Risk Placement Services (RPS), a national brokerage, calls itself “brokers in bold.” It recently presented its quarterly cyber update, including a report and presentations by RPS’ Steve Robinson, national cyber lead, Vice Presidents Tim Foody and Zach Kramer, and Jennifer Coughlin of Mullen Coughlin, “a law firm uniquely dedicated exclusively to representing organizations facing data privacy events, information security incidents, and the need to address these risks before a crisis hits.”
The 2023 Q3 Cyber Market Update is well worth the read, as is the interesting Q&A on the webinar Cyber Market Update: What’s New & What’s Next. And see our related report: Are Ransomware Gangs Trustworthy?
Among the most interesting analysis is a discussion of growing capacity, including for public entities, and moderating primary layer premiums. This market stabilization has, RPS suggests, “created some irresponsible underwriting activity that wouldn’t have been contemplated when the ransomware epidemic was red-hot…” The result is “erratic” underwriting, with differences not just between carriers but within the same underwriting teams at certain insurers. RPS urges its clients to read the fine print around exclusions and sublimits when they receive what appears to be unusually good pricing for cyber policies.
[Among the anecdotes in the webinar, RPS recounted the tale of a client that was hit with a cyber attack and dinged for lacking an important control. But when RPS got involved, they realized that while the client had reported it lacked the control, it actually did have it. RPS was able to use the presence of that control to get its client a retroactive capacity increase, which was then applied to the cyber loss, saving the client a substantial amount of money.]
See excerpts below regarding “irresponsible” and “erratic” underwriting. For more detail access the full report:
“Despite concerns regarding adequacy of capacity to meet the growing demand for Cyber insurance, the July 1 renewal cycle saw fewer hurdles to getting desired capacity than in 2022. Public entity — typically among the most challenging sectors for placing coverage — showed signs of a changing market; for example, large municipality placements that previously saw a ceiling of $20M in capacity last year in some cases could make decisions on towers in excess of $50M or higher in July of 2023.
These larger placements (with favorable loss experience) generally saw a rate decline on their primary layer. Couple this with an excess market bringing Increased Limits Factors (ILFs) in the 70% to 85% range, and buying higher limits became an easier decision this year. As a frame of reference, many of the ILFs we saw a year ago exceeded 100% of their primary layer pricing. We’ve found retentions and deductibles to be relatively stable in the past quarter.”
“This trend toward stabilization has led to what we view as irresponsible underwriting activity that wouldn’t have been contemplated when the ransomware epidemic was red-hot, daily, front-page news from 2019 through 2022. A dichotomy is in play, however. Some markets, in their efforts to regain market share (or achieve it in the first place), are offering unsolicited quotes on Cyber policies alongside a Crime insurance renewal, for example. Many times the coverage has been significantly restricted, or sublimits on critical insuring agreements like cyber extortion or incident response are taken down.
Tim Foody, RPS Executive Lines area senior vice president, notes, ‘Many markets are getting more aggressive and quoting accounts they would have declined six months ago, but they’re adding exclusions and sublimits that significantly impact the coverage. There’s nothing wrong with a healthy dose of skepticism toward what appears to be appetite expansion.’
Confirming the erratic nature of carrier approaches is Zach Kramer, area vice president of RPS Executive Lines: ‘Right now, I am seeing inconsistencies in underwriting not only between carriers, but also within the same underwriting teams at the same carriers. This ranges from pricing to what controls are required.'”