Cyber

In this chapter of our Annual Insurance Review 2023, we look at the main developments in 2022 and expected issues in 2023 for Cyber.

Key developments in 2022

As predicted in last year's edition of the Annual Insurance Review, 2022 has seen the level of standalone cyber insurance products increasing and the price of cyber insurance products remaining high.

According to Industry Arc's Cyber Insurance Market Forecast, the global cyber insurance market was valued at $12.86 billion in 2022 compared with $10.33 billion in 2021. Within this context, standalone cyber insurance policies have a CAGR (compound annual growth rate) of 31.1% and are growing quickest when compared with packaged insurance, which is being phased out.

The price of cyber insurance products in the UK has seen a rise of 102% in the first quarter of 2022 according to the Global Insurance Market Index released by Marsh. These increased premiums, alongside more complicated application processes for cyber policies, have resulted in a strain on some organisations trying to obtain cyber insurance. With the increased cost of cyber threats on insurers, it is no longer feasible to simply transfer the risk of cyber threats over to insurers. Internal investment in security is needed. Market pressures, as well as ever greater sophistication in cyber-attacks, meant that insurers are tending towards insisting on a base level of security standards being in place.  

However, over the course of 2022, we have seen a drop overall in large-scale ransomware incidents.  Whilst ransomware is still a very significant risk, the majority of cyber incidents we have dealt with in 2022 have been attempted frauds, often through business email compromise. The drop in hard-hitting ransomware incidents may help the cyber insurance market to rebalance. However, whilst the price of cyber insurance policies is settling, the security standards policy holders are required to have is likely to remain a permanent shift.

What to look out for in 2023

As the cyber insurance market continues to develop, we are seeing changes being made to balance the needs of the insurance market in insuring knowable risk, the needs of the commercial sector in managing the risk of cyber threats, and the mutual need to keep premiums competitive and manageable.

Lloyds of London has announced that there will no longer be coverage for some state-backed attacks from March 2023. Alongside its announcement, Lloyds produced four new LMA clauses for use in cyber policies, which exclude cover for losses incurred due to war and/or due to cyber operations launched during war, in retaliation by specific states, or which cause major detrimental impacts to the functioning of a state. The LMA clauses state that in assessing such exclusions, the primary factor that will be looked at is whether the government of the state in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.

However, it can be very difficult if not impossible to make such an attribution as those carrying out state sponsored attacks will very rarely openly align themselves with the state's war efforts.  Further, even if the affected government was able to determine which state carried out the cyber operation, they may choose not to make such information public for political or other reasons.  Therefore, it may be difficult for insurers to assess attribution and make use of the new war exclusion clauses in practice.  

In 2023, we are likely to see some claims being made under cyber policies that include the above exclusions. It will be interesting to observe how the clauses are analysed and navigated within the inherently opaque and shadowy context of cyber operations.

Written by Elizabeth Zang.

Download our full Annual Insurance Review 2023 for more insights.