CYBER INSURANCE MARKET INSIGHTS

CYBER INSURANCEMARKET INSIGHTSQ3 2020

OVERVIEWCyber risk and insurance continue to dominate boardroom discussions with cyber criminals takingadvantage of the confusion emanating from the COVID-19 pandemic, and technology beingincreasingly acknowledged as a critical component of business success.In March 2019 the Australian Government announced its intention to increase the maximum penaltyapplicable to a corporation’s serious breach of the Privacy Act1. The increased penalty will align with themaximum penalty currently available under the Australian Consumer Law - the greater of either 10m;three times the value of any benefit gained as a result of the contravention; or 10% of annual turnover.The intention to increase penalties is a herald that government and regulator attitudes are changing; wherepreviously the focus was on awareness and education, that focus is now shifting towards enforcement.These reforms have not been enacted yet, but rather are on the cards for the future.2Further, the implementation of consumer data rights as of 1 July 2020 for certain industries3and the 14 May 2020 amendment to the Privacy Act to expressly protect COVIDSafe app users4demonstrates the Australian Government's hardening position on data protection.The cyber insurance market continues to evolve, with ransomware events causing major concern forcyber insurers. The list of global cyber incidents, many of which have insurance, is staggering: Data breaches stemming from university use of exam Proctor software The Australian Prime Minister’s announcement of ongoing state-sponsored attacks Cyber incident involving the Victorian healthcare sector Norsk Hydro’s ransomware incident was a watershed moment for non-traditional cyberinsurance purchasers Multiple incidents in the airline industry, including British Airways, Cathay Pacific and EasyJet Incidents across manufacturing, logistics and associated industries, including Toll, Mitsubishiand Honda ASIC taking action against a financial institution for inadequate cyber security systemsUnfortunately, this list is a very small subset of the global cyber incidents that have been witnessed overthe last 12 months. Some markets are reporting ‘no less’ than 20% uplift in ransomware events alone inthe last three months, with others witnessing and reporting on this trend as early as Q1 20205. However,the extremely challenging change has been the financial consequences of ransomware events whichhave reportedly increased 10 times compared to 12 months ago.These events are the types of events that cyber insurance will typically respond to, and for whichinsurers are watching carefully. As the frequency and severity of these events escalate at an alarmingpace, impacting all types of organisations, irrespective of their individual or industry maturity,insurers will start to move from education to enforcement when it comes to preventative measuresand an improving risk posture.1 e-24-march-20193 right-cdr-02 https://www.lexology.com/library/detail.aspx?g 3909e617-a4f8-4ade-bea1e8e328d76efc.5 -25-in-q1-says-beazley/4 safe-app-and-my-privacy-rights/

CYBER MARKET OVERVIEWClaims &LossesCoverageCapacityCoverageCapacitycontinues tocontinues toevolvegrow globallyFrequency andWannacry, NotPetya andOver 75 unique insurersSignificant retentionPremiums trendingseverity of ransomwareRansomware incidentsproviding cyber capacityadjustment may lead to5-15% increases duecontinues to drivere-focus attention on BIincreased cover and/orto deteriorating claimslosses with frequency& supply chain exposurepricing flexibilityand markets consideringSignificant lossesidentified withfrequency continuingto growup significantly in2020, however morealarmingly the severity ofthe damage is increasingby orders of magnitudeComplexity of breachespressure applied to ‘right-Excess market showexposuressize’ retentions comparedtrends of rate increasesto similar new adoptersof 10% or higher,Emphasis on pre-Over 1bn theoreticalarranged vendorscapacity available,Critical infrastructurehowever insurersorganisations considerstarting to focus on limitlarge retentions inStrong local and globalmanagementexchange for tailoredmarket appetite still(broad) coverageexists, however ratingsexpenses eclipsing USsame trajectoryWar & terrorism still apoint of contentionSilent cyber is a hugetopic – the market willIncreasingly punitivebe pressed to assist withlegal and regulatoryan insurance solutionseen as a major D&Oconsiderationlong-term stabilityaggregate/accumulationclaims continue on theCyber risk managementincreasing overexisting programsevolving coverage needsin incident responseenvironment emergingstabilising, scrutinyupdate policies to meetaround certain covers iflossesRetentionsbeing reviewedEarlier adopters seeinghas driven increaseresulted in significantPricing trendsAsia. Insurers reviewingSome contractionSeverity of BI incidentsin London, Bermuda andPricingInsurers continue toand lack of competitioncostsCapacity available locally,RetentionsContractions on lineespecially for largecompaniesconsideredsizes being consideredSome carriers revisingby some marketsminimum retentions forSome organisations havecertain industry verticalssecured significant coverCarriers more discerningabout where and howAs ransomwaremuch capital they deployfrequency increases,Average limits purchasedis up 42% for largecompanies over a 36month periodmore carriers wish tolift themselves out of‘attritional’ loss zoneimprovements as a resultof higher premiums

