Cyber rates stabilizing on the back of enhanced cybersecurity measures: McGriff
As it progresses through 2024, the cyber insurance market is seeing rates stabilize amidst an evolving threat landscape, broker McGriff wrote in its Spring market update.
The stabilization of cyber insurance rates has been facilitated by higher retention levels and deductibles, allowing businesses to benefit from premium savings. However, companies handling large volumes of sensitive information, such as personal health and financial data, continue to face higher rates due to the aggregation risk associated with large-scale data breaches.
According to the 2024 Allianz Risk Barometer, cyber incidents, particularly data breaches, cyberattacks on critical infrastructure, and ransomware, are the top concerns across industries globally. The costs associated with these incidents are substantial, including business interruption, ransomware payouts, regulatory fines, notification expenses, credit monitoring, forensics, data recovery, legal fees, and reputational damage.
The complexity of the cyber landscape is further exacerbated by the increasing sophistication of hacker tactics, including the use of artificial intelligence (AI) to facilitate ransomware attacks and deepfake technology for phishing emails, McGriff noted.
A significant development in the cyber insurance sector is the implementation of war exclusions in cyber policies. Following AIG’s adoption of the London Market Association’s (LMA) approved war exclusion, it is expected that more domestic carriers will follow suit. These exclusions address losses arising from war, significant state-backed cyberattacks, and collateral damage, providing clarity on how nation-state attacks will be attributed.
In response to the evolving cyber threat landscape, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released draft rules for cyber incident reporting by critical infrastructure entities. The proposed rule mandates reporting substantial attacks within 72 hours and ransom payments within 24 hours, emphasizing the importance of timely and detailed incident reports.
McGriff’s full report is available here.