Cyber Coverage Explained: Sub-limits and Coinsurance

Welcome to another edition of our Cyber Coverage Explained series. This week, we're discussing sub-limits and coinsurance as it impacts our current market. For more coverage explainers, you can find our past posts on Social Engineering and Crime Coverage, Business Interruption, and Contingent Business Interruption. 

Introduction to Sub-limits and Coinsurance in the Cyber Insurance Industry

Cyber insurance isn’t new, but in contrast to insurance industries that date back centuries, it maintains a youthful glow. Since the early days of cyber in the 1990s, the industry has responded to new risks in real-time to match an increasingly digital-focused world.

This leaves us seeing a lot of “firsts” for cyber insurance that other markets had the opportunity to deal with long before. Consider how in the past homeowners insurance and property insurance responded to monumental hurricane seasons by introducing special deductibles; that’s where Cyber is now in its response to ransomware and other covered perils. 

The Growing Prevalence of Sub-limits and Coinsurance

Today, we’re exploring a couple of the ways standard cyber coverage can be amended as the industry matures and responds to changing cyber risks. Namely, we’re covering the growing prevalence of sub-limits and coinsurance in policies where there may not have been a few years ago (and where you should expect to see them).

What Is a Sub-Limit in Insurance?

Limitations on how much coverage is available for a specific type of loss. It’s common to see them in areas where expenses for a claim may be extensive.

• Right now in the cyber industry, that’s often coverage for ransomware and cyber extortion.

What Is Coinsurance?

Clauses may also be introduced alone or alongside sub-limits, which require policyholders to share a defined percentage of the claim cost with the carrier.

The Ransomware Impact: Why and How Cyber Insurers are Responding to Risks

The demand for cyber insurance is rising consistently. According to Marsh, 42% of their clients purchased cyber insurance in 2019, which is more than double the number from 2014. More organizations are dedicating the time and funds to protect themselves from threat actors, through stronger cyber hygiene best practices and the transfer of risk with insurance. 

Why the surge in interest? Most of us who have turned on the news this past year — even the digitally adverse — could probably answer that. Ransomware feels like it’s everywhere.

In the case of Colonial Pipeline, we saw how much high-profile attacks like this can cost. The largest fuel pipeline in the United States was left paying Eastern European threat actors a $4.4 million dollar ransom. 

In other instances, such as Microsoft Exchange, Kaseya, and now Log4j, we've seen both the long-term impacts of zero-day vulnerabilities and the ongoing risk to downstream customers. Grappling with the continued threat of supply chain risks, several insurers placed sub-limits on policyholders with Log4j exposure. However, important to note, that’s nearly everyone. 

Last January, AIG introduced ransomware coinsurance across all accounts, requiring policyholders to take on half the cost for digital extortion losses. This is after other carriers introduced new sub-limits in an attempt to combat the increase in expensive ransomware claims.

Current issues in the cyber industry: 

• Threat actors are continuing to innovate new ways to extract money from victims, whether through double, triple, and quadruple extortion (using a denial-of-service attack that overwhelms servers, and targeting victim’s stakeholders and customers directly) or by utilizing new, effective tools to get inside networks.

  • All that, and social engineering tactics are only getting more sophisticated. The evolution makes it harder for anyone to play defense. 

• The average ransom payout in 2021 was $142,637.

  • Plus additional costs stemming from business interruption, forensic services, legal teams, and more. 

• With rates of claims rising, insurers are taking a hard look at riskier portfolios and thinking of ways to limit losses that were not being considered in past years.

In response, policyholders are tasked with taking on more responsibility for these risks. Cyber underwriters are looking at organizations to do their part in preventing losses; they want to see better security controls paired with tighter coinsurance clauses. The theory is there’s an incentive for policyholders to take action faster when the financial burden is more likely to impact them and result in lost income. With their businesses' money on the line (through coinsurance), they may notify their cyber insurance company faster in the event of suspicious activity to speed up the response.

The Details: What Brokers Should Keep in Mind

Watch for Policy Specifications, Especially on Renewals 

As cyber insurers look for ways to cope with the current hard market, brokers should keep a keen eye on how the introduction of sub-limits and/or coinsurance percentages will impact potential claims for their clients.

Expectations of policyholders will vary as insurers determine how to deal with risk differently, but expect to see both sub-limits and coinsurance become more popular. Some insurers may be accommodating if the insured shows that they have exceptional controls and are willing to spend more in premium, but others may face ransomware extortion sub-limits nonetheless. It’ll come down to weighing the options for what works best for each organization on a case-by-case basis.

What’s most important for underwriters, brokers, and the insured (collectively!) is that specifications are clear and policyholders know exactly what will be expected from them if there is a claim.

Common Sub-Limits to Watch For:

Typically, you’ll find sub-limits alongside coverages that pair with the most costly or common claims. Below, most of the examples we’ve listed are tied to ransomware — but as cyber insurers adjust to the unpredictability of the market, you may find that less popular coverages or add-ons are met with sub-limits as well (i.e: bricking).  

Ransomware and Cyber Extortion

• As covered above, ransomware is costly and continues to be a prevalent threat. Cyber insurers are introducing sub-limits primarily with ransomware and cyber extortion coverage due to the pronounced risk, but that doesn’t take away opportunities to work with clients to ensure they’re adequately covered. Stress the importance of having great controls in place and determine that the extortion coverage is not too narrowly tailored to potentially deny coverage in the event of a claim. 

Social Engineering

• You can read more about this other commonly asked-about coverage commonly asked-about coverage here — but as we see phishing get smarter (like at Robinhood this year) you should expect to see more sub-limits for social engineering coverage. This is on top of many insurers already offering narrow coverage on these risks, due to the financial impact and breadth of social engineering attacks. In 2021, the average annual cost from phishing attacks was $14.8 million, reports ProofPoint. 

Business Interruption

• Business interruption insurance covers income loss and extra expenses incurred during a computer network outage. So, if an organization is hacked — and can’t go about business as usual, impacting customers and sales — their lost business could fall under the business interruption coverage. You can read more on the coverage details here, but watch for sub-limits in addition to already tricky policy form language on waiting periods and retention structure.

The Bottom Line

The market is constantly evolving and readjusting to the current threat landscape. But that doesn’t take away your agency to find the coverage that works best for your client. For example, while some sub-limits may be unavoidable as we combat the hard market, look for insurers that have consistent coverage elsewhere and are willing to work with policyholders hands-on to improve their controls. However, avoid sub-limits or coinsurance clauses that seem too much like a knee-jerk reaction to specific ransomware events.