STATE OFTHE MARKETWhilst capacity is still readily available to Australianorganisations, markets are now looking at sustainability as apriority. The rapid impact of cyber incidents is giving pause toinsurers, prompting reconsideration of how cyber insuranceshould be modelled, potentially moving away from thetraditional long tail insurance model and aligning more to shorttail insurance models due to the rapid manifestation of losses.This is an important concept to the insurance industry as itdictates how profitability and reserving are defined for insurers.To provide a sustainable insurance solution, insurers need torealign their understanding of how rapidly their capacity maybe consumed. When combined with the now frequent anddevastating impacts of ransomware, insurers are consideringhow their premium pricing models need to be developed.Despite the challenges faced by organisations due toeconomic uncertainty and the ongoing impacts of theCOVID-19 pandemic, cyber risk and insurance is still receivingsignificant attention. In part this is likely due to the furtherheightened importance of technology as a revenue stream.2020 will see an increase in cyber insurance higher thanhistorical increases. Aon has seen premium and policy countincrease year-on-year from 2012 of circa 30%, however 2020is already trending at 50% growth compared to 2019 despitethe economic uncertainty. This is due to a combination ofthree factors: Premium rate increases – organisations can expect to seea 10% uplift in premium for their same program limits.This is in part due to the transitioning market, as well ashistorically competitive premiums Increased limits – many organisations that have purchasedcyber insurance for a number of years and are familiar withthe coverage, are looking to increase their limits to moreaccurately reflect their risk Heightened awareness – will result in a large increase innew purchasers throughout the year, across all industrysectors, and organisation sizesCyber insuranceprojected to grow from 5.5 bn at year-end 2018to 20 bn by 2025.

GROWTH OF THE CYBERINSURANCE MARKET 4.4bn in GWP 20% growth All 50 statesregulated 800mn in GWP 50% growth GDPR now activeUK & EUUS RoWTotal cost ofcybercrime in 2018: 600BAUST 200mn in GWP GDPR spurring new privacy lawsbeyond Europe 110mn in GWP MDBN legislation enacted in 2018 Proposal to broader OAIC powersbeing considered 9 bnTotal cost ofcybercrime in 2022: 2T - 6T 14 bn 9 bn 3.5 bn2017 4.5 bn2018 5.5 bn2019202020222025Sources: Aon proprietary data; Aon Inpoint; 2017 “Global Cyber Risk Transfer Comparison Report”, Aon/Ponemon Institute; 2016 Cyber - The Fast Moving Target: Benchmarking Views andAttitudes by Industry; Insurance Business America, PwC, The Betterley Report, Advisen, Allianz, Allied Market Research

LOOKING AHEADSilent cyber1 has truly become a topic of discussion for alllines of insurance. Whilst the consequences of silent cyber aremore keenly felt in other lines of insurance, cyber insurancewill be challenged to provide solutions. As a major issue forthe entire market, we anticipate alternative cyber solutionswill emerge as mainstream options in the future, providingsolutions where other lines of insurance have retracted fromthe emerging exposure.Alternative risk transfer markets and options will become morecommon as limits of indemnity exceeding 1bn become moreessential, whether for traditional cyber or alternative cybersolutions providing broader coverage such as actual bodilyinjury, property damage or environmental liability to name a few.Silent cyber will continue to be a challenge to be managedby the industry. As a result, organisations will need to startreviewing their limit requirements and look to structureprograms that maximise the available capacity to them fortheir critical exposures.Ransomware will dominate the discussion. It cannot beoverstated the impacts such attacks/losses are having on thecyber market. Insurers are still providing broad solutions tothese incidents, however it is likely that insurers will need toreconsider their approach to this aspect of coverage. Insurersare likely to move from an educational approach to offering awide range of non-insurance products and solutions designedto reduce the insured’s and insurer’s exposure to such attacks.Insurers are likely to, over a handful of years, move to anenforcement regime where organisations must utilisecertain products and services in order to gain insurance forransomware events. These ‘conditions precedent’ have beenmostly removed from cyber insurance, however unless wideraction is taken to mitigate this type of attack, insurers willbe forced to drive attitude change via a focus on providingsuperior terms and conditions to compliant organisations, andreducing their exposure to non-compliant organisations.1 Silent cyber refers to the cyber exposure existing in policies which do not specify whetherlosses arising from a cyber-attack are affirmatively covered.2 90.htmlRansomwareRansomware has gained interest frominsurers and the media given the frequencyand severity of claims and incidents. It isworth comparing the incident responsecomponent of a cyber policy to a kidnapand ransom policy. Cyber insurancetypically provides insureds access to apanel of incident responders if an incidentwas to arise, including access to incidentresponse and investigation teams as well asreimbursement of crisis communicationsand reputational mitigation costs.These types of incidents, along withcybercrime in general, are causing themarket concern. Cybercrime is now reportedto be the fastest growing form of crime inthe US, and by 2021 is predicted to be moreprofitable than the global trade of all majorillegal drugs combined2.