We’re well into 2024, and Cyber insurance is continuing to see rapid developments across the board. As brokers, it’s interesting to watch the changes and it reaffirms our role in advising our clients in the ever-changing cyber landscape.

RiskBox’s focus is on protecting SMEs mainly in the technology and media sectors. Therefore our views on cyber and data, and that of insurers, reflects the insurance products available to them. Director Sam Johnson shares his thoughts on this below.

1. Growing risk

Cyber continues to be a growing risk for businesses of all sizes, in all sectors. After all, a catastrophic event could cripple a business, its reputation and bank balance. It therefore should be a priority for senior management to carefully consider their exposure and potentially transfer risk to insurance.

In our opinion, whilst the financial backing of insurance is important, the crucial aspect for SMEs is the access to support from forensic computer analysts, PR experts and lawyers to navigate a claim that arises. Insurers offer a crucial 24/7 helpline, meaning they’re ready to support you no matter the time of day. What SME can honestly say they know who to call straight away in the event of a cyber incident?

What’s more, premiums remain very low for the level of cover and proactive benefits are available. There also remains minimal security requirements to get this cover in place.

2. Contractual changes

Whilst we advocate Cyber and Data insurance to our clients, we’re now seeing it being requested more and more under contract.

The terminology being requested under contract is crucial as to whether Professional Indemnity covers the exposure or if a standalone policy is now required. We recommend  that you get independent advice on this to check you have the correct insurance in place.

With Professional Indemnity having Cyber Liability restricted (more on this below), it’s important to carefully consider the limits being requested for Cyber insurance under contract, as higher limits can be expensive.

Professional Indemnity Cyber restrictions

More and more, we’re seeing that insurers are looking to limit their Cyber and Data exposures under the Professional Indemnity coverage they offer. Why? Well, they want to ensure these losses fall under Cyber and Data policies so they can accurately forecast.

That’s why Cyber Liability is increasingly being restricted under Professional Indemnity. Whilst this is mainly via endorsement at the moment, we expect it’ll be part of the core wording soon – so watch out for any summary of changes!

This will of course vary between insurers. You may initially see restrictions applied to third-party cover such as aggregated or sub-limits rather than full exclusions.

Given that claims for Cyber Liability can be attributed to professional services (particularly for tech and media businesses), we find it often imperative that the cover for Professional Indemnity and Cyber and Data are with the same insurer where possible. This way, you have one insurer handling the claim.

Established insurers retracting

We’re seeing some insurers amending their cover regularly, particularly on SME products. The key element is around business interruption for Cyber. In our opinion, it’s a crucial aspect of cover – and some insurers are removing it completely as standard or restricting it heavily.

As Cyber is still a relatively new product, insurers are continuing to work through claims data and make amendments according to this. For the media and technology sectors, that’s taking the form of restrictions around extortion and, again, sub-limits being applied here.

Given the pace of these changes, it’s important to regularly review your Cyber and Data policy and make sure it’s still fit for purpose and providing you with the right protection.

Widespread losses

Whilst it’s now known practice for war and terrorism to have a standard exclusion under Cyber and Data policies, I’m interested to see whether insurers make changes to ‘widespread’ or ‘catastrophic’ losses in their wording.

A widespread loss affects multiple people from the original source, with no link to each other. This would mean one vulnerability exploited across a large number of insureds. Insurers need to carefully manage this risk in the same way they do with flood or earthquake risks.

I’m watching carefully for any changes that could impact cover here as restrictions, whilst beneficial to insurers, would be expected to be covered by insureds under these situations.

Modular products

I don’t like modular products, particularly when it comes to Cyber and Data insurance. Whilst insurers feel like they’re giving choice to the insured, for a premium option, it’s creating a large exposure on brokers and putting huge responsibility on them to select the right option.

I understand Cyber Crime will be a separate product – rightly so. But having the option to include business interruption or extortion isn’t good practice.

We know that Cyber and Data policies vary drastically between insurers – not only on cover but also terminology, claims offerings and proactive benefits. Adding a modular option on top of all this creates increased complexities for both brokers and the insured.

Emergent insurers looking for market share

We’re seeing more and more insurers looking to enter the Cyber insurance market, particularly managing general agents (MGAs) with capacity from a variety of sources. They’re offering low premiums to capture market share, but we’d be mindful of brand-new entrants for a few reasons:

• Claims expertise – Their ability to respond efficiently to a claim, and the expertise to deal with it, aren’t yet tested.
• Security – There is always the risk with new entrants as to whether they’re still going to be around in the coming years. Have they got the capital and resources to deal with catastrophic losses?
• Premium hikes – A large loss could impact their total book, which may mean hikes in premiums at future renewals. An established insurer should allow for more stable pricing.

 Proactive benefits

Insurers are investing in improvements to their claims service as well as their technology use, particularly cybersecurity. I can see two main reasons for this:

1. Data – Insurers want more data. They want to carefully analyse the risk factors for each insured so they can appropriately target and price them, and remain profitable in a volatile class of insurance.
2. Prevention – More and more insurers are utilising existing technology, as well as harnessing new tools such as artificial intelligence and threat intelligence, to prevent claims before they occur.

Insurers are doing this to remain profitable of course, but it also allows them to build customer loyalty. If they offer risk management services which the insured likes using, for example, it is more difficult for the insured to move if another insurer isn’t offering it.

How can RiskBox help?

We’ll continue to keep our finger on the pulse of this ever-changing landscape to ensure our clients remain protected as they grow. If you’d like to discuss a new Cyber and Data policy, or review your existing programme, call us today on 0161 533 0411 or email info@riskboxuk.com.