The start of a new year presents a good opportunity to reflect on changes over the past 12 months and predict what lies ahead in the next. As we can see a distant end to this difficult period, it’s time to reimagine the world’s future.
In a recent Accenture Consumer Survey, we found that 67% of consumers are expecting companies to “build back better” from the recent crisis by investing in long-term, sustainable digital solutions. More than half of employees who never worked from home before now want to do more often in the future. In addition, nowhere has the resilience, speed, and adoption of digital solutions occurred faster than in the small businesses that have been able to survive and thrive during 2020.
But with these new digital capabilities comes new risks. Digital protections will become just as important if not more important than physical ones. To understand what these risks mean to the cyber insurance market, we partnered with CyberCube, a leader in cyber insurance analysis, to look at the market.
The move to digital solutions over the last year as a consequence of the pandemic has been well documented. The dramatic shift to working from home has fundamentally altered how we think about our work environment. The impact of this change on the cyber risk landscape has been many-faceted. As well as existing trends such as the ongoing explosion of ransomware and the increase of managing remote workforces, 2020 was punctuated by a number of significant events in the world of cyber risk, including the Twitter breach, the Magento hack, and the Solarwinds hack near the end of the year, which may be the most important one of all. (More on this later.)
As the world of cyber insurance sits at the intersection of insurance and cybersecurity, it’s important for underwriters in this space to be forward-looking, especially since the risk landscape can change so quickly. With this in mind, Accenture and CyberCube worked together to highlight trends and predictions to look out for in 2021. Some are incremental, while others could signal a material shift in our market.
1. A hardening market
The hardening market across the insurance industry gathered pace in the second half of 2020. The dust is still settling on the January 1 renewal season, but it is clear that within the cyber (re)insurance market, there have been rate rises and a tightening of capacity and terms. The impact inevitably varies across segments, with those companies who have suffered losses particularly adversely impacted. The loss history of the last few years has shown that high excess layers are no longer perceived as outside the burn layer in large programs, so capacity has shrunk for this segment, forcing many more participants to get close to the required limits, often at much higher prices.
Against the backdrop of rising prices, there have been some cyber-specific market trends which will likely rapidly accelerate in 2021. Restrictions in cover, sub-limits in conditions, or even exclusions for certain perils (particularly in the light of ongoing ransomware issues) could make placing some risks harder for brokers. There has even been talk of exclusions relating to specific events, such as the SolarWinds hack.
One silver lining of the hardening conditions is that companies which demonstrate a strong culture of proactive risk management and effective cybersecurity controls in a holistic manner will be the beneficiaries of relatively better terms from the market. There is an increasing distinction between those companies which consistently perform well and those who are behind the curve. Underwriters are more discerning than ever when it comes to risk selection, with more data at their disposal to identify best practices in cyber hygiene. Security signals can measure indicators of cyber maturity and reward companies which demonstrate strong cybersecurity practices.
2. Pricing convergence
As the cyber market has matured, actuaries have been allocated to review portfolios with increasing focus. Further, as individual underwriters and teams have moved between different market participants, there has been a reduction in the previous volatility of pricing variance. A growing consensus has emerged regarding the most hazardous and best-in-class risks, with pricing to match. In years gone by, there have been significant pricing differences for the same risk—sometimes by an order of magnitude. In 2021, on the whole, there will be an increasing market consensus about what is the appropriate pricing for a given risk. The competition will continue to be vigorous, with an increased focus on policy language, end-to-end risk management services (both pre-and post-loss services), and experience in claims handling.
3. Technology transformation
Technology connected to the internet and networks will continue to dramatically expand, along with associated risks. The hyperconnectivity of 5G networks will become mainstream during 2021 and this will allow much faster and more reliable transmission of data—and malware. This will mark the end of the “network perimeter” as commonly understood, making corporate networks harder to defend. The internet of things will also increase its presence, with extensive adoption of both consumer applications and expanded industrial uses. The ongoing transition to cloud computing will reinforce our reliance on a small number of critical platforms in the space.
4. Growth in attack vectors
The SolarWinds attack at the end of 2020 illustrated what is at stake in cybersecurity. It showed the potential implications of nefarious state-backed hackers with up to 18,000 companies impacted by this malicious software update, including multiple U.S. government agencies. This attack exposed the interconnectedness of technologies and the reliance on a small number of critical suppliers. To date, it appears that the motivation was espionage rather than criminal, and although the financial consequences of this event are still unclear, it has provided a window into what is to come. The attack surface continues to increase dramatically, and this trend will accelerate in 2021. This will highlight vulnerabilities within supply chains, ubiquitous software used across multiple industries. As ever, the weakest point in any network will prove the point of entry for automated attacks.
5. A focus on accumulation
It wasn’t that long ago that the need for managing potential accumulation risk within the cyber insurance market was considered a luxury or an academic pastime for the curious. In the last three years, there have been several incidents which have highlighted that the issue as no longer a theoretical possibility—it’s an urgent concern. Regulatory focus by the PRA, Lloyd’s and others has also stepped up in the recent past. In 2021, it will be widely acknowledged that a rigorous and structured approach to cyber risk accumulation management is a prerequisite and a necessity for carriers. Fledgling deterministic insurer models will be supplemented and/or replaced with additional data sources and modeling capabilities to provide greater insight into different portfolios. A better understanding of the potential points of accumulation enables a more proactive approach to address and improve the efficiency of capital management. This will help enable increased diversification and resilience to withstand potential accumulation events.
The role of insurers
Insurance companies need to adapt to the rapidly growing digital world by not just selling more cyber insurance or charging more for it, but by building better cyber insurance capabilities as well.
As we see it, carriers in 2021 need to focus on three main things:
- Revisit their core underwriting practices and look for methods to supplement existing analysis with new data sources and insights to drive better risk evaluation against current and emerging threats.
- Build out enterprise risk management capabilities supporting cyber lines of business. Cyber risk insurance has become increasingly complex and traditional diversity by industry or region doesn’t offer protection against cyber threat CAT vectors.
- Develop more active risk protection. Cyber threats, like those posed by large property and liability events, can benefit from solutions that work with customers to reduce risks. Explore in-house or vendor-based solutions to support your clients with services that can reduce their exposure to cyber risks.
While this list is non-exhaustive, and the nature of insurance means that we will no doubt be dealing with unanticipated or leftfield events, an awareness of these significant trends will help us in the year ahead.