Cyber Liability | Q4 2024 Market Update
Property & Casualty
The Cyber market remains stable, with continued predictions for hardened conditions and increased rates later this year. Competition is expected to remain steady, limiting short-term market impacts. Incumbent markets seek to retain business with leading controls and to add best-in-class risks to their portfolios.
- Changing cyber market conditions over 2024 will put pressure on pricing. Renewals are projected to change -5% to +5%.
- A soft market for the past 18+ months has resulted in market pressure to make corrections, likely starting in late 2024 into 2025.
- Additional capacity from incumbent markets and new entrants has countered the pressure to increase rates, but these dynamics seem to be fading.
- While pockets of competition remain, markets are managing limit deployment and continue to seek out best-in-class risks with strong cybersecurity posture and thorough diligence practices.
- Persistent rate of claims in both frequency and severity:
  - This year exemplifies how companies can sustain persistent and severe cyberattacks in the form of ransomware, malware, business email compromise and social engineering.
  - The share of companies paying ransom demands has decreased from a high of 77% in 2020 to an all-time low of 28% in 2024. However, when ransoms are paid, the business interruption losses can be significant and the extortion payments are higher than previous averages.
- The July 2024 CrowdStrike outage brought Cyber carriers’ aggregation risk concerns into focus but ultimately had no significant impacts on carrier books.
Areas of Underwriter Concern
- Aggregation risk from outsourced software/managed service providers (e.g., MOVEit, Change Healthcare, CrowdStrike)
  - Underwriter focus is centered on vendor contract provisions, vendor diligence, and policies surrounding contingency and recovery plans, including testing and patching procedures.
  - Contingent business interruption limit availability continues to be subject to negotiation.
- Artificial Intelligence (AI) usage and management
  - Carriers will inquire about thoughtful deployment and thorough policies/procedures.
  - Some carriers are providing “affirmative” AI endorsements.
  - NIST AI Framework: AI Risk Management Framework | NIST
- Biometrics: unique physical characteristics, including fingerprints, DNA, faceprints, retina scans, etc.
  - Coverage may be excluded without appropriate compliance standards surrounding consent, collection and storage practices under relevant laws (BIPA, GDPR, etc.).
  - GDPR Compliance Guidance: How do we demonstrate our compliance with our data protection obligations? | ICO
- Pixel tracking: code embedded in a website that tracks and gathers data on the user’s website activity
  - Coverage may be excluded if appropriate governance is not demonstrated.
  - FTC & OCR Guidance: Model Letter: Use of Online Tracking Technologies (ftc.gov).