Cyber Coverage Explained: Sub-limits and Coinsurance
Welcome to another edition of our Cyber Coverage Explained series. This week, we're discussing sub-limits and coinsurance as it impacts our current market. For more coverage explainers, you can find our past posts on Social Engineering and Crime Coverage, Business Interruption, and Contingent Business Interruption.
Introduction to Sub-limits and Coinsurance in the Cyber Insurance Industry
Cyber insurance isn’t new, but in contrast to insurance industries that date back centuries, it maintains a youthful glow. Since the earliest forms of its existence in the 1990s, we’ve watched the industry respond to new risks with expanded coverages to match an increasingly digital-focused world. This leaves us seeing a lot of “firsts” for cyber insurance that other markets had the opportunity to deal with long before. Consider how in the past property insurance responded to monumental hurricane seasons by introducing special deductibles: that’s where Cyber is now with its response to the rise of ransomware.
The Growing Prevalence of Sub-limits and Coinsurance
Today, we’re delving into a couple of the ways standard cyber coverage can be amended as the industry matures and responds to changing risks. Namely, we’re covering the growing prevalence of sub-limits and coinsurance in policies where there may not have been a few years ago (and where you’ll expect to see them).
- Sub-limits: Limitations on how much coverage is available for a specific type of loss. It’s common to see them in areas where expenses for a claim may be extensive. Right now in the cyber industry, that’s often coverage for ransomware and cyber extortion.
- Coinsurance: Clauses that may be introduced alone or alongside sub-limits, requiring policyholders to share a defined percentage of the claim cost with the carrier.
The Ransomware Impact: Why and How Cyber Insurers are Responding to Risks
The demand for cyber insurance is rising consistently. According to Marsh, 42% of their clients purchased cyber insurance in 2019, which is more than double the number from 2014. More organizations are dedicating the time and funds to protect themselves from threat actors, through both stronger cyber hygiene and the transfer of risk with insurance.
Why the surge in interest? Most of us who have turned on the news this past year — even the digitally averse — could probably answer that. Ransomware feels like it’s everywhere.
There’s been a significant impact from ransomware events. In the case of Colonial Pipeline, we saw how much high-profile attacks like this can cost. The largest fuel pipeline in the United States was left paying Eastern European threat actors a $4.4 million ransom.
In other instances, such as Microsoft Exchange, Kaseya, and now Log4j, we see both the long-term impacts of zero-day vulnerabilities and the ongoing risk to downstream customers. Grappling with the continued threat of supply chain risks, several insurers placed sub-limits on policyholders with Log4j exposure. However, it’s important to note that this is nearly everyone.
Last January AIG introduced ransomware coinsurance across all accounts, requiring policyholders to take on half the cost for digital extortion losses. This came after other carriers introduced new sub-limits in an attempt to combat the increasing risk of expensive ransomware claims. Here are a few things that the cyber industry is grappling with:
- Threat actors are continuing to innovate new ways to extract money from victims, whether through double, triple, and quadruple extortion (using a denial-of-service attack that overwhelms servers, and targeting victim’s stakeholders and customers directly) or by utilizing new, effective tools to get inside networks. All that, and social engineering tactics are only getting more sophisticated. The evolution makes it harder for anyone to play defense.
- The average ransom payout in 2021 was $142,637. Then there are additional costs from business interruption, forensic services, legal teams, and more.
- With rates of claims rising, insurers are taking a hard look at riskier portfolios and thinking of ways to limit losses that were not being considered in past years.
All this results in more responsibility being placed on policyholders than ever before. With heightened risks, underwriters are looking to organizations to do their part in preventing losses. That means greater expectations for security measures, but it also accounts for the growing popularity of coinsurance clauses. The belief is that there’s an incentive for policyholders to take more action when the severity of a claim’s expenses can immediately impact them. For example, with coinsurance clauses they may notify insurers faster of suspicious activity to prevent greater losses.
The Details: What Brokers Should Keep in Mind
Watch for Policy Specifications, Especially on Renewals
As cyber insurers look for ways to cope with the current hard market, brokers should keep a keen eye on how the introduction of sub-limits and/or coinsurance percentages will impact potential claims for their clients.
Expectations of policyholders will vary as insurers decide how to deal with risk differently, but expect to see both sub-limits and coinsurance become more popular. Some insurers may be accommodating if the insured shows that they have exceptional controls and are willing to spend more in premium, but others may face ransomware extortion sub-limits nonetheless. It’ll come down to weighing the options for what works best for each organization on a case-by-case basis. What’s most important for underwriters, brokers and the insured collectively is that the specifications are clear and policyholders know exactly what will be expected from them if there is a claim, and what to expect from their insurer in the case of an adverse event.
Common Sub-Limits to Watch For:
Typically, you’ll find sub-limits alongside coverages that pair with the most costly or common claims. Below, most of the examples we’ve listed are tied to ransomware — but as cyber insurers adjust to the unpredictability of the market, you may find that less popular coverages or add-ons are met with sub-limits as well (e.g., bricking).
Ransomware and Cyber Extortion
- As covered above, ransomware is costly and continues to be a prevalent threat. Cyber insurers are introducing sub-limits primarily with ransomware and cyber extortion coverage due to the pronounced risk, but that doesn’t take away opportunities to work with clients to ensure they’re adequately covered. Stress the importance of having great controls in place and determine that the extortion coverage is not too narrowly tailored to potentially deny coverage in the event of a claim.
Social Engineering
- You can read more about this other commonly asked-about coverage here — but as we see phishing get smarter (like at Robinhood this year) you should expect to see more sub-limits for social engineering coverage. This is on top of many insurers already offering narrow coverage on these risks, due to the financial impact and breadth of social engineering attacks. In 2021, the average annual cost from phishing attacks was $14.8 million, reports Proofpoint.
Business Interruption
- This covers income loss and extra expenses incurred during a computer network outage. So, if an organization is hacked — and can’t go about business as usual, impacting customers and sales — their lost business could fall under the business interruption coverage. You can read more on the details of the coverage here, but watch for sub-limits in addition to already tricky policy form language on waiting periods and retention structure.
The Bottom Line
The market is constantly evolving and readjusting to the current threat landscape. But that doesn’t take away your agency to find the coverage that works best for your client. For example, while some sub-limits may be unavoidable as we combat the hard market, look for insurers that have consistent coverage elsewhere and are willing to work with policyholders hands-on to improve their controls. However, avoid sub-limits or coinsurance clauses that seem too much like a knee-jerk reaction to specific ransomware events.