2024 Cyber Insurance Market Outlook

Increased cyberattacks with new evasive tactics, hacktivist-based attacks and frequent ransomware have created a volatile risk environment for organizations of all types and sizes over the past few years. The increased cost of dealing with such disruptive incidents created a hard market, with most policyholders facing premium hikes. Indeed, global cyber insurance pricing rose a staggering 53% in the third quarter of 2022, according to insurance broking and risk management company Marsh.

Fortunately, Marsh’s latest report describes an improved position. Specifically, increased market competition and healthier insurer loss ratios have had a moderating impact on pricing, and the market has displayed indications of softening during 2023. In fact, cyber insurance premium increases moderated to 11% in the first quarter of 2023 and 1% in the second quarter, and prices may continue to stabilize in 2024. However, several factors can weigh on the market—including geopolitical tensions and disruptive technologies—making accurate pricing predictions difficult. As such, organizations should adopt a strong security posture and stay abreast of market developments.

 

Developments and Trends to Watch

• Ransomware—Ransomware remains a top risk for organizations as ransomware groups continue developing tactics and operating at larger scales. A new tactic emerged in 2023 whereby cybercriminals target third-party software to compromise the data of several organizations simultaneously, as demonstrated by the MOVEit data breach in May 2023. As such, robust cybersecurity measures relating to ransomware and supply chain perils are critical for risk management endeavours and may also be required by insurance carriers to qualify for policies or reduced premiums.

• Artificial intelligence (AI)—AI-driven cyberthreats continue to grow as 2024 begins. Although AI tools can help organizations detect and neutralize threats and automate incident response, they can also be weaponized by cybercriminals. For instance, generative AI has begun to aid the phishing market, with AI tools able to formulate sophisticated phishing messages, including convincing deepfake attacks, with minimal effort. Organizations should understand both the risks and advantages of AI to help combat losses.

• Business email compromise (BEC)—BEC occurs when a cybercriminal impersonates a legitimate source via email (e.g., a senior manager, business partner or vendor). Threat actors use these emails to gain the trust of their targets to trick them into wiring money, sharing sensitive information or engaging in other compromising activities. As remote and hybrid working patterns increase, email systems are a desirable target for criminals. As such, organizations should understand the types of BEC scams and check their policies, including cover for BEC fraud.

• Data collection and cybersecurity regulations—Some businesses have begun leveraging biometrics, pixels and other tracking technology to gather personal information from stakeholders; however, doing so poses several data privacy issues. Compounding concerns, cyber insurance carriers are increasingly excluding coverage for losses caused by the wrongful collection of data, leaving organizations largely unprotected against this exposure. Furthermore, the House of Commons introduced Bill C-26 in 2022 to set a new Critical Cyber Systems Protection Act in motion. Organizations must comply with all relevant legislation to minimize risks and should scrutinize policy terms and conditions to ensure ample coverage.

 

Tips for Insurance Buyers

• Work with your insurance professionals to understand the different types of cyber cover available and secure a policy that suits your unique needs. Carefully examine policy terms and conditions and any exclusions.

• Consider robust employee training to prevent cybercrime from affecting your operations. Include any pertinent cyberthreats—especially AI-powered attacks, ransomware and BEC scams—in your teachings. However, avoid just asking employees to attend frequent awareness trainings, as this can lead to security fatigue. Instead, consider ways to make cybersecurity an integral part of company culture.

• Establish a cyber incident response plan to build cyber resilience and minimize damages in the event of a data breach or cyberattack.

• Consult insurance and legal professionals to determine your organization’s regulatory exposures regarding applicable data protection and cybersecurity regulations. Make compliance adjustments as needed.

 

This Market Outlook is not intended to be exhaustive, nor should any discussion or opinions be construed as professional advice. © 2024 Zywave, Inc. All rights reserved.