The Cyber market remains stable, with continued predictions for hardened conditions and increased rates later this year. Competition is expected to remain steady, limiting short-term market impacts. Incumbent markets seek to retain business with leading controls and add to their portfolios for opportunities of best-in-class risks.

• Changing cyber market conditions over 2024 will put pressure on pricing. Renewals are projected to change -5% to +5%.
• A soft market for the past 18+ months has resulted in market pressure to make corrections, likely starting in late 2024 into 2025.
• Additional capacity from incumbent markets and new entrants has countered the pressure to increase rates, but these dynamics seem to be fading.
• While pockets of competition remain, markets are managing limit deployment and continue to seek out best-in-class risks with strong cybersecurity posture and thorough diligence practices.
• Persistent rate of claims in both frequency and severity:
  • This year exemplifies how companies can sustain persistent and severe cyberattacks in the form of ransomware, malware, business email compromise and social engineering.
  • Companies paying ransom demands have decreased from a high of 77% in 2020 to an all-time low of 28% in 2024. However, when ransoms are paid, the business interruption losses can be significant and the extortion payments are higher than previous averages.
  • The July 2024 CrowdStrike outage brought Cyber carriers’ aggregation risk concerns into focus but ultimately had no significant impacts on carrier books.

Areas of Underwriter Concern

• Aggregation risk from outsourced software/managed service providers (e.g., MOVEit, Change Healthcare, CrowdStrike)
  • Underwriter focus centered on vendor contracts provisions, vendor diligence, policies surrounding contingency and recovery plans including testing and patching procedures.
  • Contingent business interruption limit availability continues to be subject to negotiation.
• Artificial Intelligence (AI) usage and management
  • Carriers will inquire about thoughtful deployment and thorough policies/procedures.
  • Some carriers providing “affirmative” AI endorsements.
  • NIST AI Framework: AI Risk Management Framework | NIST
• Biometrics: unique physical characteristics including fingerprints, DNA, faceprints, retina scans, etc.)
  • Coverage may be excluded without appropriate compliance standards surrounding consent, collection and storage practices under relevant laws (BIPA, GDPR, etc.)
  • GDPR Compliance Guidance: How do we demonstrate our compliance with our data protection obligations? | ICO
• Pixel tracking: code embedded in a website that tracks and gathers data on the user’s website activity
  • Coverage may be excluded if appropriate governance is not demonstrated.
  • FTC & OCR Guidance: Model Letter: Use of Online Tracking Technologies (ftc.gov).

Property & Casualty Team