-on impact of deteriorating financial lines losses on the US cyber market, including claims that may arise from recent equity market volatility.
Last week ratings agency AM Best warned that claims against trading platform Robinhood may test the overlap between the company’s D&O and cyber cover.
Commenting on the SolarWinds attack, CFC chief innovation officer Graeme Newman, said: “The threat actor behind it [was] not after credit card data or social security numbers. They were after government secrets, so the blast zone is actually relatively small.”
“You can easily clean the environment and remove the tooling if that’s what you want to do at relatively little cost. So this is a very different type of event to one which is a cataclysmic, such as the non-criminal actor spreading ransomware; the WannaCry/NotPetya-style cases,” he added.
Inside P&C provides unparalleled market intelligence on the entire US P&C market – from small commercial and personal lines right through to reinsurance and Bermuda. Redeem your complimentary 14-day trial for more premium content from Inside P&C.
Scan here to download the app