NEW YORK — Despite a recent moderation in commercial cyber insurance pricing following a protracted period of a hard market, concerns are emerging about the adequacy of current rates. A panel discussion at the Professional Liability Underwriting Society Cyber Symposium in New York on Tuesday highlighted that the frequency and severity of cyber losses have not decreased proportionally, prompting industry experts to re-evaluate pricing strategies.
“Right now, we’re still in the middle of a soft market, and with that you’re also seeing deceleration of rate at a pretty good extent,” noted Tony Dolce, vice president and head of professional liability, cyber and technology errors and omissions underwriting at Hartford Financial Services Group Inc. He attributed the lower pricing to increased capacity within the market.
However, this price adjustment occurs against the backdrop of steadily increasing exposures. “We find ourselves in the market where we’re a little bit disproportionate to exposures as an underwriter,” added Tim Francis, vice president and enterprise cyber lead at Travelers Cos. Inc. Advancements in social engineering techniques by malicious actors and the emergence of new ransomware groups contribute to this rising risk.
Paul Needle, senior vice president and cyber treaty underwriter for Munich Re U.S., part of Munich Reinsurance Company Ltd., described the topic of rate adequacy as “complex and dynamic,” given the rapid evolution of the cyber landscape. He highlighted the challenge of using historical loss data to predict future performance, given changes in primary versus excess coverage, geographic appetites, attachment points, and revenue bands.
One strategy the industry is using to address these concerns involves maintaining pressure on policyholders to bolster their cyber controls. Nadia Nicole Hoyte, national cyber practice leader in the executive and professional risk solutions practice for USI Insurance Services LLC, stated that while multi-factor authentication (MFA) is now considered a “critical baseline” control, additional controls may be implemented this year. She also emphasized the crucial need for employee training, making a point to say, “training, training, training – we have not seen the end of training” for employees on proper cyber hygiene.
