Professional Insight

New Risk Mitigation, Pricing and Underwriting Strategies Breathe Hope Into Hard Cyber Insurance Market

The cyber insurance market is hard right now, but new strategies should turn the situation around. Unlike other commercial lines also in hard markets, cyber insurance is unique because it is experiencing its first widespread speed bump, said Jonathan Laux, FCAS, vice president of analytics at CyberCube, a purveyor of cyber insurance analytics. Laux, who at the time of the 2021 CAS Annual Meeting was Aon’s head of cyber analytics, spoke as a panelist at the general session, “Ransomware and Other Cyber Headlines.”

He is optimistic that losses and rates will improve, but the line is still recovering. The year 2020 was pivotal for the cyber insurance industry. For the first time, standalone cyber coverage cumulatively experienced 72.8% loss ratios averaging, Laux said, leading to combined ratios over 100% for the line as a whole. The harrowing increases were due to underwriting decisions made in 2019 and 2020, and the frequency and severity of ransomware.

While rates were going up, ransomware cyberattacks in 2021 affected the public in general, drawing even greater media attention, said Emma Ye, head of actuarial and risk analytics for At-Bay, an insurtech offering cyber insurance. Such attacks include the Colonial Pipeline incident, which raised concerns on critical infrastructure and disrupted gas supplies in the East Coast. As a result, cyber insurance rate increases rose rapidly in 2021 and are projected to continue through 2022, she said.

Due to the increased use of internet-connected devices, the dramatic shift in remote work and the growing demand of the interconnected global economy, organizations realized that “they desperately need cyber insurance,” Ye observed. This has fueled demand for coverage.

Moderator Monica Shokrai, FCAS, now the head of actuarial, analytics and systems for Alphabet’s Business Risk & Insurance team, raised challenges facing customers. “Rate and capacity are concerns for market buyers as well,” said Shokrai, who also leads business risk and partnerships for Google Cloud.

Laux responded that insurers are hitting limits faster because they are being squeezed at both ends — rates are going up and clients want more coverage. “We have seen the price impact flowing to large primary buyers like Google,” he added.

He said that insurers can only write so much business without support from reinsurers, explaining that about 50% of cyber coverage is ceded to reinsurers that have clamped down on capacity. They are cautious after catastrophic events such as the Microsoft Exchange Server attack in early 2021 Colonial Pipeline; these and other major incidents cost 1 to 1.5 loss ratio points, he explained. Laux also pointed out that since reinsurers check their books less frequently than insurers, there is a lag in how quickly they respond.

Like other risk bearers, Ye’s company also saw a significant increase in the rates. “Pricing is not the only lever here,” she emphasized, “we are very keen to help the insureds to close security gaps through active risk monitoring and to provide flexibility through a variety of sublimits on the coverage.”

New risk realities

Part of what led to the current crisis is the changing nature of cyberattacks. It is a business for the hackers who want to hide in the backroom, Laux said, so when the Colonial Pipeline attack occurred, the bad actors did not know they hit a major piece of U.S. infrastructure.

Ye cites remote desktop protocol (RDP) as contributing to the rapid increase in ransomware attacks. “Once they get into the system, they can do anything they want,” Ye said. Use of open RDPs will keep increasing, which is why customers’ systems need continuous monitoring and proactive actions throughout the entire policy period.

In addition to RDP compromises, there are email phishing and software exposures like the Microsoft attack. Vulnerabilities can also arise in other ways. Companies involved in mergers and acquisitions can be exposed to risk intrusions, Ye said, when each division has its own separate system and then is connected to other divisions.

Positive developments

Now there are encouraging advances underway that should improve the cyberrisk and insurance situation. The speakers expressed relief that the federal government is becoming involved in cyberattacks and crime. “It feels like we’re getting, at least for the U.S., more active government response for the first time,” Laux said. The government is also developing partnerships with the private sector to learn how to control risks.

Shokrai praised partnerships between private companies and the insurance industry, mentioning Google Cloud’s Risk Protection Program as an example. She highlighted several initiatives Google is making to better protect its clients. “Google doesn’t let anything run in our environment that we don’t explicitly trust.” Every day, Gmail blocks more than 100 million phishing emails and blocks more than 99.9% of spam phishing and malware from reaching its users, she added.

Laux offered that he would like to see insurers deploying tighter underwriting standards that require greater evidence of cyber hygiene, perhaps checking systems once a month or even continuously. All insurers are trying to grapple with identifying the greatest risks. “It takes time to build a strategy and change underwriting guidelines,” Laux said. He indicated that there is some good news, however. Between underwriting actions and rate increases many cyber insurers right now feel like they are turning the corner. “Over the next year or two, it will be worked out,” Laux said.

At-Bay is deploying automation for underwriting. As the cyber insurance line progresses towards more maturity, Ye is confident that the adoption of modern underwriting strategies will continue for cyber coverage. At-Bay is also engaging in practices Laux would like to see insurers implement, such as improving risk mitigation through continuous monitoring of its policyholders in order to actively respond to threats. The effort has helped to lower claims frequency and loss ratios compared to the insurance market.

However, successfully reducing cyberattacks raises a challenge for actuaries pricing cyber insurance, said Ye, because such companies do not have as much claims data for ensuring credibility as traditional insurers have.

A call to interested actuaries

Ye and Laux encouraged the audience to consider working in cyber insurance. Actuaries can work on a lot of fundamental questions, Ye said, such as determining the right underwriting choices for portfolio building, shortening the cycle from data to risk actions and participating in capacity conversations. Actuaries can also determine risk profiles to ensure good cyber hygiene.

Laux sees actuaries playing a greater role by being clear about the timing of information, such as explaining the difference between accident and calendar years. “Cyber is a shorter tail line, but there is a lag in the underwriting cycle,” he added.

Actuaries can also better serve the cyber insurance industry by being as clear and specific as possible with their use of language. For example, distinctions should be made among the most prominent threats in today’s environment, versus a planned change in underwriting or claims strategies for next year, versus a decision made in prior years that is now flowing through income statements,” Laux said.

Annmarie Geddes Baribeau has been covering insurance and actuarial topics for more than 30 years. Find her blog at