Cyber Insurance Trends and Challenges in 2023
In an insightful conversation, Gia Snape from Insurance Business engaged with Miguel Canals, the Senior Vice President and senior cyber underwriter at Munich Re US, to gain his perspective on the cyber insurance landscape and the trends affecting insurers’ strategies.
After witnessing two years marked by substantial rate hikes and stringent underwriting criteria, the cyber insurance sector is now entering a more competitive phase in 2023.
“2023 is shaping up to be a year of transformation in the realm of cyber insurance,” commented Miguel Canals, the Senior Vice President and senior cyber underwriter at Munich Re US. As per the Best’s Market Segment Report dated June 13, 2023, AM Best reported a rate change of +8.4% for Cyber in 1Q23, in contrast to +34.3% in 4Q21 (the peak of cyber rate changes). It’s important to note that these figures pertain solely to US data as reported to the NAIC.
“The gradual deceleration in positive rate changes from 4Q21 to 1Q23 suggests that 2023 may not witness the same level of rate increases as experienced in 2021 and 2022. These increases played a pivotal role in the remarkable improvements seen in Calendar Year 2022 results, as per AM Best’s report.”
“Despite the enhanced performance in 2022 from a Calendar Year perspective, brokers and their clients mustn’t become complacent. Carriers are diligently refining their strategies in response to an ever-evolving risk landscape,” emphasized Canals.
Canals shed light on three prominent trends in cyber insurance, offering a snapshot of the current landscape:
- Surge in Ransomware Incidents:
Ransomware attacks are once again on the rise, following a lull in 2022. This resurgence can be attributed to the emergence of ambitious ransomware groups and the discovery of new critical vulnerabilities.
“The frequency of ransomware incidents has witnessed a significant spike in 2023 compared to the less active year of 2022,” noted Canals. “An increasing number of groups are finding opportunities to launch attacks.”
Within this trend, the industry has also noted a rise in data exfiltration, which involves the unauthorized removal or movement of data.
In the past, ransomware groups typically extorted payment from victims in exchange for decryption keys to recover their stolen data. However, recent malicious actors have escalated their tactics by threatening to disclose sensitive data, creating double-extortion scenarios.
“Data exfiltration adds an alarming dimension to victims already grappling with business interruptions,” Canals explained. “When victims fall prey to this form of ransomware attack, they must grapple with the additional risk of potential data leaks.”
Fortunately, the insurance industry’s efforts to mandate stricter cybersecurity measures and bolster defenses against ransomware and other threats have yielded positive results, leading to a decrease in claims.
“The insurance community has achieved a high level of sophistication in deploying risk assessment and risk selection methods, which has significantly enhanced portfolio quality,” Canals added.
- Privacy Litigation Claims:
Another noteworthy trend is the surge in litigation arising from the unauthorized collection of personal and sensitive information without user consent. Canals categorized most claims into two areas:
a. Pixel and Tracking Technology Litigation
b. Biometric Information Privacy Act (BIPA) of Illinois
Pixel and tracking technology-related privacy cases have been ongoing for approximately 15 years, Canals noted. However, growing awareness of consumer rights has resulted in a surge in claims in recent years, particularly in the healthcare sector. The COVID-19 pandemic played a role in this, with hospitals and healthcare entities expanding their online capabilities and telemedicine services.
“During the COVID-19 public health emergency, the HHS Office for Civil Rights (OCR) announced a leniency in enforcing HIPAA rules related to remote communications. This allowed healthcare providers to use popular video chat programs and social media platforms for telemedicine, potentially leading to the inadvertent collection of sensitive patient data,” explained Canals.
The healthcare industry has witnessed significant settlement amounts in class action lawsuits, with settlements ranging from $2 million to $18 million, notably against Meta concerning the use of the Meta pixel by healthcare entities. However, larger settlements have been seen in the broader tracking technology space, such as the $392 million settlement against Google in a multi-state privacy case in late 2022.
Regarding BIPA claims, this Illinois law is unique in offering a private right of action to aggrieved individuals without the need to demonstrate actual harm. Recent Supreme Court decisions related to BIPA could have profound implications for claims.
“One key decision extended the statute of limitations to five years, while another changed the quantification of statutory damages to $1,000 per violation instead of per individual. Each swipe or scan of biometric data now constitutes a separate violation, potentially leading to higher aggregation rates in a single event,” Canals explained.
- VPPA-Related Legal Actions:
Legal actions related to the Video Privacy Protection Act (VPPA), a federal law from the 1980s, have gained traction in the current landscape. Originally designed to prevent video rental companies from disclosing customer data and rental history, this law is now being applied to streamers, online media companies, and digital health providers regarding their user data practices.
The cyberattack on MOVEit file-transfer software has ensnared some of the world’s largest financial institutions, healthcare companies, insurance providers, and government agencies. This attack, which began in May of this year, exploits a so-called “zero-day vulnerability,” a software weakness that attackers discover before the vendor is aware of it.
Canals observed that concerns about cyber vulnerabilities stemming from MOVEit software have not been uniform among carriers, largely due to variations in their portfolio compositions.
“Some carriers view this as a minor concern, while others are deeply worried. Carriers that focus more on the small and medium enterprise (SME) sector may have a different perspective compared to carriers primarily engaged in excess business,” he elaborated.
Nevertheless, the MOVEit attack has emerged as a significant cause for concern in the cyber insurance sector due to its far-reaching impact.
In response to the more competitive market, certain cyber insurance carriers in the excess space have expanded their appetite, offering higher coverage limits. In the primary space, however, increased limits are less common and are typically paired with higher Self-Insured Retentions.
Furthermore, carriers have taken steps to refine their policy wordings in light of privacy litigation claims, with some adopting an absolute exclusion approach toward unlawful collection exposure. Others have tailored their exclusions to specific states, particularly addressing privacy litigation claims related to BIPA in Illinois.
Carriers are closely monitoring these vulnerabilities and, where deemed necessary, making adjustments to their policy forms. Additionally, carriers are in various stages of updating their cyber war clauses, aiming to provide policyholders with greater clarity and transparency regarding the definition of Cyber War, qualifying events, and the attribution of Cyber War actions.
Munich Re US plays a vital role in helping clients enhance their cyber resilience by providing expertise in cyber security, reinsurance capacity, cyber underwriting and claims training, and consultation on accumulation risks.